Test cases

go.mod

@@ -135,7 +135,7 @@ require (
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
@@ -255,6 +255,7 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/oracle/oci-go-sdk/v65 v65.55.0 // indirect
 	github.com/packethost/packngo v0.28.1 // indirect

go.sum

@@ -302,6 +302,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -889,6 +891,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
+github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk=
+github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw=
 github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU=
 github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=

internal/auth/oauth2.go

@@ -119,6 +119,14 @@ func NewAuthenticationService(ctx context.Context, params AuthenticationServiceP
 		return nil, errors.E(op, errors.CodeServerConfiguration, err, "failed to create oidc provider")
 	}
 
+	if params.SessionCookieMaxAge == 0 {
+		return nil, errors.E(op, errors.CodeServerConfiguration, err, "session cookie max age not set")
+	}
+
+	if params.SessionTokenExpiry == 0 {
+		return nil, errors.E(op, errors.CodeServerConfiguration, err, "session token expiry not set")
+	}
+
 	return &AuthenticationService{
 		provider: provider,
 		oauthConfig: oauth2.Config{
@@ -384,7 +392,7 @@ func (as *AuthenticationService) CreateBrowserSession(
 	secureCookies bool,
 	email string,
 ) error {
-	const op = errors.Op("")
+	const op = errors.Op("auth.AuthenticationService.CreateBrowserSession")
 
 	session, err := as.sessionStore.Get(r, SessionName)
 	if err != nil {
@@ -407,12 +415,12 @@ func (as *AuthenticationService) CreateBrowserSession(
 // retrieving new access tokens upon expiry. If this cannot be done, the cookie
 // is deleted and an error is returned.
 func (as *AuthenticationService) AuthenticateBrowserSession(ctx context.Context, w http.ResponseWriter, req *http.Request) (context.Context, error) {
-	const op = errors.Op("")
+	const op = errors.Op("auth.AuthenticationService.AuthenticateBrowserSession")
 
 	// Get the session for this cookie
 	session, err := as.sessionStore.Get(req, SessionName)
 	if err != nil {
-		return ctx, errors.E(op, err)
+		return ctx, errors.E(op, err, "failed to retrieve session")
 	}
 
 	// Get the identity id (email)
@@ -424,7 +432,7 @@ func (as *AuthenticationService) AuthenticateBrowserSession(ctx context.Context,
 	// If it's not ok, kill their session
 	if err != nil {
 		session.Options.MaxAge = -1
-		if err = session.Save(req, w); err != nil {
+		if err := session.Save(req, w); err != nil {
 			return ctx, errors.E(op, err)
 		}
 		return ctx, errors.E(op, err)
@@ -444,7 +452,7 @@ func (as *AuthenticationService) AuthenticateBrowserSession(ctx context.Context,
 
 // validateAndUpdateAccessToken
 func (as *AuthenticationService) validateAndUpdateAccessToken(ctx context.Context, email any) error {
-	const op = errors.Op("")
+	const op = errors.Op("auth.AuthenticationService.validateAndUpdateAccessToken")
 
 	// Cast the email, it is any because we pass it through the context when authenticating
 	// with cookies and it makes sense to handle the casting here
@@ -489,7 +497,7 @@ func (as *AuthenticationService) validateAndUpdateAccessToken(ctx context.Contex
 //
 // This is to be called only when a token is expired.
 func (as *AuthenticationService) refreshIdentitiesToken(ctx context.Context, email string, t *oauth2.Token) error {
-	const op = errors.Op("")
+	const op = errors.Op("auth.AuthenticationService.refreshIdentitiesToken")
 
 	tSrc := as.oauthConfig.TokenSource(ctx, t)