Remove plain text token from everywhere

This commit is contained in:
Dan Milne
2025-12-30 11:58:11 +11:00
parent 99c3ac905f
commit 71d59e7367
5 changed files with 21 additions and 28 deletions


@@ -1,14 +1,16 @@
# Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
one:
token: <%= SecureRandom.urlsafe_base64(32) %>
token_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
token_prefix: <%= SecureRandom.urlsafe_base64(8)[0..7] %>
application: kavita_app
user: alice
scope: "openid profile email"
expires_at: 2025-12-31 23:59:59
two:
token: <%= SecureRandom.urlsafe_base64(32) %>
token_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
token_prefix: <%= SecureRandom.urlsafe_base64(8)[0..7] %>
application: another_app
user: bob
scope: "openid profile email"
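Review bot: The new `token_prefix` and `token_digest` values in both fixtures are generated from independent random strings, so neither fixture has a prefix that belongs to the token its digest was made from, and no test can look a record up by prefix and then check a known plaintext against the digest (assuming that is how the model pairs the two columns; the model is outside this diff). Deriving both from one ERB local keeps them consistent: `<% one_token = SecureRandom.urlsafe_base64(32) %>`, `token_digest: <%= BCrypt::Password.create(one_token) %>`, `token_prefix: <%= one_token[0..7] %>`, and likewise for `two`. Separately, fixture `one` hard-codes `expires_at: 2025-12-31 23:59:59`, one day after this commit's date, so any test that relies on `one` being unexpired will start failing from then on; a value computed at load time such as `<%= 1.hour.from_now.to_fs(:db) %>` avoids the cliff, while fixture `two` has no `expires_at` at all.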


@@ -24,10 +24,10 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
application: applications(:kavita_app),
user: users(:alice)
)
assert_nil new_token.token
assert_nil new_token.plaintext_token
assert new_token.save
assert_not_nil new_token.token
assert_match /^[A-Za-z0-9_-]+$/, new_token.token
assert_not_nil new_token.plaintext_token
assert_match /^[A-Za-z0-9_-]+$/, new_token.plaintext_token
end
test "should set expiry before validation on create" do
@@ -42,23 +42,6 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
assert new_token.expires_at <= 61.minutes.from_now # Allow some variance
end
test "should validate presence of token" do
@access_token.token = nil
assert_not @access_token.valid?
assert_includes @access_token.errors[:token], "can't be blank"
end
test "should validate uniqueness of token" do
@access_token.save! if @access_token.changed?
duplicate = OidcAccessToken.new(
token: @access_token.token,
application: applications(:another_app),
user: users(:bob)
)
assert_not duplicate.valid?
assert_includes duplicate.errors[:token], "has already been taken"
end
test "should identify expired tokens correctly" do
@access_token.expires_at = 5.minutes.ago
assert @access_token.expired?, "Should identify past expiry as expired"
@@ -153,7 +136,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
application: applications(:kavita_app),
user: users(:alice)
)
tokens << token.token
tokens << token.plaintext_token
end
# All tokens should be unique
@@ -180,7 +163,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
user: users(:alice)
)
assert access_token.token.length > auth_code.code.length,
assert access_token.plaintext_token.length > auth_code.code.length,
"Access tokens should be longer than authorization codes"
end
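Review bot: The regex on the new `assert_match` line for `plaintext_token` uses `^`/`$`, which in Ruby anchor to line boundaries rather than the whole string, so a value with a newline followed by a valid segment still passes; use `assert_match(/\A[A-Za-z0-9_-]+\z/, new_token.plaintext_token)` (the `token` line it replaces had the same weakness). The creation test also stops short of the commit's own goal: nothing asserts that the plaintext is not persisted, so adding `assert_not_nil new_token.token_digest` and `assert_nil OidcAccessToken.find(new_token.id).plaintext_token` after the save would pin that behaviour (this assumes `plaintext_token` is an in-memory attribute rather than a column, which the model outside this diff decides). The deleted presence and uniqueness tests for `token` are not replaced by equivalents for `token_digest`/`token_prefix` anywhere in the visible hunks, so if the model still validates those columns that coverage is gone. The enclosing `OidcAccessTokenTest` class starts and ends outside the hunks.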