package oidcsession import ( "bytes" "strings" "testing" ) func TestCipherEncryptsTokenBundleAndAuthenticatesContext(t *testing.T) { key := bytes.Repeat([]byte{0x42}, 32) cipher, err := NewCipher(key) if err != nil { t.Fatal(err) } bundle := TokenBundle{AccessToken: "plain-access", RefreshToken: "plain-refresh", IDToken: "plain-id"} encrypted, err := cipher.EncryptBundle(bundle, "session-id", "gateway-user-id") if err != nil { t.Fatal(err) } if strings.Contains(string(encrypted), "plain-") { t.Fatal("token bundle was stored in plaintext") } decoded, err := cipher.DecryptBundle(encrypted, "session-id", "gateway-user-id") if err != nil { t.Fatal(err) } if decoded != bundle { t.Fatalf("decoded bundle = %#v", decoded) } if _, err := cipher.DecryptBundle(encrypted, "another-session", "gateway-user-id"); err == nil { t.Fatal("ciphertext was accepted with different authenticated context") } } func TestCipherRequiresIndependentAES256Key(t *testing.T) { if _, err := NewCipher(make([]byte, 31)); err == nil { t.Fatal("31-byte key was accepted") } }