zerobyte/app/server/modules/auth/__tests__/auth.sso-security.test.ts
Nico 29db09bb5b feat: OIDC (#564)
* feat: oidc

feat: organization switcher

refactor: org context

feat: invitations

GLM

* feat: link current account

* refactor: own page for sso registration

* feat: per-user account management

* refactor: code style

* refactor: user existing check

* refactor: restrict provider configuration to super admins only

* refactor: cleanup / pr review

* chore: fix lint issues

* chore: pr feedbacks

* test(e2e): automated tests for OIDC

* fix: check url first for sso provider identification

* fix: prevent oidc provider to be named "credential"
2026-03-04 18:48:00 +01:00

94 lines
2.5 KiB
TypeScript

import { beforeEach, describe, expect, test } from "bun:test";
import { createApp } from "~/server/app";
import { account, invitation, member, organization, ssoProvider, usersTable } from "~/server/db/schema";
import { db } from "~/server/db/db";
const app = createApp();
describe("auth SSO sign-in security", () => {
beforeEach(async () => {
await db.delete(member);
await db.delete(account);
await db.delete(invitation);
await db.delete(ssoProvider);
await db.delete(organization);
await db.delete(usersTable);
});
test("rejects malicious callback URL", async () => {
const response = await app.request("/api/auth/sign-in/sso", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
providerId: "missing-provider",
callbackURL: "https://evil.example",
}),
});
expect(response.status).toBe(400);
const body = await response.json();
expect(body.code).toContain("CALLBACKURL");
expect(body.message).toContain("callbackURL");
});
test("rejects malicious error callback URL", async () => {
const response = await app.request("/api/auth/sign-in/sso", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
providerId: "missing-provider",
callbackURL: "/login",
errorCallbackURL: "https://evil.example",
}),
});
expect(response.status).toBe(400);
const body = await response.json();
expect(body.code).toContain("ERRORCALLBACKURL");
expect(body.message).toContain("errorCallbackURL");
});
test("rejects malicious new user callback URL", async () => {
const response = await app.request("/api/auth/sign-in/sso", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
providerId: "missing-provider",
callbackURL: "/login",
newUserCallbackURL: "https://evil.example",
}),
});
expect(response.status).toBe(400);
const body = await response.json();
expect(body.code).toContain("NEWUSERCALLBACKURL");
expect(body.message).toContain("newUserCallbackURL");
});
test("allows relative callback URL to continue normal flow", async () => {
const response = await app.request("/api/auth/sign-in/sso", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
providerId: "missing-provider",
callbackURL: "/login",
}),
});
expect(response.status).toBe(404);
const body = await response.json();
expect(body.code).toBe("NO_PROVIDER_FOUND_FOR_THE_ISSUER");
});
});