Diffstat (limited to 'tests/client-workflow.scm')
-rw-r--r--tests/client-workflow.scm118
1 files changed, 116 insertions, 2 deletions
diff --git a/tests/client-workflow.scm b/tests/client-workflow.scm
index 04a4455..15f480a 100644
--- a/tests/client-workflow.scm
+++ b/tests/client-workflow.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
;; Copyright (C) 2021 Vivien Kraus
;; This program is free software: you can redistribute it and/or modify
@@ -137,4 +137,118 @@
(equal? (request-uri final-request)
(string->uri "https://server@client-workflow.scm/"))
(eqv? (response-code final-response) 200))
- (exit 4)))))))))
+ (exit 4)))))
+ ;; 1 hour later, the access token should have expired.
+ (parameterize ((p:current-date 3600))
+ (receive (response response-body)
+ (let ((handler
+ (client:request client
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://server@client-workflow.scm")
+ #:http-request (cute sim:request simulation <...>))))
+ (handler (build-request (string->uri "https://server@client-workflow.scm/"))
+ #f))
+ (unless (eqv? (response-code response) 200)
+ ;; Only Alice can read that resource.
+ (exit 5)))
+ (match (sim:simulation-scroll-log! simulation)
+ ;; 1. and 2. The client starts sending the request, the server
+ ;; querries the identity provider and keys.
+
+ ;; 3. The client directly sends the request. It fails because
+ ;; the access token expired.
+
+ ;; 4. The client queries the OIDC configuration to get the
+ ;; token endpoint.
+
+ ;; 5. The client gets an access token from the refresh token.
+
+ ;; 6. 7. The client decodes the ID token, by getting the keys
+ ;; again.
+
+ ;; 8. and 9. The client starts sending the new request, the
+ ;; server checks the access token.
+
+ ;; 10. The client sends the request again, and it succeeds.
+ ((_
+ _
+ (naively-try-request _ naively-try-response _)
+ (get-token-endpoint-request _ get-token-endpoint-response _)
+ (refresh-request _ refresh-response _)
+ _ _ _ _
+ (with-new-refresh-token-request _ with-new-refresh-token-response _))
+ (unless
+ (and
+ ;; 3. The client realizes that the access token is
+ ;; expired.
+ (equal? (request-uri naively-try-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code naively-try-response) 401)
+ (eqv? (time-second (date->time-utc (response-date naively-try-response)))
+ 3600)
+ ;; 4. The client discovers the token endpoint.
+ (equal? (request-uri get-token-endpoint-request)
+ (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration"))
+ (eqv? (response-code get-token-endpoint-response) 200)
+ ;; 5. Refresh the access token.
+ (equal? (request-uri refresh-request)
+ (string->uri "https://server@client-workflow.scm/token"))
+ (eqv? (response-code refresh-response) 200)
+ ;; 10. Send again.
+ (equal? (request-uri with-new-refresh-token-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code with-new-refresh-token-response) 200))
+ (exit 6)))))
+ ;; Wait another hour, and we’ll need to update the refresh
+ ;; token again, but this time it’s not there anymore.
+ (parameterize ((p:current-date 7200))
+ (refresh:remove-refresh-token
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://client@client-workflow.scm/id"))
+ (with-exception-handler
+ (lambda (error)
+ (unless (client:refresh-token-expired? error)
+ (exit 7)))
+ (lambda ()
+ (let ((handler
+ (client:request client
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://server@client-workflow.scm")
+ #:http-request (cute sim:request simulation <...>))))
+ (handler (build-request (string->uri "https://server@client-workflow.scm/"))
+ #f))
+ (exit 8))
+ #:unwind? #t
+ #:unwind-for-type client:&refresh-token-expired)
+ (match (sim:simulation-scroll-log! simulation)
+ ;; 1. and 2. The client starts sending the request, the server
+ ;; querries the identity provider and keys.
+
+ ;; 3. The client directly sends the request. It fails
+ ;; because the access token expired.
+
+ ;; 4. The client queries the OIDC configuration to get the
+ ;; token endpoint.
+
+ ;; 5. The client sends the token request, but it fails with
+ ;; 403.
+ ((_
+ _
+ (naively-try-request _ naively-try-response _)
+ (get-token-endpoint-request _ get-token-endpoint-response _)
+ (refresh-request _ refresh-response _))
+ ;; 3. The client realizes that the access token is
+ ;; expired.
+ (equal? (request-uri naively-try-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code naively-try-response) 401)
+ (eqv? (time-second (date->time-utc (response-date naively-try-response)))
+ 7200)
+ ;; 4. The client discovers the token endpoint.
+ (equal? (request-uri get-token-endpoint-request)
+ (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration"))
+ (eqv? (response-code get-token-endpoint-response) 200)
+ ;; 5. The client tries to refresh.
+ (equal? (request-uri refresh-request)
+ (string->uri "https://server@client-workflow.scm/token"))
+ (eqv? (response-code refresh-response) 403))))))))
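Review bot: The checks in the second `match` clause (the 7200-second scenario, the lines after `(refresh-request _ refresh-response _))`) are bare expressions whose values are discarded, unlike the first scenario, which wraps the same kind of checks in `(unless (and …) (exit 6))`. As written this case passes even if the server answers 200 to a refresh with a removed token or the client never contacts `/token`, which is precisely the revocation path the case is meant to pin down; only the shape of the log is enforced, by `match` itself. Wrap the five checks as `(unless (and … (eqv? (response-code refresh-response) 403)) (exit 9))` so a mismatch exits non-zero like the other steps. Whether 403 is the status the server should return for a rejected refresh grant is outside this hunk (RFC 6749 §5.2 uses 400 with `invalid_grant`), but the test should at least assert whichever code the server deliberately emits. The enclosing test body begins before this hunk.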