chore: update test for oauthserver

staaldraad · staaldraad · commit fbf58a3dd119 · 2026-04-13T13:41:35.000+02:00
diff --git a/internal/api/oauthserver/authorize_test.go b/internal/api/oauthserver/authorize_test.go
@@ -136,11 +136,23 @@ func TestValidateRequestOriginEdgeCases(t *testing.T) {
 	tokenService := tokens.NewService(globalConfig, hooksMgr)
 	server := NewServer(globalConfig, conn, tokenService)
 
-	t.Run("Origin with different port should be allowed (hostname matching)", func(t *testing.T) {
+	t.Run("Origin with different port on non-localhost should be rejected", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/test", nil)
 		req.Header.Set("Origin", "https://example.com:8080")
 
-		// Should pass because hostname matches (IsRedirectURLValid allows different ports)
+		// Must be rejected: port mismatch on a non-loopback host.
+		// RFC 8252 Section 7.3 variable-port exception only applies to localhost.
+		err := server.validateRequestOrigin(req)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "unauthorized request origin")
+	})
+
+	t.Run("Origin with different port on localhost should be allowed (RFC 8252 Section 7.3)", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/test", nil)
+		req.Header.Set("Origin", "https://localhost:9999")
+
+		// Must be allowed: RFC 8252 Section 7.3 requires variable port support for
+		// loopback redirect URIs used by native apps.
 		err := server.validateRequestOrigin(req)
 		assert.NoError(t, err)
 	})
