mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 21:31:46 +00:00
Maurice
20791a29a7
* Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer
Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.
Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.
Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.
* Finish the NestJS migration — drop the legacy Express app
NestJS now serves the whole surface: every /api domain plus the platform
routes (uploads, /mcp, the OAuth/MCP SDK + /.well-known metadata and the
production SPA fallback). Removed server/src/app.ts, all of
server/src/routes/* and the strangler dispatcher; index.ts and the
integration suite share a single buildApp() bootstrap so prod and tests
can't drift.
- Platform/transport routes extracted to nest/platform/platform.routes.ts
and mounted before app.init() — Nest's router answers an unmatched
request with a 404, so a route registered after init is never reached.
The SPA fallback is a NotFoundException filter and the catch-all uses a
RegExp (Express 5's path-to-regexp rejects a bare '*').
- New modules: memories (/api/integrations/memories — the Journey
gallery's Immich/Synology proxy), addons (GET /api/addons) and the
cross-trip GET /api/reservations/upcoming.
- TrekExceptionFilter reproduces the old multer / err.statusCode handling
so upload rejections keep their 400/413 { error } body and non-ASCII
filenames survive (defParamCharset).
- addTripToJourney and the MCP get_journey_share_link tool gained the
trip-access check they were missing.
- Re-pointed the 34 integration tests + the websocket test onto the Nest
app; removed the now-meaningless Express-vs-Nest parity tests and a few
orphaned client components.
* Restore the reset-password rate limit and fix copyTrip reservation links
Two correctness/security gaps the NestJS migration introduced:
- POST /api/auth/reset-password lost its per-IP rate limiter. Restore it
(5 attempts / 15 min on a dedicated bucket, same as the old resetLimiter)
so reset tokens can't be brute-forced unthrottled. Covered by AUTH-019.
- copyTripById did not copy reservations.end_day_id (a day reference — now
remapped through dayMap like day_id) or needs_review, so a duplicated trip
lost multi-day transport end-day links and reset the review flag.
* Clean up dead code, dedupe helpers, fix the reset-password contract
- Remove server exports orphaned by the Express removal: the immich
album-link helpers, seven route-only service exports, getFileByIdFull;
de-export internal-only helpers (utcSuffix).
- De-duplicate verifyTripAccess (9 identical copies -> services/tripAccess.ts)
and avatarUrl (3 -> services/avatarUrl.ts); name the bcrypt cost
(BCRYPT_COST) and the email regex (EMAIL_REGEX). Public API unchanged.
- resetPasswordRequestSchema declared `password`, but the client sends and
the service reads `new_password` — rename it so the contract matches and
the client types resolve.
- Make ATLAS-013 deterministic: stub the admin-1 GeoJSON download instead of
fetching ~4600 features from GitHub during the test (it hung the suite).
* Make the client typecheck runnable (vitest/vite ambient types)
The client had no `typecheck` script and tsc couldn't even start (the
baseUrl deprecation errored out, same as server/shared already silence).
Add `ignoreDeprecations: "6.0"` to match the other workspaces, a `typecheck`
npm script, and a src/vite-env.d.ts referencing vite/client + vitest/globals
so tsc knows the test globals (describe/it/expect/vi). This turns ~3600
phantom "Cannot find name" errors into a real, measurable count (~590 actual
type errors remain, to be worked down). Type-only; no runtime change.
* Derive client domain types from the shared schema contracts
Add entity/response Zod schemas to @trek/shared (place, trip, assignment, day, budget, packing, reservation), each matched against the producing server service, and re-export them from client types.ts instead of the hand-written duplicates that had drifted (name/title, amount/total_price, owner_id/user_id, cover_url/cover_image, ...). Updates the call sites and test fixtures the corrected types surfaced; type-only, no runtime behaviour change.
* chore(db): log swallowed errors in addon-disable migration + guard against destructive migrations
The migration that disables the legacy "memories" addon swallowed any
error in an empty catch, as did ~30 other catch blocks in the migration
runner (column adds, the journey rebuild, index probes). Replace each
silent catch with the existing console.warn('[migrations] ...') log so
failures are visible. Control flow is unchanged: every step stays
non-fatal, nothing new is thrown.
Add a static guardrail test that scans the migration source and fails
when a new destructive statement (DROP TABLE / DROP COLUMN / TRUNCATE /
DELETE FROM / ALTER ... DROP) appears outside a reviewed allowlist, and
when an empty/silent catch block is reintroduced. The existing
destructive statements are all legitimate table rebuilds or
bounded cleanups and are recorded in the allowlist with a reason.
* Re-check SSRF on every redirect hop when resolving short links
Replace the one-shot checkSsrf + fetch(redirect:'follow') in the maps and place short-link resolvers with safeFetchFollow, which follows redirects manually and re-runs checkSsrf against the DNS-pinned IP of each hop (max 5). A redirect to an internal/loopback address is now blocked even when the initial URL is public, while legitimate cross-host redirects (goo.gl -> maps.google.com) still resolve.
