feat: generate a nonce to validate the OAuth callback

author: mo khan <mo@mokhan.ca> 2025-04-28 16:23:19 -0600
committer: mo khan <mo@mokhan.ca> 2025-04-28 16:23:19 -0600
commit: 62fdf88cbdec6dbf248bea13611521667112f5e1 (patch)
tree: 2632236a73a674aa86f8efe46f3553f8d81e5328 /app/controllers/sessions/controller_test.go
parent: 3b942be3d49830b80689a5c7b9f0fda4b3deb44b (diff)
1 files changed, 15 insertions, 5 deletions
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index e325afc..64c9fc1 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -37,11 +37,11 @@ func TestSessions(t *testing.T) {
 
 	t.Run("GET /session/new", func(t *testing.T) {
 		t.Run("without an authenticated session", func(t *testing.T) {
-			t.Run("redirect to the OIDC Provider", func(t *testing.T) {
-				r, w := test.RequestResponse("GET", "/session/new")
+			r, w := test.RequestResponse("GET", "/session/new")
 
-				mux.ServeHTTP(w, r)
+			mux.ServeHTTP(w, r)
 
+			t.Run("redirect to the OIDC Provider", func(t *testing.T) {
 				require.Equal(t, http.StatusFound, w.Code)
 				require.NotEmpty(t, w.Header().Get("Location"))
 				redirectURL, err := url.Parse(w.Header().Get("Location"))
@@ -50,12 +50,22 @@ func TestSessions(t *testing.T) {
 				assert.NotEmpty(t, redirectURL.Query().Get("state"))
 				assert.Equal(t, srv.MockOIDC.Config().ClientID, redirectURL.Query().Get("client_id"))
 				assert.Equal(t, "openid profile email", redirectURL.Query().Get("scope"))
-				assert.Equal(t, "todo", redirectURL.Query().Get("audience"))
+				assert.Equal(t, cfg.Config.ClientID, redirectURL.Query().Get("audience"))
 				assert.Equal(t, cfg.Config.RedirectURL, redirectURL.Query().Get("redirect_uri"))
 				assert.Equal(t, "code", redirectURL.Query().Get("response_type"))
 			})
 
-			t.Run("generates a CSRF token", func(t *testing.T) {})
+			t.Run("generates a CSRF token", func(t *testing.T) {
+				cookieHeader := w.Header().Get("Set-Cookie")
+				require.NotEmpty(t, cookieHeader)
+
+				cookies, err := http.ParseCookie(cookieHeader)
+				require.NoError(t, err)
+				cookie := x.Find(cookies, func(item *http.Cookie) bool {
+					return item.Name == "oauth_state"
+				})
+				require.NotZero(t, cookie)
+			})
 		})
 
 		t.Run("with an active authenicated session", func(t *testing.T) {})
author	mo khan <mo@mokhan.ca>	2025-04-28 16:23:19 -0600
committer	mo khan <mo@mokhan.ca>	2025-04-28 16:23:19 -0600
commit	62fdf88cbdec6dbf248bea13611521667112f5e1 (patch)
tree	2632236a73a674aa86f8efe46f3553f8d81e5328 /app/controllers/sessions/controller_test.go
parent	3b942be3d49830b80689a5c7b9f0fda4b3deb44b (diff)