From 95cf5941c480a23b5f6049c97dd6e484c902f0d5 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 26 Mar 2026 17:02:21 -0600
Subject: [PATCH] test(jwt): assert scope array is invalid (issuer []string bug trap)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SpaceDelimited must unmarshal from a space-delimited string per RFC 6749 §3.3, not a JSON array. If a token arrives with "scope":[] the issuer has a bug (e.g. using []string instead of SpaceDelimited in its claims struct). This test documents that expectation and will catch any attempt to silently accept the invalid form.
---
 auth/jwt/coverage_test.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/auth/jwt/coverage_test.go b/auth/jwt/coverage_test.go
index 059491e..00b9803 100644
--- a/auth/jwt/coverage_test.go
+++ b/auth/jwt/coverage_test.go
@@ -226,6 +226,18 @@ func TestCov_SpaceDelimited_UnmarshalJSON(t *testing.T) {
 t.Fatal("expected error")
 }
 })
+ // Scope must be a space-delimited string per RFC 6749 §3.3, not a JSON array.
+ // If a token arrives with "scope":[] it means the issuer has a bug (e.g. using
+ // []string instead of SpaceDelimited in its claims struct).
+ t.Run("array_is_invalid", func(t *testing.T) {
+ var s SpaceDelimited
+ if err := json.Unmarshal([]byte(`[]`), &s); err == nil {
+ t.Fatal("expected error for array-typed scope; issuer may have a []string bug")
+ }
+ if err := json.Unmarshal([]byte(`["openid","profile"]`), &s); err == nil {
+ t.Fatal("expected error for array-typed scope; issuer may have a []string bug")
+ }
+ })
 }
 
 func TestCov_SpaceDelimited_MarshalJSON(t *testing.T) {
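Review bot: The `array_is_invalid` subtest only checks that `json.Unmarshal` returns an error, so it would still pass if `UnmarshalJSON` filled `s` from the array before failing. Scope values presumably feed authorization decisions, so the `["openid","profile"]` case should also assert that nothing was stored, e.g. `if len(s) != 0 { t.Fatalf("scope populated despite error: %v", s) }`; this assumes SpaceDelimited is slice-backed, which the hunk does not show. Both `t.Fatal` calls carry the same message, so a failure does not say which input was accepted; naming the input in each message (`"expected error for scope []"` and `"expected error for scope [\"openid\",\"profile\"]"`) would fix that. The enclosing TestCov_SpaceDelimited_UnmarshalJSON starts above the hunk, so other non-string inputs may already be covered there.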