keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust/kei-auth-google/tests/google_smoke.rs
Parfii-bot a2b4dd6d66 fix(auth): SecretString redacted Serialize + PKCE verifier wired 
Two findings from KeiSeiKit2.0 pr-review (~/Projects/KeiSeiKit2.0/skills/pr-review)
applied to commit range b346250..HEAD.

1. BLOCKER — SecretString silently leaked plaintext via Serialize.

   File: _primitives/_rust/kei-runtime-core/src/secrets.rs
   Was: derive(Serialize) + serde(transparent) -> serde_json::to_string(&secret)
        emitted the raw plaintext in any parent struct with #[derive(Serialize)].
        Debug was redacted but Serialize was not. Defeated the type's purpose.
   Now: manual Serialize impl always emits literal "<redacted>". Deserialize
        derive kept (callers need to read secrets from config/env).
        Test serialize_emits_redacted_literal asserts JSON output is "\"<redacted>\"".

2. WARNING — PKCE code_verifier dropped before token exchange.

   build_auth_url generated code_challenge = SHA256(verifier) but verify() never
   threaded the verifier to the token endpoint. Token exchange submitted no
   code_verifier, defeating the PKCE protection.

   Files:
   - _primitives/_rust/kei-runtime-core/src/traits/auth.rs:
     AuthChallenge::OAuthCode now carries code_verifier: Option<String>.
     Caller stores verifier alongside state in their session-store, exactly as
     they already store state for CSRF check.
   - _primitives/_rust/kei-auth-google/src/provider.rs:
     verify() destructures code_verifier and passes to client.exchange_code(...).
   - _primitives/_rust/kei-auth-apple/src/provider.rs:
     same change.

   Tests added (wiremock body assertions):
   - google_smoke / apple_smoke: assert exchange request body contains
     code_verifier=<value> when challenge carried Some(verifier).
   - existing tests updated to construct OAuthCode { ..., code_verifier: None }.

Test split (Constructor Pattern 200 LOC):
   - apple_smoke.rs grew over 200 LOC after PKCE test addition. Split into
     apple_smoke.rs (provider tests) + apple_client_smoke.rs (client tests).
   - same for google_smoke.rs / google_client_smoke.rs.

Test results: 31 passed; 0 failed across kei-auth, kei-auth-apple, kei-auth-google,
kei-runtime-core unit + integration tests. cargo check --workspace clean.

Breaking change: any caller that constructs AuthChallenge::OAuthCode outside this
workspace must add code_verifier field (None for legacy no-PKCE; Some for PKCE).
Compile-time surfaced gap, not runtime regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:49:10 +08:00

151 lines
5 KiB
Rust
Raw Blame History

// SPDX-License-Identifier: Apache-2.0
// Copyright 2026 <author org>
//!
//! Wiremock smoke tests for `GoogleAuthProvider`. No live HTTP.
use kei_auth_google::{GoogleAuthClient, GoogleAuthProvider};
use kei_runtime_core::traits::auth::{AuthChallenge, AuthProvider};
use serde_json::json;
use wiremock::matchers::{body_string_contains, header, method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};
fn client_for(server: &MockServer) -> GoogleAuthClient {
GoogleAuthClient::with_urls(
format!("{}/token", server.uri()),
format!("{}/userinfo", server.uri()),
"client-id-xyz",
"client-secret-xyz",
"https://example.com/cb",
)
.unwrap()
}
#[tokio::test]
async fn verify_end_to_end_builds_auth_session() {
let server = MockServer::start().await;
Mock::given(method("POST"))
.and(path("/token"))
.respond_with(ResponseTemplate::new(200).set_body_json(json!({
"access_token": "tok",
"expires_in": 1800,
"id_token": null
})))
.expect(1)
.mount(&server)
.await;
Mock::given(method("GET"))
.and(path("/userinfo"))
.and(header("authorization", "Bearer tok"))
.respond_with(ResponseTemplate::new(200).set_body_json(json!({
"sub": "999",
"email": "bob@example.com",
"name": "Bob"
})))
.expect(1)
.mount(&server)
.await;
let client = client_for(&server);
let provider = GoogleAuthProvider::new(client, None).unwrap();
let challenge = AuthChallenge::OAuthCode {
provider: "google".into(),
code: "code-xyz".into(),
state: "csrf-state-xyz".into(),
expected_state: "csrf-state-xyz".into(),
code_verifier: None,
};
let session = provider.verify(&challenge).await.unwrap();
assert_eq!(session.user_id, "bob@example.com");
assert_eq!(session.dna.role(), "session");
assert!(session.dna.caps().contains("UI"));
assert_eq!(session.parent_dna.role(), "primitive");
assert!(session.parent_dna.caps().contains("GO"));
assert!(session.expires_unix_ms > 0);
}
#[tokio::test]
async fn issue_challenge_rejects_non_oauth() {
let client = GoogleAuthClient::with_urls(
"http://t/x", "http://u/x", "cid", "secret", "http://r/cb",
).unwrap();
let provider = GoogleAuthProvider::new(client, None).unwrap();
let challenge = AuthChallenge::MagicLink { email: "a@b.c".into() };
assert!(provider.issue_challenge(&challenge).await.is_err());
}
#[tokio::test]
async fn verify_rejects_wrong_provider() {
let client = GoogleAuthClient::with_urls(
"http://t/x", "http://u/x", "cid", "secret", "http://r/cb",
).unwrap();
let provider = GoogleAuthProvider::new(client, None).unwrap();
let challenge = AuthChallenge::OAuthCode {
provider: "github".into(),
code: "x".into(),
state: "y".into(),
expected_state: "y".into(),
code_verifier: None,
};
assert!(provider.verify(&challenge).await.is_err());
}
#[tokio::test]
async fn verify_rejects_csrf_state_mismatch() {
let server = MockServer::start().await;
let client = GoogleAuthClient::with_urls(
format!("{}/token", server.uri()),
format!("{}/userinfo", server.uri()),
"cid", "secret", "https://example.com/cb",
).unwrap();
let provider = GoogleAuthProvider::new(client, None).unwrap();
let challenge = AuthChallenge::OAuthCode {
provider: "google".into(),
code: "code".into(),
state: "got-this-state".into(),
expected_state: "expected-state".into(),
code_verifier: None,
};
let err = provider.verify(&challenge).await.unwrap_err();
assert!(
format!("{err}").contains("CSRF"),
"expected CSRF error, got: {err}"
);
}
#[tokio::test]
async fn verify_sends_code_verifier_when_challenge_carries_some() {
let server = MockServer::start().await;
Mock::given(method("POST"))
.and(path("/token"))
.and(body_string_contains("code_verifier=my-pkce-verifier"))
.respond_with(ResponseTemplate::new(200).set_body_json(json!({
"access_token": "tok-pkce",
"expires_in": 900,
"id_token": null
})))
.expect(1)
.mount(&server)
.await;
Mock::given(method("GET"))
.and(path("/userinfo"))
.respond_with(ResponseTemplate::new(200).set_body_json(json!({
"sub": "pkce-sub",
"email": "pkce@example.com",
"name": "PKCE"
})))
.expect(1)
.mount(&server)
.await;
let client = client_for(&server);
let provider = GoogleAuthProvider::new(client, None).unwrap();
let challenge = AuthChallenge::OAuthCode {
provider: "google".into(),
code: "code-pkce".into(),
state: "st".into(),
expected_state: "st".into(),
code_verifier: Some("my-pkce-verifier".into()),
};
let session = provider.verify(&challenge).await.unwrap();
assert_eq!(session.user_id, "pkce@example.com");
}
Reference in a new issue View git blame Copy permalink