···

       
1
       
1
       
+
       
package e2e

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"Coves/internal/api/middleware"

     

       
5
       
5
       
+
       
	"net/http"

     

       
6
       
6
       
+
       
	"net/http/httptest"

     

       
7
       
7
       
+
       
	"testing"

     

       
8
       
8
       
+
       
	"time"

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
	"github.com/stretchr/testify/assert"

     

       
11
       
11
       
+
       
)

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
// TestRateLimiting_E2E_OAuthEndpoints tests OAuth-specific rate limiting

     

       
14
       
14
       
+
       
// OAuth endpoints have stricter rate limits to prevent:

     

       
15
       
15
       
+
       
// - Credential stuffing attacks on login endpoints (10 req/min)

     

       
16
       
16
       
+
       
// - OAuth state exhaustion

     

       
17
       
17
       
+
       
// - Refresh token abuse (20 req/min)

     

       
18
       
18
       
+
       
func TestRateLimiting_E2E_OAuthEndpoints(t *testing.T) {

     

       
19
       
19
       
+
       
	t.Run("Login endpoints have 10 req/min limit", func(t *testing.T) {

     

       
20
       
20
       
+
       
		// Create rate limiter matching oauth.go config: 10 requests per minute

     

       
21
       
21
       
+
       
		loginLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
		// Mock OAuth login handler

     

       
24
       
24
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
25
       
25
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
26
       
26
       
+
       
			_, _ = w.Write([]byte("OK"))

     

       
27
       
27
       
+
       
		})

     

       
28
       
28
       
+
       


     

       
29
       
29
       
+
       
		handler := loginLimiter.Middleware(testHandler)

     

       
30
       
30
       
+
       
		clientIP := "192.168.1.200:12345"

     

       
31
       
31
       
+
       


     

       
32
       
32
       
+
       
		// Make exactly 10 requests (at limit)

     

       
33
       
33
       
+
       
		for i := 0; i < 10; i++ {

     

       
34
       
34
       
+
       
			req := httptest.NewRequest("GET", "/oauth/login", nil)

     

       
35
       
35
       
+
       
			req.RemoteAddr = clientIP

     

       
36
       
36
       
+
       
			rr := httptest.NewRecorder()

     

       
37
       
37
       
+
       


     

       
38
       
38
       
+
       
			handler.ServeHTTP(rr, req)

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code, "Request %d should succeed", i+1)

     

       
41
       
41
       
+
       
		}

     

       
42
       
42
       
+
       


     

       
43
       
43
       
+
       
		// 11th request should be rate limited

     

       
44
       
44
       
+
       
		req := httptest.NewRequest("GET", "/oauth/login", nil)

     

       
45
       
45
       
+
       
		req.RemoteAddr = clientIP

     

       
46
       
46
       
+
       
		rr := httptest.NewRecorder()

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
		handler.ServeHTTP(rr, req)

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Request 11 should be rate limited")

     

       
51
       
51
       
+
       
		assert.Contains(t, rr.Body.String(), "Rate limit exceeded", "Should have rate limit error message")

     

       
52
       
52
       
+
       
	})

     

       
53
       
53
       
+
       


     

       
54
       
54
       
+
       
	t.Run("Mobile login endpoints have 10 req/min limit", func(t *testing.T) {

     

       
55
       
55
       
+
       
		loginLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
56
       
56
       
+
       


     

       
57
       
57
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
58
       
58
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
59
       
59
       
+
       
		})

     

       
60
       
60
       
+
       


     

       
61
       
61
       
+
       
		handler := loginLimiter.Middleware(testHandler)

     

       
62
       
62
       
+
       
		clientIP := "192.168.1.201:12345"

     

       
63
       
63
       
+
       


     

       
64
       
64
       
+
       
		// Make 10 requests

     

       
65
       
65
       
+
       
		for i := 0; i < 10; i++ {

     

       
66
       
66
       
+
       
			req := httptest.NewRequest("GET", "/oauth/mobile/login", nil)

     

       
67
       
67
       
+
       
			req.RemoteAddr = clientIP

     

       
68
       
68
       
+
       
			rr := httptest.NewRecorder()

     

       
69
       
69
       
+
       
			handler.ServeHTTP(rr, req)

     

       
70
       
70
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code)

     

       
71
       
71
       
+
       
		}

     

       
72
       
72
       
+
       


     

       
73
       
73
       
+
       
		// 11th request blocked

     

       
74
       
74
       
+
       
		req := httptest.NewRequest("GET", "/oauth/mobile/login", nil)

     

       
75
       
75
       
+
       
		req.RemoteAddr = clientIP

     

       
76
       
76
       
+
       
		rr := httptest.NewRecorder()

     

       
77
       
77
       
+
       
		handler.ServeHTTP(rr, req)

     

       
78
       
78
       
+
       


     

       
79
       
79
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Mobile login should be rate limited at 10 req/min")

     

       
80
       
80
       
+
       
	})

     

       
81
       
81
       
+
       


     

       
82
       
82
       
+
       
	t.Run("Refresh endpoint has 20 req/min limit", func(t *testing.T) {

     

       
83
       
83
       
+
       
		// Refresh has higher limit (20 req/min) for legitimate token refresh

     

       
84
       
84
       
+
       
		refreshLimiter := middleware.NewRateLimiter(20, 1*time.Minute)

     

       
85
       
85
       
+
       


     

       
86
       
86
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
87
       
87
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
88
       
88
       
+
       
		})

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
		handler := refreshLimiter.Middleware(testHandler)

     

       
91
       
91
       
+
       
		clientIP := "192.168.1.202:12345"

     

       
92
       
92
       
+
       


     

       
93
       
93
       
+
       
		// Make 20 requests

     

       
94
       
94
       
+
       
		for i := 0; i < 20; i++ {

     

       
95
       
95
       
+
       
			req := httptest.NewRequest("POST", "/oauth/refresh", nil)

     

       
96
       
96
       
+
       
			req.RemoteAddr = clientIP

     

       
97
       
97
       
+
       
			rr := httptest.NewRecorder()

     

       
98
       
98
       
+
       
			handler.ServeHTTP(rr, req)

     

       
99
       
99
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code, "Request %d should succeed", i+1)

     

       
100
       
100
       
+
       
		}

     

       
101
       
101
       
+
       


     

       
102
       
102
       
+
       
		// 21st request blocked

     

       
103
       
103
       
+
       
		req := httptest.NewRequest("POST", "/oauth/refresh", nil)

     

       
104
       
104
       
+
       
		req.RemoteAddr = clientIP

     

       
105
       
105
       
+
       
		rr := httptest.NewRecorder()

     

       
106
       
106
       
+
       
		handler.ServeHTTP(rr, req)

     

       
107
       
107
       
+
       


     

       
108
       
108
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Refresh should be rate limited at 20 req/min")

     

       
109
       
109
       
+
       
	})

     

       
110
       
110
       
+
       


     

       
111
       
111
       
+
       
	t.Run("Logout endpoint has 10 req/min limit", func(t *testing.T) {

     

       
112
       
112
       
+
       
		logoutLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
113
       
113
       
+
       


     

       
114
       
114
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
115
       
115
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
116
       
116
       
+
       
		})

     

       
117
       
117
       
+
       


     

       
118
       
118
       
+
       
		handler := logoutLimiter.Middleware(testHandler)

     

       
119
       
119
       
+
       
		clientIP := "192.168.1.203:12345"

     

       
120
       
120
       
+
       


     

       
121
       
121
       
+
       
		// Make 10 requests

     

       
122
       
122
       
+
       
		for i := 0; i < 10; i++ {

     

       
123
       
123
       
+
       
			req := httptest.NewRequest("POST", "/oauth/logout", nil)

     

       
124
       
124
       
+
       
			req.RemoteAddr = clientIP

     

       
125
       
125
       
+
       
			rr := httptest.NewRecorder()

     

       
126
       
126
       
+
       
			handler.ServeHTTP(rr, req)

     

       
127
       
127
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code)

     

       
128
       
128
       
+
       
		}

     

       
129
       
129
       
+
       


     

       
130
       
130
       
+
       
		// 11th request blocked

     

       
131
       
131
       
+
       
		req := httptest.NewRequest("POST", "/oauth/logout", nil)

     

       
132
       
132
       
+
       
		req.RemoteAddr = clientIP

     

       
133
       
133
       
+
       
		rr := httptest.NewRecorder()

     

       
134
       
134
       
+
       
		handler.ServeHTTP(rr, req)

     

       
135
       
135
       
+
       


     

       
136
       
136
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Logout should be rate limited at 10 req/min")

     

       
137
       
137
       
+
       
	})

     

       
138
       
138
       
+
       


     

       
139
       
139
       
+
       
	t.Run("OAuth callback has 10 req/min limit", func(t *testing.T) {

     

       
140
       
140
       
+
       
		// Callback uses same limiter as login (part of auth flow)

     

       
141
       
141
       
+
       
		callbackLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
142
       
142
       
+
       


     

       
143
       
143
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
144
       
144
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
145
       
145
       
+
       
		})

     

       
146
       
146
       
+
       


     

       
147
       
147
       
+
       
		handler := callbackLimiter.Middleware(testHandler)

     

       
148
       
148
       
+
       
		clientIP := "192.168.1.204:12345"

     

       
149
       
149
       
+
       


     

       
150
       
150
       
+
       
		// Make 10 requests

     

       
151
       
151
       
+
       
		for i := 0; i < 10; i++ {

     

       
152
       
152
       
+
       
			req := httptest.NewRequest("GET", "/oauth/callback", nil)

     

       
153
       
153
       
+
       
			req.RemoteAddr = clientIP

     

       
154
       
154
       
+
       
			rr := httptest.NewRecorder()

     

       
155
       
155
       
+
       
			handler.ServeHTTP(rr, req)

     

       
156
       
156
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code)

     

       
157
       
157
       
+
       
		}

     

       
158
       
158
       
+
       


     

       
159
       
159
       
+
       
		// 11th request blocked

     

       
160
       
160
       
+
       
		req := httptest.NewRequest("GET", "/oauth/callback", nil)

     

       
161
       
161
       
+
       
		req.RemoteAddr = clientIP

     

       
162
       
162
       
+
       
		rr := httptest.NewRecorder()

     

       
163
       
163
       
+
       
		handler.ServeHTTP(rr, req)

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Callback should be rate limited at 10 req/min")

     

       
166
       
166
       
+
       
	})

     

       
167
       
167
       
+
       


     

       
168
       
168
       
+
       
	t.Run("OAuth rate limits are stricter than global limit", func(t *testing.T) {

     

       
169
       
169
       
+
       
		// Verify OAuth limits are more restrictive than global 100 req/min

     

       
170
       
170
       
+
       
		const globalLimit = 100

     

       
171
       
171
       
+
       
		const oauthLoginLimit = 10

     

       
172
       
172
       
+
       
		const oauthRefreshLimit = 20

     

       
173
       
173
       
+
       


     

       
174
       
174
       
+
       
		assert.Less(t, oauthLoginLimit, globalLimit, "OAuth login limit should be stricter than global")

     

       
175
       
175
       
+
       
		assert.Less(t, oauthRefreshLimit, globalLimit, "OAuth refresh limit should be stricter than global")

     

       
176
       
176
       
+
       
		assert.Greater(t, oauthRefreshLimit, oauthLoginLimit, "Refresh limit should be higher than login (legitimate use case)")

     

       
177
       
177
       
+
       
	})

     

       
178
       
178
       
+
       


     

       
179
       
179
       
+
       
	t.Run("OAuth limits prevent credential stuffing", func(t *testing.T) {

     

       
180
       
180
       
+
       
		// Simulate credential stuffing attack

     

       
181
       
181
       
+
       
		loginLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
182
       
182
       
+
       


     

       
183
       
183
       
+
       
		testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
184
       
184
       
+
       
			// Simulate failed login attempts

     

       
185
       
185
       
+
       
			w.WriteHeader(http.StatusUnauthorized)

     

       
186
       
186
       
+
       
		})

     

       
187
       
187
       
+
       


     

       
188
       
188
       
+
       
		handler := loginLimiter.Middleware(testHandler)

     

       
189
       
189
       
+
       
		attackerIP := "203.0.113.50:12345"

     

       
190
       
190
       
+
       


     

       
191
       
191
       
+
       
		// Attacker tries 15 login attempts (credential stuffing)

     

       
192
       
192
       
+
       
		successfulAttempts := 0

     

       
193
       
193
       
+
       
		blockedAttempts := 0

     

       
194
       
194
       
+
       


     

       
195
       
195
       
+
       
		for i := 0; i < 15; i++ {

     

