User authentication and session management for web applications


Remove exchange_form_body and refresh_form_body from public API

These functions returned a form-encoded body containing client_secret in
cleartext and left it to the caller to POST that body over TLS. The
secure-by-default API is exchange_code and refresh_token, which handle
transport internally.

The form encoding functions remain as internal helpers but are no
longer exported. Tests that called them directly have been removed.

-30
-30
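--- a/test/test_auth.ml
+++ b/test/test_auth.ml
@@ -348,32 +348,6 @@
 in
 go 0
 
-let test_exchange_form_includes_grant_type () =
-let body =
-Oauth.exchange_form_body ~client_id:"cid" ~client_secret:"sec" ~code:"abc"
-~redirect_uri:(Oauth.redirect_uri "https://app.com/cb" |> Result.get_ok)
-()
-in
-Alcotest.(check bool)
-"has grant_type" true
-(contains body ~substring:"grant_type=authorization_code");
-Alcotest.(check bool)
-"has client_id" true
-(contains body ~substring:"client_id=cid");
-Alcotest.(check bool) "has code" true (contains body ~substring:"code=abc")
-
-let test_refresh_form_includes_grant_type () =
-let body =
-Oauth.refresh_form_body ~client_id:"cid" ~client_secret:"sec"
-~refresh_token:"rt_123"
-in
-Alcotest.(check bool)
-"has grant_type" true
-(contains body ~substring:"grant_type=refresh_token");
-Alcotest.(check bool)
-"has refresh_token" true
-(contains body ~substring:"refresh_token=rt_123")
-
 (* ── Unique identity constraint ────────────────────────────────── *)
 
 let test_duplicate_oauth_identity_rejected () =
@@ -569,10 +543,6 @@
 Alcotest.test_case "custom provider" `Quick test_custom_provider_userinfo;
 Alcotest.test_case "garbage input" `Quick test_userinfo_rejects_garbage;
 (* Token exchange *)
-Alcotest.test_case "exchange has grant_type" `Quick
-test_exchange_form_includes_grant_type;
-Alcotest.test_case "refresh has grant_type" `Quick
-test_refresh_form_includes_grant_type;
 (* Identity uniqueness *)
 Alcotest.test_case "duplicate identity rejected" `Quick
 test_duplicate_oauth_identity_rejected;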