chore: add failing test

ory · Jul 17, 2024 · 7a956c8 · 7a956c8
1 parent 8350625
commit 7a956c8
Showing 1 changed file with 62 additions and 3 deletions.
diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
@@ -943,8 +943,69 @@ func TestStrategy(t *testing.T) {
 				body := ioutilx.MustReadAll(res.Body)
 				tc.expect(t, res, body)
 			})
-
 		}
+
+		t.Run("case=submitting the same idToken twice should fail", func(t *testing.T) {
+			t.Run("flow=login", func(t *testing.T) {
+				nonce := randx.MustString(16, randx.Alpha)
+				sub := testhelpers.RandomEmail()
+				idToken := fmt.Sprintf(`{
+					"iss": "https://appleid.apple.com",
+					"sub": "%s",
+					"nonce": "%s"
+				}`, sub, nonce)
+
+				provider := "test-provider"
+
+				f := newAPILoginFlow(t, returnTS.URL, time.Minute)
+				action := assertFormValues(t, f.ID, provider)
+				v := url.Values{
+					"id_token":       {idToken},
+					"provider":       {provider},
+					"id_token_nonce": {nonce},
+				}
+
+				res, err := cl.PostForm(action, v)
+				require.NoError(t, err)
+				body := ioutilx.MustReadAll(res.Body)
+				require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
+
+				res, err = cl.PostForm(action, v)
+				require.NoError(t, err)
+				body = ioutilx.MustReadAll(res.Body)
+				require.Equal(t, "The id_token has already been used", gjson.GetBytes(body, "error.reason").String(), "%s", body)
+			})
+
+			t.Run("flow=registration", func(t *testing.T) {
+				nonce := randx.MustString(16, randx.Alpha)
+				sub := testhelpers.RandomEmail()
+				idToken := fmt.Sprintf(`{
+				"iss": "https://appleid.apple.com",
+				"sub": "%s",
+				"nonce": "%s"
+			}`, sub, nonce)
+
+				provider := "test-provider"
+
+				f := newAPIRegistrationFlow(t, returnTS.URL, time.Minute)
+				action := assertFormValues(t, f.ID, provider)
+				v := url.Values{
+					"id_token":       {idToken},
+					"provider":       {provider},
+					"id_token_nonce": {nonce},
+				}
+
+				res, err := cl.PostForm(action, v)
+				require.NoError(t, err)
+				body := ioutilx.MustReadAll(res.Body)
+				require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
+
+				res, err = cl.PostForm(action, v)
+				require.NoError(t, err)
+				body = ioutilx.MustReadAll(res.Body)
+				require.Equal(t, "The id_token has already been used", gjson.GetBytes(body, "error.reason").String(), "%s", body)
+			})
+		})
 	})
 
 	t.Run("case=login without registered account with return_to", func(t *testing.T) {
@@ -1005,7 +1066,6 @@ func TestStrategy(t *testing.T) {
 	})
 
 	t.Run("case=register, merge, and complete data", func(t *testing.T) {
-
 		for _, tc := range []struct{ name, provider string }{
 			{name: "idtoken", provider: "valid"},
 			{name: "userinfo", provider: "claimsViaUserInfo"},
@@ -1042,7 +1102,6 @@ func TestStrategy(t *testing.T) {
 				})
 			})
 		}
-
 	})
 
 	t.Run("case=should fail to register and return fresh login flow if email is already being used by password credentials", func(t *testing.T) {