Skip to content

Add StreamServer authentication test coverage to grpc_authn_interceptor_test.go #698

Description

@coderabbitai

Summary

The GrpcAuthnInterceptor.StreamServer entrypoint is security-critical but currently has no unit-test coverage. A regression there could silently allow unauthenticated access on all streaming RPCs, bypassing the JWT authentication hardening introduced in PR #685.

Severity: High — unauthenticated streaming calls are possible if StreamServer has a logic gap.

Work required

Add StreamServer test cases to internal/auth/grpc_authn_interceptor_test.go that mirror the existing unary cases:

  • Rejects missing Authorization header on a private (non-anonymous) method → Unauthenticated
  • Rejects unsupported authorization scheme → Unauthenticated
  • Returns JWT validator error as a gRPC Unauthenticated status, handler not invoked
  • Rejects multiple Authorization headers → Unauthenticated
  • Allows anonymous methods without an Authorization header
  • Rejects invalid token on an anonymous method → Unauthenticated
  • Stores validated token in the stream context on success (TokenFromContext)

Use NewGrpcAuthnInterceptor(), MakeTokenString/MakeTokenObject/TokenFromContext, and MockJwtValidator with a small fake grpc.ServerStream that injects metadata via metadata.NewIncomingContext.

References

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions