test(axum): cover JWT claim fallbacks and missing-context rejection#753
Conversation
Add `tests/auth_fallbacks.rs` exercising verifier and extractor branches
that the happy-path integration tests do not reach:
- Token omitting `sub` exercises the `unwrap_or("unknown")` fallback in
`verify_bearer_token`.
- Token omitting `iss` exercises the `unwrap_or_default()` fallback for
the `iss` claim (jsonwebtoken only validates `iss` when present).
- Token omitting `aud` exercises the `unwrap_or_default()` fallback for
the `aud` claim (jsonwebtoken only validates `aud` when present).
- `TestAuthContext::from_request_parts` returns `401 UNAUTHORIZED` with
`"missing auth context"` when no middleware injected the context.
The `exp.unwrap_or_default()` branch is unreachable via the public
middleware (`exp` is in `required_spec_claims` by default), so no test
is added for it; the rationale is documented in the file's header
comment.
Co-authored-by: Claude <noreply@anthropic.com>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
Adds 4 tests in
crates/uselesskey-axum/tests/auth_fallbacks.rscovering JWT claim-fallback branches and the extractor-missing rejection path. Tokens are hand-crafted withjsonwebtokendirectly (matching the pattern intests/integration.rs) so individual claims can be omitted.Tests added:
missing_sub_claim_falls_back_to_unknown_sentinel— token omittingsubexercises theunwrap_or("unknown")fallback.missing_iss_claim_falls_back_to_empty_string— token omittingissexercises theunwrap_or_default()fallback foriss.missing_aud_claim_falls_back_to_empty_string— token omittingaudexercises theunwrap_or_default()fallback foraud.test_auth_context_extractor_rejects_when_not_injected— extractor returns401 UNAUTHORIZEDwith body"missing auth context"when no middleware injected the context.The verifier's deterministic signing key is recreated by mirroring the
DeterministicJwksPhasederivation (auth-suite:primarylabel). Tests follow the panic-freeTestResult<()>/require_ok/ensure_eq!pattern fromtests/accessors.rs.Test plan
cargo test -p uselesskey-axum— 4 new + 25 existing tests pass.cargo clippy -p uselesskey-axum --tests --all-features -- -D warnings— clean.cargo fmt --check— clean.Notes
Missing
expclaim intentionally skipped: not reachable through the public middleware.jsonwebtoken10.4 includesexpinValidation::required_spec_claimsby default, so a token withoutexpis rejected bydecode::<Value>(returnsMissingRequiredClaim) before extraction runs. Theexp.unwrap_or_default()line inverify_bearer_tokenis defensive code unreachable via public API. Rationale documented in the test file's module-level comment.Generated by Claude Code