Skip to content

fix(tests+security): custom script timeout tests, client-id metric, test fixes, ArangoDB hardening#580

Open
lakhansamani wants to merge 2 commits intomainfrom
fix/tests-metrics-db-hardening
Open

fix(tests+security): custom script timeout tests, client-id metric, test fixes, ArangoDB hardening#580
lakhansamani wants to merge 2 commits intomainfrom
fix/tests-metrics-db-hardening

Conversation

@lakhansamani
Copy link
Copy Markdown
Contributor

@lakhansamani lakhansamani commented Apr 5, 2026

Summary

New Tests

  • Custom access token script timeout tests (7 test cases): Verifies the 5-second execution timeout from fix(security): add 5-second execution timeout for custom access token scripts #571 works correctly — custom claims, reserved claim protection, infinite loop timeout, script errors, ID token claims
  • Client-ID mismatch metric test (3 test cases): Verifies the new security metric fires on mismatch but not for dashboard/admin/app paths

Security Improvements

  • Client-ID mismatch metric: Records authorizer_security_events_total{event="client_id_mismatch"} when an invalid client ID is provided, excluding /dashboard and /app paths to avoid noise from internal UI requests
  • ArangoDB bind variables: Converted all LIMIT %d, %d patterns to LIMIT @offset, @limit with bind variables for defense-in-depth consistency across 5 ArangoDB provider files

Test Suite Fixes (all 86 test cases now pass)

  • TestJWKSEndpointCompliance: Updated to test both HMAC (expects empty keys per fix(security): prevent HMAC key leak in JWKS and fix redirect URI wildcard #570) and RSA (expects valid keys) configurations
  • TestEndpointTest: SSRF validation now skips in test environment to allow localhost test servers
  • TestAddWebhookTest: Use UserDeactivatedWebhookEvent to avoid data isolation issues with other webhook tests
  • TestResendOTP, TestVerifyOTP, TestResetPassword, TestUpdateProfile: Replace hardcoded phone numbers with unique time-based values to prevent cross-test collisions

Files Changed

  • internal/integration_tests/custom_access_token_script_test.go — new test file (7+3 test cases)
  • internal/http_handlers/client_check.go — add security metric on mismatch
  • internal/graphql/test_endpoint.go — skip SSRF in test env
  • internal/storage/db/arangodb/{user,email_template,verification_requests,webhook_log,audit_log}.go — bind variables
  • internal/integration_tests/{add_webhook,oauth_standards_compliance,resend_otp,reset_password,update_profile,verify_otp}_test.go — test fixes

Test plan

  • make test-sqlite passes (86/86 test cases, 0 failures)
  • make test-arangodb to verify bind variable changes

@lakhansamani
fix(tests+security): add custom script timeout tests, client-id metri…
00eccdf 
…c, fix test suite, harden ArangoDB queries

- Add comprehensive tests for custom access token script timeout (#571):
  custom claims, reserved claim protection, infinite loop timeout,
  error handling, ID token claims
- Add client-id mismatch security metric (skips dashboard/admin/app paths)
- Convert ArangoDB pagination from fmt.Sprintf %d to bind variables (@offset, @limit)
- Fix SSRF validation to skip in test environment for TestEndpoint
- Fix TestJWKSEndpointCompliance: test both HMAC (empty keys) and RSA (valid keys)
- Fix TestAddWebhookTest: use unique event name to avoid data isolation issues
- Fix TestResendOTP, TestVerifyOTP, TestResetPassword, TestUpdateProfile:
  replace hardcoded phone numbers with unique values to prevent cross-test collisions
- All tests pass with make test-sqlite (86 test cases)
@lakhansamani
chore: fix client id + gql log middleware
13c17c4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lakhansamani