From 4024efb1f92d2d80d4946f6e44fd8779699d7ee6 Mon Sep 17 00:00:00 2001
From: Stefan Markmann
Date: Sat, 17 Jan 2026 13:58:00 +0100
Subject: [PATCH] test: Add specific OAuth redirect assertions per code review feedback

Improve TestAuthOnlyEndpointRedirectWithSkipProviderButton to verify that the Location header actually redirects to the OAuth provider's authorize endpoint with required parameters (client_id, redirect_uri, state), not just that a Location header exists.

Signed-off-by: Stefan Markmann
---
 oauthproxy_test.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 77c237aa..489a1b69 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -1144,6 +1144,13 @@ func TestAuthOnlyEndpointRedirectWithSkipProviderButton(t *testing.T) {
 assert.Equal(t, http.StatusFound, test.rw.Code)
 location := test.rw.Header().Get("Location")
 assert.NotEmpty(t, location, "Expected Location header for redirect")
+
+ // Verify the redirect points to the OAuth provider's authorize endpoint
+ // and contains key OAuth parameters
+ assert.Contains(t, location, "/oauth/authorize", "Expected redirect to OAuth authorize endpoint")
+ assert.Contains(t, location, "client_id=", "Expected client_id in redirect URL")
+ assert.Contains(t, location, "redirect_uri=", "Expected redirect_uri in redirect URL")
+ assert.Contains(t, location, "state=", "Expected state parameter in redirect URL")
 }
 
 func TestAuthOnlyEndpointUnauthorizedOnExpiration(t *testing.T) {
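Review bot: The four added `assert.Contains` checks match substrings of the raw `Location` string rather than URL components, so `/oauth/authorize` passes on any host and `client_id=`, `redirect_uri=` and `state=` pass with empty values. That matters most for `state`, which is the CSRF binding for the login flow, so an empty or missing value should fail this test. Parsing the header with `url.Parse` and asserting on `u.Path` and on non-empty `u.Query().Get(...)` values would pin what the commit message says is verified. The provider's expected host and exact path are not visible in this hunk, so the path comparison below is an assumption to confirm, as is `net/url` already being imported in oauthproxy_test.go. The test function begins above the hunk.

```go
	location := test.rw.Header().Get("Location")
	// … unchanged: NotEmpty check on location …
	u, err := url.Parse(location)
	if err != nil {
		t.Fatalf("parsing Location header %q: %v", location, err)
	}
	// Assumes the test provider's login URL path is exactly this; confirm against the test setup.
	assert.Equal(t, "/oauth/authorize", u.Path, "Expected redirect to OAuth authorize endpoint")
	q := u.Query()
	assert.NotEmpty(t, q.Get("client_id"), "Expected client_id in redirect URL")
	assert.NotEmpty(t, q.Get("redirect_uri"), "Expected redirect_uri in redirect URL")
	assert.NotEmpty(t, q.Get("state"), "Expected non-empty state parameter in redirect URL")
```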