(t *testing.T)
| 485 | } |
| 486 | |
| 487 | func TestDecodeAndInvalidateConsentVerifier(t *testing.T) { |
| 488 | ctx := t.Context() |
| 489 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions( |
| 490 | configx.WithValue(config.KeyConsentRequestMaxAge, time.Hour), |
| 491 | )) |
| 492 | |
| 493 | nid := reg.Networker().NetworkID(ctx) |
| 494 | |
| 495 | t.Run("case=successful decode and invalidate with valid consent verifier", func(t *testing.T) { |
| 496 | testFlow := createTestFlow(nid, flow.FlowStateConsentUnused) |
| 497 | |
| 498 | consentVerifier, err := testFlow.ToConsentVerifier(ctx, reg) |
| 499 | require.NoError(t, err) |
| 500 | require.NotEmpty(t, consentVerifier) |
| 501 | |
| 502 | decoded, err := flow.DecodeAndInvalidateConsentVerifier(ctx, reg, consentVerifier) |
| 503 | require.NoError(t, err) |
| 504 | |
| 505 | // Verify that InvalidateConsentRequest was called |
| 506 | assert.Equal(t, flow.FlowStateConsentUsed, decoded.State, "State should be FlowStateConsentUsed after invalidation") |
| 507 | |
| 508 | snapshotx.SnapshotT(t, decoded, snapshotx.ExceptPaths("n", "ia")) |
| 509 | }) |
| 510 | |
| 511 | t.Run("case=fails when flow has already been used", func(t *testing.T) { |
| 512 | testFlow := createTestFlow(nid, flow.FlowStateConsentUsed) |
| 513 | |
| 514 | consentVerifier, err := testFlow.ToConsentVerifier(ctx, reg) |
| 515 | require.NoError(t, err) |
| 516 | |
| 517 | _, err = flow.DecodeAndInvalidateConsentVerifier(ctx, reg, consentVerifier) |
| 518 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 519 | }) |
| 520 | |
| 521 | t.Run("case=fails with invalid flow state", func(t *testing.T) { |
| 522 | testFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 523 | |
| 524 | consentVerifier, err := testFlow.ToConsentVerifier(ctx, reg) |
| 525 | require.NoError(t, err) |
| 526 | |
| 527 | _, err = flow.DecodeAndInvalidateConsentVerifier(ctx, reg, consentVerifier) |
| 528 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 529 | }) |
| 530 | |
| 531 | t.Run("case=fails with wrong purpose (consent challenge instead of verifier)", func(t *testing.T) { |
| 532 | testFlow := createTestFlow(nid, flow.FlowStateConsentUnused) |
| 533 | |
| 534 | consentChallenge, err := testFlow.ToConsentChallenge(ctx, reg) |
| 535 | require.NoError(t, err) |
| 536 | require.NotEmpty(t, consentChallenge) |
| 537 | |
| 538 | _, err = flow.DecodeAndInvalidateConsentVerifier(ctx, reg, consentChallenge) |
| 539 | assert.ErrorIs(t, err, fosite.ErrAccessDenied) |
| 540 | }) |
| 541 | |
| 542 | t.Run("case=fails with different network ID", func(t *testing.T) { |
| 543 | differentNID := uuid.Must(uuid.NewV4()) |
| 544 | flowWithDifferentNID := createTestFlow(differentNID, flow.FlowStateConsentUnused) |