       
196
       
196
       
+
       
			req := httptest.NewRequest("GET", "/oauth/login", nil)

     

       
197
       
197
       
+
       
			req.RemoteAddr = attackerIP

     

       
198
       
198
       
+
       
			rr := httptest.NewRecorder()

     

       
199
       
199
       
+
       


     

       
200
       
200
       
+
       
			handler.ServeHTTP(rr, req)

     

       
201
       
201
       
+
       


     

       
202
       
202
       
+
       
			if rr.Code == http.StatusUnauthorized {

     

       
203
       
203
       
+
       
				successfulAttempts++ // Reached handler (even if auth failed)

     

       
204
       
204
       
+
       
			} else if rr.Code == http.StatusTooManyRequests {

     

       
205
       
205
       
+
       
				blockedAttempts++

     

       
206
       
206
       
+
       
			}

     

       
207
       
207
       
+
       
		}

     

       
208
       
208
       
+
       


     

       
209
       
209
       
+
       
		// Rate limiter should block 5 attempts after first 10

     

       
210
       
210
       
+
       
		assert.Equal(t, 10, successfulAttempts, "Should allow 10 login attempts")

     

       
211
       
211
       
+
       
		assert.Equal(t, 5, blockedAttempts, "Should block 5 attempts after limit reached")

     

       
212
       
212
       
+
       
	})

     

       
213
       
213
       
+
       


     

       
214
       
214
       
+
       
	t.Run("OAuth limits are per-endpoint", func(t *testing.T) {

     

       
215
       
215
       
+
       
		// Each endpoint gets its own rate limiter

     

       
216
       
216
       
+
       
		// This test verifies that limits are independent per endpoint

     

       
217
       
217
       
+
       
		loginLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       
218
       
218
       
+
       
		refreshLimiter := middleware.NewRateLimiter(20, 1*time.Minute)

     

       
219
       
219
       
+
       


     

       
220
       
220
       
+
       
		loginHandler := loginLimiter.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
221
       
221
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
222
       
222
       
+
       
		}))

     

       
223
       
223
       
+
       


     

       
224
       
224
       
+
       
		refreshHandler := refreshLimiter.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
225
       
225
       
+
       
			w.WriteHeader(http.StatusOK)

     

       
226
       
226
       
+
       
		}))

     

       
227
       
227
       
+
       


     

       
228
       
228
       
+
       
		clientIP := "192.168.1.205:12345"

     

       
229
       
229
       
+
       


     

       
230
       
230
       
+
       
		// Exhaust login limit

     

       
231
       
231
       
+
       
		for i := 0; i < 10; i++ {

     

       
232
       
232
       
+
       
			req := httptest.NewRequest("GET", "/oauth/login", nil)

     

       
233
       
233
       
+
       
			req.RemoteAddr = clientIP

     

       
234
       
234
       
+
       
			rr := httptest.NewRecorder()

     

       
235
       
235
       
+
       
			loginHandler.ServeHTTP(rr, req)

     

       
236
       
236
       
+
       
			assert.Equal(t, http.StatusOK, rr.Code)

     

       
237
       
237
       
+
       
		}

     

       
238
       
238
       
+
       


     

       
239
       
239
       
+
       
		// Login limit exhausted

     

       
240
       
240
       
+
       
		req := httptest.NewRequest("GET", "/oauth/login", nil)

     

       
241
       
241
       
+
       
		req.RemoteAddr = clientIP

     

       
242
       
242
       
+
       
		rr := httptest.NewRecorder()

     

       
243
       
243
       
+
       
		loginHandler.ServeHTTP(rr, req)

     

       
244
       
244
       
+
       
		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Login should be rate limited")

     

       
245
       
245
       
+
       


     

       
246
       
246
       
+
       
		// Refresh endpoint should still work (independent limiter)

     

       
247
       
247
       
+
       
		req = httptest.NewRequest("POST", "/oauth/refresh", nil)

     

       
248
       
248
       
+
       
		req.RemoteAddr = clientIP

     

       
249
       
249
       
+
       
		rr = httptest.NewRecorder()

     

       
250
       
250
       
+
       
		refreshHandler.ServeHTTP(rr, req)

     

       
251
       
251
       
+
       
		assert.Equal(t, http.StatusOK, rr.Code, "Refresh should not be affected by login rate limit")

     

       
252
       
252
       
+
       
	})

     

       
253
       
253
       
+
       
}

     

       
254
       
254
       
+
       


     

       
255
       
255
       
+
       
// OAuth Rate Limiting Configuration Documentation

     

       
256
       
256
       
+
       
// ================================================

     

       
257
       
257
       
+
       
// This test file validates OAuth-specific rate limits applied in oauth.go:

     

       
258
       
258
       
+
       
//

     

       
259
       
259
       
+
       
// 1. Login Endpoints (Credential Stuffing Protection)

     

       
260
       
260
       
+
       
//    - Endpoints: /oauth/login, /oauth/mobile/login, /oauth/callback

     

       
261
       
261
       
+
       
//    - Limit: 10 requests per minute per IP

     

       
262
       
262
       
+
       
//    - Reason: Prevent brute force and credential stuffing attacks

     

       
263
       
263
       
+
       
//    - Implementation: internal/api/routes/oauth.go:21

     

       
264
       
264
       
+
       
//

     

       
265
       
265
       
+
       
// 2. Refresh Endpoint (Token Refresh)

     

       
266
       
266
       
+
       
//    - Endpoint: /oauth/refresh

     

       
267
       
267
       
+
       
//    - Limit: 20 requests per minute per IP

     

       
268
       
268
       
+
       
//    - Reason: Allow legitimate token refresh while preventing abuse

     

       
269
       
269
       
+
       
//    - Implementation: internal/api/routes/oauth.go:24

     

       
270
       
270
       
+
       
//

     

       
271
       
271
       
+
       
// 3. Logout Endpoint

     

       
272
       
272
       
+
       
//    - Endpoint: /oauth/logout

     

       
273
       
273
       
+
       
//    - Limit: 10 requests per minute per IP

     

       
274
       
274
       
+
       
//    - Reason: Prevent session exhaustion attacks

     

       
275
       
275
       
+
       
//    - Implementation: internal/api/routes/oauth.go:27

     

       
276
       
276
       
+
       
//

     

       
277
       
277
       
+
       
// 4. Metadata Endpoints (No Extra Limit)

     

       
278
       
278
       
+
       
//    - Endpoints: /oauth/client-metadata.json, /oauth/jwks.json

     

       
279
       
279
       
+
       
//    - Limit: Global 100 requests per minute (from main.go)

     

       
280
       
280
       
+
       
//    - Reason: Public metadata, not sensitive to rate abuse

     

       
281
       
281
       
+
       
//

     

       
282
       
282
       
+
       
// Security Benefits:

     

       
283
       
283
       
+
       
//    - Credential Stuffing: Limits password guessing to 10 attempts/min

     

       
284
       
284
       
+
       
//    - State Exhaustion: Prevents OAuth state generation spam

     

       
285
       
285
       
+
       
//    - Token Abuse: Limits refresh token usage while allowing legitimate refresh

     

       
286
       
286
       
+
       
//

     

       
287
       
287
       
+
       
// Rate Limit Hierarchy:

     

       
288
       
288
       
+
       
//    - OAuth login: 10 req/min (most restrictive)

     

       
289
       
289
       
+
       
//    - OAuth refresh: 20 req/min (moderate)

     

       
290
       
290
       
+
       
//    - Comments: 20 req/min (expensive queries)

     

       
291
       
291
       
+
       
//    - Global: 100 req/min (baseline)

     

···

       
1
       
1
       
-
       
package integration

     

       
2
       
2
       
-
       


     

       
3
       
3
       
-
       
import (

     

       
4
       
4
       
-
       
	"Coves/internal/api/middleware"

     

       
5
       
5
       
-
       
	"Coves/internal/atproto/auth"

     

       
6
       
6
       
-
       
	"fmt"

     

       
7
       
7
       
-
       
	"net/http"

     

       
8
       
8
       
-
       
	"net/http/httptest"

     

       
9
       
9
       
-
       
	"os"

     

       
10
       
10
       
-
       
	"strings"

     

       
11
       
11
       
-
       
	"testing"

     

       
12
       
12
       
-
       
	"time"

     

       
13
       
13
       
-
       
)

     

       
14
       
14
       
-
       


     

       
15
       
15
       
-
       
// TestJWTSignatureVerification tests end-to-end JWT signature verification

     

       
16
       
16
       
-
       
// with a real PDS-issued token. This verifies that AUTH_SKIP_VERIFY=false works.

     

       
17
       
17
       
-
       
//

     

       
18
       
18
       
-
       
// Flow:

     

       
19
       
19
       
-
       
// 1. Create account on local PDS (or use existing)

     

       
20
       
20
       
-
       
// 2. Authenticate to get a real signed JWT token

     

       
21
       
21
       
-
       
// 3. Verify our auth middleware can fetch JWKS and verify the signature

     

       
22
       
22
       
-
       
// 4. Test with AUTH_SKIP_VERIFY=false (production mode)

     

       
23
       
23
       
-
       
//

     

       
24
       
24
       
-
       
// NOTE: Local dev PDS (docker-compose.dev.yml) uses symmetric JWT_SECRET signing

     

       
25
       
25
       
-
       
// instead of asymmetric JWKS keys. This test verifies the code path works, but

     

       
26
       
26
       
-
       
// full JWKS verification requires a production PDS or setting up proper keys.

     

       
27
       
27
       
-
       
func TestJWTSignatureVerification(t *testing.T) {

     

       
28
       
28
       
-
       
	// Skip in short mode since this requires real PDS

     

       
29
       
29
       
-
       
	if testing.Short() {

     

       
30
       
30
       
-
       
		t.Skip("Skipping JWT verification test in short mode")

     

       
31
       
31
       
-
       
	}

     

       
32
       
32
       
-
       


     

       
33
       
33
       
-
       
	pdsURL := os.Getenv("PDS_URL")

     

       
34
       
34
       
-
       
	if pdsURL == "" {

     

       
35
       
35
       
-
       
		pdsURL = "http://localhost:3001"

     

       
36
       
36
       
-
       
	}

     

       
37
       
37
       
-
       


     

       
38
       
38
       
-
       
	// Check if PDS is running

     

       
39
       
39
       
-
       
	healthResp, err := http.Get(pdsURL + "/xrpc/_health")

     

       
40
       
40
       
-
       
	if err != nil {

     

       
41
       
41
       
-
       
		t.Skipf("PDS not running at %s: %v", pdsURL, err)

     

       
42
       
42
       
-
       
	}

     

       
43
       
43
       
-
       
	_ = healthResp.Body.Close()

     

       
44
       
44
       
-
       


     

       
45
       
45
       
-
       
	// Check if JWKS is available (production PDS) or symmetric secret (dev PDS)

     

       
46
       
46
       
-
       
	jwksResp, _ := http.Get(pdsURL + "/oauth/jwks")

     

       
47
       
47
       
-
       
	if jwksResp != nil {

     

       
48
       
48
       
-
       
		defer func() { _ = jwksResp.Body.Close() }()

     

       
49
       
49
       
-
       
	}

     

       
50
       
50
       
-
       


     

       
51
       
51
       
-
       
	t.Run("JWT parsing and middleware integration", func(t *testing.T) {

     

       
52
       
52
       
-
       
		// Step 1: Create a test account on PDS

     

       
53
       
53
       
-
       
		// Keep handle short to avoid PDS validation errors

     

       
54
       
54
       
-
       
		timestamp := time.Now().Unix() % 100000 // Last 5 digits

     

       
55
       
55
       
-
       
		handle := fmt.Sprintf("jwt%d.local.coves.dev", timestamp)

     

       
56
       
56
       
-
       
		password := "testpass123"

     

       
57
       
57
       
-
       
		email := fmt.Sprintf("jwt%d@test.com", timestamp)

     

       
58
       
58
       
-
       


     

       
59
       
59
       
-
       
		accessToken, did, err := createPDSAccount(pdsURL, handle, email, password)

     

       
60
       
60
       
-
       
		if err != nil {

     

       
61
       
61
       
-
       
			t.Fatalf("Failed to create PDS account: %v", err)

     

       
62
       
62
       
-
       
		}

     

       
63
       
63
       
-
       
		t.Logf("✓ Created test account: %s (DID: %s)", handle, did)

     

       
64
       
64
       
-
       
		t.Logf("✓ Received JWT token from PDS (length: %d)", len(accessToken))

     

       
65
       
65
       
-
       


     

       
66
       
66
       
-
       
		// Step 3: Test JWT parsing (should work regardless of verification)

     

       
67
       
67
       
-
       
		claims, err := auth.ParseJWT(accessToken)

     

       
68
       
68
       
-
       
		if err != nil {

     

       
69
       
69
       
-
       
			t.Fatalf("Failed to parse JWT: %v", err)

     

       
70
       
70
       
-
       
		}

     

       
71
       
71
       
-
       
		t.Logf("✓ JWT parsed successfully")

     

       
72
       
72
       
-
       
		t.Logf("  Subject (DID): %s", claims.Subject)

     

       
73
       
73
       
-
       
		t.Logf("  Issuer: %s", claims.Issuer)

     

       
74
       
74
       
-
       
		t.Logf("  Scope: %s", claims.Scope)

     

       
75
       
75
       
-
       


     

       
76
       
76
       
-
       
		if claims.Subject != did {

     

       
77
       
77
       
-
       
			t.Errorf("Token DID mismatch: expected %s, got %s", did, claims.Subject)

     

       
78
       
78
       
-
       
		}

     

       
79
       
79
       
-
       


     

       
80
       
80
       
-
       
		// Step 4: Test JWKS fetching and signature verification

     

       
81
       
81
       
-
       
		// NOTE: Local dev PDS uses symmetric secret, not JWKS

     

       
82
       
82
       
-
       
		// For production, we'd verify the full signature here

     

       
83
       
83
       
-
       
		t.Log("Checking JWKS availability...")

