(t *testing.T)
| 84 | } |
| 85 | |
| 86 | func TestDecodeFromLoginChallenge(t *testing.T) { |
| 87 | ctx := t.Context() |
| 88 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions( |
| 89 | configx.WithValue(config.KeyConsentRequestMaxAge, time.Hour), |
| 90 | )) |
| 91 | |
| 92 | nid := reg.Networker().NetworkID(ctx) |
| 93 | testFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 94 | |
| 95 | t.Run("case=successful decode with valid login challenge", func(t *testing.T) { |
| 96 | loginChallenge, err := testFlow.ToLoginChallenge(ctx, reg) |
| 97 | require.NoError(t, err) |
| 98 | require.NotEmpty(t, loginChallenge) |
| 99 | |
| 100 | decoded, err := flow.DecodeFromLoginChallenge(ctx, reg, loginChallenge) |
| 101 | require.NoError(t, err) |
| 102 | require.NotNil(t, decoded) |
| 103 | |
| 104 | assert.Equal(t, testFlow.ID, decoded.ID) |
| 105 | assert.Equal(t, testFlow.NID, decoded.NID) |
| 106 | assert.Equal(t, testFlow.RequestedScope, decoded.RequestedScope) |
| 107 | assert.Equal(t, testFlow.Subject, decoded.Subject) |
| 108 | |
| 109 | snapshotx.SnapshotT(t, decoded, snapshotx.ExceptPaths("n", "ia")) |
| 110 | |
| 111 | t.Run("decodes deterministically", func(t *testing.T) { |
| 112 | second, err := flow.DecodeFromLoginChallenge(ctx, reg, loginChallenge) |
| 113 | require.NoError(t, err) |
| 114 | assert.Equal(t, decoded, second) |
| 115 | }) |
| 116 | }) |
| 117 | |
| 118 | t.Run("case=fails with wrong purpose (consent challenge instead of login)", func(t *testing.T) { |
| 119 | consentChallenge, err := testFlow.ToConsentChallenge(ctx, reg) |
| 120 | require.NoError(t, err) |
| 121 | require.NotEmpty(t, consentChallenge) |
| 122 | |
| 123 | decoded, err := flow.DecodeFromLoginChallenge(ctx, reg, consentChallenge) |
| 124 | assert.Error(t, err) |
| 125 | assert.Nil(t, decoded) |
| 126 | assert.ErrorIs(t, err, x.ErrNotFound) |
| 127 | }) |
| 128 | |
| 129 | t.Run("case=fails with different network ID", func(t *testing.T) { |
| 130 | flowWithDifferentNID := createTestFlow(uuid.Must(uuid.NewV4()), flow.FlowStateLoginUnused) |
| 131 | |
| 132 | loginChallenge, err := flow.Encode(ctx, reg.FlowCipher(), flowWithDifferentNID, flow.AsLoginChallenge) |
| 133 | require.NoError(t, err) |
| 134 | require.NotEmpty(t, loginChallenge) |
| 135 | |
| 136 | _, err = flow.DecodeFromLoginChallenge(ctx, reg, loginChallenge) |
| 137 | assert.ErrorIs(t, err, x.ErrNotFound) |
| 138 | }) |
| 139 | |
| 140 | t.Run("case=fails with expired request", func(t *testing.T) { |
| 141 | expiredFlow := createTestFlow(nid, flow.FlowStateLoginUnused) |
| 142 | expiredFlow.RequestedAt = time.Now().Add(-2 * time.Hour) |
| 143 |