mcp: token: handle authorization_code request (pt1)

2025-07-19 17:50:17 +02:00 · 2025-04-24 19:51:03 -04:00 · 2025-04-24 19:51:03 -04:00 · 625c9d4014
commit 625c9d4014
parent 9e4947c62f
11 changed files with 740 additions and 25 deletions
--- a/internal/oauth21/pkce_test.go
+++ b/internal/oauth21/pkce_test.go
@ -0,0 +1,81 @@
+package oauth21_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pomerium/pomerium/internal/oauth21"
+)
+
+// TestVerifyPKCES256 tests the S256 PKCE verification method.
+func TestVerifyPKCES256(t *testing.T) {
+	// Example values from RFC 7636 Appendix B
+	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+	challenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
+
+	tests := []struct {
+		name      string
+		verifier  string
+		challenge string
+		want      bool
+	}{
+		{
+			name:      "Correct Verifier",
+			verifier:  verifier,
+			challenge: challenge,
+			want:      true,
+		},
+		{
+			name:      "Incorrect Verifier",
+			verifier:  "incorrect_verifier_string",
+			challenge: challenge,
+			want:      false,
+		},
+		{
+			name:      "Incorrect Challenge",
+			verifier:  verifier,
+			challenge: "incorrect_challenge_string",
+			want:      false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := oauth21.VerifyPKCES256(tc.verifier, tc.challenge)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+// TestVerifyPKCEPlain tests the Plain PKCE verification method.
+func TestVerifyPKCEPlain(t *testing.T) {
+	verifierPlain := "this-is-a-plain-verifier-43-chars-long-askldfj"
+
+	tests := []struct {
+		name      string
+		verifier  string
+		challenge string
+		want      bool
+	}{
+		{
+			name:      "Correct Verifier",
+			verifier:  verifierPlain,
+			challenge: verifierPlain,
+			want:      true,
+		},
+		{
+			name:      "Incorrect Verifier",
+			verifier:  "incorrect_verifier_string",
+			challenge: verifierPlain,
+			want:      false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := oauth21.VerifyPKCEPlain(tc.verifier, tc.challenge)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}