claude-remote/auth_test.go at master · ducnhd/claude-remote · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
package main

import (
	"os"
	"testing"
	"time"
)

func TestGenerateSecret(t *testing.T) {
	dir := t.TempDir()
	a := &Auth{secretPath: dir + "/secret.key"}
	if err := a.GenerateSecret(); err != nil {
		t.Fatal(err)
	}
	if len(a.secret) != 32 {
		t.Errorf("want 32 bytes, got %d", len(a.secret))
	}
	info, err := os.Stat(a.secretPath)
	if err != nil {
		t.Fatal(err)
	}
	if info.Mode().Perm() != 0600 {
		t.Errorf("want 0600, got %o", info.Mode().Perm())
	}
}

func TestLoadSecret(t *testing.T) {
	dir := t.TempDir()
	a := &Auth{secretPath: dir + "/secret.key"}
	a.GenerateSecret()
	original := make([]byte, len(a.secret))
	copy(original, a.secret)

	a2 := &Auth{secretPath: dir + "/secret.key"}
	if err := a2.LoadSecret(); err != nil {
		t.Fatal(err)
	}
	if string(a2.secret) != string(original) {
		t.Error("loaded secret doesn't match")
	}
}

func TestGenerateToken(t *testing.T) {
	a := &Auth{}
	token := a.GenerateToken()
	if len(token) != 64 {
		t.Errorf("want 64 chars, got %d", len(token))
	}
	if a.pendingToken != token {
		t.Error("pending token not set")
	}
}

func TestTokenSingleUse(t *testing.T) {
	a := &Auth{}
	token := a.GenerateToken()
	if !a.ValidateToken(token) {
		t.Error("first use should succeed")
	}
	if a.ValidateToken(token) {
		t.Error("second use should fail")
	}
}

func TestJWTSignVerify(t *testing.T) {
	dir := t.TempDir()
	a := &Auth{secretPath: dir + "/secret.key"}
	a.GenerateSecret()

	tokenStr, err := a.IssueJWT("device-1")
	if err != nil {
		t.Fatal(err)
	}
	deviceID, err := a.VerifyJWT(tokenStr)
	if err != nil {
		t.Fatal(err)
	}
	if deviceID != "device-1" {
		t.Errorf("want device-1, got %s", deviceID)
	}
}

func TestJWTExpired(t *testing.T) {
	dir := t.TempDir()
	a := &Auth{secretPath: dir + "/secret.key", jwtExpiry: -1 * time.Hour}
	a.GenerateSecret()

	tokenStr, _ := a.IssueJWT("device-1")
	_, err := a.VerifyJWT(tokenStr)
	if err == nil {
		t.Error("expired JWT should fail")
	}
}

func TestGenerateHandoffToken(t *testing.T) {
	a := NewAuth(t.TempDir() + "/secret.key")
	token := a.GenerateHandoffToken()
	if len(token) != 64 {
		t.Errorf("want 64 chars, got %d", len(token))
	}
	if _, ok := a.handoffTokens[token]; !ok {
		t.Error("token not stored in handoffTokens")
	}
}

func TestHandoffTokenSingleUse(t *testing.T) {
	a := NewAuth(t.TempDir() + "/secret.key")
	token := a.GenerateHandoffToken()
	if !a.ValidateHandoffToken(token) {
		t.Error("first use should succeed")
	}
	if a.ValidateHandoffToken(token) {
		t.Error("second use should fail")
	}
}

func TestHandoffTokenExpired(t *testing.T) {
	a := NewAuth(t.TempDir() + "/secret.key")
	token := a.GenerateHandoffToken()
	// Manually back-date the expiry.
	a.mu.Lock()
	a.handoffTokens[token] = time.Now().Add(-1 * time.Minute)
	a.mu.Unlock()
	if a.ValidateHandoffToken(token) {
		t.Error("expired token should fail")
	}
}

func TestHandoffTokenInvalid(t *testing.T) {
	a := NewAuth(t.TempDir() + "/secret.key")
	if a.ValidateHandoffToken("not-a-real-token") {
		t.Error("invalid token should fail")
	}
}

func TestGenerateHandoffTokenCleansExpired(t *testing.T) {
	a := NewAuth(t.TempDir() + "/secret.key")
	// Insert a fake expired token.
	a.mu.Lock()
	a.handoffTokens["old"] = time.Now().Add(-10 * time.Minute)
	a.mu.Unlock()
	a.GenerateHandoffToken()
	a.mu.Lock()
	_, stillPresent := a.handoffTokens["old"]
	a.mu.Unlock()
	if stillPresent {
		t.Error("GenerateHandoffToken should clean up expired tokens")
	}
}

func TestJWTWrongSecret(t *testing.T) {
	dir := t.TempDir()
	a := &Auth{secretPath: dir + "/secret.key"}
	a.GenerateSecret()
	tokenStr, _ := a.IssueJWT("device-1")

	// Regenerate secret (simulates revoke)
	a.GenerateSecret()
	_, err := a.VerifyJWT(tokenStr)
	if err == nil {
		t.Error("JWT signed with old secret should fail")
	}
}