diff --git a/server/deviceflowhandlers_test.go b/server/deviceflowhandlers_test.go
index 3f3ea81e..ec7bf29d 100644
--- a/server/deviceflowhandlers_test.go
+++ b/server/deviceflowhandlers_test.go
@@ -222,8 +222,9 @@ func TestDeviceCallback(t *testing.T) {
code: "somecode",
error: "Error Condition",
},
- expectedResponseCode: http.StatusBadRequest,
- expectedServerResponse: "Error Condition: \n",
+ expectedResponseCode: http.StatusBadRequest,
+ // Note: Error details should NOT be displayed to user anymore.
+ // Instead, a safe generic message is shown.
},
{
testName: "Expired Auth Code",
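Review bot: Dropping `expectedServerResponse` from this case (and from the "Prevent cross-site scripting" case in the next hunk) leaves the test asserting only the status code, while the new comment promises that "a safe generic message is shown" and nothing in the table verifies that message is actually emitted. A negative check that the leaked detail is absent, as the third hunk appears to add, passes equally for an empty body or a blank page, so the hardened behavior is not pinned. Either restore `expectedServerResponse` with the generic message the handler now returns, or make the expectation data-driven by adding table fields such as `expectedBodySubstrings []string` and `forbiddenBodySubstrings []string` and checking them in the loop instead of branching on `tc.testName`, which is brittle if a case is renamed. The enclosing `tests` table literal and `TestDeviceCallback` begin before this hunk.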
@@ -352,8 +353,9 @@ func TestDeviceCallback(t *testing.T) {
code: "somecode",
error: "",
},
- expectedResponseCode: http.StatusBadRequest,
- expectedServerResponse: "<script>console.log(window);</script>: \n",
+ expectedResponseCode: http.StatusBadRequest,
+ // Note: XSS data should NOT be displayed to user anymore.
+ // Instead, a safe generic message is shown.
},
}
for _, tc := range tests {
@@ -413,6 +415,29 @@ func TestDeviceCallback(t *testing.T) {
t.Errorf("%s: Unexpected Response. Expected %q got %q", tc.testName, tc.expectedServerResponse, result)
}
}
+
+ // Special check for error message safety tests
+ if tc.testName == "Prevent cross-site scripting" || tc.testName == "Error During Authorization" {
+ result, _ := io.ReadAll(rr.Body)
+ responseBody := string(result)
+
+ // Error details should NOT be present in the response (for security)
+ if tc.testName == "Prevent cross-site scripting" {
+ if strings.Contains(responseBody, "