fix(auth): harden pending oauth and backend mode flows

2026-04-22 12:30:00 +08:00
parent 1ffebbb568
commit 767f2f2dfe
12 changed files with 568 additions and 44 deletions
--- a/backend/internal/handler/auth_oauth_logout_test.go
+++ b/backend/internal/handler/auth_oauth_logout_test.go
@@ -0,0 +1,68 @@
+package handler
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/ent/pendingauthsession"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLogoutClearsOAuthStateCookiesAndConsumesPendingSession(t *testing.T) {
+	handler, client := newOAuthPendingFlowTestHandler(t, false)
+	ctx := context.Background()
+
+	session, err := client.PendingAuthSession.Create().
+		SetSessionToken("logout-pending-session-token").
+		SetIntent("login").
+		SetProviderType("oidc").
+		SetProviderKey("https://issuer.example").
+		SetProviderSubject("logout-subject-123").
+		SetBrowserSessionKey("logout-browser-session-key").
+		SetResolvedEmail("logout@example.com").
+		SetExpiresAt(time.Now().UTC().Add(10 * time.Minute)).
+		Save(ctx)
+	require.NoError(t, err)
+
+	recorder := httptest.NewRecorder()
+	ginCtx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/logout", nil)
+	req.AddCookie(&http.Cookie{Name: oauthPendingSessionCookieName, Value: encodeCookieValue(session.SessionToken)})
+	req.AddCookie(&http.Cookie{Name: oauthPendingBrowserCookieName, Value: encodeCookieValue("logout-browser-session-key")})
+	req.AddCookie(&http.Cookie{Name: oauthBindAccessTokenCookieName, Value: "bind-access-token"})
+	req.AddCookie(&http.Cookie{Name: linuxDoOAuthStateCookieName, Value: encodeCookieValue("linuxdo-state")})
+	req.AddCookie(&http.Cookie{Name: oidcOAuthStateCookieName, Value: encodeCookieValue("oidc-state")})
+	req.AddCookie(&http.Cookie{Name: wechatOAuthStateCookieName, Value: encodeCookieValue("wechat-state")})
+	req.AddCookie(&http.Cookie{Name: wechatPaymentOAuthStateName, Value: encodeCookieValue("wechat-payment-state")})
+	ginCtx.Request = req
+
+	handler.Logout(ginCtx)
+
+	require.Equal(t, http.StatusOK, recorder.Code)
+
+	cookies := recorder.Result().Cookies()
+	for _, name := range []string{
+		oauthPendingSessionCookieName,
+		oauthPendingBrowserCookieName,
+		oauthBindAccessTokenCookieName,
+		linuxDoOAuthStateCookieName,
+		oidcOAuthStateCookieName,
+		wechatOAuthStateCookieName,
+		wechatPaymentOAuthStateName,
+	} {
+		cookie := findCookie(cookies, name)
+		require.NotNil(t, cookie, name)
+		require.Equal(t, -1, cookie.MaxAge, name)
+		require.True(t, cookie.HttpOnly, name)
+	}
+
+	storedSession, err := client.PendingAuthSession.Query().
+		Where(pendingauthsession.IDEQ(session.ID)).
+		Only(ctx)
+	require.NoError(t, err)
+	require.NotNil(t, storedSession.ConsumedAt)
+}