root/golib
1
0
Fork 0
mirror of https://github.com/therootcompany/golib.git synced 2026-03-29 03:24:07 +00:00
Code Issues Projects Releases Wiki Activity

test(jwt): assert scope array is invalid (issuer []string bug trap)

Browse Source 
SpaceDelimited must unmarshal from a space-delimited string per RFC 6749
§3.3, not a JSON array. If a token arrives with "scope":[] the issuer
has a bug (e.g. using []string instead of SpaceDelimited in its claims
struct). This test documents that expectation and will catch any attempt
to silently accept the invalid form.
This commit is contained in:
AJ ONeal 2026-03-26 17:02:21 -06:00
parent 0fc1ae4da8
commit 95cf5941c4
No known key found for this signature in database
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
auth/jwt/coverage_test.go
View File

@ -226,6 +226,18 @@ func TestCov_SpaceDelimited_UnmarshalJSON(t *testing.T) {
t.Fatal("expected error") t.Fatal("expected error")
} }
}) })
// Scope must be a space-delimited string per RFC 6749 §3.3, not a JSON array.
// If a token arrives with "scope":[] it means the issuer has a bug (e.g. using
// []string instead of SpaceDelimited in its claims struct).
t.Run("array_is_invalid", func(t *testing.T) {
var s SpaceDelimited
if err := json.Unmarshal([]byte(`[]`), &s); err == nil {
t.Fatal("expected error for array-typed scope; issuer may have a []string bug")
}
if err := json.Unmarshal([]byte(`["openid","profile"]`), &s); err == nil {
t.Fatal("expected error for array-typed scope; issuer may have a []string bug")
}
})
} }
func TestCov_SpaceDelimited_MarshalJSON(t *testing.T) { func TestCov_SpaceDelimited_MarshalJSON(t *testing.T) {