porchlight/tests
Johan Lundberg 71a7c23bdd
fix(security): verify S256 PKCE when relying parties use it
idpyoidc advertised PKCE support but did not actually verify the code
challenge at the token endpoint, so a sent code_challenge provided no
protection. Enable the PKCE add-on restricted to S256.

Configured as non-essential: relying parties that do not send a
code_challenge continue to work (no breaking change), but any RP that uses
PKCE must use S256, and the code_verifier is verified at token exchange.
Flip essential=True (or per-client pkce_essential) to require PKCE once all
clients have migrated.

Refs: porchlight-s48

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 11:00:30 +02:00
..
e2e test: allow disabling rate limiting for e2e runs 2026-06-03 16:32:32 +02:00
test_admin fix: resolve all ruff lint errors and type checker warnings 2026-03-31 15:48:46 +02:00
test_auth_routes fix(security): invite links must not log in accounts with credentials 2026-06-04 10:51:01 +02:00
test_authn fix: resolve all ruff lint errors and type checker warnings 2026-03-31 15:48:46 +02:00
test_invite fix(security): consume magic-link tokens atomically 2026-06-04 10:46:38 +02:00
test_manage chore: create package structure with src layout 2026-02-12 14:39:07 +01:00
test_oidc fix(security): verify S256 PKCE when relying parties use it 2026-06-04 11:00:30 +02:00
test_store fix(security): consume magic-link tokens atomically 2026-06-04 10:46:38 +02:00
__init__.py chore: create package structure with src layout 2026-02-12 14:39:07 +01:00
conftest.py feat: add rate limiting middleware for authentication endpoints 2026-03-31 15:23:51 +02:00
test_admin_groups_validation.py style: apply ruff formatting to new files 2026-03-31 15:36:08 +02:00
test_admin_invite_validation.py style: apply ruff formatting to new files 2026-03-31 15:36:08 +02:00
test_app.py fix: resolve all ruff lint errors and type checker warnings 2026-03-31 15:48:46 +02:00
test_authn_active.py style: apply ruff formatting to new files 2026-03-31 15:36:08 +02:00
test_cli.py feat: add initial-admin CLI command 2026-02-18 11:29:13 +01:00
test_client_registration.py refactor: fix lint warnings and remove stale type: ignore comments 2026-02-18 13:08:03 +01:00
test_config.py refactor: fix lint warnings and remove stale type: ignore comments 2026-02-18 13:08:03 +01:00
test_csrf.py feat: wire CSRF middleware and harden session cookie 2026-02-19 13:45:58 +01:00
test_manage_profile.py feat: wire ProfileUpdate validation into manage profile route 2026-03-10 15:36:47 +01:00
test_models.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_password_change.py style: apply ruff formatting to new files 2026-03-31 15:36:08 +02:00
test_rate_limit.py feat: add rate limiting middleware for authentication endpoints 2026-03-31 15:23:51 +02:00
test_userid.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_validation.py fix(security): escape user input in validation error HTML 2026-06-04 10:23:32 +02:00