(t *testing.T)
| 407 | } |
| 408 | |
| 409 | func TestDecodeAndInvalidateDeviceVerifier(t *testing.T) { |
| 410 | ctx := context.Background() |
| 411 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions( |
| 412 | configx.WithValue(config.KeyConsentRequestMaxAge, time.Hour), |
| 413 | )) |
| 414 | |
| 415 | nid := reg.Networker().NetworkID(ctx) |
| 416 | |
| 417 | t.Run("case=successful decode and invalidate with valid device verifier", func(t *testing.T) { |
| 418 | testFlow := createTestFlow(nid, flow.DeviceFlowStateUnused) |
| 419 | |
| 420 | deviceVerifier, err := testFlow.ToDeviceVerifier(ctx, reg) |
| 421 | require.NoError(t, err) |
| 422 | require.NotEmpty(t, deviceVerifier) |
| 423 | |
| 424 | decoded, err := flow.DecodeAndInvalidateDeviceVerifier(ctx, reg, deviceVerifier) |
| 425 | require.NoError(t, err) |
| 426 | require.NotNil(t, decoded) |
| 427 | |
| 428 | assert.Equal(t, flow.DeviceFlowStateUsed, decoded.State, "State should be DeviceFlowStateUsed after invalidation") |
| 429 | |
| 430 | snapshotx.SnapshotT(t, decoded, snapshotx.ExceptPaths("n", "ia")) |
| 431 | }) |
| 432 | |
| 433 | t.Run("case=fails when flow has already been used", func(t *testing.T) { |
| 434 | testFlow := createTestFlow(nid, flow.DeviceFlowStateUsed) |
| 435 | |
| 436 | deviceVerifier, err := testFlow.ToDeviceVerifier(ctx, reg) |
| 437 | require.NoError(t, err) |
| 438 | |
| 439 | _, err = flow.DecodeAndInvalidateDeviceVerifier(ctx, reg, deviceVerifier) |
| 440 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 441 | }) |
| 442 | |
| 443 | t.Run("case=fails with invalid flow state", func(t *testing.T) { |
| 444 | testFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 445 | |
| 446 | deviceVerifier, err := testFlow.ToDeviceVerifier(ctx, reg) |
| 447 | require.NoError(t, err) |
| 448 | |
| 449 | _, err = flow.DecodeAndInvalidateDeviceVerifier(ctx, reg, deviceVerifier) |
| 450 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 451 | }) |
| 452 | |
| 453 | t.Run("case=fails with wrong purpose (device challenge instead of verifier)", func(t *testing.T) { |
| 454 | testFlow := createTestFlow(nid, flow.DeviceFlowStateUnused) |
| 455 | |
| 456 | deviceChallenge, err := testFlow.ToDeviceChallenge(ctx, reg) |
| 457 | require.NoError(t, err) |
| 458 | require.NotEmpty(t, deviceChallenge) |
| 459 | |
| 460 | _, err = flow.DecodeAndInvalidateDeviceVerifier(ctx, reg, deviceChallenge) |
| 461 | assert.ErrorIs(t, err, fosite.ErrAccessDenied) |
| 462 | }) |
| 463 | |
| 464 | t.Run("case=fails with different network ID", func(t *testing.T) { |
| 465 | differentNID := uuid.Must(uuid.NewV4()) |
| 466 | flowWithDifferentNID := createTestFlow(differentNID, flow.DeviceFlowStateUnused) |