easyai-ai-gateway/apps/api/internal/auth/oidc_session_cookie_test.go
chengcheng a81a7b5200 fix: 修复 OIDC 用户预配与跨标签页登录态
增加受控 JIT 本地用户投影,并使用 HttpOnly Cookie 在新标签页恢复认证中心登录态。补充错误语义、安全校验、自动化测试与回滚配置。
2026-07-13 17:07:52 +08:00

87 lines
2.9 KiB
Go

package auth
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
)
func TestAuthenticateAcceptsValidatedOIDCSessionCookie(t *testing.T) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
var issuer string
issuerServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/.well-known/openid-configuration":
_ = json.NewEncoder(w).Encode(map[string]any{"issuer": issuer, "jwks_uri": issuer + "/jwks"})
case "/jwks":
_ = json.NewEncoder(w).Encode(map[string]any{"keys": []any{ecJWK("ec-key", &key.PublicKey)}})
default:
http.NotFound(w, r)
}
}))
defer issuerServer.Close()
issuer = issuerServer.URL
verifier, err := NewOIDCVerifier(OIDCConfig{
Issuer: issuer, Audience: "gateway-api", TenantID: "tenant-1", RolePrefix: "gateway.",
RequiredScopes: []string{"gateway.access"}, HTTPClient: issuerServer.Client(),
})
if err != nil {
t.Fatal(err)
}
authenticator := New("local-jwt-secret", "", "")
authenticator.OIDCVerifier = verifier
raw := signedOIDCToken(t, issuer, "ec-key", jwt.SigningMethodES256, key, nil)
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: raw})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate OIDC session cookie: %v", err)
}
if user.ID != "platform-subject" || user.Source != "oidc" {
t.Fatalf("unexpected session user: %#v", user)
}
if user.TokenExpiresAt.Before(time.Now().Add(50 * time.Minute)) {
t.Fatalf("token expiry was not retained: %v", user.TokenExpiresAt)
}
}
func TestAuthenticateBearerTakesPrecedenceOverOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
localToken, err := authenticator.SignJWT(&User{ID: "local-user", Source: "gateway", Roles: []string{"user"}}, time.Hour)
if err != nil {
t.Fatal(err)
}
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.Header.Set("Authorization", "Bearer "+localToken)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
user, err := authenticator.Authenticate(request)
if err != nil {
t.Fatalf("authenticate bearer token: %v", err)
}
if user.ID != "local-user" || user.Source != "gateway" {
t.Fatalf("cookie overrode explicit bearer credentials: %#v", user)
}
}
func TestAuthenticateRejectsInvalidOIDCSessionCookie(t *testing.T) {
authenticator := New("local-jwt-secret", "", "")
request := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
request.AddCookie(&http.Cookie{Name: OIDCSessionCookieName, Value: "not-a-token"})
if _, err := authenticator.Authenticate(request); err == nil {
t.Fatal("invalid OIDC session cookie was accepted")
}
}