security: close SEC-H4/H6 gaps from second-pass review

- SEC-H6: remove conditional audience check in mcp/index.ts — audience is now always enforced against the mcpResource URL. Add migration to revoke pre-existing oauth_tokens with audience=NULL so dead rows don't linger. - SEC-H4: validate doc.issuer against config.issuer inside discover() to prevent a MITM'd discovery doc from supplying a crafted expected issuer. verifyIdToken caller now passes config.issuer as ground truth, not doc.issuer. - tests: cover three new OIDC callback failure paths (no_id_token, id_token_invalid, subject_mismatch) and two idempotency caps (key length >128 chars returns 400, body >256 KiB skips caching).
2026-06-21 14:21:46 +00:00 · 2026-04-20 21:35:30 +02:00
parent 9f57ab4517
commit 20bf9c2312
7 changed files with 92 additions and 13 deletions
@@ -223,6 +223,49 @@ describe('GET /api/auth/oidc/callback', () => {
    expect(res.headers.location).toContain('oidc_error=token_failed');
  });

+  it('OIDC-010a: missing id_token in token response → redirects with no_id_token error', async () => {
+    mockDiscover.mockResolvedValueOnce(MOCK_DISCOVERY_DOC);
+    mockExchangeCode.mockResolvedValueOnce({ access_token: 'tok', _ok: true, _status: 200 }); // no id_token
+
+    const state = oidcService.createState('http://localhost:3001/api/auth/oidc/callback');
+
+    const res = await request(app).get(`/api/auth/oidc/callback?code=anycode&state=${state}`);
+
+    expect(res.status).toBe(302);
+    expect(res.headers.location).toContain('oidc_error=no_id_token');
+  });
+
+  it('OIDC-010b: verifyIdToken failure → redirects with id_token_invalid error', async () => {
+    mockDiscover.mockResolvedValueOnce(MOCK_DISCOVERY_DOC);
+    mockExchangeCode.mockResolvedValueOnce({ access_token: 'tok', id_token: 'bad.id.token', _ok: true, _status: 200 });
+    mockVerifyIdToken.mockResolvedValueOnce({ ok: false, error: 'signature_or_claim_mismatch: invalid signature' });
+
+    const state = oidcService.createState('http://localhost:3001/api/auth/oidc/callback');
+
+    const res = await request(app).get(`/api/auth/oidc/callback?code=anycode&state=${state}`);
+
+    expect(res.status).toBe(302);
+    expect(res.headers.location).toContain('oidc_error=id_token_invalid');
+  });
+
+  it('OIDC-010c: userinfo.sub does not match id_token.sub → redirects with subject_mismatch error', async () => {
+    mockDiscover.mockResolvedValueOnce(MOCK_DISCOVERY_DOC);
+    mockExchangeCode.mockResolvedValueOnce({ access_token: 'tok', id_token: 'fake.id.token', _ok: true, _status: 200 });
+    mockVerifyIdToken.mockResolvedValueOnce({ ok: true, claims: { sub: 'sub-from-token' } });
+    mockGetUserInfo.mockResolvedValueOnce({
+      sub: 'sub-different-from-userinfo',
+      email: 'alice@example.com',
+      name: 'Alice',
+    });
+
+    const state = oidcService.createState('http://localhost:3001/api/auth/oidc/callback');
+
+    const res = await request(app).get(`/api/auth/oidc/callback?code=anycode&state=${state}`);
+
+    expect(res.status).toBe(302);
+    expect(res.headers.location).toContain('oidc_error=subject_mismatch');
+  });
+
  it('OIDC-010: registration disabled for new user → redirects with registration_disabled error', async () => {
    // Need at least one existing user so isFirstUser=false
    createUser(testDb, { email: 'existing@example.com' });