     

       
84
       
84
       
-
       


     

       
85
       
85
       
-
       
		jwksFetcher := auth.NewCachedJWKSFetcher(1 * time.Hour)

     

       
86
       
86
       
-
       
		verifiedClaims, err := auth.VerifyJWT(httptest.NewRequest("GET", "/", nil).Context(), accessToken, jwksFetcher)

     

       
87
       
87
       
-
       
		if err != nil {

     

       
88
       
88
       
-
       
			// Expected for local dev PDS - log and continue

     

       
89
       
89
       
-
       
			t.Logf("ℹ️  JWKS verification skipped (expected for local dev PDS): %v", err)

     

       
90
       
90
       
-
       
			t.Logf("   Local PDS uses symmetric JWT_SECRET instead of JWKS")

     

       
91
       
91
       
-
       
			t.Logf("   In production, this would verify against proper JWKS keys")

     

       
92
       
92
       
-
       
		} else {

     

       
93
       
93
       
-
       
			// Unexpected success - means we're testing against a production PDS

     

       
94
       
94
       
-
       
			t.Logf("✓ JWT signature verified successfully!")

     

       
95
       
95
       
-
       
			t.Logf("  Verified DID: %s", verifiedClaims.Subject)

     

       
96
       
96
       
-
       
			t.Logf("  Verified Issuer: %s", verifiedClaims.Issuer)

     

       
97
       
97
       
-
       


     

       
98
       
98
       
-
       
			if verifiedClaims.Subject != did {

     

       
99
       
99
       
-
       
				t.Errorf("Verified token DID mismatch: expected %s, got %s", did, verifiedClaims.Subject)

     

       
100
       
100
       
-
       
			}

     

       
101
       
101
       
-
       
		}

     

       
102
       
102
       
-
       


     

       
103
       
103
       
-
       
		// Step 5: Test auth middleware with skipVerify=true (for dev PDS)

     

       
104
       
104
       
-
       
		t.Log("Testing auth middleware with skipVerify=true (dev mode)...")

     

       
105
       
105
       
-
       


     

       
106
       
106
       
-
       
		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true) // skipVerify=true for dev PDS

     

       
107
       
107
       
-
       
		defer authMiddleware.Stop()                                               // Clean up DPoP replay cache goroutine

     

       
108
       
108
       
-
       


     

       
109
       
109
       
-
       
		handlerCalled := false

     

       
110
       
110
       
-
       
		var extractedDID string

     

       
111
       
111
       
-
       


     

       
112
       
112
       
-
       
		testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
113
       
113
       
-
       
			handlerCalled = true

     

       
114
       
114
       
-
       
			extractedDID = middleware.GetUserDID(r)

     

       
115
       
115
       
-
       
			w.WriteHeader(http.StatusOK)

     

       
116
       
116
       
-
       
			_, _ = w.Write([]byte(`{"success": true}`))

     

       
117
       
117
       
-
       
		}))

     

       
118
       
118
       
-
       


     

       
119
       
119
       
-
       
		req := httptest.NewRequest("GET", "/test", nil)

     

       
120
       
120
       
-
       
		req.Header.Set("Authorization", "DPoP "+accessToken)

     

       
121
       
121
       
-
       
		w := httptest.NewRecorder()

     

       
122
       
122
       
-
       


     

       
123
       
123
       
-
       
		testHandler.ServeHTTP(w, req)

     

       
124
       
124
       
-
       


     

       
125
       
125
       
-
       
		if !handlerCalled {

     

       
126
       
126
       
-
       
			t.Errorf("Handler was not called - auth middleware rejected valid token")

     

       
127
       
127
       
-
       
			t.Logf("Response status: %d", w.Code)

     

       
128
       
128
       
-
       
			t.Logf("Response body: %s", w.Body.String())

     

       
129
       
129
       
-
       
		}

     

       
130
       
130
       
-
       


     

       
131
       
131
       
-
       
		if w.Code != http.StatusOK {

     

       
132
       
132
       
-
       
			t.Errorf("Expected status 200, got %d", w.Code)

     

       
133
       
133
       
-
       
			t.Logf("Response body: %s", w.Body.String())

     

       
134
       
134
       
-
       
		}

     

       
135
       
135
       
-
       


     

       
136
       
136
       
-
       
		if extractedDID != did {

     

       
137
       
137
       
-
       
			t.Errorf("Middleware extracted wrong DID: expected %s, got %s", did, extractedDID)

     

       
138
       
138
       
-
       
		}

     

       
139
       
139
       
-
       


     

       
140
       
140
       
-
       
		t.Logf("✅ Auth middleware with signature verification working correctly!")

     

       
141
       
141
       
-
       
		t.Logf("  Handler called: %v", handlerCalled)

     

       
142
       
142
       
-
       
		t.Logf("  Extracted DID: %s", extractedDID)

     

       
143
       
143
       
-
       
		t.Logf("  Response status: %d", w.Code)

     

       
144
       
144
       
-
       
	})

     

       
145
       
145
       
-
       


     

       
146
       
146
       
-
       
	t.Run("Rejects tampered JWT", func(t *testing.T) {

     

       
147
       
147
       
-
       
		// Create valid token

     

       
148
       
148
       
-
       
		timestamp := time.Now().Unix() % 100000

     

       
149
       
149
       
-
       
		handle := fmt.Sprintf("tamp%d.local.coves.dev", timestamp)

     

       
150
       
150
       
-
       
		password := "testpass456"

     

       
151
       
151
       
-
       
		email := fmt.Sprintf("tamp%d@test.com", timestamp)

     

       
152
       
152
       
-
       


     

       
153
       
153
       
-
       
		accessToken, _, err := createPDSAccount(pdsURL, handle, email, password)

     

       
154
       
154
       
-
       
		if err != nil {

     

       
155
       
155
       
-
       
			t.Fatalf("Failed to create PDS account: %v", err)

     

       
156
       
156
       
-
       
		}

     

       
157
       
157
       
-
       


     

       
158
       
158
       
-
       
		// Tamper with the token more aggressively to break JWT structure

     

       
159
       
159
       
-
       
		parts := splitToken(accessToken)

     

       
160
       
160
       
-
       
		if len(parts) != 3 {

     

       
161
       
161
       
-
       
			t.Fatalf("Invalid JWT structure: expected 3 parts, got %d", len(parts))

     

       
162
       
162
       
-
       
		}

     

       
163
       
163
       
-
       
		// Replace the payload with invalid base64 that will fail decoding

     

       
164
       
164
       
-
       
		tamperedToken := parts[0] + ".!!!invalid-base64!!!." + parts[2]

     

       
165
       
165
       
-
       


     

       
166
       
166
       
-
       
		// Test with middleware (skipVerify=true since dev PDS doesn't use JWKS)

     

       
167
       
167
       
-
       
		// Tampered payload should fail JWT parsing even without signature check

     

       
168
       
168
       
-
       
		jwksFetcher := auth.NewCachedJWKSFetcher(1 * time.Hour)

     

       
169
       
169
       
-
       
		authMiddleware := middleware.NewAtProtoAuthMiddleware(jwksFetcher, true)

     

       
170
       
170
       
-
       
		defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       
171
       
171
       
-
       


     

       
172
       
172
       
-
       
		handlerCalled := false

     

       
173
       
173
       
-
       
		testHandler := authMiddleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       
174
       
174
       
-
       
			handlerCalled = true

     

       
175
       
175
       
-
       
			w.WriteHeader(http.StatusOK)

     

       
176
       
176
       
-
       
		}))

     

       
177
       
177
       
-
       


     

       
178
       
178
       
-
       
		req := httptest.NewRequest("GET", "/test", nil)

     

       
179
       
179
       
-
       
		req.Header.Set("Authorization", "DPoP "+tamperedToken)

     

       
180
       
180
       
-
       
		w := httptest.NewRecorder()

     

       
181
       
181
       
-
       


     

       
182
       
182
       
-
       
		testHandler.ServeHTTP(w, req)

     

       
183
       
183
       
-
       


     

       
184
       
184
       
-
       
		if handlerCalled {

     

       
185
       
185
       
-
       
			t.Error("Handler was called for tampered token - should have been rejected")

     

       
186
       
186
       
-
       
		}

     

       
187
       
187
       
-
       


     

       
188
       
188
       
-
       
		if w.Code != http.StatusUnauthorized {

     

       
189
       
189
       
-
       
			t.Errorf("Expected status 401 for tampered token, got %d", w.Code)

     

       
190
       
190
       
-
       
		}

     

       
191
       
191
       
-
       


     

       
192
       
192
       
-
       
		t.Logf("✅ Middleware correctly rejected tampered token with status %d", w.Code)

     

       
193
       
193
       
-
       
	})

     

       
194
       
194
       
-
       


     

       
195
       
195
       
-
       
	t.Run("Rejects expired JWT with signature verification", func(t *testing.T) {

     

       
196
       
196
       
-
       
		// For this test, we'd need to create a token and wait for expiry,

     

       
197
       
197
       
-
       
		// or mock the time. For now, we'll just verify the validation logic exists.

     

       
198
       
198
       
-
       
		// In production, PDS tokens expire after a certain period.

     

       
199
       
199
       
-
       
		t.Log("ℹ️  Expiration test would require waiting for token expiry or time mocking")

     

       
200
       
200
       
-
       
		t.Log("   Token expiration validation is covered by unit tests in auth_test.go")

     

       
201
       
201
       
-
       
		t.Skip("Skipping expiration test - requires time manipulation")

     

       
202
       
202
       
-
       
	})

     

       
203
       
203
       
-
       
}

     

       
204
       
204
       
-
       


     

       
205
       
205
       
-
       
// splitToken splits a JWT into its three parts (header.payload.signature)

     

       
206
       
206
       
-
       
func splitToken(token string) []string {

     

       
207
       
207
       
-
       
	return strings.Split(token, ".")

     

       
208
       
208
       
-
       
}

     

···

       
1
       
1
       
+
       
package integration

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"Coves/internal/atproto/oauth"

     

       
5
       
5
       
+
       
	"context"

     

       
6
       
6
       
+
       
	"encoding/json"

     

       
7
       
7
       
+
       
	"fmt"

     

       
8
       
8
       
+
       
	"net/http"

     

       
9
       
9
       
+
       
	"net/http/httptest"

     

       
10
       
10
       
+
       
	"strings"

     

       
11
       
11
       
+
       
	"testing"

     

       
12
       
12
       
+
       
	"time"

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
	oauthlib "github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       
15
       
15
       
+
       
	"github.com/bluesky-social/indigo/atproto/syntax"

     

       
16
       
16
       
+
       
	"github.com/go-chi/chi/v5"

     

       
17
       
17
       
+
       
	_ "github.com/lib/pq"

     

       
18
       
18
       
+
       
	"github.com/pressly/goose/v3"

     

       
19
       
19
       
+
       
	"github.com/stretchr/testify/assert"

     

       
20
       
20
       
+
       
	"github.com/stretchr/testify/require"

     

       
21
       
21
       
+
       
)

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
// TestOAuth_Components tests OAuth component functionality without requiring PDS.

