fix: enhance invite token validation for hex format and case sensitivity

GitHub Actions
2026-03-18 22:15:39 +00:00
parent 19b388d865
commit bf89c2603d
@@ -120,9 +120,13 @@ func TestInviteToken_MustBeUnguessable(t *testing.T) {
// Token MUST be at least 32 bytes (64 hex chars = 256 bits of entropy)
require.GreaterOrEqual(t, len(token), 64, "invite token must be at least 64 hex chars (256 bits); got len=%d token=%q", len(token), token)
// Token must decode cleanly as lowercase hex — hex.DecodeString rejects uppercase and non-hex chars
// Token must be valid hex (all characters in [0-9a-f]).
// hex.DecodeString accepts both cases, so check for lowercase explicitly:
// hex.EncodeToString (used by generateSecureToken) always emits lowercase,
// so uppercase would indicate a regression in the token-generation path.
_, err := hex.DecodeString(token)
require.NoError(t, err, "invite token must be valid lowercase hex; got %q", token)
require.NoError(t, err, "invite token must be valid hex; got %q", token)
require.Equal(t, strings.ToLower(token), token, "invite token must be lowercase hex (as produced by hex.EncodeToString); got %q", token)
}
func TestInviteToken_ExpiredCannotBeUsed(t *testing.T) {
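Review bot: The comment above the length check ("64 hex chars = 256 bits of entropy") conflates length with entropy, and the two new assertions below it only pin the token's format (decodable hex, lowercase), neither of which establishes that the token is unguessable as the test name claims. Length is a necessary condition; the entropy claim rests on what generateSecureToken reads from, which this test cannot observe, so the comment should say so: `// Token MUST be at least 32 bytes (64 hex chars); the 256-bit entropy claim assumes generateSecureToken draws from a CSPRNG.` If the earlier part of the function does not already do so, a cheap sanity check that is within the test's reach is that two consecutively generated tokens differ, e.g. `require.NotEqual(t, token, second, "consecutive invite tokens must differ")`. Since the comment now states the character class as [0-9a-f], a single check such as `require.Empty(t, strings.Trim(token, "0123456789abcdef"), ...)` would make that comment literally true, though the hex.DecodeString call is still needed to reject odd lengths. TestInviteToken_MustBeUnguessable begins outside the hunk, so the token's origin and any earlier assertions are not visible here.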