diff --git a/consent/manager_test.go b/consent/manager_test.go index aed1bc635cd..1dc79f64d51 100644 --- a/consent/manager_test.go +++ b/consent/manager_test.go @@ -212,7 +212,7 @@ func TestManagers(t *testing.T) { } { t.Run("case=create-get-"+tc.s.ID, func(t *testing.T) { _, err := m.GetAuthenticationSession(tc.s.ID) - require.Error(t, err) + require.EqualError(t, err, pkg.ErrNotFound.Error()) err = m.CreateAuthenticationSession(&tc.s) require.NoError(t, err) diff --git a/consent/strategy_default.go b/consent/strategy_default.go index cc3b3012645..34da5a51c10 100644 --- a/consent/strategy_default.go +++ b/consent/strategy_default.go @@ -37,7 +37,6 @@ import ( "github.com/ory/go-convenience/stringsx" "github.com/ory/go-convenience/urlx" "github.com/ory/hydra/pkg" - "github.com/ory/sqlcon" "github.com/pborman/uuid" "github.com/pkg/errors" ) @@ -114,7 +113,7 @@ func (s *DefaultStrategy) requestAuthentication(w http.ResponseWriter, r *http.R } session, err := s.M.GetAuthenticationSession(sessionID) - if errors.Cause(err) == sqlcon.ErrNoRows { + if errors.Cause(err) == pkg.ErrNotFound { return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) } else if err != nil { return err diff --git a/consent/strategy_default_test.go b/consent/strategy_default_test.go index f195c866f17..6027eebe290 100644 --- a/consent/strategy_default_test.go +++ b/consent/strategy_default_test.go @@ -32,6 +32,7 @@ import ( "testing" "time" + "github.com/gorilla/securecookie" "github.com/gorilla/sessions" "github.com/julienschmidt/httprouter" "github.com/ory/fosite" @@ -118,6 +119,11 @@ func TestStrategy(t *testing.T) { persistentCJ := newCookieJar() persistentCJ2 := newCookieJar() + nonexistentCJ, _ := cookiejar.New(&cookiejar.Options{}) + apURL, _ := url.Parse(ap.URL) + encoded, _ := securecookie.EncodeMulti(cookieAuthenticationName, map[interface{}]interface{}{cookieAuthenticationSIDName: "i-do-not-exist"}, securecookie.CodecsFromPairs([]byte("dummy-secret-yay"))...) + nonexistentCJ.SetCookies(apURL, []*http.Cookie{{Name: cookieAuthenticationName, Value: encoded}}) + for k, tc := range []struct { setup func() d string @@ -960,6 +966,37 @@ func TestStrategy(t *testing.T) { expectErrType: []error{ErrAbortOAuth2Request, ErrAbortOAuth2Request, nil}, expectErr: []bool{true, true, false}, }, + { + d: "This should require re-authentication because the session does not exist in the store", + req: fosite.AuthorizeRequest{ResponseTypes: fosite.Arguments{"token", "code", "id_token"}, Request: fosite.Request{Client: &client.Client{ID: "client-id"}, Scopes: []string{"scope-a"}}}, + jar: nonexistentCJ, + lph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, r *http.Request) { + rr, res, err := apiClient.GetLoginRequest(r.URL.Query().Get("login_challenge")) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + assert.False(t, rr.Skip) + assert.Empty(t, "", rr.Subject) + + v, res, err := apiClient.AcceptLoginRequest(r.URL.Query().Get("login_challenge"), swagger.AcceptLoginRequest{ + Subject: "foouser", + Remember: true, + }) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + http.Redirect(w, r, v.RedirectTo, http.StatusFound) + } + }, + cph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, r *http.Request) { + v, _, _ := apiClient.AcceptConsentRequest(r.URL.Query().Get("consent_challenge"), swagger.AcceptConsentRequest{GrantScope: []string{"scope-a"}}) + http.Redirect(w, r, v.RedirectTo, http.StatusFound) + } + }, + expectFinalStatusCode: http.StatusOK, + expectErrType: []error{ErrAbortOAuth2Request, ErrAbortOAuth2Request, nil}, + expectErr: []bool{true, true, false}, + }, { d: "This should fail because the user from the ID token does not match the user from the accept login request", req: fosite.AuthorizeRequest{ResponseTypes: fosite.Arguments{"token", "code", "id_token"}, Request: fosite.Request{Client: &client.Client{ID: "client-id"}, Scopes: []string{"scope-a"}}},