     

       
24
       
24
       
+
       
// This validates all Coves OAuth code:

     

       
25
       
25
       
+
       
// - Session storage and retrieval (PostgreSQL)

     

       
26
       
26
       
+
       
// - Token sealing (AES-GCM encryption)

     

       
27
       
27
       
+
       
// - Token unsealing (decryption + validation)

     

       
28
       
28
       
+
       
// - Session cleanup

     

       
29
       
29
       
+
       
//

     

       
30
       
30
       
+
       
// NOTE: Full OAuth redirect flow testing requires both HTTPS PDS and HTTPS Coves deployment.

     

       
31
       
31
       
+
       
// The OAuth redirect flow is handled by indigo's library and enforces OAuth 2.0 spec

     

       
32
       
32
       
+
       
// (HTTPS required for authorization servers and redirect URIs).

     

       
33
       
33
       
+
       
func TestOAuth_Components(t *testing.T) {

     

       
34
       
34
       
+
       
	if testing.Short() {

     

       
35
       
35
       
+
       
		t.Skip("Skipping OAuth component test in short mode")

     

       
36
       
36
       
+
       
	}

     

       
37
       
37
       
+
       


     

       
38
       
38
       
+
       
	// Setup test database

     

       
39
       
39
       
+
       
	db := setupTestDB(t)

     

       
40
       
40
       
+
       
	defer func() {

     

       
41
       
41
       
+
       
		if err := db.Close(); err != nil {

     

       
42
       
42
       
+
       
			t.Logf("Failed to close database: %v", err)

     

       
43
       
43
       
+
       
		}

     

       
44
       
44
       
+
       
	}()

     

       
45
       
45
       
+
       


     

       
46
       
46
       
+
       
	// Run migrations to ensure OAuth tables exist

     

       
47
       
47
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
48
       
48
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
	t.Log("🔧 Testing OAuth Components")

     

       
51
       
51
       
+
       


     

       
52
       
52
       
+
       
	ctx := context.Background()

     

       
53
       
53
       
+
       


     

       
54
       
54
       
+
       
	// Setup OAuth client and store

     

       
55
       
55
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
56
       
56
       
+
       
	client := SetupOAuthTestClient(t, store)

     

       
57
       
57
       
+
       
	require.NotNil(t, client, "OAuth client should be initialized")

     

       
58
       
58
       
+
       


     

       
59
       
59
       
+
       
	// Use a test DID (doesn't need to exist on PDS for component tests)

     

       
60
       
60
       
+
       
	testDID := "did:plc:componenttest123"

     

       
61
       
61
       
+
       


     

       
62
       
62
       
+
       
	// Run component tests

     

       
63
       
63
       
+
       
	testOAuthComponentsWithMockedSession(t, ctx, nil, store, client, testDID, "")

     

       
64
       
64
       
+
       


     

       
65
       
65
       
+
       
	t.Log("")

     

       
66
       
66
       
+
       
	t.Log(strings.Repeat("=", 60))

     

       
67
       
67
       
+
       
	t.Log("✅ OAuth Component Tests Complete")

     

       
68
       
68
       
+
       
	t.Log(strings.Repeat("=", 60))

     

       
69
       
69
       
+
       
	t.Log("Components validated:")

     

       
70
       
70
       
+
       
	t.Log("  ✓ Session storage (PostgreSQL)")

     

       
71
       
71
       
+
       
	t.Log("  ✓ Token sealing (AES-GCM encryption)")

     

       
72
       
72
       
+
       
	t.Log("  ✓ Token unsealing (decryption + validation)")

     

       
73
       
73
       
+
       
	t.Log("  ✓ Session cleanup")

     

       
74
       
74
       
+
       
	t.Log("")

     

       
75
       
75
       
+
       
	t.Log("NOTE: Full OAuth redirect flow requires HTTPS PDS + HTTPS Coves")

     

       
76
       
76
       
+
       
	t.Log(strings.Repeat("=", 60))

     

       
77
       
77
       
+
       
}

     

       
78
       
78
       
+
       


     

       
79
       
79
       
+
       
// testOAuthComponentsWithMockedSession tests OAuth components that work without PDS redirect flow.

     

       
80
       
80
       
+
       
// This is used when testing with localhost PDS, where the indigo library rejects http:// URLs.

     

       
81
       
81
       
+
       
func testOAuthComponentsWithMockedSession(t *testing.T, ctx context.Context, _ interface{}, store oauthlib.ClientAuthStore, client *oauth.OAuthClient, userDID, _ string) {

     

       
82
       
82
       
+
       
	t.Helper()

     

       
83
       
83
       
+
       


     

       
84
       
84
       
+
       
	t.Log("🔧 Testing OAuth components with mocked session...")

     

       
85
       
85
       
+
       


     

       
86
       
86
       
+
       
	// Parse DID

     

       
87
       
87
       
+
       
	parsedDID, err := syntax.ParseDID(userDID)

     

       
88
       
88
       
+
       
	require.NoError(t, err, "Should parse DID")

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
	// Component 1: Session Storage

     

       
91
       
91
       
+
       
	t.Log("   📦 Component 1: Testing session storage...")

     

       
92
       
92
       
+
       
	testSession := oauthlib.ClientSessionData{

     

       
93
       
93
       
+
       
		AccountDID:  parsedDID,

     

       
94
       
94
       
+
       
		SessionID:   fmt.Sprintf("localhost-test-%d", time.Now().UnixNano()),

     

       
95
       
95
       
+
       
		HostURL:     "http://localhost:3001",

     

       
96
       
96
       
+
       
		AccessToken: "mocked-access-token",

     

       
97
       
97
       
+
       
		Scopes:      []string{"atproto", "transition:generic"},

     

       
98
       
98
       
+
       
	}

     

       
99
       
99
       
+
       


     

       
100
       
100
       
+
       
	err = store.SaveSession(ctx, testSession)

     

       
101
       
101
       
+
       
	require.NoError(t, err, "Should save session")

     

       
102
       
102
       
+
       


     

       
103
       
103
       
+
       
	retrieved, err := store.GetSession(ctx, parsedDID, testSession.SessionID)

     

       
104
       
104
       
+
       
	require.NoError(t, err, "Should retrieve session")

     

       
105
       
105
       
+
       
	require.Equal(t, testSession.SessionID, retrieved.SessionID)

     

       
106
       
106
       
+
       
	require.Equal(t, testSession.AccessToken, retrieved.AccessToken)

     

       
107
       
107
       
+
       
	t.Log("   ✅ Session storage working")

     

       
108
       
108
       
+
       


     

       
109
       
109
       
+
       
	// Component 2: Token Sealing

     

       
110
       
110
       
+
       
	t.Log("   🔐 Component 2: Testing token sealing...")

     

       
111
       
111
       
+
       
	sealedToken, err := client.SealSession(parsedDID.String(), testSession.SessionID, time.Hour)

     

       
112
       
112
       
+
       
	require.NoError(t, err, "Should seal token")

     

       
113
       
113
       
+
       
	require.NotEmpty(t, sealedToken, "Sealed token should not be empty")

     

       
114
       
114
       
+
       
	tokenPreview := sealedToken

     

       
115
       
115
       
+
       
	if len(tokenPreview) > 50 {

     

       
116
       
116
       
+
       
		tokenPreview = tokenPreview[:50]

     

       
117
       
117
       
+
       
	}

     

       
118
       
118
       
+
       
	t.Logf("   ✅ Token sealed: %s...", tokenPreview)

     

       
119
       
119
       
+
       


     

       
120
       
120
       
+
       
	// Component 3: Token Unsealing

     

       
121
       
121
       
+
       
	t.Log("   🔓 Component 3: Testing token unsealing...")

     

       
122
       
122
       
+
       
	unsealed, err := client.UnsealSession(sealedToken)

     

       
123
       
123
       
+
       
	require.NoError(t, err, "Should unseal token")

     

       
124
       
124
       
+
       
	require.Equal(t, userDID, unsealed.DID)

     

       
125
       
125
       
+
       
	require.Equal(t, testSession.SessionID, unsealed.SessionID)

     

       
126
       
126
       
+
       
	t.Log("   ✅ Token unsealing working")

     

       
127
       
127
       
+
       


     

       
128
       
128
       
+
       
	// Component 4: Session Cleanup

     

       
129
       
129
       
+
       
	t.Log("   🧹 Component 4: Testing session cleanup...")

     

       
130
       
130
       
+
       
	err = store.DeleteSession(ctx, parsedDID, testSession.SessionID)

     

       
131
       
131
       
+
       
	require.NoError(t, err, "Should delete session")

     

       
132
       
132
       
+
       


     

       
133
       
133
       
+
       
	_, err = store.GetSession(ctx, parsedDID, testSession.SessionID)

     

       
134
       
134
       
+
       
	require.Error(t, err, "Session should not exist after deletion")

     

       
135
       
135
       
+
       
	t.Log("   ✅ Session cleanup working")

     

       
136
       
136
       
+
       


     

       
137
       
137
       
+
       
	t.Log("✅ All OAuth components verified!")

     

       
138
       
138
       
+
       
	t.Log("")

     

       
139
       
139
       
+
       
	t.Log("📝 Summary: OAuth implementation validated with mocked session")

     

       
140
       
140
       
+
       
	t.Log("   - Session storage: ✓")

     

       
141
       
141
       
+
       
	t.Log("   - Token sealing: ✓")

     

       
142
       
142
       
+
       
	t.Log("   - Token unsealing: ✓")

     

       
143
       
143
       
+
       
	t.Log("   - Session cleanup: ✓")

     

       
144
       
144
       
+
       
	t.Log("")

     

       
145
       
145
       
+
       
	t.Log("⚠️  To test full OAuth redirect flow, use a production PDS with HTTPS")

     

       
146
       
146
       
+
       
}

     

       
147
       
147
       
+
       


     

       
148
       
148
       
+
       
// TestOAuthE2E_TokenExpiration tests that expired sealed tokens are rejected

     

       
149
       
149
       
+
       
func TestOAuthE2E_TokenExpiration(t *testing.T) {

     

       
150
       
150
       
+
       
	if testing.Short() {

     

       
151
       
151
       
+
       
		t.Skip("Skipping OAuth token expiration test in short mode")

     

       
152
       
152
       
+
       
	}

     

       
153
       
153
       
+
       


     

       
154
       
154
       
+
       
	db := setupTestDB(t)

     

       
155
       
155
       
+
       
	defer func() { _ = db.Close() }()

     

       
156
       
156
       
+
       


     

       
157
       
157
       
+
       
	// Run migrations

     

       
158
       
158
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
159
       
159
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
160
       
160
       
+
       


     

       
161
       
161
       
+
       
	ctx := context.Background()

     

       
162
       
162
       
+
       


     

       
163
       
163
       
+
       
	t.Log("⏰ Testing OAuth token expiration...")

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
	// Setup OAuth client and store

     

       
166
       
166
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
167
       
167
       
+
       
	client := SetupOAuthTestClient(t, store)

     

       
168
       
168
       
+
       
	_ = oauth.NewOAuthHandler(client, store) // Handler created for completeness

     

       
169
       
169
       
+
       


     

       
170
       
170
       
+
       
	// Create test session with past expiration

     

       
171
       
171
       
+
       
	did, err := syntax.ParseDID("did:plc:expiredtest123")

     

       
172
       
172
       
+
       
	require.NoError(t, err)

     

       
173
       
173
       
+
       


     

       
174
       
174
       
+
       
	testSession := oauthlib.ClientSessionData{

     

       
175
       
175
       
+
       
		AccountDID:  did,

     

       
176
       
176
       
+
       
		SessionID:   "expired-session",

     

       
177
       
177
       
+
       
		HostURL:     "http://localhost:3001",

     

       
178
       
178
       
+
       
		AccessToken: "expired-token",

     

       
179
       
179
       
+
       
		Scopes:      []string{"atproto"},

     

       
180
       
180
       
+
       
	}

     

       
181
       
181
       
+
       


     

       
182
       
182
       
+
       
	// Save session

     

       
183
       
183
       
+
       
	err = store.SaveSession(ctx, testSession)

     

       
184
       
184
       
+
       
	require.NoError(t, err)

     

       
185
       
185
       
+
       


     

       
186
       
186
       
+
       
	// Manually update expiration to the past

     

       
187
       
187
       
+
       
	_, err = db.ExecContext(ctx,

     

       
188
       
188
       
+
       
		"UPDATE oauth_sessions SET expires_at = NOW() - INTERVAL '1 day' WHERE did = $1 AND session_id = $2",

     

       
189
       
189
       
+
       
		did.String(), testSession.SessionID)

     

       
190
       
190
       
+
       
	require.NoError(t, err)

     

       
191
       
191
       
+
       


     

