fix: get session token from header for passcode finalization (#1124)

2025-10-28 23:30:15 +08:00 · 2023-11-01 10:15:27 +01:00
parent 41126f8172
commit 4f3adb1634
3 changed files with 104 additions and 8 deletions
--- a/backend/handler/passcode_test.go
+++ b/backend/handler/passcode_test.go
@ -3,11 +3,14 @@ package handler
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"github.com/gofrs/uuid"
 	"github.com/stretchr/testify/suite"
 	"github.com/teamhanko/hanko/backend/config"
+	"github.com/teamhanko/hanko/backend/crypto/jwk"
 	"github.com/teamhanko/hanko/backend/dto"
 	"github.com/teamhanko/hanko/backend/persistence/models"
+	"github.com/teamhanko/hanko/backend/session"
 	"github.com/teamhanko/hanko/backend/test"
 	"golang.org/x/crypto/bcrypt"
 	"net/http"
@ -141,18 +144,32 @@ func (s *passcodeSuite) TestPasscodeHandler_Finish() {
 		UpdatedAt: now,
 	}

+	passcodeForNonAssignedEmail := models.Passcode{
+		ID:        uuid.FromStringOrNil("494129d5-76de-4fae-b07d-f2a521e1804d"),
+		UserId:    uuid.FromStringOrNil("b5dd5267-b462-48be-b70d-bcd6f1bbe7a5"),
+		EmailID:   uuid.FromStringOrNil("7c4473b8-ddcc-480b-b01f-df89e99f74c9"),
+		Ttl:       300,
+		Code:      string(hashedPasscode),
+		TryCount:  0,
+		CreatedAt: now,
+		UpdatedAt: now,
+	}
+
 	cfg := func() *config.Config {
 		return &test.DefaultConfig
 	}

 	tests := []struct {
-		name               string
-		passcodeId         string
-		retryCount         int
-		passcode           models.Passcode
-		code               string
-		expectedStatusCode int
-		cfg                func() *config.Config
+		name                         string
+		passcodeId                   string
+		retryCount                   int
+		passcode                     models.Passcode
+		code                         string
+		expectedStatusCode           int
+		cfg                          func() *config.Config
+		userId                       string
+		sendSessionTokenInCookie     bool
+		sendSessionTokenInAuthHeader bool
 	}{
 		{
 			name:               "finish successful",
@ -207,14 +224,64 @@ func (s *passcodeSuite) TestPasscodeHandler_Finish() {
 			expectedStatusCode: http.StatusRequestTimeout,
 			cfg:                cfg,
 		},
+		{
+			name:                     "create email with session in cookie",
+			passcodeId:               "494129d5-76de-4fae-b07d-f2a521e1804d",
+			passcode:                 passcodeForNonAssignedEmail,
+			code:                     "123456",
+			expectedStatusCode:       http.StatusOK,
+			cfg:                      cfg,
+			userId:                   "b5dd5267-b462-48be-b70d-bcd6f1bbe7a5",
+			sendSessionTokenInCookie: true,
+		},
+		{
+			name:                     "do not create email with wrong session in cookie",
+			passcodeId:               "494129d5-76de-4fae-b07d-f2a521e1804d",
+			passcode:                 passcodeForNonAssignedEmail,
+			code:                     "123456",
+			expectedStatusCode:       http.StatusForbidden,
+			cfg:                      cfg,
+			userId:                   "851842a9-db50-49b5-aa00-1c447c31d819",
+			sendSessionTokenInCookie: true,
+		},
+		{
+			name:                         "create email with session in Authorization header",
+			passcodeId:                   "494129d5-76de-4fae-b07d-f2a521e1804d",
+			passcode:                     passcodeForNonAssignedEmail,
+			code:                         "123456",
+			expectedStatusCode:           http.StatusOK,
+			cfg:                          cfg,
+			userId:                       "b5dd5267-b462-48be-b70d-bcd6f1bbe7a5",
+			sendSessionTokenInAuthHeader: true,
+		},
+		{
+			name:                         "do not create email with wrong session in Authorization header",
+			passcodeId:                   "494129d5-76de-4fae-b07d-f2a521e1804d",
+			passcode:                     passcodeForNonAssignedEmail,
+			code:                         "123456",
+			expectedStatusCode:           http.StatusForbidden,
+			cfg:                          cfg,
+			userId:                       "851842a9-db50-49b5-aa00-1c447c31d819",
+			sendSessionTokenInAuthHeader: true,
+		},
 	}

 	for _, currentTest := range tests {
 		s.Run(currentTest.name, func() {
+			s.SetupTest()
+
+			err := s.LoadFixtures("../test/fixtures/passcode")
+			s.Require().NoError(err)
+
+			jwkManager, err := jwk.NewDefaultManager(test.DefaultConfig.Secrets.Keys, s.Storage.GetJwkPersister())
+			s.Require().NoError(err)
+			sessionManager, err := session.NewManager(jwkManager, test.DefaultConfig)
+			s.Require().NoError(err)
+
 			e := NewPublicRouter(currentTest.cfg(), s.Storage, nil)

 			// Setup passcode
-			err := s.Storage.GetPasscodePersister().Create(currentTest.passcode)
+			err = s.Storage.GetPasscodePersister().Create(currentTest.passcode)
 			s.Require().NoError(err)

 			body := dto.PasscodeFinishRequest{
@ -230,6 +297,20 @@ func (s *passcodeSuite) TestPasscodeHandler_Finish() {
 			for i := 0; i <= currentTest.retryCount; i++ {
 				req := httptest.NewRequest(http.MethodPost, "/passcode/login/finalize", bytes.NewReader(bodyJson))
 				req.Header.Set("Content-Type", "application/json")
+				if currentTest.sendSessionTokenInAuthHeader {
+					sessionToken, err := sessionManager.GenerateJWT(uuid.FromStringOrNil(currentTest.userId))
+					s.Require().NoError(err)
+					req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", sessionToken))
+				}
+
+				if currentTest.sendSessionTokenInCookie {
+					sessionToken, err := sessionManager.GenerateJWT(uuid.FromStringOrNil(currentTest.userId))
+					s.Require().NoError(err)
+
+					sessionCookie, err := sessionManager.GenerateCookie(sessionToken)
+					s.Require().NoError(err)
+					req.AddCookie(sessionCookie)
+				}
 				rec := httptest.NewRecorder()

 				e.ServeHTTP(rec, req)
@ -249,6 +330,7 @@ func (s *passcodeSuite) TestPasscodeHandler_Finish() {

 			// remove passcode
 			_ = s.Storage.GetPasscodePersister().Delete(currentTest.passcode)
+			s.TearDownTest()
 		})
 	}
 }