keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust/kei-auth-apple/tests
History
Parfii-bot a2b4dd6d66 fix(auth): SecretString redacted Serialize + PKCE verifier wired 
Two findings from KeiSeiKit2.0 pr-review (~/Projects/KeiSeiKit2.0/skills/pr-review)
applied to commit range b346250..HEAD.

1. BLOCKER — SecretString silently leaked plaintext via Serialize.

   File: _primitives/_rust/kei-runtime-core/src/secrets.rs
   Was: derive(Serialize) + serde(transparent) -> serde_json::to_string(&secret)
        emitted the raw plaintext in any parent struct with #[derive(Serialize)].
        Debug was redacted but Serialize was not. Defeated the type's purpose.
   Now: manual Serialize impl always emits literal "<redacted>". Deserialize
        derive kept (callers need to read secrets from config/env).
        Test serialize_emits_redacted_literal asserts JSON output is "\"<redacted>\"".

2. WARNING — PKCE code_verifier dropped before token exchange.

   build_auth_url generated code_challenge = SHA256(verifier) but verify() never
   threaded the verifier to the token endpoint. Token exchange submitted no
   code_verifier, defeating the PKCE protection.

   Files:
   - _primitives/_rust/kei-runtime-core/src/traits/auth.rs:
     AuthChallenge::OAuthCode now carries code_verifier: Option<String>.
     Caller stores verifier alongside state in their session-store, exactly as
     they already store state for CSRF check.
   - _primitives/_rust/kei-auth-google/src/provider.rs:
     verify() destructures code_verifier and passes to client.exchange_code(...).
   - _primitives/_rust/kei-auth-apple/src/provider.rs:
     same change.

   Tests added (wiremock body assertions):
   - google_smoke / apple_smoke: assert exchange request body contains
     code_verifier=<value> when challenge carried Some(verifier).
   - existing tests updated to construct OAuthCode { ..., code_verifier: None }.

Test split (Constructor Pattern 200 LOC):
   - apple_smoke.rs grew over 200 LOC after PKCE test addition. Split into
     apple_smoke.rs (provider tests) + apple_client_smoke.rs (client tests).
   - same for google_smoke.rs / google_client_smoke.rs.

Test results: 31 passed; 0 failed across kei-auth, kei-auth-apple, kei-auth-google,
kei-runtime-core unit + integration tests. cargo check --workspace clean.

Breaking change: any caller that constructs AuthChallenge::OAuthCode outside this
workspace must add code_verifier field (None for legacy no-PKCE; Some for PKCE).
Compile-time surfaced gap, not runtime regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:49:10 +08:00
..
helpers feat(auth): JWT verification + OAuth CSRF + PKCE + secret redaction 2026-05-02 21:39:18 +08:00
apple_client_smoke.rs fix(auth): SecretString redacted Serialize + PKCE verifier wired 2026-05-02 23:49:10 +08:00
apple_smoke.rs fix(auth): SecretString redacted Serialize + PKCE verifier wired 2026-05-02 23:49:10 +08:00