node-oauth2-server icon indicating copy to clipboard operation
node-oauth2-server copied to clipboard

Published 20 hours ago • verified publisher icon node-oauth

Add security consideration section to integration tests

Open jankapunkt opened this issue 4 years ago • 3 comments

We should add tests to fully cover section 10 - security considerations and cover as much as possible that can be covered without going into implementation details.

jankapunkt avatar Nov 14 '21 10:11 jankapunkt

I love this idea. I'm going to outline the tests and push a new security branch to start the discussion.

jwerre avatar Nov 15 '21 15:11 jwerre

I created a security branch and started outlining some of the tests here.

This is going to take some time and I'm not sure how much of this is going to be testable without a client but I think it's a good goal. I'll continue to outline the tests and hopefully those will generate some good discussions. Thanks again for bringing this up @jankapunkt

jwerre avatar Nov 15 '21 17:11 jwerre

Actually some interesting stuff. Like the authorization code should not be used multiple times, but if it is then revoke all access tokens based on the authorization code.

So some of these tests mean that we have to store some additional data, like a reference to the authorizationcode (code itself or e.g. a sha1 hash) in the access token) to be able to revoke all access tokens based on that authorization code in that case.

Uzlopak avatar Nov 17 '21 09:11 Uzlopak