* Reject WebSocket tokens minted before a password change
Stamp the user's password_version onto the ephemeral ws token and verify it on connect, closing the socket (4001) when it no longer matches, so a token issued before a password reset can't be replayed. Tokens minted without a version are treated as version 0, matching the JWT pv-claim semantics.
* fix(i18n): guard locale key parity and finish the OAuth consent page strings
Every non-en locale now exposes the exact same flat key set as en. Keys that
had drifted out of sync are backfilled with the English source value (tagged
en-fallback) so t() resolves a real string instead of relying on the silent
runtime fallback; no existing translation was touched and no key was removed.
Add a parity test that imports each aggregated locale bundle and asserts its
key set matches en, with a diagnostic listing of any missing/extra keys. This
complements the file-level check in shared/scripts by guarding the merged
export the app actually serves.
Finish internationalising OAuthAuthorizePage: the ~15 remaining hardcoded
English chrome strings now go through oauth.authorize.* keys (English source
in en, en-fallback placeholders elsewhere). Markup and behaviour are unchanged.
* Add semantic theme color tokens to Tailwind
Map the CSS theme variables from src/index.css (:root light / .dark dark) to named Tailwind utilities — bg-surface, text-content, border-edge, bg-accent and their variants. This gives components a Tailwind-native target for the theme colors so we can replace inline `style={{ ... 'var(--...)' }}` with utility classes without changing the rendered values.
* Surface silent store failures to the user and validate API responses in dev
Reservation toggle, todo/packing toggle and budget reorder were swallowing API errors after rolling back, so the user saw the change silently snap back with no explanation. Route those failures through the existing toast channel (new store/notify.ts bridges to window.__addToast, the same channel SystemNoticeBanner uses); the reservation toggle re-throws so ReservationsPanel's own translated toast finally fires. Also wire the existing parseInDev/checkInDev response validation into the maps and notification-test endpoints to catch contract drift in dev.
* Migrate static theme inline styles to Tailwind utilities and extract page sub-components
Replace the static, color-only inline `style={{ ... 'var(--bg-primary)' ... }}` props with the new semantic Tailwind utilities (bg-surface, text-content, border-edge, ...) wherever the result is byte-identical; dynamic/conditional theme styles and hardcoded status colors are left inline. Extract the Atlas country-search autocomplete, the Admin update banner, and two Journey dialogs into their own presentational components to shrink the oversized page files, keeping behaviour and markup identical.
* Remove the unrouted photos page and its dead photo components
PhotosPage was never wired into the router and its usePhotos hook read a tripStore photos slice that was never implemented; the Photos gallery, lightbox and upload components were only reachable through it. Per-trip photos now live in the Journey gallery (Immich/Synology). Removed the dead page, hook and components — the live Journey PhotoLightbox is a separate component and stays.
* Resolve the remaining client type errors and the trip.title navbar bug
Drive the client typecheck to zero without any/ts-ignore: convert the tripId route param to a number once at the page boundary so it matches the numeric props and store actions it feeds, fix trip.name -> trip.title (the wire field is title, so the old read rendered blank in the files/offline views), and tighten the scattered handler-arity, DOM-cast and untyped-payload sites. No runtime behaviour change.
* Convert the remaining dynamic and hardcoded inline styles to Tailwind utilities
Second styling pass over the components and pages: move conditional theme colors into className ternaries (bg-accent / bg-surface-hover etc.), turn reused CSSProperties constants into className constants, and express static hardcoded hex/rgba colors as Tailwind arbitrary values so the exact rendered colour is preserved. Truly dynamic styling (computed geometry, gradients, multi-part shadows, data-driven colours, the undefined --sidebar/--nav layout vars) stays inline as it cannot be expressed as a static class. Updated three component tests that asserted the old inline active-state styles to assert the equivalent utility class instead.
Verified: client typecheck 0, full client suite green, and a live light/dark render check in the dev server confirms the semantic theme tokens resolve correctly (the earlier 'transparent popups' were a stale dev server that pre-dated the tailwind.config token addition, not a code issue).
* Add eslint flat-config for client and server and gate typecheck, lint and pages in CI
client and server had lint scripts but no eslint config (only shared was linted in CI). Add flat configs mirroring shared's stack (js + typescript-eslint recommended + eslint-config-prettier) plus the client's react-hooks/react-refresh plugins. Pre-existing patterns in this never-linted code (explicit any, require() in the CommonJS server, empty catches, exhaustive-deps) are set to 'warn' rather than 'error' so the gate passes at 0 errors without a repo-wide reformat — these can be ratcheted to errors over time. Wire blocking typecheck + lint + lint:pages steps into the client and server CI jobs (now that both typechecks are clean) and promote the server typecheck from informational to blocking.
