Kharec/goyco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: enforce refresh token rotation and old-token rejection

Browse Source
This commit is contained in:
Sandro CURY CAZZANIGA
2026-01-08 06:17:15 +01:00
parent d744aa8393
commit 058c69b414
1 changed files with 13 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/integration/complete_api_endpoints_integration_test.go
View File

@@ -589,18 +589,22 @@ func TestIntegration_CompleteAPIEndpoints(t *testing.T) {
response := assertJSONResponse(t, request, http.StatusOK)
if data, ok := getDataFromResponse(response); ok {
if newAccessToken, ok := data["access_token"].(string); ok {
if newAccessToken == "" {
t.Error("Expected new access token in refresh response")
}
newAccessToken, _ := data["access_token"].(string)
if newAccessToken == "" {
t.Error("Expected new access token in refresh response")
}
if newRefreshToken, ok := data["refresh_token"].(string); ok {
if newRefreshToken != "" && newRefreshToken == originalRefreshToken {
t.Log("Refresh token rotation may not be implemented (same token returned)")
}
}
newRefreshToken, _ := data["refresh_token"].(string)
if newRefreshToken == "" {
t.Error("Expected new refresh token in refresh response")
}
if newRefreshToken == originalRefreshToken {
t.Error("Expected refresh token to rotate")
}
}
request = makePostRequestWithJSON(t, ctx.Router, "/api/auth/refresh", map[string]any{"refresh_token": originalRefreshToken})
assertErrorResponse(t, request, http.StatusUnauthorized)
})
t.Run("Refresh_After_Account_Lock", func(t *testing.T) {