feat(role): role bind

2026-01-31 17:23:56 +08:00
parent 4dc46659c9
commit 41cdbb5b29
30 changed files with 1773 additions and 52 deletions
--- a/tests/refresh_token_smoke.rs
+++ b/tests/refresh_token_smoke.rs
@@ -0,0 +1,107 @@
+use hmac::{Hmac, Mac};
+use iam_service::models::{CreateTenantRequest, CreateUserRequest, LoginRequest};
+use iam_service::services::{AuthService, TenantService};
+use sha2::Sha256;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+fn fingerprint(pepper: &str, token: &str) -> String {
+    let mut mac = Hmac::<Sha256>::new_from_slice(pepper.as_bytes()).unwrap();
+    mac.update(token.as_bytes());
+    hex::encode(mac.finalize().into_bytes())
+}
+
+#[tokio::test]
+async fn refresh_token_rotate_and_expire_cases()
+-> Result<(), Box<dyn std::error::Error>> {
+    let database_url = match std::env::var("DATABASE_URL") {
+        Ok(v) if !v.trim().is_empty() => v,
+        _ => return Ok(()),
+    };
+
+    let pool = PgPool::connect(&database_url).await?;
+
+    let has_fingerprint: bool = sqlx::query_scalar(
+        r#"
+        SELECT EXISTS (
+          SELECT 1 FROM information_schema.columns
+          WHERE table_schema='public' AND table_name='refresh_tokens' AND column_name='token_fingerprint'
+        )
+        "#,
+    )
+    .fetch_one(&pool)
+    .await?;
+    if !has_fingerprint {
+        return Ok(());
+    }
+
+    let pepper = "test-pepper";
+    let tenant_service = TenantService::new(pool.clone());
+    let auth_service = AuthService::new(pool.clone(), pepper.to_string());
+
+    let tenant = tenant_service
+        .create_tenant(CreateTenantRequest {
+            name: format!("refresh-{}", Uuid::new_v4()),
+            config: None,
+        })
+        .await?;
+
+    let user = auth_service
+        .register(
+            tenant.id,
+            CreateUserRequest {
+                email: format!("u-{}@example.com", Uuid::new_v4()),
+                password: "Password12345".to_string(),
+            },
+        )
+        .await?;
+
+    let login = auth_service
+        .login(
+            tenant.id,
+            LoginRequest {
+                email: user.email.clone(),
+                password: "Password12345".to_string(),
+            },
+        )
+        .await?;
+
+    let old_refresh = login.refresh_token.clone();
+
+    let refreshed = auth_service
+        .refresh_access_token(old_refresh.clone())
+        .await?;
+    assert_ne!(refreshed.refresh_token, old_refresh);
+    assert!(!refreshed.access_token.is_empty());
+
+    let second = auth_service.refresh_access_token(old_refresh.clone()).await;
+    assert!(second.is_err());
+
+    let invalid = auth_service
+        .refresh_access_token("not-a-real-token".to_string())
+        .await;
+    assert!(invalid.is_err());
+
+    let login2 = auth_service
+        .login(
+            tenant.id,
+            LoginRequest {
+                email: user.email.clone(),
+                password: "Password12345".to_string(),
+            },
+        )
+        .await?;
+    let fp = fingerprint(pepper, &login2.refresh_token);
+    sqlx::query("UPDATE refresh_tokens SET expires_at = NOW() - INTERVAL '1 second' WHERE token_fingerprint = $1")
+        .bind(fp)
+        .execute(&pool)
+        .await?;
+
+    let expired = auth_service
+        .refresh_access_token(login2.refresh_token.clone())
+        .await;
+    assert!(expired.is_err());
+
+    Ok(())
+}
+