* Decompose the remaining God Components into hooks, helpers and sub-components
FE6: split the oversized page and panel components into thin layout shells plus colocated use<Component> hooks, .constants.ts, .helpers.ts (with tests) and presentational sub-components, following the established 'logic in a hook, render in slices' pattern. Behaviour, markup, classes and effect order are unchanged. Largest reductions: PackingListPanel 1598->42, FileManager 1055->36, AdminPage 1525->167, BudgetPanel 1266->146, JourneyDetailPage 2822->547, PlacesSidebar 945->66, CollabChat 861->106, CollabNotes 1417->532. DayPlanSidebar's drag-and-drop render body was left intact (ref-identity sensitive) and only its toolbar/modals/constants were extracted.
* Fix duplicate React keys in the file-assign place list
When a place is assigned to the same day more than once it appeared twice in a day's list, so the place-button key={p.id} collided and React warned about duplicate keys. Key by place id + render index so siblings stay unique. Pre-existing in the old FileManager; behaviour unchanged.
* Format the shared package and drop an unused import to satisfy the lint gate
The i18n and schema changes added code that wasn't prettier-formatted, and place.schema.ts imported categorySchema without using it. Run prettier over shared and remove the import so 'npm run lint' + 'format:check' pass.
* Install all workspaces in the server CI job so SWC's native binary is present
The server vitest config transforms via unplugin-swc, which needs @swc/core's platform-specific native binary. A workspace-scoped 'npm ci --workspace server' skips that optional dependency, so vitest failed to load the config on the Linux runner. Use a full 'npm ci'.
* Re-resolve dependencies with npm install in the server CI job for SWC
Full 'npm ci' still skipped @swc/core's Linux native binary because the committed lockfile was generated on Windows and lacks the Linux optional-dep install metadata. 'npm install' re-resolves and fetches the platform-matching binary, which the server's unplugin-swc transform needs to load vitest.config.ts.
* Install @swc/core's Linux binary explicitly in the server CI job
Neither npm ci nor npm install fetched @swc/core-linux-x64-gnu on the Linux runner because the lockfile was generated on Windows and lacks the Linux optional-dep metadata. Add a step that installs the matching @swc/core-linux-x64-gnu version (no-save, no-lockfile) so unplugin-swc can load the server's vitest config.
* Use legacy-peer-deps when installing the SWC Linux binary in CI
The explicit @swc/core-linux-x64-gnu install re-resolved the tree and hit the pre-existing lucide-react/react-19 peer conflict that the lockfile was generated around. Add --legacy-peer-deps so the step matches the project's resolution and installs the binary.
* Keep the lockfile when installing the SWC binary so other deps stay pinned
Dropping --no-package-lock made npm re-resolve the whole tree and upgrade eslint, whose newer recommended config flagged no-useless-assignment as an error in the server lint step. Keep the lockfile so only @swc/core-linux-x64-gnu is added and every other dependency (incl. eslint) stays at its locked version.
1441 lines
63 KiB
TypeScript
1441 lines
63 KiB
TypeScript
/**
|
|
* OAuth 2.1 integration tests.
|
|
* Covers oauthPublicRouter (/.well-known, /oauth/token, /oauth/revoke)
|
|
* and oauthApiRouter (/api/oauth/*).
|
|
*/
|
|
import { describe, it, expect, vi, beforeAll, beforeEach, afterAll } from 'vitest';
|
|
import request from 'supertest';
|
|
import type { Application } from 'express';
|
|
import type { INestApplication } from '@nestjs/common';
|
|
import crypto from 'crypto';
|
|
|
|
const { testDb, dbMock } = vi.hoisted(() => {
|
|
const Database = require('better-sqlite3');
|
|
const db = new Database(':memory:');
|
|
db.exec('PRAGMA journal_mode = WAL');
|
|
db.exec('PRAGMA foreign_keys = ON');
|
|
db.exec('PRAGMA busy_timeout = 5000');
|
|
const mock = {
|
|
db,
|
|
closeDb: () => {},
|
|
reinitialize: () => {},
|
|
getPlaceWithTags: (placeId: number) => {
|
|
const place: any = db.prepare(`SELECT p.*, c.name as category_name, c.color as category_color, c.icon as category_icon FROM places p LEFT JOIN categories c ON p.category_id = c.id WHERE p.id = ?`).get(placeId);
|
|
if (!place) return null;
|
|
const tags = db.prepare(`SELECT t.* FROM tags t JOIN place_tags pt ON t.id = pt.tag_id WHERE pt.place_id = ?`).all(placeId);
|
|
return { ...place, category: place.category_id ? { id: place.category_id, name: place.category_name, color: place.category_color, icon: place.category_icon } : null, tags };
|
|
},
|
|
canAccessTrip: (tripId: any, userId: number) =>
|
|
db.prepare(`SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)`).get(userId, tripId, userId),
|
|
isOwner: (tripId: any, userId: number) =>
|
|
!!db.prepare('SELECT id FROM trips WHERE id = ? AND user_id = ?').get(tripId, userId),
|
|
};
|
|
return { testDb: db, dbMock: mock };
|
|
});
|
|
|
|
vi.mock('../../src/db/database', () => dbMock);
|
|
vi.mock('../../src/config', () => ({
|
|
JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
|
|
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
|
updateJwtSecret: () => {},
|
|
DEFAULT_LANGUAGE: 'en',
|
|
}));
|
|
|
|
const { isAddonEnabledMock } = vi.hoisted(() => {
|
|
const isAddonEnabledMock = vi.fn().mockReturnValue(true);
|
|
return { isAddonEnabledMock };
|
|
});
|
|
vi.mock('../../src/services/adminService', async (importOriginal) => {
|
|
const actual = await importOriginal<typeof import('../../src/services/adminService')>();
|
|
return { ...actual, isAddonEnabled: isAddonEnabledMock };
|
|
});
|
|
|
|
vi.mock('../../src/services/notifications', async (importOriginal) => {
|
|
const actual = await importOriginal<typeof import('../../src/services/notifications')>();