       
192
       
192
       
+
       
	// Try to retrieve expired session

     

       
193
       
193
       
+
       
	_, err = store.GetSession(ctx, did, testSession.SessionID)

     

       
194
       
194
       
+
       
	assert.Error(t, err, "Should not be able to retrieve expired session")

     

       
195
       
195
       
+
       
	assert.Equal(t, oauth.ErrSessionNotFound, err, "Should return ErrSessionNotFound for expired session")

     

       
196
       
196
       
+
       


     

       
197
       
197
       
+
       
	// Test cleanup of expired sessions

     

       
198
       
198
       
+
       
	cleaned, err := store.(*oauth.PostgresOAuthStore).CleanupExpiredSessions(ctx)

     

       
199
       
199
       
+
       
	require.NoError(t, err, "Cleanup should succeed")

     

       
200
       
200
       
+
       
	assert.Greater(t, cleaned, int64(0), "Should have cleaned up at least one session")

     

       
201
       
201
       
+
       


     

       
202
       
202
       
+
       
	t.Logf("✅ Expired session handling verified (cleaned %d sessions)", cleaned)

     

       
203
       
203
       
+
       
}

     

       
204
       
204
       
+
       


     

       
205
       
205
       
+
       
// TestOAuthE2E_InvalidToken tests that invalid/tampered tokens are rejected

     

       
206
       
206
       
+
       
func TestOAuthE2E_InvalidToken(t *testing.T) {

     

       
207
       
207
       
+
       
	if testing.Short() {

     

       
208
       
208
       
+
       
		t.Skip("Skipping OAuth invalid token test in short mode")

     

       
209
       
209
       
+
       
	}

     

       
210
       
210
       
+
       


     

       
211
       
211
       
+
       
	db := setupTestDB(t)

     

       
212
       
212
       
+
       
	defer func() { _ = db.Close() }()

     

       
213
       
213
       
+
       


     

       
214
       
214
       
+
       
	// Run migrations

     

       
215
       
215
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
216
       
216
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
217
       
217
       
+
       


     

       
218
       
218
       
+
       
	t.Log("🔒 Testing OAuth invalid token rejection...")

     

       
219
       
219
       
+
       


     

       
220
       
220
       
+
       
	// Setup OAuth client and store

     

       
221
       
221
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
222
       
222
       
+
       
	client := SetupOAuthTestClient(t, store)

     

       
223
       
223
       
+
       
	handler := oauth.NewOAuthHandler(client, store)

     

       
224
       
224
       
+
       


     

       
225
       
225
       
+
       
	// Setup test server with protected endpoint

     

       
226
       
226
       
+
       
	r := chi.NewRouter()

     

       
227
       
227
       
+
       
	r.Get("/api/me", func(w http.ResponseWriter, r *http.Request) {

     

       
228
       
228
       
+
       
		sessData, err := handler.GetSessionFromRequest(r)

     

       
229
       
229
       
+
       
		if err != nil {

     

       
230
       
230
       
+
       
			http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       
231
       
231
       
+
       
			return

     

       
232
       
232
       
+
       
		}

     

       
233
       
233
       
+
       
		w.Header().Set("Content-Type", "application/json")

     

       
234
       
234
       
+
       
		_ = json.NewEncoder(w).Encode(map[string]string{"did": sessData.AccountDID.String()})

     

       
235
       
235
       
+
       
	})

     

       
236
       
236
       
+
       


     

       
237
       
237
       
+
       
	server := httptest.NewServer(r)

     

       
238
       
238
       
+
       
	defer server.Close()

     

       
239
       
239
       
+
       


     

       
240
       
240
       
+
       
	// Test with invalid token formats

     

       
241
       
241
       
+
       
	testCases := []struct {

     

       
242
       
242
       
+
       
		name  string

     

       
243
       
243
       
+
       
		token string

     

       
244
       
244
       
+
       
	}{

     

       
245
       
245
       
+
       
		{"Empty token", ""},

     

       
246
       
246
       
+
       
		{"Invalid base64", "not-valid-base64!!!"},

     

       
247
       
247
       
+
       
		{"Tampered token", "dGFtcGVyZWQtdG9rZW4tZGF0YQ=="}, // Valid base64 but invalid content

     

       
248
       
248
       
+
       
		{"Short token", "abc"},

     

       
249
       
249
       
+
       
	}

     

       
250
       
250
       
+
       


     

       
251
       
251
       
+
       
	for _, tc := range testCases {

     

       
252
       
252
       
+
       
		t.Run(tc.name, func(t *testing.T) {

     

       
253
       
253
       
+
       
			req, _ := http.NewRequest("GET", server.URL+"/api/me", nil)

     

       
254
       
254
       
+
       
			if tc.token != "" {

     

       
255
       
255
       
+
       
				req.Header.Set("Authorization", "Bearer "+tc.token)

     

       
256
       
256
       
+
       
			}

     

       
257
       
257
       
+
       


     

       
258
       
258
       
+
       
			resp, err := http.DefaultClient.Do(req)

     

       
259
       
259
       
+
       
			require.NoError(t, err)

     

       
260
       
260
       
+
       
			defer func() { _ = resp.Body.Close() }()

     

       
261
       
261
       
+
       


     

       
262
       
262
       
+
       
			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
263
       
263
       
+
       
				"Invalid token should be rejected with 401")

     

       
264
       
264
       
+
       
		})

     

       
265
       
265
       
+
       
	}

     

       
266
       
266
       
+
       


     

       
267
       
267
       
+
       
	t.Logf("✅ Invalid token rejection verified")

     

       
268
       
268
       
+
       
}

     

       
269
       
269
       
+
       


     

       
270
       
270
       
+
       
// TestOAuthE2E_SessionNotFound tests behavior when session doesn't exist in DB

     

       
271
       
271
       
+
       
func TestOAuthE2E_SessionNotFound(t *testing.T) {

     

       
272
       
272
       
+
       
	if testing.Short() {

     

       
273
       
273
       
+
       
		t.Skip("Skipping OAuth session not found test in short mode")

     

       
274
       
274
       
+
       
	}

     

       
275
       
275
       
+
       


     

       
276
       
276
       
+
       
	db := setupTestDB(t)

     

       
277
       
277
       
+
       
	defer func() { _ = db.Close() }()

     

       
278
       
278
       
+
       


     

       
279
       
279
       
+
       
	// Run migrations

     

       
280
       
280
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
281
       
281
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
282
       
282
       
+
       


     

       
283
       
283
       
+
       
	ctx := context.Background()

     

       
284
       
284
       
+
       


     

       
285
       
285
       
+
       
	t.Log("🔍 Testing OAuth session not found behavior...")

     

       
286
       
286
       
+
       


     

       
287
       
287
       
+
       
	// Setup OAuth store

     

       
288
       
288
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
289
       
289
       
+
       


     

       
290
       
290
       
+
       
	// Try to retrieve non-existent session

     

       
291
       
291
       
+
       
	nonExistentDID, err := syntax.ParseDID("did:plc:nonexistent123")

     

       
292
       
292
       
+
       
	require.NoError(t, err)

     

       
293
       
293
       
+
       


     

       
294
       
294
       
+
       
	_, err = store.GetSession(ctx, nonExistentDID, "nonexistent-session")

     

       
295
       
295
       
+
       
	assert.Error(t, err, "Should return error for non-existent session")

     

       
296
       
296
       
+
       
	assert.Equal(t, oauth.ErrSessionNotFound, err, "Should return ErrSessionNotFound")

     

       
297
       
297
       
+
       


     

       
298
       
298
       
+
       
	// Try to delete non-existent session

     

       
299
       
299
       
+
       
	err = store.DeleteSession(ctx, nonExistentDID, "nonexistent-session")

     

       
300
       
300
       
+
       
	assert.Error(t, err, "Should return error when deleting non-existent session")

     

       
301
       
301
       
+
       
	assert.Equal(t, oauth.ErrSessionNotFound, err, "Should return ErrSessionNotFound")

     

       
302
       
302
       
+
       


     

       
303
       
303
       
+
       
	t.Logf("✅ Session not found handling verified")

     

       
304
       
304
       
+
       
}

     

       
305
       
305
       
+
       


     

       
306
       
306
       
+
       
// TestOAuthE2E_MultipleSessionsPerUser tests that a user can have multiple active sessions

     

       
307
       
307
       
+
       
func TestOAuthE2E_MultipleSessionsPerUser(t *testing.T) {

     

       
308
       
308
       
+
       
	if testing.Short() {

     

       
309
       
309
       
+
       
		t.Skip("Skipping OAuth multiple sessions test in short mode")

     

       
310
       
310
       
+
       
	}

     

       
311
       
311
       
+
       


     

       
312
       
312
       
+
       
	db := setupTestDB(t)

     

       
313
       
313
       
+
       
	defer func() { _ = db.Close() }()

     

       
314
       
314
       
+
       


     

       
315
       
315
       
+
       
	// Run migrations

     

       
316
       
316
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
317
       
317
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
318
       
318
       
+
       


     

       
319
       
319
       
+
       
	ctx := context.Background()

     

       
320
       
320
       
+
       


     

       
321
       
321
       
+
       
	t.Log("👥 Testing multiple OAuth sessions per user...")

     

       
322
       
322
       
+
       


     

       
323
       
323
       
+
       
	// Setup OAuth store

     

       
324
       
324
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
325
       
325
       
+
       


     

       
326
       
326
       
+
       
	// Create a test DID

     

       
327
       
327
       
+
       
	did, err := syntax.ParseDID("did:plc:multisession123")

     

       
328
       
328
       
+
       
	require.NoError(t, err)

     

       
329
       
329
       
+
       


     

       
330
       
330
       
+
       
	// Create multiple sessions for the same user

     

       
331
       
331
       
+
       
	sessions := []oauthlib.ClientSessionData{

     

       
332
       
332
       
+
       
		{

     

       
333
       
333
       
+
       
			AccountDID:  did,

     

       
334
       
334
       
+
       
			SessionID:   "session-1-web",

     

       
335
       
335
       
+
       
			HostURL:     "http://localhost:3001",

     

       
336
       
336
       
+
       
			AccessToken: "token-1",

     

       
337
       
337
       
+
       
			Scopes:      []string{"atproto"},

     

       
338
       
338
       
+
       
		},

     

       
339
       
339
       
+
       
		{

     

       
340
       
340
       
+
       
			AccountDID:  did,

     

       
341
       
341
       
+
       
			SessionID:   "session-2-mobile",

     

       
342
       
342
       
+
       
			HostURL:     "http://localhost:3001",

     

       
343
       
343
       
+
       
			AccessToken: "token-2",

     

       
344
       
344
       
+
       
			Scopes:      []string{"atproto"},

     

       
345
       
345
       
+
       
		},

     

       
346
       
346
       
+
       
		{

     

       
347
       
347
       
+
       
			AccountDID:  did,

     

       
348
       
348
       
+
       
			SessionID:   "session-3-tablet",

     

       
349
       
349
       
+
       
			HostURL:     "http://localhost:3001",

     

       
350
       
350
       
+
       
			AccessToken: "token-3",

     

       
351
       
351
       
+
       
			Scopes:      []string{"atproto"},

     

       
352
       
352
       
+
       
		},

     

       
353
       
353
       
+
       
	}

     

       
354
       
354
       
+
       


     

       
355
       
355
       
+
       
	// Save all sessions

     

       
356
       
356
       
+
       
	for i, session := range sessions {

     

       
357
       
357
       
+
       
		err := store.SaveSession(ctx, session)

     

       
358
       
358
       
+
       
		require.NoError(t, err, "Should be able to save session %d", i+1)

     

       
359
       
359
       
+
       
	}

     

       
360
       
360
       
+
       


     

       
361
       
361
       
+
       
	t.Logf("✅ Created %d sessions for user", len(sessions))

     

       
362
       
362
       
+
       


     

       
363
       
363
       
+
       
	// Verify all sessions can be retrieved independently

     

       
364
       
364
       
+
       
	for i, session := range sessions {

     

       
365
       
365
       
+
       
		retrieved, err := store.GetSession(ctx, did, session.SessionID)

     

       
366
       
366
       
+
       
		require.NoError(t, err, "Should be able to retrieve session %d", i+1)

     

       
367
       
367
       
+
       
		assert.Equal(t, session.SessionID, retrieved.SessionID, "Session ID should match")

     

       
368
       
368
       
+
       
		assert.Equal(t, session.AccessToken, retrieved.AccessToken, "Access token should match")

     

       
369
       
369
       
+
       
	}

     

       
370
       
370
       
+
       


     

       
371
       
371
       
+
       
	t.Logf("✅ All sessions retrieved independently")

