Add SSO authorization code flow (Phase 1)
MCIAS now acts as an SSO provider for downstream services. Services redirect users to /sso/authorize, MCIAS handles login (password, TOTP, or passkey), then redirects back with an authorization code that the service exchanges for a JWT via POST /v1/sso/token. - Add SSO client registry to config (client_id, redirect_uri, service_name, tags) with validation - Add internal/sso package: authorization code and session stores using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines - Add GET /sso/authorize endpoint (validates client, creates session, redirects to /login?sso=<nonce>) - Add POST /v1/sso/token endpoint (exchanges code for JWT with policy evaluation using client's service_name/tags from config) - Thread SSO nonce through password→TOTP and WebAuthn login flows - Update login.html, totp_step.html, and webauthn.js for SSO nonce passthrough Security: - Authorization codes are 256-bit random, single-use, 60-second TTL - redirect_uri validated as exact match against registered config - Policy context comes from MCIAS config, not the calling service - SSO sessions are server-side only; nonce is the sole client-visible value - WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
132
internal/sso/store_test.go
Normal file
132
internal/sso/store_test.go
Normal file
@@ -0,0 +1,132 @@
|
||||
package sso
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestStoreAndConsume(t *testing.T) {
|
||||
code, err := Store("mcr", "https://mcr.example.com/cb", "state123", 42)
|
||||
if err != nil {
|
||||
t.Fatalf("Store: %v", err)
|
||||
}
|
||||
if code == "" {
|
||||
t.Fatal("Store returned empty code")
|
||||
}
|
||||
|
||||
ac, ok := Consume(code)
|
||||
if !ok {
|
||||
t.Fatal("Consume returned false for valid code")
|
||||
}
|
||||
if ac.ClientID != "mcr" {
|
||||
t.Errorf("ClientID = %q, want %q", ac.ClientID, "mcr")
|
||||
}
|
||||
if ac.RedirectURI != "https://mcr.example.com/cb" {
|
||||
t.Errorf("RedirectURI = %q", ac.RedirectURI)
|
||||
}
|
||||
if ac.State != "state123" {
|
||||
t.Errorf("State = %q", ac.State)
|
||||
}
|
||||
if ac.AccountID != 42 {
|
||||
t.Errorf("AccountID = %d, want 42", ac.AccountID)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsumeSingleUse(t *testing.T) {
|
||||
code, err := Store("mcr", "https://mcr.example.com/cb", "s", 1)
|
||||
if err != nil {
|
||||
t.Fatalf("Store: %v", err)
|
||||
}
|
||||
|
||||
if _, ok := Consume(code); !ok {
|
||||
t.Fatal("first Consume should succeed")
|
||||
}
|
||||
if _, ok := Consume(code); ok {
|
||||
t.Error("second Consume should fail (single-use)")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsumeUnknownCode(t *testing.T) {
|
||||
if _, ok := Consume("nonexistent"); ok {
|
||||
t.Error("Consume should fail for unknown code")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsumeExpiredCode(t *testing.T) {
|
||||
code, err := Store("mcr", "https://mcr.example.com/cb", "s", 1)
|
||||
if err != nil {
|
||||
t.Fatalf("Store: %v", err)
|
||||
}
|
||||
|
||||
// Manually expire the code.
|
||||
v, loaded := pendingCodes.Load(code)
|
||||
if !loaded {
|
||||
t.Fatal("code not found in pendingCodes")
|
||||
}
|
||||
ac, ok := v.(*AuthCode)
|
||||
if !ok {
|
||||
t.Fatal("unexpected type in pendingCodes")
|
||||
}
|
||||
ac.ExpiresAt = time.Now().Add(-1 * time.Second)
|
||||
|
||||
if _, ok := Consume(code); ok {
|
||||
t.Error("Consume should fail for expired code")
|
||||
}
|
||||
}
|
||||
|
||||
func TestStoreSessionAndConsume(t *testing.T) {
|
||||
nonce, err := StoreSession("mcr", "https://mcr.example.com/cb", "state456")
|
||||
if err != nil {
|
||||
t.Fatalf("StoreSession: %v", err)
|
||||
}
|
||||
if nonce == "" {
|
||||
t.Fatal("StoreSession returned empty nonce")
|
||||
}
|
||||
|
||||
// GetSession should return it without consuming.
|
||||
s := GetSession(nonce)
|
||||
if s == nil {
|
||||
t.Fatal("GetSession returned nil")
|
||||
}
|
||||
if s.ClientID != "mcr" {
|
||||
t.Errorf("ClientID = %q", s.ClientID)
|
||||
}
|
||||
|
||||
// Still available after GetSession.
|
||||
s2, ok := ConsumeSession(nonce)
|
||||
if !ok {
|
||||
t.Fatal("ConsumeSession returned false")
|
||||
}
|
||||
if s2.State != "state456" {
|
||||
t.Errorf("State = %q", s2.State)
|
||||
}
|
||||
|
||||
// Consumed — should be gone.
|
||||
if _, ok := ConsumeSession(nonce); ok {
|
||||
t.Error("second ConsumeSession should fail")
|
||||
}
|
||||
if GetSession(nonce) != nil {
|
||||
t.Error("GetSession should return nil after consume")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsumeSessionExpired(t *testing.T) {
|
||||
nonce, err := StoreSession("mcr", "https://mcr.example.com/cb", "s")
|
||||
if err != nil {
|
||||
t.Fatalf("StoreSession: %v", err)
|
||||
}
|
||||
|
||||
v, loaded := pendingSessions.Load(nonce)
|
||||
if !loaded {
|
||||
t.Fatal("session not found in pendingSessions")
|
||||
}
|
||||
sess, ok := v.(*Session)
|
||||
if !ok {
|
||||
t.Fatal("unexpected type in pendingSessions")
|
||||
}
|
||||
sess.ExpiresAt = time.Now().Add(-1 * time.Second)
|
||||
|
||||
if _, ok := ConsumeSession(nonce); ok {
|
||||
t.Error("ConsumeSession should fail for expired session")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user