Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/sessions/controller.go1
-rw-r--r--app/controllers/sessions/controller_test.go19
2 files changed, 18 insertions, 2 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index ba3d112..7b6c871 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -20,6 +20,7 @@ func (c *Controller) MountTo(mux *http.ServeMux) {
}
func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
+ // TODO:: Generate and store nonce and use as state param to compare as a CSRF token
url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
http.Redirect(w, r, url, http.StatusFound)
}
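Review bot: The `state` argument at `AuthCodeURL("todo-csrf-token", ...)` is still a constant, so the callback has no per-browser value to compare against and cannot tell a forged authorization response from a genuine one (login CSRF); the new TODO names the gap but the commit does not close it. Generate the value from crypto/rand on every request, bind it to the browser in an HttpOnly cookie scoped to the callback path, and have the callback reject any response whose `state` does not equal the cookie value — use `SameSite=Lax` rather than `Strict`, otherwise the cookie is not sent on the top-level redirect back from the provider and every login fails. The `audience` value on the same line is also the placeholder `"todo"` and presumably needs to come from configuration. The `/session/callback` path below is taken from the test file, not from this hunk, and the import block (which would need `crypto/rand` and `encoding/base64`) is outside the hunk.
```go
func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
	// Per-request random state: the callback must compare the provider's
	// state query parameter against this cookie before exchanging the code.
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	state := base64.RawURLEncoding.EncodeToString(raw)
	http.SetCookie(w, &http.Cookie{
		Name:     "oauth_state",
		Value:    state,
		Path:     "/session/callback", // from controller_test.go; confirm against the mux
		MaxAge:   600,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode, // Lax so the cookie survives the redirect back from the IdP
	})
	url := c.cfg.Config.AuthCodeURL(state, oauth2.SetAuthURLParam("audience", "todo"))
	http.Redirect(w, r, url, http.StatusFound)
}
```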
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 5018e0c..d90896e 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -49,8 +49,8 @@ func TestSessions(t *testing.T) {
mux := http.NewServeMux()
controller.MountTo(mux)
- t.Run("GET /", func(t *testing.T) {
- t.Run("Without an authenticated session", func(t *testing.T) {
+ t.Run("GET /session/new", func(t *testing.T) {
+ t.Run("without an authenticated session", func(t *testing.T) {
t.Run("redirect to the OIDC Provider", func(t *testing.T) {
r, w := test.RequestResponse("GET", "/session/new")
@@ -69,6 +69,21 @@ func TestSessions(t *testing.T) {
assert.Equal(t, cfg.Config.RedirectURL, redirectURL.Query().Get("redirect_uri"))
assert.Equal(t, "code", redirectURL.Query().Get("response_type"))
})
+
+ t.Run("generates a CSRF token", func(t *testing.T) {})
+ })
+
+ t.Run("with an active authenicated session", func(t *testing.T) {})
+ t.Run("with an expired authenicated session", func(t *testing.T) {})
+ })
+
+ t.Run("GET /session/callback", func(t *testing.T) {
+ t.Run("with an invalid csrf token", func(t *testing.T) {})
+ t.Run("with an invalid authorization code grant", func(t *testing.T) {})
+ t.Run("with a valid authorization code grant", func(t *testing.T) {
+ t.Run("stores the id token in a session cookie", func(t *testing.T) {})
+ t.Run("stores the access token in a session cookie", func(t *testing.T) {})
+ t.Run("redirects to the homepage", func(t *testing.T) {})
})
})
}
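Review bot: Every added subtest from `"generates a CSRF token"` through `"redirects to the homepage"` has an empty body, so `go test` reports them as passing although nothing is checked — including `"with an invalid csrf token"`, the one case that would catch the hard-coded `"todo-csrf-token"` state in `New`. Until they are implemented, mark each with `t.Skip("not implemented")` so the gap is visible in `-v` output and in CI rather than hidden behind a green run. For the CSRF case, the useful assertions are that `redirectURL.Query().Get("state")` is non-empty and that two requests to `/session/new` yield different values. The names on the two session-state subtests read "authenicated"; `authenticated` is intended. The enclosing `TestSessions` function starts before this hunk.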