Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
github.com/oauth2-proxy/mockoidc
- Version published
- Created
mockoidc
A Mock OpenID Connect Server for Authentication Unit and Integration Tests.
Created by @NickMeves and @egrif during the Greenhouse Software 2021 Q1 Hack Day.
Usage
Import the package
import "github.com/oauth2-proxy/mockoidc"
Start the MockOIDC Server. This will spin up a minimal OIDC server in its own goroutine. It will listen on localhost on a random port.
Then pull its configuration to integrate it with your application. Begin testing!
m, _ := mockoidc.Run()
defer m.Shutdown()
cfg := m.Config()
// type Config struct {
// ClientID string
// ClientSecret string
// Issuer string
//
// AccessTTL time.Duration
// RefreshTTL time.Duration
// }
RunTLS
Alternatively, if you provide your own tls.Config, the server can run with
TLS:
tlsConfig = &tls.Config{
// ...your TLS settings
}
m, _ := mockoidc.RunTLS(tlsConfig)
defer m.Shutdown()
Endpoints
The following endpoints are implemented. They can either be pulled from the
OIDC discovery document (m.Issuer() + "/.well-known/openid-configuration)
or retrieved directly from the MockOIDC server.
m, _ := mockoidc.Run()
defer m.Shutdown()
m.Issuer()
m.DiscoveryEndpoint()
m.AuthorizationEndpoint()
m.TokenEndpoint()
m.UserinfoEndpoint()
m.JWKSEndpoint()
Seeding Users and Codes
By default, calls to the authorization_endpoint will start a session as if
the mockoidc.DefaultUser() had logged in, and it will return a random code
for the token_endpoint. The User in the session started by this call to the
authorization_endpoint will be the one in the tokens returned by the
subsequent token_endpoint call.
These can be seeded with your own test Users & codes that will be returned:
m, _ := mockoidc.Run()
defer m.Shutdown()
user := &mockoidc.User{
// User details...
}
// Add the User to the queue, this will be returned by the next login
m.QueueUser(user)
// Preset the code returned by the next login
m.QueueCode("12345")
// ...Request to m.AuthorizationEndpoint()
Forcing Errors
Arbitrary errors can also be queued for handlers to return instead of their default behavior:
m, err := mockoidc.Run()
defer m.Shutdown()
m.QueueError(&mockoidc.ServerError{
Code: http.StatusInternalServerError,
Error: mockoidc.InternalServerError,
Description: "Some Custom Description",
})
Manipulating Time
To accurately test token expiration scenarios, the MockOIDC server's view of time is completely mutable.
You can override the server's view of time.Now
mockoidc.NowFunc = func() { //...custom logic }
As tests are running, you can fast-forward time to critical test points (e.g. Access & Refresh Token expirations).
m, _ := mockoidc.Run()
m.FastForward(time.Duration(1) * time.Hour)
Synchronizing with jwt-go time
Even though we can fast-forward time, the underlying tokens processed by the jwt-go library still have timing logic.
We need to synchronize our timer with theirs:
m, _ := mockoidc.Run()
defer m.Shutdown()
// Overrides jwt.TimeFunc to m.Now
reset := m.Synchronize()
// reset is a mockoidc.ResetTime function that reverts jwt.TimeFunc to
// its original state
defer reset()
Manual Configuration
Everything started up with mockoidc.Run() can be done manually giving the
opportunity to finely tune the settings:
// Create a fresh RSA Private Key for token signing
rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
// Create an unstarted MockOIDC server
m, _ := mockoidc.NewServer(rsaKey)
// Create the net.Listener on the exact IP:Port you want
ln, _ := net.Listen("tcp", "127.0.0.1:8080")
tlsConfig = &tls.Config{
// ...your TLS settings
}
// tlsConfig can be nil if you want HTTP
m.Start(ln, tlsConfig)
defer m.Shutdown()
Nearly all the MockOIDC struct is public. If you want to update any settings
to predefined values (e.g. clientID, clientSecret, AccessTTL,
RefreshTTL) you can before calling m.Start.
Additional internal components of the MockOIDC server are public if you need to tamper with them as well:
type MockOIDC struct {
// ...other stuff
// Normally, these would be private. Expose them publicly for
// power users.
Server *http.Server
Keypair *Keypair
SessionStore *SessionStore
UserQueue *UserQueue
ErrorQueue *ErrorQueue
}
Adding Middleware
When configuring the MockOIDC server manually, you have the opportunity to add custom middleware before starting the server (e.g. request logging, test validators, etc).
m, _ := mockoidc.NewServer(nil)
middleware := func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
// custom middleware logic here...
next.ServeHTTP(rw, req)
// custom middleware logic here...
})
}
m.AddMiddleware(middleware)
FAQs
Unknown package
Package last updated on 14 Feb 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024