|
|
return { ...actual, getMcpSafeUrl: () => 'https://trek.example.com' };
|
|
});
|
|
|
|
vi.mock('../../src/websocket', () => ({ broadcast: vi.fn(), broadcastToUser: vi.fn() }));
|
|
vi.mock('../../src/mcp/sessionManager', () => ({ revokeUserSessions: vi.fn(), revokeUserSessionsForClient: vi.fn(), sessions: new Map() }));
|
|
|
|
import { buildApp } from '../../src/bootstrap';
|
|
import { createTables } from '../../src/db/schema';
|
|
import { runMigrations } from '../../src/db/migrations';
|
|
import { resetTestDb, resetRateLimits } from '../helpers/test-db';
|
|
import { createUser } from '../helpers/factories';
|
|
import { authCookie } from '../helpers/auth';
|
|
import { createOAuthClient, createAuthCode, getUserByAccessToken } from '../../src/services/oauthService';
|
|
|
|
let nestApp: INestApplication;
|
|
let app: Application;
|
|
|
|
// PKCE helpers
|
|
function makePkce() {
|
|
const verifier = crypto.randomBytes(32).toString('base64url');
|
|
const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
|
|
return { verifier, challenge };
|
|
}
|
|
|
|
// A7: under the unified Nest app the adminService mock only reaches the directly
|
|
// imported isAddonEnabled (OauthService.mcpEnabled); oauthService.ts reads the
|
|
// addon state through its own import that the Nest module graph loads unmocked,
|
|
// so it falls back to the real DB row. Drive BOTH so the MCP-enabled state is
|
|
// consistent across mcpEnabled() AND validateAuthorizeRequest()/token/revoke.
|
|
function setMcpEnabled(enabled: boolean) {
|
|
isAddonEnabledMock.mockReturnValue(enabled);
|
|
testDb.prepare(
|
|
"INSERT OR REPLACE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES ('mcp', 'MCP', 'AI assistant integration', 'integration', 'Terminal', ?, 12)"
|
|
).run(enabled ? 1 : 0);
|
|
}
|
|
|
|
beforeAll(async () => {
|
|
createTables(testDb);
|
|
runMigrations(testDb);
|
|
nestApp = await buildApp();
|
|
app = nestApp.getHttpAdapter().getInstance();
|
|
});
|
|
|
|
beforeEach(() => {
|
|
resetTestDb(testDb);
|
|
resetRateLimits(nestApp);
|
|
setMcpEnabled(true);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await nestApp.close();
|
|
testDb.close();
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Discovery document
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('GET /.well-known/oauth-authorization-server', () => {
|
|
it('OAUTH-001 — returns RFC 8414 discovery document', async () => {
|
|
const res = await request(app).get('/.well-known/oauth-authorization-server');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.issuer).toBe('https://trek.example.com');
|
|
expect(res.body.authorization_endpoint).toContain('/oauth/authorize');
|
|
expect(res.body.token_endpoint).toContain('/oauth/token');
|
|
expect(Array.isArray(res.body.scopes_supported)).toBe(true);
|
|
expect(res.body.scopes_supported.length).toBeGreaterThan(0);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Issue #959 regression tests
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('RFC 9728 — path-based protected resource metadata (issue #959 bug 1)', () => {
|
|
it('OAUTH-959A — /.well-known/oauth-protected-resource/mcp returns JSON (not SPA HTML)', async () => {
|
|
const res = await request(app).get('/.well-known/oauth-protected-resource/mcp');
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers['content-type']).toMatch(/json/);
|
|
expect(res.body.resource).toContain('/mcp');
|
|
expect(Array.isArray(res.body.authorization_servers)).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('DCR scope optional — ChatGPT compatibility (issue #959 bug 2)', () => {
|
|
it('OAUTH-959B — POST /oauth/register without scope field returns 201 with default scopes', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/register')
|
|
.set('Content-Type', 'application/json')
|
|
.send({ redirect_uris: ['https://chatgpt.example.com/cb'], token_endpoint_auth_method: 'none' });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.client_id).toBeDefined();
|
|
expect(typeof res.body.scope).toBe('string');
|
|
expect(res.body.scope.length).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('OAUTH-959C — POST /oauth/register with explicit scope registers only requested scopes', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/register')
|
|
.set('Content-Type', 'application/json')
|
|
.send({ redirect_uris: ['https://example.com/cb'], token_endpoint_auth_method: 'none', scope: 'trips:read' });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.scope).toBe('trips:read');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /oauth/token — authorization_code grant
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /oauth/token — authorization_code grant', () => {
|
|
it('OAUTH-002 — missing client_id returns 401 invalid_client', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'authorization_code', code: 'x', redirect_uri: 'https://example.com/cb', code_verifier: 'y' });
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-003 — MCP addon disabled returns 404', async () => {
|
|
setMcpEnabled(false);
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'authorization_code', client_id: 'x', client_secret: 'y', code: 'z', redirect_uri: 'https://r.example.com/cb', code_verifier: 'v' });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('OAUTH-004 — missing code/redirect_uri/code_verifier returns 400 invalid_request', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'authorization_code', client_id: 'x', client_secret: 'y' });
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('OAUTH-005 — invalid auth code returns 400 invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const clientResult = createOAuthClient(user.id, 'TestApp', ['https://app.example.com/cb'], ['trips:read']);
|
|
const client = clientResult.client!;
