easyai-ai-gateway/apps/api/internal/auth/oidc_session_cookie_test.go
chengcheng d345c070ae feat: 实现 OIDC 服务端会话与请求刷新
使用 AES-256-GCM 保存认证中心令牌,并以随机 Cookie 哈希关联 PostgreSQL 会话。加入闲置与绝对期限、Refresh Token 轮换以及多实例刷新锁。
2026-07-13 19:09:10 +08:00

76 lines
2.8 KiB
Go

package auth
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"time"
)
func TestAuthenticateResolvesOpaqueOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
var resolved string
authenticator.OIDCSessionResolver = func(_ context.Context, raw string) (*User, error) {
resolved = raw
return &User{ID: "platform-subject", Source: "oidc", Roles: []string{"user"}}, nil
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate OIDC session cookie: %v", err)
}
if user.ID != "platform-subject" || user.Source != "oidc" {
t.Fatalf("unexpected session user: %#v", user)
}
if resolved != "opaque-session-id" {
t.Fatalf("session resolver received %q", resolved)
}
}
func TestAuthenticateBearerTakesPrecedenceOverOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
localToken, err := authenticator.SignJWT(&User{ID: "local-user", Source: "gateway", Roles: []string{"user"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.Header.Set("Authorization", "Bearer "+localToken)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate bearer token: %v", err)
}
if user.ID != "local-user" || user.Source != "gateway" {
t.Fatalf("cookie overrode explicit bearer credentials: %#v", user)
}
}
func TestAuthenticateRejectsInvalidOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
if _, err := authenticator.Authenticate(request); err == nil {
t.Fatal("invalid OIDC session cookie was accepted")
}
}
func TestPublicRouteIgnoresExpiredOptionalOIDCSession(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
authenticator.OIDCSessionResolver = func(context.Context, string) (*User, error) {
return nil, &RequestAuthError{Status: http.StatusUnauthorized, Code: "OIDC_SESSION_EXPIRED", Message: "expired"}
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/public/catalog/providers", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "opaque-session-id"})
recorder := httptest.NewRecorder()
authenticator.Require(PermissionPublic, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusNoContent)
})).ServeHTTP(recorder, request)
if recorder.Code != http.StatusNoContent {
t.Fatalf("public route status = %d, want %d", recorder.Code, http.StatusNoContent)
}
}