(t *testing.T)
| 330 | } |
| 331 | |
| 332 | func TestDecodeFromDeviceChallenge(t *testing.T) { |
| 333 | ctx := t.Context() |
| 334 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions( |
| 335 | configx.WithValue(config.KeyConsentRequestMaxAge, time.Hour), |
| 336 | )) |
| 337 | |
| 338 | nid := reg.Networker().NetworkID(ctx) |
| 339 | testFlow := createTestFlow(nid, flow.DeviceFlowStateUnused) |
| 340 | |
| 341 | t.Run("case=successful decode with valid device challenge", func(t *testing.T) { |
| 342 | deviceChallenge, err := testFlow.ToDeviceChallenge(ctx, reg) |
| 343 | require.NoError(t, err) |
| 344 | require.NotEmpty(t, deviceChallenge) |
| 345 | |
| 346 | decoded, err := flow.DecodeFromDeviceChallenge(ctx, reg, deviceChallenge) |
| 347 | require.NoError(t, err) |
| 348 | require.NotNil(t, decoded) |
| 349 | |
| 350 | assert.Equal(t, testFlow.ID, decoded.ID) |
| 351 | assert.Equal(t, testFlow.NID, decoded.NID) |
| 352 | assert.Equal(t, testFlow.RequestedScope, decoded.RequestedScope) |
| 353 | assert.Equal(t, testFlow.Subject, decoded.Subject) |
| 354 | |
| 355 | snapshotx.SnapshotT(t, decoded, snapshotx.ExceptPaths("n", "ia")) |
| 356 | |
| 357 | t.Run("decodes deterministically", func(t *testing.T) { |
| 358 | second, err := flow.DecodeFromDeviceChallenge(ctx, reg, deviceChallenge) |
| 359 | require.NoError(t, err) |
| 360 | assert.Equal(t, decoded, second) |
| 361 | }) |
| 362 | }) |
| 363 | |
| 364 | t.Run("case=fails with wrong purpose (login challenge instead of device)", func(t *testing.T) { |
| 365 | loginChallenge, err := testFlow.ToLoginChallenge(ctx, reg) |
| 366 | require.NoError(t, err) |
| 367 | require.NotEmpty(t, loginChallenge) |
| 368 | |
| 369 | decoded, err := flow.DecodeFromDeviceChallenge(ctx, reg, loginChallenge) |
| 370 | assert.Error(t, err) |
| 371 | assert.Nil(t, decoded) |
| 372 | assert.ErrorIs(t, err, x.ErrNotFound) |
| 373 | }) |
| 374 | |
| 375 | t.Run("case=fails with different network ID", func(t *testing.T) { |
| 376 | flowWithDifferentNID := createTestFlow(uuid.Must(uuid.NewV4()), flow.DeviceFlowStateUnused) |
| 377 | |
| 378 | deviceChallenge, err := flow.Encode(ctx, reg.FlowCipher(), flowWithDifferentNID, flow.AsDeviceChallenge) |
| 379 | require.NoError(t, err) |
| 380 | require.NotEmpty(t, deviceChallenge) |
| 381 | |
| 382 | _, err = flow.DecodeFromDeviceChallenge(ctx, reg, deviceChallenge) |
| 383 | assert.ErrorIs(t, err, x.ErrNotFound) |
| 384 | }) |
| 385 | |
| 386 | t.Run("case=fails with expired request", func(t *testing.T) { |
| 387 | expiredFlow := createTestFlow(nid, flow.DeviceFlowStateUnused) |
| 388 | expiredFlow.RequestedAt = time.Now().Add(-2 * time.Hour) |
| 389 |
nothing calls this directly
no test coverage detected