Uwe Schuster
fafee1278f
M-1 TokenExtract: exact-name cookie parse (new pure cookieValue helper) —
a substring find("session=") could be shadowed by a sibling xsession=,
defeating __Host-/__Secure- prefix guarantees.
M-2 AuthInterceptor: gate setup-mode pseudo-admin on a loopback bind and log
the grant; document that IAuthBackend::hasActiveUsers() must fail closed.
M-3 ws/Hub: empty propertyIds now means NO access for non-admins (was "all") —
a non-admin whose scope set failed to populate no longer gets every
property's notifications. Admins still get all via role.
M-4 new util/OriginCheck.hpp (originHostname/sameOrigin/originAllowed) +
Hub doc: WSController must validate Origin at the handshake (CSWSH).
M-6 RedactedFieldRepository: ctor throws on an unknown redaction field name
(a typo would silently redact nothing, leaving credentials in history).
M-7 RateLimiter: ctor validates capacity (finite >=1) / refillRate (finite >0),
throws std::invalid_argument — zero/negative/NaN silently disabled it.
M-8 TokenExtract: document that clientIpTrusted's "unknown"/"invalid" sentinels
collapse to one shared rate-limit bucket off-proxy.
M-9 new util/SessionCookie.hpp: safe-by-default Set-Cookie builder
(HttpOnly+Secure+SameSite=Strict+Path=/), rejects control chars / ';'.
M-10 AuthInterceptor: Origin/Referer-vs-Host check on session mutations
(defence in depth atop X-Requested-With); cert path documented as
non-browser / not CSRF-gated.
M-11 AuthInterceptor: optional injected RateLimiter throttles invalid-token
attempts per client IP → 429.
M-12 AuthInterceptor: sanitize request method/path (strip control chars, cap
length) before logging — closes log-line forging (CWE-117).
(M-5 — temporal non-atomic save — was already resolved by the H-4 fix.)
Tests: new test_token_extract / test_rate_limiter / test_origin_check /
test_session_cookie; extended test_redacted_field_repository. All 19 ctest
targets pass. README + header docs updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
75 lines
2.2 KiB
C++
75 lines
2.2 KiB
C++
// Tests for oatpp-authkit/util/SessionCookie.hpp (authkit#16 M-9).
|
|
|
|
#include "oatpp-authkit/util/SessionCookie.hpp"
|
|
|
|
#include <cstdio>
|
|
#include <stdexcept>
|
|
#include <string>
|
|
|
|
namespace {
|
|
|
|
int g_failures = 0;
|
|
#define REQUIRE(expr) do { \
|
|
if (!(expr)) { \
|
|
std::fprintf(stderr, "FAIL %s:%d %s\n", __FILE__, __LINE__, #expr); \
|
|
++g_failures; \
|
|
} \
|
|
} while (0)
|
|
|
|
using namespace oatpp_authkit;
|
|
|
|
bool has(const std::string& hay, const std::string& needle) {
|
|
return hay.find(needle) != std::string::npos;
|
|
}
|
|
|
|
void test_defaults_are_hardened() {
|
|
std::string c = buildSetSessionCookie("tok123");
|
|
REQUIRE(has(c, "session=tok123"));
|
|
REQUIRE(has(c, "Path=/"));
|
|
REQUIRE(has(c, "HttpOnly"));
|
|
REQUIRE(has(c, "Secure"));
|
|
REQUIRE(has(c, "SameSite=Strict"));
|
|
REQUIRE(!has(c, "Max-Age")); // session cookie by default
|
|
}
|
|
|
|
void test_options_respected() {
|
|
SessionCookieOptions o;
|
|
o.name = "__Host-session";
|
|
o.secure = false; // dev opt-out
|
|
o.sameSite = "Lax";
|
|
o.maxAgeSeconds = 3600;
|
|
std::string c = buildSetSessionCookie("t", o);
|
|
REQUIRE(has(c, "__Host-session=t"));
|
|
REQUIRE(!has(c, "Secure"));
|
|
REQUIRE(has(c, "SameSite=Lax"));
|
|
REQUIRE(has(c, "Max-Age=3600"));
|
|
}
|
|
|
|
void test_clear_cookie_expires_now() {
|
|
std::string c = buildClearSessionCookie();
|
|
REQUIRE(has(c, "Max-Age=0"));
|
|
REQUIRE(has(c, "session="));
|
|
}
|
|
|
|
void test_injection_guard() {
|
|
bool threw = false;
|
|
try { buildSetSessionCookie("tok\r\nSet-Cookie: evil=1"); }
|
|
catch (const std::invalid_argument&) { threw = true; }
|
|
REQUIRE(threw);
|
|
|
|
bool threw2 = false;
|
|
try { buildSetSessionCookie("tok; Domain=evil.com"); } // ';' injection
|
|
catch (const std::invalid_argument&) { threw2 = true; }
|
|
REQUIRE(threw2);
|
|
}
|
|
|
|
} // namespace
|
|
|
|
int main() {
|
|
test_defaults_are_hardened();
|
|
test_options_respected();
|
|
test_clear_cookie_expires_now();
|
|
test_injection_guard();
|
|
std::printf("%s (%d failures)\n", g_failures ? "FAIL" : "OK", g_failures);
|
|
return g_failures ? 1 : 0;
|
|
}
|