     

       
372
       
372
       
+
       


     

       
373
       
373
       
+
       
	// Delete one session and verify others remain

     

       
374
       
374
       
+
       
	err = store.DeleteSession(ctx, did, sessions[0].SessionID)

     

       
375
       
375
       
+
       
	require.NoError(t, err, "Should be able to delete first session")

     

       
376
       
376
       
+
       


     

       
377
       
377
       
+
       
	// Verify first session is deleted

     

       
378
       
378
       
+
       
	_, err = store.GetSession(ctx, did, sessions[0].SessionID)

     

       
379
       
379
       
+
       
	assert.Equal(t, oauth.ErrSessionNotFound, err, "First session should be deleted")

     

       
380
       
380
       
+
       


     

       
381
       
381
       
+
       
	// Verify other sessions still exist

     

       
382
       
382
       
+
       
	for i := 1; i < len(sessions); i++ {

     

       
383
       
383
       
+
       
		_, err := store.GetSession(ctx, did, sessions[i].SessionID)

     

       
384
       
384
       
+
       
		require.NoError(t, err, "Session %d should still exist", i+1)

     

       
385
       
385
       
+
       
	}

     

       
386
       
386
       
+
       


     

       
387
       
387
       
+
       
	t.Logf("✅ Multiple sessions per user verified")

     

       
388
       
388
       
+
       


     

       
389
       
389
       
+
       
	// Cleanup

     

       
390
       
390
       
+
       
	for i := 1; i < len(sessions); i++ {

     

       
391
       
391
       
+
       
		_ = store.DeleteSession(ctx, did, sessions[i].SessionID)

     

       
392
       
392
       
+
       
	}

     

       
393
       
393
       
+
       
}

     

       
394
       
394
       
+
       


     

       
395
       
395
       
+
       
// TestOAuthE2E_AuthRequestStorage tests OAuth auth request storage and retrieval

     

       
396
       
396
       
+
       
func TestOAuthE2E_AuthRequestStorage(t *testing.T) {

     

       
397
       
397
       
+
       
	if testing.Short() {

     

       
398
       
398
       
+
       
		t.Skip("Skipping OAuth auth request storage test in short mode")

     

       
399
       
399
       
+
       
	}

     

       
400
       
400
       
+
       


     

       
401
       
401
       
+
       
	db := setupTestDB(t)

     

       
402
       
402
       
+
       
	defer func() { _ = db.Close() }()

     

       
403
       
403
       
+
       


     

       
404
       
404
       
+
       
	// Run migrations

     

       
405
       
405
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
406
       
406
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
407
       
407
       
+
       


     

       
408
       
408
       
+
       
	ctx := context.Background()

     

       
409
       
409
       
+
       


     

       
410
       
410
       
+
       
	t.Log("📝 Testing OAuth auth request storage...")

     

       
411
       
411
       
+
       


     

       
412
       
412
       
+
       
	// Setup OAuth store

     

       
413
       
413
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
414
       
414
       
+
       


     

       
415
       
415
       
+
       
	// Create test auth request data

     

       
416
       
416
       
+
       
	did, err := syntax.ParseDID("did:plc:authrequest123")

     

       
417
       
417
       
+
       
	require.NoError(t, err)

     

       
418
       
418
       
+
       


     

       
419
       
419
       
+
       
	authRequest := oauthlib.AuthRequestData{

     

       
420
       
420
       
+
       
		State:                        "test-state-12345",

     

       
421
       
421
       
+
       
		AccountDID:                   &did,

     

       
422
       
422
       
+
       
		PKCEVerifier:                 "test-pkce-verifier",

     

       
423
       
423
       
+
       
		DPoPPrivateKeyMultibase:      "test-dpop-key",

     

       
424
       
424
       
+
       
		DPoPAuthServerNonce:          "test-nonce",

     

       
425
       
425
       
+
       
		AuthServerURL:                "http://localhost:3001",

     

       
426
       
426
       
+
       
		RequestURI:                   "http://localhost:3001/authorize",

     

       
427
       
427
       
+
       
		AuthServerTokenEndpoint:      "http://localhost:3001/oauth/token",

     

       
428
       
428
       
+
       
		AuthServerRevocationEndpoint: "http://localhost:3001/oauth/revoke",

     

       
429
       
429
       
+
       
		Scopes:                       []string{"atproto", "transition:generic"},

     

       
430
       
430
       
+
       
	}

     

       
431
       
431
       
+
       


     

       
432
       
432
       
+
       
	// Save auth request

     

       
433
       
433
       
+
       
	err = store.SaveAuthRequestInfo(ctx, authRequest)

     

       
434
       
434
       
+
       
	require.NoError(t, err, "Should be able to save auth request")

     

       
435
       
435
       
+
       


     

       
436
       
436
       
+
       
	t.Logf("✅ Auth request saved")

     

       
437
       
437
       
+
       


     

       
438
       
438
       
+
       
	// Retrieve auth request

     

       
439
       
439
       
+
       
	retrieved, err := store.GetAuthRequestInfo(ctx, authRequest.State)

     

       
440
       
440
       
+
       
	require.NoError(t, err, "Should be able to retrieve auth request")

     

       
441
       
441
       
+
       
	assert.Equal(t, authRequest.State, retrieved.State, "State should match")

     

       
442
       
442
       
+
       
	assert.Equal(t, authRequest.PKCEVerifier, retrieved.PKCEVerifier, "PKCE verifier should match")

     

       
443
       
443
       
+
       
	assert.Equal(t, authRequest.AuthServerURL, retrieved.AuthServerURL, "Auth server URL should match")

     

       
444
       
444
       
+
       
	assert.Equal(t, len(authRequest.Scopes), len(retrieved.Scopes), "Scopes length should match")

     

       
445
       
445
       
+
       


     

       
446
       
446
       
+
       
	t.Logf("✅ Auth request retrieved and verified")

     

       
447
       
447
       
+
       


     

       
448
       
448
       
+
       
	// Test duplicate state error

     

       
449
       
449
       
+
       
	err = store.SaveAuthRequestInfo(ctx, authRequest)

     

       
450
       
450
       
+
       
	assert.Error(t, err, "Should not allow duplicate state")

     

       
451
       
451
       
+
       
	assert.Contains(t, err.Error(), "already exists", "Error should indicate duplicate")

     

       
452
       
452
       
+
       


     

       
453
       
453
       
+
       
	t.Logf("✅ Duplicate state prevention verified")

     

       
454
       
454
       
+
       


     

       
455
       
455
       
+
       
	// Delete auth request

     

       
456
       
456
       
+
       
	err = store.DeleteAuthRequestInfo(ctx, authRequest.State)

     

       
457
       
457
       
+
       
	require.NoError(t, err, "Should be able to delete auth request")

     

       
458
       
458
       
+
       


     

       
459
       
459
       
+
       
	// Verify deletion

     

       
460
       
460
       
+
       
	_, err = store.GetAuthRequestInfo(ctx, authRequest.State)

     

       
461
       
461
       
+
       
	assert.Equal(t, oauth.ErrAuthRequestNotFound, err, "Auth request should be deleted")

     

       
462
       
462
       
+
       


     

       
463
       
463
       
+
       
	t.Logf("✅ Auth request deletion verified")

     

       
464
       
464
       
+
       


     

       
465
       
465
       
+
       
	// Test cleanup of expired auth requests

     

       
466
       
466
       
+
       
	// Create an auth request and manually set created_at to the past

     

       
467
       
467
       
+
       
	oldAuthRequest := oauthlib.AuthRequestData{

     

       
468
       
468
       
+
       
		State:         "old-state-12345",

     

       
469
       
469
       
+
       
		PKCEVerifier:  "old-verifier",

     

       
470
       
470
       
+
       
		AuthServerURL: "http://localhost:3001",

     

       
471
       
471
       
+
       
		Scopes:        []string{"atproto"},

     

       
472
       
472
       
+
       
	}

     

       
473
       
473
       
+
       


     

       
474
       
474
       
+
       
	err = store.SaveAuthRequestInfo(ctx, oldAuthRequest)

     

       
475
       
475
       
+
       
	require.NoError(t, err)

     

       
476
       
476
       
+
       


     

       
477
       
477
       
+
       
	// Update created_at to 1 hour ago

     

       
478
       
478
       
+
       
	_, err = db.ExecContext(ctx,

     

       
479
       
479
       
+
       
		"UPDATE oauth_requests SET created_at = NOW() - INTERVAL '1 hour' WHERE state = $1",

     

       
480
       
480
       
+
       
		oldAuthRequest.State)

     

       
481
       
481
       
+
       
	require.NoError(t, err)

     

       
482
       
482
       
+
       


     

       
483
       
483
       
+
       
	// Cleanup expired requests

     

       
484
       
484
       
+
       
	cleaned, err := store.(*oauth.PostgresOAuthStore).CleanupExpiredAuthRequests(ctx)

     

       
485
       
485
       
+
       
	require.NoError(t, err, "Cleanup should succeed")

     

       
486
       
486
       
+
       
	assert.Greater(t, cleaned, int64(0), "Should have cleaned up at least one auth request")

     

       
487
       
487
       
+
       


     

       
488
       
488
       
+
       
	t.Logf("✅ Expired auth request cleanup verified (cleaned %d requests)", cleaned)

     

       
489
       
489
       
+
       
}

     

       
490
       
490
       
+
       


     

       
491
       
491
       
+
       
// TestOAuthE2E_TokenRefresh tests the refresh token flow

     

       
492
       
492
       
+
       
func TestOAuthE2E_TokenRefresh(t *testing.T) {

     

       
493
       
493
       
+
       
	if testing.Short() {

     

       
494
       
494
       
+
       
		t.Skip("Skipping OAuth token refresh test in short mode")

     

       
495
       
495
       
+
       
	}

     

       
496
       
496
       
+
       


     

       
497
       
497
       
+
       
	db := setupTestDB(t)

     

       
498
       
498
       
+
       
	defer func() { _ = db.Close() }()

     

       
499
       
499
       
+
       


     

       
500
       
500
       
+
       
	// Run migrations

     

       
501
       
501
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
502
       
502
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
503
       
503
       
+
       


     

       
504
       
504
       
+
       
	ctx := context.Background()

     

       
505
       
505
       
+
       


     

       
506
       
506
       
+
       
	t.Log("🔄 Testing OAuth token refresh flow...")

     

       
507
       
507
       
+
       


     

       
508
       
508
       
+
       
	// Setup OAuth client and store

     

       
509
       
509
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
510
       
510
       
+
       
	client := SetupOAuthTestClient(t, store)

     

       
511
       
511
       
+
       
	handler := oauth.NewOAuthHandler(client, store)

     

       
512
       
512
       
+
       


     

       
513
       
513
       
+
       
	// Create a test DID and session

     

       
514
       
514
       
+
       
	did, err := syntax.ParseDID("did:plc:refreshtest123")

     

       
515
       
515
       
+
       
	require.NoError(t, err)

     

       
516
       
516
       
+
       


     

       
517
       
517
       
+
       
	// Create initial session with refresh token

     

       
518
       
518
       
+
       
	initialSession := oauthlib.ClientSessionData{

     

       
519
       
519
       
+
       
		AccountDID:                   did,

     

       
520
       
520
       
+
       
		SessionID:                    "refresh-session-1",

     

       
521
       
521
       
+
       
		HostURL:                      "http://localhost:3001",

     

       
522
       
522
       
+
       
		AuthServerURL:                "http://localhost:3001",

     

       
523
       
523
       
+
       
		AuthServerTokenEndpoint:      "http://localhost:3001/oauth/token",

     

       
524
       
524
       
+
       
		AuthServerRevocationEndpoint: "http://localhost:3001/oauth/revoke",

     

       
525
       
525
       
+
       
		AccessToken:                  "initial-access-token",

     

       
526
       
526
       
+
       
		RefreshToken:                 "initial-refresh-token",

     

       
527
       
527
       
+
       
		DPoPPrivateKeyMultibase:      "test-dpop-key",

     

       
528
       
528
       
+
       
		DPoPAuthServerNonce:          "test-nonce",

     

       
529
       
529
       
+
       
		Scopes:                       []string{"atproto", "transition:generic"},

     

       
530
       
530
       
+
       
	}

     

       
531
       
531
       
+
       


     

       
532
       
532
       
+
       
	// Save the session

     

       
533
       
533
       
+
       
	err = store.SaveSession(ctx, initialSession)

     

       
534
       
534
       
+
       
	require.NoError(t, err, "Should save initial session")

     

       
535
       
535
       
+
       


     

