refactor

2026-02-18 16:10:46 +01:00 · 2026-02-18 16:10:46 +01:00 · b5fc03e94f
commit b5fc03e94f
parent ac13a39e7c
2 changed files with 168 additions and 14 deletions
--- a/test/mv_web/controllers/auth_controller_test.exs
+++ b/test/mv_web/controllers/auth_controller_test.exs
@ -2,6 +2,7 @@ defmodule MvWeb.AuthControllerTest do
  use MvWeb.ConnCase, async: true
  import Phoenix.LiveViewTest
  import Phoenix.ConnTest
+  import ExUnit.CaptureLog

  # Helper to create an unauthenticated conn (preserves sandbox metadata)
  defp build_unauthenticated_conn(authenticated_conn) do
@ -269,7 +270,7 @@ defmodule MvWeb.AuthControllerTest do

      assert redirected_to(conn) == ~p"/sign-in"

-      assert get_flash(conn, :error) ==
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "The authentication server is currently unavailable. Please try again later."
    end

@ -291,7 +292,7 @@ defmodule MvWeb.AuthControllerTest do

      assert redirected_to(conn) == ~p"/sign-in"

-      assert get_flash(conn, :error) ==
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "Authentication configuration error. Please contact the administrator."
    end

@ -305,8 +306,105 @@ defmodule MvWeb.AuthControllerTest do

      assert redirected_to(conn) == ~p"/sign-in"

-      assert get_flash(conn, :error) ==
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "Unable to authenticate with OIDC. Please try again."
    end
  end
+
+  # Logging security tests - ensure no sensitive data is logged
+  describe "failure/3 logging security" do
+    test "does not log full URL with query params for Assent.ServerUnreachableError", %{
+      conn: authenticated_conn
+    } do
+      conn = build_unauthenticated_conn(authenticated_conn)
+
+      error = %Assent.ServerUnreachableError{
+        http_adapter: Assent.HTTPAdapter.Finch,
+        request_url: "https://auth.example.com/callback?token=secret123&code=abc456",
+        reason: %Mint.TransportError{reason: :econnrefused}
+      }
+
+      log =
+        capture_log(fn ->
+          MvWeb.AuthController.failure(conn, {:rauthy, :callback}, error)
+        end)
+
+      # Should log redacted URL (only scheme and host)
+      assert log =~ "https://auth.example.com"
+      # Should NOT log query parameters or tokens
+      refute log =~ "token=secret123"
+      refute log =~ "code=abc456"
+      refute log =~ "callback?token"
+    end
+
+    test "does not log sensitive data for Assent.InvalidResponseError", %{
+      conn: authenticated_conn
+    } do
+      conn = build_unauthenticated_conn(authenticated_conn)
+
+      error = %Assent.InvalidResponseError{
+        response: %Assent.HTTPAdapter.HTTPResponse{
+          status: 400,
+          headers: [],
+          body: "invalid_request"
+        }
+      }
+
+      log =
+        capture_log(fn ->
+          MvWeb.AuthController.failure(conn, {:rauthy, :callback}, error)
+        end)
+
+      # Should log error type but not full error details
+      assert log =~ "Authentication failure"
+      assert log =~ "rauthy"
+      # Should not log full error struct with inspect
+      refute log =~ "Assent.InvalidResponseError"
+    end
+
+    test "does not log full reason for unknown rauthy errors", %{
+      conn: authenticated_conn
+    } do
+      conn = build_unauthenticated_conn(authenticated_conn)
+      # Simulate an error that might contain sensitive data
+      error_with_sensitive_data = %{
+        token: "secret_token_123",
+        url: "https://example.com/callback?access_token=abc123",
+        error: :something_went_wrong
+      }
+
+      log =
+        capture_log(fn ->
+          MvWeb.AuthController.failure(conn, {:rauthy, :callback}, error_with_sensitive_data)
+        end)
+
+      # Should log error type but not full error details
+      assert log =~ "Authentication failure"
+      assert log =~ "rauthy"
+      # Should NOT log sensitive data
+      refute log =~ "secret_token_123"
+      refute log =~ "access_token=abc123"
+      refute log =~ "callback?access_token"
+    end
+
+    test "logs full reason for non-rauthy activities (password auth)", %{
+      conn: authenticated_conn
+    } do
+      conn = build_unauthenticated_conn(authenticated_conn)
+
+      reason = %AshAuthentication.Errors.AuthenticationFailed{
+        caused_by: %Ash.Error.Forbidden{errors: []}
+      }
+
+      log =
+        capture_log(fn ->
+          MvWeb.AuthController.failure(conn, {:password, :sign_in}, reason)
+        end)
+
+      # For non-rauthy activities, full reason is safe to log
+      assert log =~ "Authentication failure"
+      assert log =~ "password"
+      assert log =~ "AuthenticationFailed"
+    end
+  end
 end