(t *testing.T)
| 238 | } |
| 239 | |
| 240 | func TestDecodeAndInvalidateLoginVerifier(t *testing.T) { |
| 241 | ctx := t.Context() |
| 242 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions( |
| 243 | configx.WithValue(config.KeyConsentRequestMaxAge, time.Hour), |
| 244 | )) |
| 245 | |
| 246 | nid := reg.Networker().NetworkID(ctx) |
| 247 | |
| 248 | t.Run("case=successful decode and invalidate with valid login verifier", func(t *testing.T) { |
| 249 | testFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 250 | |
| 251 | loginVerifier, err := testFlow.ToLoginVerifier(ctx, reg) |
| 252 | require.NoError(t, err) |
| 253 | require.NotEmpty(t, loginVerifier) |
| 254 | |
| 255 | decoded, err := flow.DecodeAndInvalidateLoginVerifier(ctx, reg, loginVerifier) |
| 256 | require.NoError(t, err) |
| 257 | |
| 258 | // Verify that InvalidateLoginRequest was called |
| 259 | assert.Equal(t, flow.FlowStateLoginUsed, decoded.State, "State should be FlowStateLoginUsed after invalidation") |
| 260 | |
| 261 | snapshotx.SnapshotT(t, decoded, snapshotx.ExceptPaths("n", "ia")) |
| 262 | }) |
| 263 | |
| 264 | t.Run("case=fails when flow has already been used", func(t *testing.T) { |
| 265 | testFlow := createTestFlow(nid, flow.FlowStateLoginUsed) |
| 266 | |
| 267 | loginVerifier, err := testFlow.ToLoginVerifier(ctx, reg) |
| 268 | require.NoError(t, err) |
| 269 | |
| 270 | _, err = flow.DecodeAndInvalidateLoginVerifier(ctx, reg, loginVerifier) |
| 271 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 272 | }) |
| 273 | |
| 274 | t.Run("case=fails with invalid flow state", func(t *testing.T) { |
| 275 | testFlow := createTestFlow(nid, flow.FlowStateConsentUnused) |
| 276 | |
| 277 | loginVerifier, err := testFlow.ToLoginVerifier(ctx, reg) |
| 278 | require.NoError(t, err) |
| 279 | |
| 280 | _, err = flow.DecodeAndInvalidateLoginVerifier(ctx, reg, loginVerifier) |
| 281 | assert.ErrorIs(t, err, fosite.ErrInvalidRequest) |
| 282 | }) |
| 283 | |
| 284 | t.Run("case=fails with wrong purpose (login challenge instead of verifier)", func(t *testing.T) { |
| 285 | testFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 286 | |
| 287 | loginChallenge, err := testFlow.ToLoginChallenge(ctx, reg) |
| 288 | require.NoError(t, err) |
| 289 | require.NotEmpty(t, loginChallenge) |
| 290 | |
| 291 | _, err = flow.DecodeAndInvalidateLoginVerifier(ctx, reg, loginChallenge) |
| 292 | assert.ErrorIs(t, err, fosite.ErrAccessDenied) |
| 293 | }) |
| 294 | |
| 295 | t.Run("case=fails with different network ID", func(t *testing.T) { |
| 296 | differentNID := uuid.Must(uuid.NewV4()) |
| 297 | flowWithDifferentNID := createTestFlow(differentNID, flow.FlowStateLoginUnused) |