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: client.client_id,
|
|
client_secret: clientResult.client!.client_secret,
|
|
code: 'invalid-code-xyz',
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: 'verifier',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-006 — client_id mismatch returns 400 invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r1 = createOAuthClient(user.id, 'App1', ['https://app1.example.com/cb'], ['trips:read']);
|
|
const r2 = createOAuthClient(user.id, 'App2', ['https://app2.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
// Create code for client1
|
|
const code = createAuthCode({
|
|
clientId: r1.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app1.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Try to use it with client2
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r2.client!.client_id,
|
|
client_secret: r2.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app1.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-007 — redirect_uri mismatch returns 400 invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://wrong.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-008 — wrong client_secret returns 401 invalid_client (timing-safe check)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: 'wrong-secret',
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-009 — PKCE failure returns 400 invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: 'this-is-a-wrong-verifier',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-010 — happy path: exchange auth code for tokens', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.access_token).toBeDefined();
|
|
expect(res.body.refresh_token).toBeDefined();
|
|
expect(res.body.token_type).toBe('Bearer');
|
|
expect(typeof res.body.expires_in).toBe('number');
|
|
expect(res.body.scope).toBe('trips:read');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /oauth/token — refresh_token grant
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /oauth/token — refresh_token grant', () => {
|
|
it('OAUTH-011 — missing refresh_token returns 400 invalid_request', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'refresh_token', client_id: 'x', client_secret: 'y' });
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('OAUTH-012 — invalid refresh token returns 400 invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: 'invalid-refresh-token',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-013 — happy path: issue then refresh tokens', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Exchange code for tokens
|
|
const tokenRes = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(tokenRes.status).toBe(200);
|
|
const { refresh_token } = tokenRes.body;
|
|
|
|
// Use refresh token to get new tokens
|
|
const refreshRes = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token,
|
|
});
|
|
expect(refreshRes.status).toBe(200);
|
|
expect(refreshRes.body.access_token).toBeDefined();
|
|
expect(refreshRes.body.refresh_token).toBeDefined();
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /oauth/token — unsupported grant_type
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /oauth/token — unsupported grant_type', () => {
|
|
it('OAUTH-014 — returns 400 unsupported_grant_type', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'password', client_id: 'x', client_secret: 'y' });
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('unsupported_grant_type');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /oauth/revoke
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /oauth/revoke', () => {
|
|
it('OAUTH-015 — missing params returns 400 invalid_request', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/revoke')
|
|
.send({ token: 'x' });
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('OAUTH-016 — wrong client_secret returns 401 invalid_client', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/revoke')
|
|
.send({ token: 'sometoken', client_id: r.client!.client_id, client_secret: 'wrong' });
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-017 — valid revoke returns 200 even for unknown token (RFC 7009)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/revoke')
|
|
.send({ token: 'nonexistent-token', client_id: r.client!.client_id, client_secret: r.client!.client_secret });
|
|
expect(res.status).toBe(200);
|
|
});
|
|
|
|
it('OAUTH-018 — happy path: issue token, revoke it, verify refresh no longer works', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const tokenRes = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(tokenRes.status).toBe(200);
|
|
const { refresh_token } = tokenRes.body;
|
|
|
|
// Revoke the refresh token
|
|
const revokeRes = await request(app)
|
|
.post('/oauth/revoke')
|
|
.send({ token: refresh_token, client_id: r.client!.client_id, client_secret: r.client!.client_secret });
|
|
expect(revokeRes.status).toBe(200);
|
|
|
|
// Try to use the revoked token — should fail
|
|
const retryRes = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token,
|
|
});
|
|
expect(retryRes.status).toBe(400);
|
|
expect(retryRes.body.error).toBe('invalid_grant');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// GET /api/oauth/authorize/validate
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('GET /api/oauth/authorize/validate', () => {
|
|
it('OAUTH-019 — returns 404 when MCP addon disabled (M2: prevents feature fingerprinting)', async () => {
|
|
setMcpEnabled(false);
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.query({ response_type: 'code', client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: 'c', code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('OAUTH-020 — returns 200 with valid:false for wrong response_type (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const { challenge } = makePkce();
