package authsome
import (
"encoding/json"
"testing"
log "github.com/xraph/go-utils/log"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/xraph/authsome/settings"
)
// TestRegisterCoreSessionSettings_AllRegistered checks that, after
// registerCoreSessionSettings runs against a fresh manager, a representative
// key from every settings category — including the two keys added by the
// security fixes — is visible through the manager's Definitions().
func TestRegisterCoreSessionSettings_AllRegistered(t *testing.T) {
	mgr := settings.NewManager(nil, log.NewNoopLogger())
	require.NoError(t, registerCoreSessionSettings(mgr))

	// Index the registered definitions by key so each expectation is a
	// single lookup rather than a scan.
	defs := mgr.Definitions()
	registered := make(map[string]struct{}, len(defs))
	for _, def := range defs {
		registered[def.Key] = struct{}{}
	}

	expected := []struct {
		key  string
		desc string
	}{
		// Existing settings
		{"session.token_ttl_seconds", "token TTL should be registered"},
		{"session.refresh_token_ttl_seconds", "refresh token TTL should be registered"},
		{"session.rotate_refresh_token", "rotate refresh token should be registered"},
		{"session.bind_to_ip", "bind to IP should be registered"},
		{"session.bind_to_device", "bind to device should be registered"},
		{"session.cookie_name", "cookie name should be registered"},
		{"session.cookie_same_site", "cookie same site should be registered"},
		{"session.auto_refresh_enabled", "auto-refresh enabled should be registered"},
		// New settings from security fixes
		{"session.auto_refresh_expose_refresh_token", "auto-refresh expose refresh token should be registered"},
		{"session.jwt_require_active_session", "JWT require active session should be registered"},
	}
	for _, tc := range expected {
		_, ok := registered[tc.key]
		assert.True(t, ok, tc.desc)
	}
}
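// TestSettingJWTRequireActiveSession_DefaultFalse verifies that
// SettingJWTRequireActiveSession is opt-in: its registered JSON default is
// false, and — like the email-verification resolution test in this file —
// settings.Get still resolves to false at runtime when no store-level
// override exists. Checking only the raw JSON would miss a regression in the
// resolution path.
func TestSettingJWTRequireActiveSession_DefaultFalse(t *testing.T) {
	// The default value should be false (opt-in feature).
	var val bool
	err := json.Unmarshal(SettingJWTRequireActiveSession.Def.Default, &val)
	require.NoError(t, err)
	assert.False(t, val, "JWT require active session should default to false")

	// Guard the runtime resolution path too: NilStore holds no overrides, so
	// Get must fall back to the registered default.
	mgr := settings.NewManager(settings.NilStore{}, log.NewNoopLogger())
	require.NoError(t, registerCoreSessionSettings(mgr))
	got, err := settings.Get(t.Context(), mgr, SettingJWTRequireActiveSession, settings.ResolveOpts{AppID: "app_test"})
	require.NoError(t, err)
	assert.False(t, got, "with no overrides, Get must resolve to the default (false)")
}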
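// TestSettingAutoRefreshExposeRefreshToken_DefaultFalse verifies that
// SettingAutoRefreshExposeRefreshToken is secure by default: its registered
// JSON default is false, and — like the email-verification resolution test in
// this file — settings.Get still resolves to false at runtime when no
// store-level override exists, so the refresh token is not exposed unless an
// operator explicitly enables it.
func TestSettingAutoRefreshExposeRefreshToken_DefaultFalse(t *testing.T) {
	// The default value should be false (secure by default).
	var val bool
	err := json.Unmarshal(SettingAutoRefreshExposeRefreshToken.Def.Default, &val)
	require.NoError(t, err)
	assert.False(t, val, "auto-refresh expose refresh token should default to false")

	// Guard the runtime resolution path too: NilStore holds no overrides, so
	// Get must fall back to the registered default.
	mgr := settings.NewManager(settings.NilStore{}, log.NewNoopLogger())
	require.NoError(t, registerCoreSessionSettings(mgr))
	got, err := settings.Get(t.Context(), mgr, SettingAutoRefreshExposeRefreshToken, settings.ResolveOpts{AppID: "app_test"})
	require.NoError(t, err)
	assert.False(t, got, "with no overrides, Get must resolve to the default (false)")
}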
// TestSettingRequireEmailVerification_DefaultsToTrue pins the Phase 2A
// default of SettingRequireEmailVerification (flipped from false to true) by
// decoding the registered JSON default directly.
func TestSettingRequireEmailVerification_DefaultsToTrue(t *testing.T) {
	// Phase 2A flipped the default to true so that accounts created through
	// signup cannot be used before the user has proven ownership of the email.
	var required bool
	require.NoError(t, json.Unmarshal(SettingRequireEmailVerification.Def.Default, &required))
	assert.True(t, required, "SettingRequireEmailVerification must default to true for new app configs (Phase 2A)")
}
// TestSettingRequireEmailVerification_ResolvesTrueWithNoOverrides exercises
// the runtime resolution path (settings.Get) rather than the raw JSON default:
// with a NilStore, and therefore no overrides, Get must return the registered
// default of true.
func TestSettingRequireEmailVerification_ResolvesTrueWithNoOverrides(t *testing.T) {
	manager := settings.NewManager(settings.NilStore{}, log.NewNoopLogger())
	require.NoError(t, registerCoreSessionSettings(manager))

	opts := settings.ResolveOpts{AppID: "app_test"}
	resolved, err := settings.Get(t.Context(), manager, SettingRequireEmailVerification, opts)
	require.NoError(t, err)
	assert.True(t, resolved, "with no overrides, Get must resolve to the new default (true)")
}
// TestDefaultConfig_RefreshLimit pins the default refresh rate limit
// produced by DefaultConfig at 10.
func TestDefaultConfig_RefreshLimit(t *testing.T) {
	got := DefaultConfig().RateLimit.RefreshLimit
	assert.Equal(t, 10, got, "refresh rate limit should default to 10")
}
// TestDefaultConfig_IntrospectLimit pins the default introspect rate limit
// produced by DefaultConfig at 20.
func TestDefaultConfig_IntrospectLimit(t *testing.T) {
	got := DefaultConfig().RateLimit.IntrospectLimit
	assert.Equal(t, 20, got, "introspect rate limit should default to 20")
}