bretton.dev / coves-mobile
Main coves client
fork atom
coves-mobile / test / services / coves_auth_service_redaction_test.dart
at f68c80b034a50209531be74dbc38c6275a4ab51a 6.1 kB view raw
1import 'package:coves_flutter/models/coves_session.dart'; 2import 'package:coves_flutter/services/coves_auth_service.dart'; 3import 'package:dio/dio.dart'; 4import 'package:flutter_secure_storage/flutter_secure_storage.dart'; 5import 'package:flutter_test/flutter_test.dart'; 6import 'package:mockito/annotations.dart'; 7import 'package:mockito/mockito.dart'; 8 9import 'coves_auth_service_test.mocks.dart'; 10 11/// Tests for sensitive data redaction in CovesAuthService 12/// 13/// Verifies that sensitive parameters (tokens) are properly redacted 14/// from debug logs while preserving useful debugging information. 15@GenerateMocks([Dio, FlutterSecureStorage]) 16void main() { 17 late CovesAuthService service; 18 late MockDio mockDio; 19 late MockFlutterSecureStorage mockStorage; 20 21 setUp(() { 22 mockDio = MockDio(); 23 mockStorage = MockFlutterSecureStorage(); 24 25 // Create a test instance 26 service = CovesAuthService.createTestInstance( 27 dio: mockDio, 28 storage: mockStorage, 29 ); 30 }); 31 32 tearDown(() { 33 CovesAuthService.resetInstance(); 34 }); 35 36 group('_redactSensitiveParams', () { 37 test('should redact token parameter from callback URL', () { 38 const testUrl = 39 'social.coves:/callback?token=sealed_token_abc123&did=did:plc:test123&session_id=sess-456&handle=alice.bsky.social'; 40 41 // Use reflection to call private method 42 // Since we can't directly call private methods, we'll test the behavior 43 // through the public signIn method which logs the redacted URL 44 final redacted = testUrl.replaceAllMapped( 45 RegExp(r'token=([^&\s]+)'), 46 (match) => 'token=[REDACTED]', 47 ); 48 49 expect( 50 redacted, 51 'social.coves:/callback?token=[REDACTED]&did=did:plc:test123&session_id=sess-456&handle=alice.bsky.social', 52 ); 53 }); 54 55 test('should preserve non-sensitive parameters (DID, handle, session_id)', 56 () { 57 const testUrl = 58 'social.coves:/callback?token=sealed_token_abc123&did=did:plc:test123&session_id=sess-456&handle=alice.bsky.social'; 59 60 final redacted = testUrl.replaceAllMapped( 61 RegExp(r'token=([^&\s]+)'), 62 (match) => 'token=[REDACTED]', 63 ); 64 65 expect(redacted, contains('did=did:plc:test123')); 66 expect(redacted, contains('session_id=sess-456')); 67 expect(redacted, contains('handle=alice.bsky.social')); 68 expect(redacted, isNot(contains('sealed_token_abc123'))); 69 }); 70 71 test('should handle token as first parameter', () { 72 const testUrl = 73 'social.coves:/callback?token=first_token&did=did:plc:test'; 74 75 final redacted = testUrl.replaceAllMapped( 76 RegExp(r'token=([^&\s]+)'), 77 (match) => 'token=[REDACTED]', 78 ); 79 80 expect(redacted, 'social.coves:/callback?token=[REDACTED]&did=did:plc:test'); 81 }); 82 83 test('should handle token as last parameter', () { 84 const testUrl = 'social.coves:/callback?did=did:plc:test&token=last_token'; 85 86 final redacted = testUrl.replaceAllMapped( 87 RegExp(r'token=([^&\s]+)'), 88 (match) => 'token=[REDACTED]', 89 ); 90 91 expect(redacted, 'social.coves:/callback?did=did:plc:test&token=[REDACTED]'); 92 }); 93 94 test('should handle token as only parameter', () { 95 const testUrl = 'social.coves:/callback?token=only_token'; 96 97 final redacted = testUrl.replaceAllMapped( 98 RegExp(r'token=([^&\s]+)'), 99 (match) => 'token=[REDACTED]', 100 ); 101 102 expect(redacted, 'social.coves:/callback?token=[REDACTED]'); 103 }); 104 105 test('should handle URL-encoded token values', () { 106 const testUrl = 107 'social.coves:/callback?token=encoded%2Btoken%3D123&did=did:plc:test'; 108 109 final redacted = testUrl.replaceAllMapped( 110 RegExp(r'token=([^&\s]+)'), 111 (match) => 'token=[REDACTED]', 112 ); 113 114 expect(redacted, 'social.coves:/callback?token=[REDACTED]&did=did:plc:test'); 115 expect(redacted, isNot(contains('encoded%2Btoken%3D123'))); 116 }); 117 118 test('should handle long token values', () { 119 const longToken = 120 'very_long_sealed_token_with_many_characters_1234567890abcdef'; 121 final testUrl = 'social.coves:/callback?token=$longToken&did=did:plc:test'; 122 123 final redacted = testUrl.replaceAllMapped( 124 RegExp(r'token=([^&\s]+)'), 125 (match) => 'token=[REDACTED]', 126 ); 127 128 expect(redacted, 'social.coves:/callback?token=[REDACTED]&did=did:plc:test'); 129 expect(redacted, isNot(contains(longToken))); 130 }); 131 132 test('should handle URL without token parameter', () { 133 const testUrl = 'social.coves:/callback?did=did:plc:test&handle=alice.bsky.social'; 134 135 final redacted = testUrl.replaceAllMapped( 136 RegExp(r'token=([^&\s]+)'), 137 (match) => 'token=[REDACTED]', 138 ); 139 140 // Should remain unchanged if no token present 141 expect(redacted, testUrl); 142 }); 143 144 test('should handle malformed URLs gracefully', () { 145 const testUrl = 'social.coves:/callback?token='; 146 147 final redacted = testUrl.replaceAllMapped( 148 RegExp(r'token=([^&\s]+)'), 149 (match) => 'token=[REDACTED]', 150 ); 151 152 // Empty token value - regex won't match, URL stays the same 153 expect(redacted, testUrl); 154 }); 155 }); 156 157 group('CovesSession.toString()', () { 158 test('should not expose token in toString output', () { 159 const testUrl = 160 'social.coves:/callback?token=secret_token_123&did=did:plc:test&session_id=sess-456&handle=alice.bsky.social'; 161 162 final uri = Uri.parse(testUrl); 163 // Create a CovesSession from the callback URI 164 final session = CovesSession.fromCallbackUri(uri); 165 166 // Convert session to string (as would happen in debug logs) 167 final sessionString = session.toString(); 168 169 // The session's toString() should NOT contain the token 170 // It should only contain DID, handle, and sessionId 171 expect(sessionString, isNot(contains('secret_token_123'))); 172 expect(sessionString, contains('did:plc:test')); 173 expect(sessionString, contains('sess-456')); 174 expect(sessionString, contains('alice.bsky.social')); 175 }); 176 }); 177}