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({ response_type: 'token', client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: challenge, code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('unsupported_response_type');
|
|
});
|
|
|
|
it('OAUTH-021 — returns 200 with valid:false for missing PKCE', async () => {
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.query({ response_type: 'code', client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read' });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('OAUTH-022 — returns 200 with valid:false for unknown client_id (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const { challenge } = makePkce();
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({ response_type: 'code', client_id: 'unknown-client', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: challenge, code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-023 — returns 200 with valid:false for mismatched redirect_uri (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://evil.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_redirect_uri');
|
|
});
|
|
|
|
it('OAUTH-024 — returns 200 with valid:false for empty scope (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: '',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_scope');
|
|
});
|
|
|
|
it('OAUTH-025a — narrows scope to allowed intersection when client lacks some requested scopes (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read trips:delete',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(true);
|
|
// trips:delete was dropped — only trips:read granted
|
|
expect(res.body.scopes).toEqual(['trips:read']);
|
|
});
|
|
|
|
it('OAUTH-025b — returns 200 with valid:false when no requested scope is allowed (authenticated)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'budget:write',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_scope');
|
|
});
|
|
|
|
it('OAUTH-026 — unauthenticated valid request returns loginRequired=true (H3: minimal response, no client info)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(true);
|
|
expect(res.body.loginRequired).toBe(true);
|
|
// H3: client name and scopes must NOT be revealed to unauthenticated callers
|
|
expect(res.body.client).toBeUndefined();
|
|
expect(res.body.allowed_scopes).toBeUndefined();
|
|
});
|
|
|
|
it('OAUTH-027 — authenticated with no prior consent returns consentRequired=true with client details', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(true);
|
|
expect(res.body.consentRequired).toBe(true);
|
|
// Authenticated users get full client info (unlike unauthenticated H3 path)
|
|
expect(res.body.client).toBeDefined();
|
|
expect(res.body.scopes).toBeDefined();
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /api/oauth/authorize
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /api/oauth/authorize', () => {
|
|
it('OAUTH-028 — unauthenticated returns 401', async () => {
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.send({ approved: true, client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: 'c', code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
it('OAUTH-029 — 403 when MCP disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ approved: true, client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: 'c', code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it('OAUTH-030 — user denied returns redirect with error=access_denied', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({
|
|
approved: false,
|
|
client_id: 'any',
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: 'c',
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.redirect).toContain('error=access_denied');
|
|
});
|
|
|
|
it('OAUTH-031 — invalid params returns 400', async () => {
|
|
const { user } = createUser(testDb);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({
|
|
approved: true,
|
|
client_id: 'unknown-client',
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
it('OAUTH-032 — happy path: approve returns redirect with code', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({
|
|
approved: true,
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.redirect).toBeDefined();
|
|
expect(res.body.redirect).toContain('code=');
|
|
expect(res.body.redirect).not.toContain('error=');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Client CRUD
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Client CRUD — /api/oauth/clients', () => {
|
|
it('OAUTH-033 — GET returns 403 when addon disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/clients')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it('OAUTH-034 — GET returns 200 with clients list', async () => {
|
|
const { user } = createUser(testDb);
|
|
createOAuthClient(user.id, 'MyApp', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/clients')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(Array.isArray(res.body.clients)).toBe(true);
|
|
expect(res.body.clients).toHaveLength(1);
|
|
expect(res.body.clients[0].name).toBe('MyApp');
|
|
});
|
|
|
|
it('OAUTH-035 — POST creates client and returns 201 with client_secret', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/clients')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ name: 'NewApp', redirect_uris: ['https://newapp.example.com/cb'], allowed_scopes: ['trips:read'] });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.client).toBeDefined();
|
|
expect(res.body.client.client_id).toBeDefined();
|
|
expect(res.body.client.client_secret).toBeDefined();
|
|
expect(res.body.client.name).toBe('NewApp');
|
|
});
|
|
|
|
it('OAUTH-036 — POST returns 403 when addon disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/clients')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({ name: 'App', redirect_uris: ['https://app.example.com/cb'], allowed_scopes: ['trips:read'] });
