view mod_lib_ldap/dev/t/00-login.t @ 5404:1087f697c3f3
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in unvalidated data that might be used later,
especially since the 'additionalProperties' schema keyword was removed
in 698fef74ce53.
author | Kim Alvefur <zash@zash.se> |
date | Tue, 02 May 2023 16:23:40 +0200 |
parents | 512e31cd8b70 |
children |
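use strict;
use warnings;
use lib 't';
use TestConnection;
use Test::More;

# Login smoke test for the LDAP auth backend: every account in @users must be
# able to start a session, and every entry in @must_fail must be refused.
my @users = (
    'one',
    'two',
    'three',
    'four',
    'five',
    'six',
);

# Logins that must be rejected: [ username, password, test description ].
# 'seven' is deliberately outside @users; whether it is an unknown account or
# a known one that is not allowed in cannot be told from this file -- check the
# LDAP fixture before changing it.
my @must_fail = (
    [ 'one',     '23451',   'known user with the wrong password is rejected' ],
    [ 'invalid', '12345',   'unknown username is rejected' ],
    [ 'seven',   '1234567', "'seven' cannot log in" ],
);

plan tests => scalar(@users) + scalar(@must_fail);

# Connect as $username (any further arguments are handed to
# TestConnection->new unchanged, e.g. password => '...') and block until the
# connection's condvar fires.  A successful login triggers session_ready, whose
# callback sends nothing, so the return value is false; presumably
# TestConnection sends an error value through the same condvar when the login
# fails (that side is not visible here).
sub login_result {
    my ($username, @connect_args) = @_;
    my $conn = TestConnection->new($username, @connect_args);
    $conn->reg_cb(session_ready => sub {
        $conn->cond->send;
    });
    return $conn->cond->recv;
}

for my $username (@users) {
    my $error = login_result($username);
    ok(!$error, "$username can log in")
        or diag("$username login failed: $error");
}

for my $case (@must_fail) {
    my ($username, $password, $description) = @$case;
    my $error = login_result($username, password => $password);
    # NOTE(review): this only proves that *some* error came back.  An
    # unreachable or misconfigured server satisfies it just as well as a
    # genuine authentication failure, so a broken backend makes these negative
    # cases pass vacuously.  Once the error's shape is known, tighten this to a
    # like()/is() on the authentication-failure condition.
    ok($error, $description)
        or diag("$username logged in but should have been rejected");
}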