chore: return failed refresh errors on external auth as string (was boolean) (#13402)

* chore: return failed refresh errors on external auth

Failed refreshes should return errors. These errors are captured
as validate errors.
Steven Masley
2024-06-03 09:33:49 -05:00
committed by GitHub
parent bf98b0dfe4
commit 24ba81930b
6 changed files with 68 additions and 52 deletions


@ -59,9 +59,10 @@ func TestRefreshToken(t *testing.T) {
// Expire the link
link.OAuthExpiry = expired
_, refreshed, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.False(t, refreshed)
_, err := config.RefreshToken(ctx, nil, link)
require.Error(t, err)
require.True(t, externalauth.IsInvalidTokenError(err))
require.Contains(t, err.Error(), "refreshing is disabled")
})
// NoRefreshNoExpiry tests that an oauth token without an expiry is always valid.
@ -90,9 +91,8 @@ func TestRefreshToken(t *testing.T) {
// Zero time used
link.OAuthExpiry = time.Time{}
_, refreshed, err := config.RefreshToken(ctx, nil, link)
_, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.True(t, refreshed, "token without expiry is always valid")
require.True(t, validated, "token should have been validated")
})
@ -105,11 +105,12 @@ func TestRefreshToken(t *testing.T) {
},
},
}
_, refreshed, err := config.RefreshToken(context.Background(), nil, database.ExternalAuthLink{
_, err := config.RefreshToken(context.Background(), nil, database.ExternalAuthLink{
OAuthExpiry: expired,
})
require.NoError(t, err)
require.False(t, refreshed)
require.Error(t, err)
require.True(t, externalauth.IsInvalidTokenError(err))
require.Contains(t, err.Error(), "failure")
})
t.Run("ValidateServerError", func(t *testing.T) {
@ -131,8 +132,12 @@ func TestRefreshToken(t *testing.T) {
ctx := oidc.ClientContext(context.Background(), fake.HTTPClient(nil))
link.OAuthExpiry = expired
_, _, err := config.RefreshToken(ctx, nil, link)
_, err := config.RefreshToken(ctx, nil, link)
require.ErrorContains(t, err, staticError)
// Unsure if this should be the correct behavior. It's an invalid token because
// 'ValidateToken()' failed with a runtime error. This was the previous behavior,
// so not going to change it.
require.False(t, externalauth.IsInvalidTokenError(err))
require.True(t, validated, "token should have been attempted to be validated")
})
@ -156,9 +161,9 @@ func TestRefreshToken(t *testing.T) {
ctx := oidc.ClientContext(context.Background(), fake.HTTPClient(nil))
link.OAuthExpiry = expired
_, refreshed, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err, staticError)
require.False(t, refreshed)
_, err := config.RefreshToken(ctx, nil, link)
require.ErrorContains(t, err, "token failed to validate")
require.True(t, externalauth.IsInvalidTokenError(err))
require.True(t, validated, "token should have been attempted to be validated")
})
@ -191,9 +196,8 @@ func TestRefreshToken(t *testing.T) {
// Unlimited lifetime, this is what GitHub returns tokens as
link.OAuthExpiry = time.Time{}
_, ok, err := config.RefreshToken(ctx, nil, link)
_, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.True(t, ok)
require.Equal(t, 2, validateCalls, "token should have been attempted to be validated more than once")
})
@ -219,9 +223,8 @@ func TestRefreshToken(t *testing.T) {
ctx := oidc.ClientContext(context.Background(), fake.HTTPClient(nil))
_, ok, err := config.RefreshToken(ctx, nil, link)
_, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.True(t, ok)
require.Equal(t, 1, validateCalls, "token is validated")
})
@ -253,9 +256,8 @@ func TestRefreshToken(t *testing.T) {
// Force a refresh
link.OAuthExpiry = expired
updated, ok, err := config.RefreshToken(ctx, db, link)
updated, err := config.RefreshToken(ctx, db, link)
require.NoError(t, err)
require.True(t, ok)
require.Equal(t, 1, validateCalls, "token is validated")
require.Equal(t, 1, refreshCalls, "token is refreshed")
require.NotEqualf(t, link.OAuthAccessToken, updated.OAuthAccessToken, "token is updated")
@ -292,9 +294,9 @@ func TestRefreshToken(t *testing.T) {
// Force a refresh
link.OAuthExpiry = expired
updated, ok, err := config.RefreshToken(ctx, db, link)
updated, err := config.RefreshToken(ctx, db, link)
require.NoError(t, err)
require.True(t, ok)
require.True(t, updated.OAuthExtra.Valid)
extra := map[string]interface{}{}
require.NoError(t, json.Unmarshal(updated.OAuthExtra.RawMessage, &extra))
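Review bot: The comment in the ValidateServerError case, above `require.False(t, externalauth.IsInvalidTokenError(err))`, calls the token invalid while the assertion pins the opposite classification, so the contract callers should rely on is unclear. With the boolean result gone, a caller that branches only on `IsInvalidTokenError` must still refuse to use the token on every other non-nil error; the callers are not visible here, so this is worth confirming. I would replace the comment with `// A runtime failure of the validate endpoint is not classified as an invalid token; callers must still treat any non-nil error as "do not use this token".` Separately, `require.Contains(t, err.Error(), "failure")` matches a very generic word and would pass on most error texts, so a more specific substring would pin the refresh-failure path better. TestRefreshToken's body extends beyond the hunks shown.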