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it('OAUTH-037 — POST /clients/:id/rotate rotates secret', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.post(`/api/oauth/clients/${r.client!.id}/rotate`)
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.client_secret).toBeDefined();
|
|
expect(res.body.client_secret).not.toBe(r.client!.client_secret);
|
|
});
|
|
|
|
it('OAUTH-038 — DELETE /clients/:id deletes client', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.delete(`/api/oauth/clients/${r.client!.id}`)
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.success).toBe(true);
|
|
});
|
|
|
|
it('OAUTH-039 — DELETE /clients/:id returns 404 for non-existent', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.delete('/api/oauth/clients/nonexistent-id')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Sessions
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('Sessions — /api/oauth/sessions', () => {
|
|
it('OAUTH-040 — GET returns 403 when addon disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/sessions')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it('OAUTH-041 — GET returns 200 with sessions list', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.get('/api/oauth/sessions')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(200);
|
|
expect(Array.isArray(res.body.sessions)).toBe(true);
|
|
});
|
|
|
|
it('OAUTH-042 — DELETE /sessions/:id revokes session', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Get a token so there's a session to revoke
|
|
await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
|
|
const sessionsRes = await request(app)
|
|
.get('/api/oauth/sessions')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(sessionsRes.body.sessions).toHaveLength(1);
|
|
|
|
const sessionId = sessionsRes.body.sessions[0].id;
|
|
const deleteRes = await request(app)
|
|
.delete(`/api/oauth/sessions/${sessionId}`)
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(deleteRes.status).toBe(200);
|
|
expect(deleteRes.body.success).toBe(true);
|
|
});
|
|
|
|
it('OAUTH-043 — DELETE /sessions/:id returns 404 for non-existent', async () => {
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.delete('/api/oauth/sessions/99999')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('OAUTH-044 — DELETE /sessions/:id returns 403 when addon disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const { user } = createUser(testDb);
|
|
|
|
const res = await request(app)
|
|
.delete('/api/oauth/sessions/1')
|
|
.set('Cookie', authCookie(user.id));
|
|
expect(res.status).toBe(403);
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// Security behavior tests (M1, M2, H1, H3, H5, M5, M7, C3)
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('M1 — Cache-Control headers on /oauth/token', () => {
|
|
it('OAUTH-SEC-001 — token endpoint sets Cache-Control: no-store', async () => {
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({ grant_type: 'authorization_code', client_id: 'x', client_secret: 'y', code: 'z', redirect_uri: 'https://r.example.com/cb', code_verifier: 'v' });
|
|
expect(res.headers['cache-control']).toBe('no-store');
|
|
});
|
|
});
|
|
|
|
describe('M2 — 404 when MCP disabled on discovery + revoke endpoints', () => {
|
|
it('OAUTH-SEC-002 — /.well-known/oauth-authorization-server returns 404 when disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const res = await request(app).get('/.well-known/oauth-authorization-server');
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('OAUTH-SEC-003 — /oauth/revoke returns 404 when disabled', async () => {
|
|
setMcpEnabled(false);
|
|
const res = await request(app)
|
|
.post('/oauth/revoke')
|
|
.send({ token: 'x', client_id: 'y', client_secret: 'z' });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('H1 — PKCE format validation', () => {
|
|
it('OAUTH-SEC-004 — short code_challenge (<43 chars) rejected on /authorize/validate', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: 'tooshort',
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('OAUTH-SEC-005 — wrong code_verifier format rejected on /oauth/token (invalid_grant)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Submit a valid-looking but wrong-format verifier (too short)
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: 'short',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_grant');
|
|
});
|
|
});
|
|
|
|
describe('H3 — Unauthenticated /authorize/validate returns minimal response', () => {
|
|
it('OAUTH-SEC-006 — invalid request by unauthenticated caller returns generic error (no oracle)', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { challenge } = makePkce();
|
|
|
|
// Deliberately wrong redirect_uri — should get generic error, not invalid_redirect_uri
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://evil.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(false);
|
|
expect(res.body.error).toBe('invalid_request');
|
|
// Must not leak specific error type or client details
|
|
expect(res.body.error).not.toBe('invalid_redirect_uri');
|
|
expect(res.body.client).toBeUndefined();
|
|
});
|
|
});
|
|
|
|
describe('H5 — All invalid_grant cases return identical response body', () => {
|
|
it('OAUTH-SEC-007 — expired/bad code, client_id mismatch, redirect_uri mismatch all return same body', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Bad code
|
|
const res1 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code: 'bad-code-xyz',
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
|
|
// Redirect URI mismatch (need fresh code since code is single-use)
|
|
const code2 = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
const res2 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code: code2,
|
|
redirect_uri: 'https://wrong.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
|
|
expect(res1.status).toBe(400);
|
|
