fix(sdk): this (enforceDPoP) flag needs to be flipped (#649)

mkleene · web-flow · commit dd65db18d5b4 · 2024-04-23T18:57:32.000Z
the flag was inverted incorrectly
diff --git a/service/internal/auth/authn.go b/service/internal/auth/authn.go
@@ -312,7 +312,7 @@ func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpo
 	}
 
 	_, tokenHasCNF := accessToken.Get("cnf")
-	if !tokenHasCNF && a.enforceDPoP {
+	if !tokenHasCNF && !a.enforceDPoP {
 		// this condition is not quite tight because it's possible that the `cnf` claim may
 		// come from token introspection
 		return accessToken, ctx, nil
diff --git a/service/internal/auth/authn_test.go b/service/internal/auth/authn_test.go
@@ -144,7 +144,7 @@ func (s *AuthSuite) SetupTest() {
 		context.Background(),
 		Config{
 			AuthNConfig: AuthNConfig{
-				EnforceDPoP: false,
+				EnforceDPoP: true,
 				Issuer:      s.server.URL,
 				Audience:    "test",
 			},
@@ -548,7 +548,7 @@ func makeDPoPToken(t *testing.T, tc dpopTestCase) string {
 
 func (s *AuthSuite) Test_Allowing_Auth_With_No_DPoP() {
 	authnConfig := AuthNConfig{
-		EnforceDPoP: true,
+		EnforceDPoP: false,
 		Issuer:      s.server.URL,
 		Audience:    "test",
 	}

Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpo`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`_, tokenHasCNF := accessToken.Get("cnf")`
`315`		`- if !tokenHasCNF && a.enforceDPoP {`
	`315`	`+ if !tokenHasCNF && !a.enforceDPoP {`
`316`	`316`	// this condition is not quite tight because it's possible that the `cnf` claim may
`317`	`317`	`// come from token introspection`
`318`	`318`	`return accessToken, ctx, nil`