       
536
       
536
       
+
       
	t.Logf("✅ Initial session created")

     

       
537
       
537
       
+
       


     

       
538
       
538
       
+
       
	// Create a sealed token for this session

     

       
539
       
539
       
+
       
	sealedToken, err := client.SealSession(did.String(), initialSession.SessionID, time.Hour)

     

       
540
       
540
       
+
       
	require.NoError(t, err, "Should seal session token")

     

       
541
       
541
       
+
       
	require.NotEmpty(t, sealedToken, "Sealed token should not be empty")

     

       
542
       
542
       
+
       


     

       
543
       
543
       
+
       
	t.Logf("✅ Session token sealed")

     

       
544
       
544
       
+
       


     

       
545
       
545
       
+
       
	// Setup test server with refresh endpoint

     

       
546
       
546
       
+
       
	r := chi.NewRouter()

     

       
547
       
547
       
+
       
	r.Post("/oauth/refresh", handler.HandleRefresh)

     

       
548
       
548
       
+
       


     

       
549
       
549
       
+
       
	server := httptest.NewServer(r)

     

       
550
       
550
       
+
       
	defer server.Close()

     

       
551
       
551
       
+
       


     

       
552
       
552
       
+
       
	t.Run("Valid refresh request", func(t *testing.T) {

     

       
553
       
553
       
+
       
		// NOTE: This test verifies that the refresh endpoint can be called

     

       
554
       
554
       
+
       
		// In a real scenario, the indigo client's RefreshTokens() would call the PDS

     

       
555
       
555
       
+
       
		// Since we're in a component test, we're testing the Coves handler logic

     

       
556
       
556
       
+
       


     

       
557
       
557
       
+
       
		// Create refresh request

     

       
558
       
558
       
+
       
		refreshReq := map[string]interface{}{

     

       
559
       
559
       
+
       
			"did":          did.String(),

     

       
560
       
560
       
+
       
			"session_id":   initialSession.SessionID,

     

       
561
       
561
       
+
       
			"sealed_token": sealedToken,

     

       
562
       
562
       
+
       
		}

     

       
563
       
563
       
+
       


     

       
564
       
564
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
565
       
565
       
+
       
		require.NoError(t, err)

     

       
566
       
566
       
+
       


     

       
567
       
567
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
568
       
568
       
+
       
		require.NoError(t, err)

     

       
569
       
569
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
570
       
570
       
+
       


     

       
571
       
571
       
+
       
		// NOTE: In component testing mode, the indigo client may not have

     

       
572
       
572
       
+
       
		// real PDS credentials, so RefreshTokens() might fail

     

       
573
       
573
       
+
       
		// We're testing that the handler correctly processes the request

     

       
574
       
574
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
575
       
575
       
+
       
		require.NoError(t, err)

     

       
576
       
576
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
577
       
577
       
+
       


     

       
578
       
578
       
+
       
		// In component test mode without real PDS, we may get 401

     

       
579
       
579
       
+
       
		// In production with real PDS, this would return 200 with new tokens

     

       
580
       
580
       
+
       
		t.Logf("Refresh response status: %d", resp.StatusCode)

     

       
581
       
581
       
+
       


     

       
582
       
582
       
+
       
		// The important thing is that the handler doesn't crash

     

       
583
       
583
       
+
       
		// and properly validates the request structure

     

       
584
       
584
       
+
       
		assert.True(t, resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusUnauthorized,

     

       
585
       
585
       
+
       
			"Refresh should return either success or auth failure, got %d", resp.StatusCode)

     

       
586
       
586
       
+
       
	})

     

       
587
       
587
       
+
       


     

       
588
       
588
       
+
       
	t.Run("Invalid DID format (with valid token)", func(t *testing.T) {

     

       
589
       
589
       
+
       
		// Create a sealed token with an invalid DID format

     

       
590
       
590
       
+
       
		invalidDID := "invalid-did-format"

     

       
591
       
591
       
+
       
		// Create the token with a valid DID first, then we'll try to use it with invalid DID in request

     

       
592
       
592
       
+
       
		validToken, err := client.SealSession(did.String(), initialSession.SessionID, 30*24*time.Hour)

     

       
593
       
593
       
+
       
		require.NoError(t, err)

     

       
594
       
594
       
+
       


     

       
595
       
595
       
+
       
		refreshReq := map[string]interface{}{

     

       
596
       
596
       
+
       
			"did":          invalidDID, // Invalid DID format in request

     

       
597
       
597
       
+
       
			"session_id":   initialSession.SessionID,

     

       
598
       
598
       
+
       
			"sealed_token": validToken, // Valid token for different DID

     

       
599
       
599
       
+
       
		}

     

       
600
       
600
       
+
       


     

       
601
       
601
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
602
       
602
       
+
       
		require.NoError(t, err)

     

       
603
       
603
       
+
       


     

       
604
       
604
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
605
       
605
       
+
       
		require.NoError(t, err)

     

       
606
       
606
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
607
       
607
       
+
       


     

       
608
       
608
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
609
       
609
       
+
       
		require.NoError(t, err)

     

       
610
       
610
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
611
       
611
       
+
       


     

       
612
       
612
       
+
       
		// Should reject with 401 due to DID mismatch (not 400) since auth happens first

     

       
613
       
613
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
614
       
614
       
+
       
			"DID mismatch should be rejected with 401 (auth check happens before format validation)")

     

       
615
       
615
       
+
       
	})

     

       
616
       
616
       
+
       


     

       
617
       
617
       
+
       
	t.Run("Missing sealed_token (security test)", func(t *testing.T) {

     

       
618
       
618
       
+
       
		refreshReq := map[string]interface{}{

     

       
619
       
619
       
+
       
			"did":        did.String(),

     

       
620
       
620
       
+
       
			"session_id": initialSession.SessionID,

     

       
621
       
621
       
+
       
			// Missing sealed_token - should be rejected for security

     

       
622
       
622
       
+
       
		}

     

       
623
       
623
       
+
       


     

       
624
       
624
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
625
       
625
       
+
       
		require.NoError(t, err)

     

       
626
       
626
       
+
       


     

       
627
       
627
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
628
       
628
       
+
       
		require.NoError(t, err)

     

       
629
       
629
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
630
       
630
       
+
       


     

       
631
       
631
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
632
       
632
       
+
       
		require.NoError(t, err)

     

       
633
       
633
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
634
       
634
       
+
       


     

       
635
       
635
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
636
       
636
       
+
       
			"Missing sealed_token should be rejected (proof of possession required)")

     

       
637
       
637
       
+
       
	})

     

       
638
       
638
       
+
       


     

       
639
       
639
       
+
       
	t.Run("Invalid sealed_token", func(t *testing.T) {

     

       
640
       
640
       
+
       
		refreshReq := map[string]interface{}{

     

       
641
       
641
       
+
       
			"did":          did.String(),

     

       
642
       
642
       
+
       
			"session_id":   initialSession.SessionID,

     

       
643
       
643
       
+
       
			"sealed_token": "invalid-token-data",

     

       
644
       
644
       
+
       
		}

     

       
645
       
645
       
+
       


     

       
646
       
646
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
647
       
647
       
+
       
		require.NoError(t, err)

     

       
648
       
648
       
+
       


     

       
649
       
649
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
650
       
650
       
+
       
		require.NoError(t, err)

     

       
651
       
651
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
652
       
652
       
+
       


     

       
653
       
653
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
654
       
654
       
+
       
		require.NoError(t, err)

     

       
655
       
655
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
656
       
656
       
+
       


     

       
657
       
657
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
658
       
658
       
+
       
			"Invalid sealed_token should be rejected")

     

       
659
       
659
       
+
       
	})

     

       
660
       
660
       
+
       


     

       
661
       
661
       
+
       
	t.Run("DID mismatch (security test)", func(t *testing.T) {

     

       
662
       
662
       
+
       
		// Create a sealed token for a different DID

     

       
663
       
663
       
+
       
		wrongDID := "did:plc:wronguser123"

     

       
664
       
664
       
+
       
		wrongToken, err := client.SealSession(wrongDID, initialSession.SessionID, 30*24*time.Hour)

     

       
665
       
665
       
+
       
		require.NoError(t, err)

     

       
666
       
666
       
+
       


     

       
667
       
667
       
+
       
		// Try to use it to refresh the original session

     

       
668
       
668
       
+
       
		refreshReq := map[string]interface{}{

     

       
669
       
669
       
+
       
			"did":          did.String(), // Claiming original DID

     

       
670
       
670
       
+
       
			"session_id":   initialSession.SessionID,

     

       
671
       
671
       
+
       
			"sealed_token": wrongToken, // But token is for different DID

     

       
672
       
672
       
+
       
		}

     

       
673
       
673
       
+
       


     

       
674
       
674
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
675
       
675
       
+
       
		require.NoError(t, err)

     

       
676
       
676
       
+
       


     

       
677
       
677
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
678
       
678
       
+
       
		require.NoError(t, err)

     

       
679
       
679
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
680
       
680
       
+
       


     

       
681
       
681
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
682
       
682
       
+
       
		require.NoError(t, err)

     

       
683
       
683
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
684
       
684
       
+
       


     

       
685
       
685
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
686
       
686
       
+
       
			"DID mismatch should be rejected (prevents session hijacking)")

     

       
687
       
687
       
+
       
	})

     

       
688
       
688
       
+
       


     

       
689
       
689
       
+
       
	t.Run("Session ID mismatch (security test)", func(t *testing.T) {

     

       
690
       
690
       
+
       
		// Create a sealed token with wrong session ID

     

       
691
       
691
       
+
       
		wrongSessionID := "wrong-session-id"

     

       
692
       
692
       
+
       
		wrongToken, err := client.SealSession(did.String(), wrongSessionID, 30*24*time.Hour)

     

       
693
       
693
       
+
       
		require.NoError(t, err)

     

       
694
       
694
       
+
       


     

       
695
       
695
       
+
       
		// Try to use it to refresh the original session

     

       
696
       
696
       
+
       
		refreshReq := map[string]interface{}{

     

       
697
       
697
       
+
       
			"did":          did.String(),

     

       
698
       
698
       
+
       
			"session_id":   initialSession.SessionID, // Claiming original session

     

       
699
       
699
       
+
       
			"sealed_token": wrongToken,               // But token is for different session

     

       
700
       
700
       
+
       
		}

     

       
701
       
701
       
+
       


     

       
702
       
702
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
703
       
703
       
+
       
		require.NoError(t, err)

     

       
704
       
704
       
+
       


     

       
705
       
705
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
706
       
706
       
+
       
		require.NoError(t, err)

     

       
707
       
707
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
708
       
708
       
+
       


     

       
709
       
709
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
710
       
710
       
+
       
		require.NoError(t, err)

     

       
711
       
711
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
712
       
712
       
+
       


     

       
713
       
713
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
714
       
714
       
+
       
			"Session ID mismatch should be rejected (prevents session hijacking)")

     

       
715
       
715
       
+
       
	})

     

       
716
       
716
       
+
       


     

       
717
       
717
       
+
       
	t.Run("Non-existent session", func(t *testing.T) {

     

       
718
       
718
       
+
       
		// Create a valid sealed token for a non-existent session

     

       
719
       
719
       
+
       
		nonExistentSessionID := "nonexistent-session-id"

     

       
720
       
720
       
+
       
		validToken, err := client.SealSession(did.String(), nonExistentSessionID, 30*24*time.Hour)

     

       
721
       
721
       
+
       
		require.NoError(t, err)

     

       
722
       
722
       
+
       


     

       
723
       
723
       
+
       
		refreshReq := map[string]interface{}{

     

       
724
       
724
       
+
       
			"did":          did.String(),

     

       
725
       
725
       
+
       
			"session_id":   nonExistentSessionID,

     

       
726
       
726
       
+
       
			"sealed_token": validToken, // Valid token but session doesn't exist

     

       
727
       
727
       
+
       
		}

     

       
728
       
728
       
+
       


     

       
729
       
729
       
+
       
		reqBody, err := json.Marshal(refreshReq)

     

       
730
       
730
       
+
       
		require.NoError(t, err)

     

       
731
       
731
       
+
       


     

       
732
       
732
       
+
       
		req, err := http.NewRequest("POST", server.URL+"/oauth/refresh", strings.NewReader(string(reqBody)))

     

       
733
       
733
       
+
       
		require.NoError(t, err)

     

       
734
       
734
       
+
       
		req.Header.Set("Content-Type", "application/json")

     

       
735
       
735
       
+
       


     

       
736
       
736
       
+
       
		resp, err := http.DefaultClient.Do(req)

     

       
737
       
737
       
+
       
		require.NoError(t, err)

     

       
738
       
738
       
+
       
		defer func() { _ = resp.Body.Close() }()

     

       
739
       
739
       
+
       


     

       
740
       
740
       
+
       
		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode,

     

       
741
       
741
       
+
       
			"Non-existent session should be rejected with 401")

     

       
742
       
742
       
+
       
	})

     

       
743
       
743
       
+
       


     

       
744
       
744
       
+
       
	t.Logf("✅ Token refresh endpoint validation verified")

     

       
745
       
745
       
+
       
}

     

       
746
       
746
       
+
       


     

       
747
       
747
       
+
       
// TestOAuthE2E_SessionUpdate tests that refresh updates the session in database

     

       
748
       
748
       
+
       
func TestOAuthE2E_SessionUpdate(t *testing.T) {

     

       
749
       
749
       
+
       
	if testing.Short() {

     

       
750
       
750
       
+
       
		t.Skip("Skipping OAuth session update test in short mode")

     

       
751
       
751
       
+
       
	}

     

       
752
       
752
       
+
       


     

       
753
       
753
       
+
       
	db := setupTestDB(t)

     

       
754
       
754
       
+
       
	defer func() { _ = db.Close() }()

     

       
755
       
755
       
+
       


     

       
756
       
756
       
+
       
	// Run migrations

     

       
757
       
757
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
758
       
758
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
759
       
759
       
+
       


     

       
760
       
760
       
+
       
	ctx := context.Background()

     

       
761
       
761
       
+
       


     

       
762
       
762
       
+
       
	t.Log("💾 Testing OAuth session update on refresh...")

     

       
763
       
763
       
+
       


     

       
764
       
764
       
+
       
	// Setup OAuth store

     

       
765
       
765
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
766
       
766
       
+
       


     

       
767
       
767
       
+
       
	// Create a test session

     

       
768
       
768
       
+
       
	did, err := syntax.ParseDID("did:plc:sessionupdate123")

     

       
769
       
769
       
+
       
	require.NoError(t, err)

     

       
770
       
770
       
+
       


     

       
771
       
771
       
+
       
	originalSession := oauthlib.ClientSessionData{

     

       
772
       
772
       
+
       
		AccountDID:              did,

     

       
773
       
773
       
+
       
		SessionID:               "update-session-1",

     

       
774
       
774
       
+
       
		HostURL:                 "http://localhost:3001",

     

       
775
       
775
       
+
       
		AuthServerURL:           "http://localhost:3001",

     

       
776
       
776
       
+
       
		AuthServerTokenEndpoint: "http://localhost:3001/oauth/token",

     

       
777
       
777
       
+
       
		AccessToken:             "original-access-token",

     

       
778
       
778
       
+
       
		RefreshToken:            "original-refresh-token",

     

       
779
       
779
       
+
       
		DPoPPrivateKeyMultibase: "original-dpop-key",

     

       
780
       
780
       
+
       
		Scopes:                  []string{"atproto"},

     

       
781
       
781
       
+
       
	}

     

       
782
       
782
       
+
       


     

       
783
       
783
       
+
       
	// Save original session

     

       
784
       
784
       
+
       
	err = store.SaveSession(ctx, originalSession)

     

       
785
       
785
       
+
       
	require.NoError(t, err)

     

       
786
       
786
       
+
       


     

       
787
       
787
       
+
       
	t.Logf("✅ Original session saved")

     

       
788
       
788
       
+
       


     

       
789
       
789
       
+
       
	// Simulate a token refresh by updating the session with new tokens

     

       
790
       
790
       
+
       
	updatedSession := originalSession

     

       
791
       
791
       
+
       
	updatedSession.AccessToken = "new-access-token"

     

       
792
       
792
       
+
       
	updatedSession.RefreshToken = "new-refresh-token"

     

       
793
       
793
       
+
       
	updatedSession.DPoPAuthServerNonce = "new-nonce"

     

       
794
       
794
       
+
       


     

       
795
       
795
       
+
       
	// Update the session (upsert)

     

       
796
       
796
       
+
       
	err = store.SaveSession(ctx, updatedSession)

     

       
797
       
797
       
+
       
	require.NoError(t, err)

     

       
798
       
798
       
+
       


     

       
799
       
799
       
+
       
	t.Logf("✅ Session updated with new tokens")

     

       
800
       
800
       
+
       


     

       
801
       
801
       
+
       
	// Retrieve the session and verify it was updated

     

       
802
       
802
       
+
       
	retrieved, err := store.GetSession(ctx, did, originalSession.SessionID)

     

       
803
       
803
       
+
       
	require.NoError(t, err, "Should retrieve updated session")

     

       
804
       
804
       
+
       


     

       
805
       
805
       
+
       
	assert.Equal(t, "new-access-token", retrieved.AccessToken,

     

       
806
       
806
       
+
       
		"Access token should be updated")

     

       
807
       
807
       
+
       
	assert.Equal(t, "new-refresh-token", retrieved.RefreshToken,

     

       
808
       
808
       
+
       
		"Refresh token should be updated")

     

       
809
       
809
       
+
       
	assert.Equal(t, "new-nonce", retrieved.DPoPAuthServerNonce,

     

       
810
       
810
       
+
       
		"DPoP nonce should be updated")

     

       
811
       
811
       
+
       


     

       
812
       
812
       
+
       
	// Verify session ID and DID remain the same

     

       
813
       
813
       
+
       
	assert.Equal(t, originalSession.SessionID, retrieved.SessionID,

     

       
814
       
814
       
+
       
		"Session ID should remain the same")

     

       
815
       
815
       
+
       
	assert.Equal(t, did, retrieved.AccountDID,

     

       
816
       
816
       
+
       
		"DID should remain the same")

     

       
817
       
817
       
+
       


     

       
818
       
818
       
+
       
	t.Logf("✅ Session update verified - tokens refreshed in database")

     

       
819
       
819
       
+
       


     

       
820
       
820
       
+
       
	// Verify updated_at was changed

     

       
821
       
821
       
+
       
	var updatedAt time.Time

     

       
822
       
822
       
+
       
	err = db.QueryRowContext(ctx,

     

       
823
       
823
       
+
       
		"SELECT updated_at FROM oauth_sessions WHERE did = $1 AND session_id = $2",

     

       
824
       
824
       
+
       
		did.String(), originalSession.SessionID).Scan(&updatedAt)

     

       
825
       
825
       
+
       
	require.NoError(t, err)

     

       
826
       
826
       
+
       


     

       
827
       
827
       
+
       
	// Updated timestamp should be recent (within last minute)

     

       
828
       
828
       
+
       
	assert.WithinDuration(t, time.Now(), updatedAt, time.Minute,

     

       
829
       
829
       
+
       
		"Session updated_at should be recent")

     

       
830
       
830
       
+
       


     

       
831
       
831
       
+
       
	t.Logf("✅ Session timestamp update verified")

     

       
832
       
832
       
+
       
}

     

       
833
       
833
       
+
       


     

       
834
       
834
       
+
       
// TestOAuthE2E_RefreshTokenRotation tests refresh token rotation behavior

     

       
835
       
835
       
+
       
func TestOAuthE2E_RefreshTokenRotation(t *testing.T) {

     

       
836
       
836
       
+
       
	if testing.Short() {

     

       
837
       
837
       
+
       
		t.Skip("Skipping OAuth refresh token rotation test in short mode")

     

       
838
       
838
       
+
       
	}

     

       
839
       
839
       
+
       


     

       
840
       
840
       
+
       
	db := setupTestDB(t)

     

       
841
       
841
       
+
       
	defer func() { _ = db.Close() }()

     

       
842
       
842
       
+
       


     

       
843
       
843
       
+
       
	// Run migrations

     

       
844
       
844
       
+
       
	require.NoError(t, goose.SetDialect("postgres"))

     

       
845
       
845
       
+
       
	require.NoError(t, goose.Up(db, "../../internal/db/migrations"))

     

       
846
       
846
       
+
       


     

       
847
       
847
       
+
       
	ctx := context.Background()

     

       
848
       
848
       
+
       


     

       
849
       
849
       
+
       
	t.Log("🔄 Testing OAuth refresh token rotation...")

     

       
850
       
850
       
+
       


     

       
851
       
851
       
+
       
	// Setup OAuth store

     

       
852
       
852
       
+
       
	store := SetupOAuthTestStore(t, db)

     

       
853
       
853
       
+
       


     

       
854
       
854
       
+
       
	// Create a test session

     

       
855
       
855
       
+
       
	did, err := syntax.ParseDID("did:plc:rotation123")

     

       
856
       
856
       
+
       
	require.NoError(t, err)

     

       
857
       
857
       
+
       


     

       
858
       
858
       
+
       
	// Simulate multiple refresh cycles

     

       
859
       
859
       
+
       
	sessionID := "rotation-session-1"

     

       
860
       
860
       
+
       
	tokens := []struct {

     

       
861
       
861
       
+
       
		access  string

     

       
862
       
862
       
+
       
		refresh string

     

       
863
       
863
       
+
       
	}{

     

       
864
       
864
       
+
       
		{"access-token-v1", "refresh-token-v1"},

     

       
865
       
865
       
+
       
		{"access-token-v2", "refresh-token-v2"},

     

       
866
       
866
       
+
       
		{"access-token-v3", "refresh-token-v3"},

     

       
867
       
867
       
+
       
	}

     

       
868
       
868
       
+
       


     

       
869
       
869
       
+
       
	for i, tokenPair := range tokens {

     

       
870
       
870
       
+
       
		session := oauthlib.ClientSessionData{

     

       
871
       
871
       
+
       
			AccountDID:              did,

     

       
872
       
872
       
+
       
			SessionID:               sessionID,

     

       
873
       
873
       
+
       
			HostURL:                 "http://localhost:3001",

     

       
874
       
874
       
+
       
			AuthServerURL:           "http://localhost:3001",

     

       
875
       
875
       
+
       
			AuthServerTokenEndpoint: "http://localhost:3001/oauth/token",

     

       
876
       
876
       
+
       
			AccessToken:             tokenPair.access,

     

       
877
       
877
       
+
       
			RefreshToken:            tokenPair.refresh,

     

       
878
       
878
       
+
       
			Scopes:                  []string{"atproto"},

     

       
879
       
879
       
+
       
		}

     

       
880
       
880
       
+
       


     

       
881
       
881
       
+
       
		// Save/update session

     

       
882
       
882
       
+
       
		err = store.SaveSession(ctx, session)

     

       
883
       
883
       
+
       
		require.NoError(t, err, "Should save session iteration %d", i+1)

     

       
884
       
884
       
+
       


     

       
885
       
885
       
+
       
		// Retrieve and verify

     

       
886
       
886
       
+
       
		retrieved, err := store.GetSession(ctx, did, sessionID)

     

       
887
       
887
       
+
       
		require.NoError(t, err, "Should retrieve session iteration %d", i+1)

     

       
888
       
888
       
+
       


     

       
889
       
889
       
+
       
		assert.Equal(t, tokenPair.access, retrieved.AccessToken,

     

       
890
       
890
       
+
       
			"Access token should match iteration %d", i+1)

     

       
891
       
891
       
+
       
		assert.Equal(t, tokenPair.refresh, retrieved.RefreshToken,

     

       
892
       
892
       
+
       
			"Refresh token should match iteration %d", i+1)

     

       
893
       
893
       
+
       


     

       
894
       
894
       
+
       
		// Small delay to ensure timestamp differences

     

       
895
       
895
       
+
       
		time.Sleep(10 * time.Millisecond)

     

       
896
       
896
       
+
       
	}

     

       
897
       
897
       
+
       


     

       
898
       
898
       
+
       
	t.Logf("✅ Refresh token rotation verified through %d cycles", len(tokens))

     

       
899
       
899
       
+
       


     

       
900
       
900
       
+
       
	// Verify final state

     

       
901
       
901
       
+
       
	finalSession, err := store.GetSession(ctx, did, sessionID)

     

       
902
       
902
       
+
       
	require.NoError(t, err)

     

       
903
       
903
       
+
       


     

       
904
       
904
       
+
       
	assert.Equal(t, "access-token-v3", finalSession.AccessToken,

     

       
905
       
905
       
+
       
		"Final access token should be from last rotation")

     

       
906
       
906
       
+
       
	assert.Equal(t, "refresh-token-v3", finalSession.RefreshToken,

     

       
907
       
907
       
+
       
		"Final refresh token should be from last rotation")

     

       
908
       
908
       
+
       


     

       
909
       
909
       
+
       
	t.Logf("✅ Token rotation state verified")

     

       
910
       
910
       
+
       
}