Add OIDC fixes, add prefered_username, add application-user claims

2025-11-25 16:29:40 +11:00
parent 7796c38c08
commit d6029556d3
34 changed files with 1003 additions and 64 deletions
--- a/test/models/application_user_claim_test.rb
+++ b/test/models/application_user_claim_test.rb
@@ -0,0 +1,78 @@
+require "test_helper"
+
+class ApplicationUserClaimTest < ActiveSupport::TestCase
+  def setup
+    @user = users(:bob)
+    @application = applications(:another_app)
+  end
+
+  test "should create valid application user claim" do
+    claim = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: { "role": "admin" }
+    )
+    assert claim.valid?
+    assert claim.save
+  end
+
+  test "should enforce uniqueness of user per application" do
+    ApplicationUserClaim.create!(
+      user: @user,
+      application: @application,
+      custom_claims: { "role": "admin" }
+    )
+
+    duplicate = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: { "role": "user" }
+    )
+
+    assert_not duplicate.valid?
+    assert_includes duplicate.errors[:user_id], "has already been taken"
+  end
+
+  test "parsed_custom_claims returns hash" do
+    claim = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: { "role": "admin", "level": 5 }
+    )
+
+    parsed = claim.parsed_custom_claims
+    assert_equal "admin", parsed["role"]
+    assert_equal 5, parsed["level"]
+  end
+
+  test "parsed_custom_claims returns empty hash when nil" do
+    claim = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: nil
+    )
+
+    assert_equal({}, claim.parsed_custom_claims)
+  end
+
+  test "should not allow reserved OIDC claim names" do
+    claim = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: { "groups": ["admin"], "role": "user" }
+    )
+
+    assert_not claim.valid?
+    assert_includes claim.errors[:custom_claims], "cannot override reserved OIDC claims: groups"
+  end
+
+  test "should allow non-reserved claim names" do
+    claim = ApplicationUserClaim.new(
+      user: @user,
+      application: @application,
+      custom_claims: { "kavita_groups": ["admin"], "role": "user" }
+    )
+
+    assert claim.valid?
+  end
+end