rose-ash/lib/identity/tests at b1be3a36ec8cf6cb413256428b9f3f2d72c6f052 - rose-ash - Gitea: Git with a cup of tea

coop/rose-ash

Files

History

giles 37b7d1635c identity: PKCE S256 (RFC 7636 §4.2) — now the erlang binary substrate is fixed

oauth.sx routes the PKCE check through pkce_ok: an S256 challenge carried as
{s256, Hash} compares crypto:hash(sha256, Verifier) =:= Hash; a bare
challenge stays plain (§4.1), so both methods coexist with no change to
existing flows (the bare path is the old =:= behaviour). Raw sha256 digests
are compared (base64url is wire encoding, omitted). New tests/pkce.sx (6,
incl. S256 through PAR). Verified pkce 6/6; substrate fix is in the
preceding commit. 239 total.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 14:12:10 +00:00

..

account.sx

identity: "disconnect app" — revoke_app(Subject, Client) (+4 tests)

2026-06-07 07:59:13 +00:00

api.sx

identity: service facade api.sx — login/verify/revoke/logout (10 tests, Phase 1 complete)

2026-06-07 00:00:05 +00:00

audit.sx

identity: trust-gated federated identity + cross-instance mapping (Phase 4 complete, +13)

2026-06-07 01:29:08 +00:00

cache.sx

identity: delegated grant-verification cache with generation invalidation (Phase 3 complete, +9)

2026-06-07 01:03:57 +00:00

clients.sx

identity: OAuth client registry — public/confidential clients + redirect allow-list (11 tests)

2026-06-07 02:03:44 +00:00

delegation.sx

identity: identity->acl delegation boundary — 401 gates before 403 (+8 tests)

2026-06-07 03:05:12 +00:00

device.sx

identity: device authorization grant (RFC 8628, +10 tests)

2026-06-07 02:39:03 +00:00

dynreg.sx

identity: dynamic client registration (RFC 7591, +5 tests)

2026-06-07 04:48:45 +00:00

exchange.sx

identity: token exchange — downscope into an independent token (RFC 8693, +8 tests)

2026-06-07 03:31:14 +00:00

expiry.sx

identity: access-token TTL via logical clock — expires_in (RFC 6749 §4.2.2, +8 tests)

2026-06-07 01:53:19 +00:00

facade.sx

identity: unify api.sx facade over audit + membership (+9 tests)

2026-06-07 02:51:48 +00:00

federation.sx

identity: trust-gated federated identity + cross-instance mapping (Phase 4 complete, +13)

2026-06-07 01:29:08 +00:00

grants.sx

identity: client-credentials grant (RFC 6749 §4.4, +9 tests)

2026-06-07 02:22:26 +00:00

introspect.sx

identity: RFC 7662 full introspection metadata — introspect_full (+9 tests)

2026-06-07 03:56:16 +00:00

membership.sx

identity: membership state machine + per-app grant projection (17 tests)

2026-06-07 00:54:51 +00:00

oauth.sx

identity: wire refresh into oauth + e2e flow tests (Phase 2 complete, +3 tests)

2026-06-07 00:35:10 +00:00

par.sx

identity: pushed authorization requests (PAR, RFC 9126, +7 tests)

2026-06-07 04:09:55 +00:00

pkce.sx

identity: PKCE S256 (RFC 7636 §4.2) — now the erlang binary substrate is fixed

2026-06-07 14:12:10 +00:00

registry.sx

identity: session registry — route by id and (subject, client) + SSO fan-out (9 tests)

2026-06-06 23:55:34 +00:00

session_mgmt.sx

identity: subject-wide session management — sessions + logout_all (+8 tests)

2026-06-07 03:16:21 +00:00

session.sx

identity: session-as-process — create/lookup/expire/revoke + idle timeout (11 tests)

2026-06-06 23:45:50 +00:00

sso.sx

identity: silent SSO prompt=none fast-path — one session, many clients (10 tests)

2026-06-07 00:45:15 +00:00

token.sx

identity: scope-as-set + scope narrowing on refresh (RFC 6749 §6, +6 tests)

2026-06-07 01:43:16 +00:00