view mod_lib_ldap/dev/t/00-login.t @ 5404:1087f697c3f3

mod_http_oauth2: Strip unknown extra fields from client registration We shouldn't sign things we don't understand! RFC 7591 section-2 states: > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). Prevents grandfathering in of unvalidated data that might become used later, especially since the 'additionalProperties' schema keyword was removed in 698fef74ce53
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:23:40 +0200
parents 512e31cd8b70
children
line wrap: on
line source

use strict;
use warnings;
use lib 't';

use TestConnection;
use Test::More;

my @users = (
    'one',
    'two',
    'three',
    'four',
    'five',
    'six',
);

plan tests => scalar(@users) + 3;

foreach my $username (@users) {
    my $conn = TestConnection->new($username);

    $conn->reg_cb(session_ready => sub {
        $conn->cond->send;
    });

    my $error = $conn->cond->recv;
    ok(! $error) or diag("$username login failed: $error");
}

do {
    my $conn = TestConnection->new('one', password => '23451');

    $conn->reg_cb(session_ready => sub {
        $conn->cond->send;
    });

    my $error = $conn->cond->recv;
    ok($error);
};

do {
    my $conn = TestConnection->new('invalid', password => '12345');

    $conn->reg_cb(session_ready => sub {
        $conn->cond->send;
    });

    my $error = $conn->cond->recv;
    ok($error);
};

do {
    my $conn = TestConnection->new('seven', password => '1234567');

    $conn->reg_cb(session_ready => sub {
        $conn->cond->send;
    });

    my $error = $conn->cond->recv;
    ok($error);
};