
feat(pkce): per client policy #52

Merged: 1 commit merged into master from feat-pkce-per-client on Mar 11, 2024

Conversation

james-d-elliott
Member

@james-d-elliott james-d-elliott commented Mar 11, 2024

This adds a PKCE policy control on a per-client basis and overhauls the testing of this particular handler and the particular error messages it returns.

Summary by CodeRabbit

  • New Features
    • Enhanced PKCE Flow with per-client enforcement policy.
    • Introduced a customizable token prefix in CoreStrategy.
  • Bug Fixes
    • Fixed issues related to session generation and fetching in PKCE Flow.
  • Refactor
    • Updated type assertion in OAuth2PKCEFactory function for improved storage handling.
    • Replaced usage of regexp with fmt in PKCE handler for more efficient error handling.
    • Renamed PKCERequestStorage interface to Storage for clarity.
  • Documentation
    • Added regular expression validation for verifier formats in PKCE.

@james-d-elliott james-d-elliott requested a review from a team as a code owner March 11, 2024 04:36

coderabbitai bot commented Mar 11, 2024

Warning

Rate Limit Exceeded

@james-d-elliott has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 24 minutes and 44 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.
Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.
Please see our FAQ for further information.

Commits: files that changed from the base of the PR and between c4913a3 and c8f4c46.

Walkthrough

The changes bring significant enhancements to the PKCE Flow, focusing on improving security and flexibility in OAuth2 flows. Key improvements include the introduction of a per-client enforcement policy, refined session management, customizable CoreStrategy with token prefix options, and better error handling and reporting for PKCE-related issues.

Changes

Files and summary of changes:
  • README.md, client.go, compose/.../compose_pkce.go: Enhanced PKCE Flow with per-client policy, session improvements, customizable token prefix, and updated type assertion for Storage.
  • authorize_response.go: Modified AddParameter for specific constant checks and parameter additions.
  • handler/pkce/const.go: Introduced verifierWrongFormat regex for verifier format validation.
  • handler/pkce/handler.go: Replaced regexp with fmt, improved error handling, refined PKCE validation logic, and enhanced error reporting.
  • handler/pkce/storage.go: Renamed PKCERequestStorage to Storage, impacting PKCE session retrieval, creation, and deletion declarations.

Poem

🐇✨
In the land of code and byte,
A rabbit hopped with great delight.
PKCE flows, now strong and bright,
Security tight, through day and night.
With each hop, a bug took flight,
"To safer realms!" our code's kite.
🌟🐾



Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between c4913a3 and c88f309.
Files selected for processing (8)
  • README.md (2 hunks)
  • authorize_response.go (1 hunks)
  • client.go (1 hunks)
  • compose/compose_pkce.go (1 hunks)
  • handler/pkce/const.go (1 hunks)
  • handler/pkce/handler.go (10 hunks)
  • handler/pkce/handler_test.go (1 hunks)
  • handler/pkce/storage.go (1 hunks)
Files not summarized due to errors (1)
  • handler/pkce/handler_test.go: Error: Message exceeds token limit
Additional comments: 12
handler/pkce/const.go (1)
  • 5-7: The regular expression used for verifierWrongFormat correctly matches characters not allowed in a PKCE code verifier, aligning with the PKCE specification. This ensures that only valid characters are used, enhancing security.
handler/pkce/storage.go (1)
  • 12-12: Renaming PKCERequestStorage to Storage provides a more generic and flexible interface name, suitable for managing PKCE request sessions. This change enhances clarity and adaptability in handling PKCE sessions.
compose/compose_pkce.go (1)
  • 16-16: Updating the type assertion to pkce.Storage in the OAuth2PKCEFactory function aligns with the recent changes to the PKCE storage interface, ensuring consistency and correct behavior in PKCE session management.
authorize_response.go (1)
  • 47-47: The modification to the AddParameter method, adding a conditional check for a specific constant before setting the code field, enhances the method's safety and ensures that only intended parameters can modify the authorization response's state.
README.md (1)
  • 42-42: The documentation updates in the README.md file accurately reflect the enhancements made to the PKCE Flow, including the introduction of a per-client enforcement policy and a customizable token prefix feature. These updates provide clear and helpful information on the changes.
client.go (1)
  • 49-55: The introduction of the ProofKeyCodeExchangeClient interface, extending the Client interface with PKCE-related methods, is a significant enhancement. It aligns with the PR's objectives to improve security and flexibility in the PKCE flow by allowing per-client PKCE enforcement.
handler/pkce/handler.go (2)
  • 11-11: Replacing the regexp package with fmt for error formatting improves the readability and maintainability of error messages related to PKCE handling.
  • 38-49: 📝 NOTE: This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [31-62].

    The updates to the PKCE validation logic and the introduction of more detailed error reporting significantly enhance the robustness and clarity of the PKCE flow handling. These changes are crucial for improving security and providing clearer feedback in case of errors.

handler/pkce/handler_test.go (4)
  • 23-352: The test cases within TestHandler_HandleAuthorizeEndpointRequest are comprehensive and cover a wide range of scenarios, including different PKCE enforcement policies and error conditions. However, there are a few areas that could be improved for clarity and maintainability:
  1. Repeated Setup Logic: The setup logic within each test case is quite repetitive, especially the configuration of config and store. Consider refactoring this setup into a helper function to reduce duplication and improve readability.

  2. Error Message Consistency: Ensure that the error messages are consistent and accurately describe the test scenario. For example, in the test case "ShouldFailNoPKCEButRequiredForClient", the error message could be more specific about why PKCE is required for the client.

  3. Use of context.TODO(): While using context.TODO() in tests is generally acceptable, it's a good practice to use a real context with a timeout to prevent tests from hanging indefinitely if something goes wrong. Consider adding a timeout to these contexts.

  4. Magic Strings: There are several instances where "magic strings" are used, such as the client ID "test" and the PKCE challenge method "S256". It's a good practice to define these as constants at the top of your test file to avoid typos and make it easier to update these values in the future.

Consider refactoring the test setup logic into a helper function, adding timeouts to contexts, and defining commonly used strings as constants to improve the maintainability and readability of your tests.

  • 401-1278: The TestHandler_HandleTokenEndpointRequest function effectively tests various scenarios related to token endpoint requests, including PKCE verification and error handling. Similar to the previous function, there are areas for improvement:
  1. Refactor Setup Logic: Similar to TestHandler_HandleAuthorizeEndpointRequest, the setup logic is repetitive across test cases. Refactoring this into a helper function would improve readability and maintainability.

  2. Context with Timeout: Consider using a real context with a timeout instead of context.TODO() to prevent tests from hanging indefinitely under certain conditions.

  3. Constants for Repeated Strings: Define commonly used strings, such as client IDs and PKCE challenge methods, as constants to avoid repetition and potential typos.

  4. Error Message Clarity: Review the error messages to ensure they accurately describe the test scenario and provide clear guidance on the expected behavior or error condition.

Refactor repetitive setup logic into helper functions, use contexts with timeouts, define commonly used strings as constants, and ensure error messages are clear and descriptive to improve the quality and maintainability of your tests.

  • 1325-1346: The miscellaneous tests in TestMiscellaneous provide basic coverage for CanSkipClientAuth and PopulateTokenEndpointResponse methods. These tests are straightforward and do not exhibit any major issues. However, consider the following for future test enhancements:
  1. Additional Assertions: For PopulateTokenEndpointResponse, besides checking for no errors, it might be beneficial to assert that the response is populated as expected based on the input request.

  2. Context Usage: As with previous functions, consider using a context with a timeout for better control over test execution time.

While the current tests are adequate for basic validation, adding more detailed assertions and using contexts with timeouts could further improve test robustness and maintainability.

  • 1348-1364: The TestPKCEClient struct and its methods are well-defined and serve their purpose within the test suite. However, consider adding comments to document the purpose of each method and the struct itself. This will improve code readability and help future maintainers understand the role of TestPKCEClient in the test suite.

Add comments to the TestPKCEClient struct and its methods to improve code documentation and readability.
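The review above refers to two behaviours this PR introduces: a verifier-format check (the verifierWrongFormat expression) and a per-client PKCE enforcement policy. The following Go program is an added illustration of how those two checks fit together at the authorization and token endpoints; it is not code from this repository, and the Policy type, its constants, the function names and the error values are assumptions chosen for the example. The verifier and challenge used in main are the test vector from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Policy is a hypothetical per-client PKCE enforcement setting (assumed name,
// not the project's ProofKeyCodeExchangeClient interface).
type Policy int

const (
	PolicyDisabled Policy = iota // PKCE is never required for this client
	PolicyAllowed                // a challenge is verified when present, optional otherwise
	PolicyRequired               // requests without a challenge are rejected
)

// verifierWrongFormat matches any character outside the unreserved set that
// RFC 7636 section 4.1 permits in a code verifier. The expression is assumed
// here; the project's constant of the same name is not reproduced.
var verifierWrongFormat = regexp.MustCompile(`[^a-zA-Z0-9\-._~]`)

var (
	errVerifierFormat   = errors.New("code_verifier contains characters outside [A-Za-z0-9-._~]")
	errVerifierLength   = errors.New("code_verifier must be 43 to 128 characters long")
	errChallengeMissing = errors.New("client policy requires PKCE but no code_challenge was supplied")
	errMethod           = errors.New("unsupported code_challenge_method")
	errMismatch         = errors.New("code_verifier does not match the stored code_challenge")
)

// ValidateVerifier enforces the RFC 7636 length and character constraints.
func ValidateVerifier(verifier string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return errVerifierLength
	}
	if verifierWrongFormat.MatchString(verifier) {
		return errVerifierFormat
	}
	return nil
}

// S256Challenge derives code_challenge from a verifier with the S256 method:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CheckAuthorizeRequest decides at the authorization endpoint whether a request
// carrying the given challenge (possibly empty) is acceptable under the policy.
func CheckAuthorizeRequest(policy Policy, challenge, method string) error {
	if challenge == "" {
		if policy == PolicyRequired {
			return errChallengeMissing
		}
		return nil
	}
	if method != "S256" && method != "plain" {
		return errMethod
	}
	return nil
}

// VerifyTokenRequest compares the verifier presented at the token endpoint
// against the challenge that was stored with the authorization code. A stored
// challenge is always verified, whatever the policy; the policy only decides
// whether its absence is an error.
func VerifyTokenRequest(policy Policy, storedChallenge, method, verifier string) error {
	if storedChallenge == "" {
		if policy == PolicyRequired {
			return errChallengeMissing
		}
		return nil
	}
	if err := ValidateVerifier(verifier); err != nil {
		return err
	}
	var expected string
	switch method {
	case "S256":
		expected = S256Challenge(verifier)
	case "plain":
		expected = verifier
	default:
		return errMethod
	}
	// Constant-time comparison so the check does not leak how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return errMismatch
	}
	return nil
}

func main() {
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B
	challenge := S256Challenge(verifier)
	fmt.Println("challenge:", challenge)
	fmt.Println("required, no challenge:", CheckAuthorizeRequest(PolicyRequired, "", ""))
	fmt.Println("token exchange:", VerifyTokenRequest(PolicyRequired, challenge, "S256", verifier))
	fmt.Println("bad verifier:", VerifyTokenRequest(PolicyRequired, challenge, "S256", verifier[:42]+"!"))
}
```

The format check runs before the hash comparison so that a malformed verifier is reported as such rather than as a generic mismatch, which is the distinction the handler's more specific error messages are aimed at.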

@james-d-elliott james-d-elliott merged commit ee04059 into master Mar 11, 2024
3 checks passed
@james-d-elliott james-d-elliott deleted the feat-pkce-per-client branch March 11, 2024 04:40