gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 13:38:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

harden(auth/session+oidc): 503/401 split + go-oidc string pin (LOW-6 + Nit-2)

Browse Source 
Audit 2026-05-10 — close LOW-6 + Nit-2 from the HANDOFF.md backend
batch (items 8 + 9).

LOW-6: introduce ErrSessionTransient sentinel in session.Service.
session.Validate now distinguishes:
  - errors.Is(err, repository.ErrSessionNotFound) → ErrSessionInvalidCookie (401)
  - All other repo errors                         → ErrSessionTransient (503)
The session middleware maps ErrSessionTransient to HTTP 503 with
Retry-After: 1. Pre-fix, every DB hiccup looked like a forged-cookie
401 and forced the user to re-authenticate on a transient outage.
Two new regression tests pin the wire shape:
  - TestService_Validate_TransientSessionGetError (service layer)
  - TestService_Validate_SessionNotFoundMapsToInvalidCookie (negative
    leg: not-found stays 401)
  - TestSessionMiddleware_TransientErrorMappedTo503 (middleware-level
    503 + Retry-After header)

Nit-2: isJWKSFetchError documentation now pins go-oidc/v3 v3.18.0 as
the source-of-truth string set. v3.18.0 exposes only
*oidc.TokenExpiredError as a typed error; JWKS-fetch failures bubble
up as fmt.Errorf-wrapped strings. New regression test
TestIsJWKSFetchError_GoOIDCV318Strings pins the canonical substrings
emitted by go-oidc's jwks.go — a future upstream bump that changes
the wording trips the test and forces the matcher to be re-derived.
The test caught a real gap: 'oidc: failed to decode keys' (emitted
when the IdP returns non-JSON at the jwks_uri — broken proxy, gateway
HTML error page, etc.) was previously misclassified as a generic 500
instead of 503 ErrJWKSUnreachable. Added 'decode keys' substring to
the matcher.

Status: LOW-6 + Nit-2 marked CLOSED in audit-doc table.

Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md items 8, 9
      cowork/auth-bundles-audit-2026-05-10.md LOW-6, Nit-2
This commit is contained in:
shankar0123
2026-05-10 22:41:19 +00:00
parent 9cce2ab043
commit e7c4654b16
6 changed files with 138 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/session/middleware_test.go
+20
View File
@@ -338,6 +338,26 @@ func TestClientIPFromRequest_Variants(t *testing.T) {
}
}
// TestSessionMiddleware_TransientErrorMappedTo503 pins the LOW-6
// closure (audit 2026-05-10): when Validate returns
// ErrSessionTransient, the middleware MUST emit 503 with Retry-After
// instead of falling through to the Bearer/401 path. Pre-fix, a DB
// hiccup looked like a forged-cookie 401 + forced re-auth.
func TestSessionMiddleware_TransientErrorMappedTo503(t *testing.T) {
stub := &stubSessionValidator{validateErr: ErrSessionTransient}
chain := ChainAuthSessionThenBearer(NewSessionMiddleware(stub), nil)(markAuthenticated())
req := httptest.NewRequest(http.MethodGet, "/x", nil)
req.AddCookie(&http.Cookie{Name: sessiondomain.PostLoginCookieName, Value: "v1.ses.sk.bad"})
w := httptest.NewRecorder()
chain.ServeHTTP(w, req)
if w.Code != http.StatusServiceUnavailable {
t.Errorf("status = %d; want 503", w.Code)
}
if w.Header().Get("Retry-After") != "1" {
t.Errorf("Retry-After = %q; want 1", w.Header().Get("Retry-After"))
}
}
func TestChainAuthSessionThenBearer_NilBearer_Session401Path(t *testing.T) {
stub := &stubSessionValidator{validateErr: ErrSessionInvalidCookie}
chain := ChainAuthSessionThenBearer(NewSessionMiddleware(stub), nil)(markAuthenticated())