add authn state assertions to sso tests

Author: ezekg

features/api/v1/tokens/generate.feature

@@ -2533,7 +2533,7 @@ Feature: Generate authentication token
           "header": "Authorization"
         },
         "links": {
-          "redirect": "https://api.workos.test/sso/authorize?domain_hint=keygen.example&[email protected]"
+          "redirect": "https://api.workos.test/sso/authorize?domain_hint=keygen.example&[email protected]&state=eyJlbWFpbCI6Inpla2VAa2V5Z2VuLmV4YW1wbGUiLCJlbnZpcm9ubWVudF9pZCI6bnVsbH0"
         }
       }
       """

features/auth/sso.feature

@@ -974,7 +974,7 @@ Feature: SSO
     And time is frozen at "2552-02-28T00:00:00.000Z"
     When I send a GET request to "//auth.keygen.sh/sso?code=test_123"
     Then the response status should be "303"
-    And the response headers should contain "Location" with "https://api.workos.test/sso/authorize?domain_hint=lumon.example&[email protected]"
+    And the response headers should contain "Location" with "https://api.workos.test/sso/authorize?domain_hint=lumon.example&[email protected]&state=eyJlbWFpbCI6Im1hcmtAbHVtb24uZXhhbXBsZSIsImVudmlyb25tZW50X2lkIjpudWxsfQ"
     And the response headers should not contain "Set-Cookie"
     And there should be 0 "sessions"
     And time is unfrozen

features/step_definitions/resource_steps.rb

@@ -160,8 +160,11 @@
 end
 
 Given /^the current account has SSO (?:configured|stubbed) for "([^\"]*)"$/ do |domain|
-  allow(WorkOS::SSO).to receive(:authorization_url).and_wrap_original do |*, domain_hint:, login_hint:, **|
-    "https://api.workos.test/sso/authorize?domain_hint=#{domain_hint}&login_hint=#{login_hint}"
+  allow(WorkOS::SSO).to receive(:authorization_url).and_wrap_original do |*, domain_hint:, login_hint:, state:, **|
+    dec = Keygen::EE::SSO.decrypt_state(state, secret_key: @account.secret_key)
+    enc = Base64.urlsafe_encode64(dec.to_json, padding: false)
+
+    "https://api.workos.test/sso/authorize?domain_hint=#{domain_hint}&login_hint=#{login_hint}&state=#{enc}"
   end
 
   @account.update!(
@@ -171,12 +174,15 @@
 end
 
 Given /^the account "([^\"]*)" has SSO (?:configured|stubbed) for "([^\"]*)"$/ do |id, domain|
-  allow(WorkOS::SSO).to receive(:authorization_url).and_wrap_original do |*, domain_hint:, login_hint:, **|
-    "https://api.workos.test/sso/authorize?domain_hint=#{domain_hint}&login_hint=#{login_hint}"
-  end
-
   account = FindByAliasService.call(Account, id:, aliases: :slug)
 
+  allow(WorkOS::SSO).to receive(:authorization_url).and_wrap_original do |*, domain_hint:, login_hint:, state:, **|
+    dec = Keygen::EE::SSO.decrypt_state(state, secret_key: account.secret_key)
+    enc = Base64.urlsafe_encode64(dec.to_json, padding: false)
+
+    "https://api.workos.test/sso/authorize?domain_hint=#{domain_hint}&login_hint=#{login_hint}&state=#{enc}"
+  end
+
   account.update!(
     sso_organization_id: account.sso_organization_id.presence || "test_org_#{SecureRandom.hex}",
     sso_organization_domains: account.sso_organization_domains.presence || [domain],