// @oagen-ignore-file
package workos_test
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/workos/workos-go/v7"
)
// TestSealData_UnsealData_RoundTrip seals a flat map under a password and
// checks that unsealing with the same password yields every original field.
func TestSealData_UnsealData_RoundTrip(t *testing.T) {
	// Constructed fixture value, not a real credential.
	const secret = "my-super-secret-password"

	payload := map[string]interface{}{
		"user_id": "user_123",
		"email":   "test@example.com",
		"active":  true,
	}

	token, sealErr := workos.SealData(payload, secret)
	require.NoError(t, sealErr)
	// An empty sealed string would make the unseal step below meaningless.
	require.NotEmpty(t, token)

	got, unsealErr := workos.UnsealData(token, secret)
	require.NoError(t, unsealErr)

	require.Equal(t, "user_123", got["user_id"])
	require.Equal(t, "test@example.com", got["email"])
	require.Equal(t, true, got["active"])
}
// TestUnsealData_WrongPassword checks that unsealing with a password other
// than the one used to seal is rejected with a "failed to decrypt" error.
func TestUnsealData_WrongPassword(t *testing.T) {
	// Constructed fixture values, not real credentials.
	const (
		sealSecret   = "correct-password"
		unsealSecret = "wrong-password"
	)

	token, sealErr := workos.SealData(map[string]interface{}{
		"secret": "value",
	}, sealSecret)
	require.NoError(t, sealErr)

	// NOTE(review): the returned map is discarded here; asserting that it is
	// empty would also pin that no data is handed back on a failed unseal.
	_, unsealErr := workos.UnsealData(token, unsealSecret)
	require.Error(t, unsealErr)
	require.Contains(t, unsealErr.Error(), "failed to decrypt")
}
// TestSealData_HexKey round-trips a value using a 64-character hex string as
// the key argument instead of a free-form password.
func TestSealData_HexKey(t *testing.T) {
	// 64 hex characters, i.e. 32 bytes once hex-decoded. Constructed fixture,
	// not a real key.
	// NOTE(review): this only observes the round trip; it does not show
	// whether SealData hex-decodes the key or treats it as a password.
	const key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

	payload := map[string]interface{}{"key": "value"}

	token, sealErr := workos.SealData(payload, key)
	require.NoError(t, sealErr)

	got, unsealErr := workos.UnsealData(token, key)
	require.NoError(t, unsealErr)
	require.Equal(t, "value", got["key"])
}
// TestSealData_NestedData checks that a nested map, a slice and a float64
// survive a seal/unseal round trip with their dynamic types intact.
func TestSealData_NestedData(t *testing.T) {
	// Constructed fixture value, not a real credential.
	const secret = "test-password"

	inner := map[string]interface{}{
		"name":  "Alice",
		"roles": []interface{}{"admin", "editor"},
	}
	payload := map[string]interface{}{
		"user":  inner,
		"count": float64(42),
	}

	token, sealErr := workos.SealData(payload, secret)
	require.NoError(t, sealErr)

	got, unsealErr := workos.UnsealData(token, secret)
	require.NoError(t, unsealErr)

	// The nested object must come back as a generic map.
	gotUser, isMap := got["user"].(map[string]interface{})
	require.True(t, isMap)
	require.Equal(t, "Alice", gotUser["name"])

	// The role list must come back as a generic slice, in order.
	gotRoles, isSlice := gotUser["roles"].([]interface{})
	require.True(t, isSlice)
	require.Len(t, gotRoles, 2)
	require.Equal(t, "admin", gotRoles[0])
	require.Equal(t, "editor", gotRoles[1])

	require.Equal(t, float64(42), got["count"])
}
// TestSealData_EmptyMap checks that sealing an empty map succeeds and that
// unsealing it yields an empty result.
func TestSealData_EmptyMap(t *testing.T) {
	// Constructed fixture value, not a real credential.
	const secret = "test-password"

	token, sealErr := workos.SealData(map[string]interface{}{}, secret)
	require.NoError(t, sealErr)

	got, unsealErr := workos.UnsealData(token, secret)
	require.NoError(t, unsealErr)
	require.Empty(t, got)
}
// TestSealData_ProducesDifferentCiphertexts seals the same data twice under
// the same password and checks that the two outputs differ yet unseal to
// equal data.
func TestSealData_ProducesDifferentCiphertexts(t *testing.T) {
	// Constructed fixture value, not a real credential.
	const secret = "test-password"

	payload := map[string]interface{}{"key": "value"}

	first, err := workos.SealData(payload, secret)
	require.NoError(t, err)

	second, err := workos.SealData(payload, secret)
	require.NoError(t, err)

	// Each seal is expected to use a fresh random nonce, so identical inputs
	// must not yield identical output; equal output would signal nonce reuse.
	require.NotEqual(t, first, second)

	// Both outputs must still unseal to the same plaintext.
	fromFirst, err := workos.UnsealData(first, secret)
	require.NoError(t, err)

	fromSecond, err := workos.UnsealData(second, secret)
	require.NoError(t, err)

	require.Equal(t, fromFirst, fromSecond)
}
// TestUnsealData_InvalidBase64 checks that input which is not valid base64 is
// rejected with a "failed to decode" error.
func TestUnsealData_InvalidBase64(t *testing.T) {
	const malformed = "not-valid-base64!!!"

	_, unsealErr := workos.UnsealData(malformed, "password")
	require.Error(t, unsealErr)
	require.Contains(t, unsealErr.Error(), "failed to decode")
}
// TestUnsealData_TruncatedCiphertext checks that well-formed base64 which is
// too short to hold a GCM nonce is rejected with an error.
func TestUnsealData_TruncatedCiphertext(t *testing.T) {
	// "AQID" is valid base64 for three bytes, shorter than a GCM nonce.
	// Only the presence of an error is asserted, not its message; a panic
	// from slicing the short input would also fail this test.
	const tooShort = "AQID"

	_, unsealErr := workos.UnsealData(tooShort, "password")
	require.Error(t, unsealErr)
}