expect(res2.status).toBe(400);
|
|
expect(res1.body.error).toBe('invalid_grant');
|
|
expect(res2.body.error).toBe('invalid_grant');
|
|
// Both must use exactly the same error_description (H5)
|
|
expect(res1.body.error_description).toBe(res2.body.error_description);
|
|
});
|
|
});
|
|
|
|
describe('M5 — Consent scope union (re-authorize adds to existing consent)', () => {
|
|
it('OAUTH-SEC-008 — second consent adds new scope without losing old scope', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read', 'places:read']);
|
|
const { challenge: ch1 } = makePkce();
|
|
const { challenge: ch2 } = makePkce();
|
|
|
|
// First consent: trips:read
|
|
await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({
|
|
approved: true,
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: ch1,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
|
|
// Second consent: places:read — should not drop trips:read
|
|
await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Cookie', authCookie(user.id))
|
|
.send({
|
|
approved: true,
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'places:read',
|
|
code_challenge: ch2,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
|
|
// Re-validate with trips:read — should now be auto-approved (consentRequired=false)
|
|
const { challenge: ch3 } = makePkce();
|
|
const res = await request(app)
|
|
.get('/api/oauth/authorize/validate')
|
|
.set('Cookie', authCookie(user.id))
|
|
.query({
|
|
response_type: 'code',
|
|
client_id: r.client!.client_id,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
scope: 'trips:read',
|
|
code_challenge: ch3,
|
|
code_challenge_method: 'S256',
|
|
});
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.valid).toBe(true);
|
|
expect(res.body.consentRequired).toBeFalsy();
|
|
});
|
|
});
|
|
|
|
describe('M7 — Cookie-only auth on privileged OAuth endpoints', () => {
|
|
it('OAUTH-SEC-009 — POST /api/oauth/authorize rejects Bearer JWT (no cookie)', async () => {
|
|
const { user } = createUser(testDb);
|
|
// Use a valid JWT in Authorization header (no cookie) — must be rejected
|
|
const jwt = require('jsonwebtoken');
|
|
const token = jwt.sign({ id: user.id }, 'test-jwt-secret-for-trek-testing-only', { algorithm: 'HS256' });
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/authorize')
|
|
.set('Authorization', `Bearer ${token}`)
|
|
.send({ approved: true, client_id: 'x', redirect_uri: 'https://r.example.com/cb', scope: 'trips:read', code_challenge: 'c', code_challenge_method: 'S256' });
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.code).toBe('COOKIE_AUTH_REQUIRED');
|
|
});
|
|
|
|
it('OAUTH-SEC-010 — POST /api/oauth/clients rejects Bearer JWT (no cookie)', async () => {
|
|
const jwt = require('jsonwebtoken');
|
|
const { user } = createUser(testDb);
|
|
const token = jwt.sign({ id: user.id }, 'test-jwt-secret-for-trek-testing-only', { algorithm: 'HS256' });
|
|
|
|
const res = await request(app)
|
|
.post('/api/oauth/clients')
|
|
.set('Authorization', `Bearer ${token}`)
|
|
.send({ name: 'App', redirect_uris: ['https://app.example.com/cb'], allowed_scopes: ['trips:read'] });
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.code).toBe('COOKIE_AUTH_REQUIRED');
|
|
});
|
|
|
|
it('OAUTH-SEC-011 — DELETE /api/oauth/sessions/:id rejects Bearer JWT (no cookie)', async () => {
|
|
const jwt = require('jsonwebtoken');
|
|
const { user } = createUser(testDb);
|
|
const token = jwt.sign({ id: user.id }, 'test-jwt-secret-for-trek-testing-only', { algorithm: 'HS256' });
|
|
|
|
const res = await request(app)
|
|
.delete('/api/oauth/sessions/1')
|
|
.set('Authorization', `Bearer ${token}`);
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.code).toBe('COOKIE_AUTH_REQUIRED');
|
|
});
|
|
});
|
|
|
|
describe('C3 — Refresh token replay detection', () => {
|
|
it('OAUTH-SEC-012 — replaying a rotated (old) refresh token returns invalid_grant', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
// Get initial tokens
|
|
const t1 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
expect(t1.status).toBe(200);
|
|
const originalRefreshToken = t1.body.refresh_token;
|
|
|
|
// Rotate once (legitimate use)
|
|
const t2 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: originalRefreshToken,
|
|
});
|
|
expect(t2.status).toBe(200);
|
|
|
|
// Replay the original (now rotated/revoked) refresh token — must be rejected
|
|
const t3 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: originalRefreshToken,
|
|
});
|
|
expect(t3.status).toBe(400);
|
|
expect(t3.body.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('OAUTH-SEC-013 — replaying old token also invalidates the new chain', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'App', ['https://app.example.com/cb'], ['trips:read']);
|
|
const { verifier, challenge } = makePkce();
|
|
|
|
const code = createAuthCode({
|
|
clientId: r.client!.client_id as string,
|
|
userId: user.id,
|
|
redirectUri: 'https://app.example.com/cb',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: challenge,
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const t1 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'authorization_code',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
code,
|
|
redirect_uri: 'https://app.example.com/cb',
|
|
code_verifier: verifier,
|
|
});
|
|
const originalRefreshToken = t1.body.refresh_token;
|
|
|
|
// Legitimate rotate — get new token
|
|
const t2 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: originalRefreshToken,
|
|
});
|
|
const newRefreshToken = t2.body.refresh_token;
|
|
|
|
// Replay original — triggers chain revocation
|
|
await request(app).post('/oauth/token').send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: originalRefreshToken,
|
|
});
|
|
|
|
// New token (from legitimate rotation) must also be dead now
|
|
const t4 = await request(app).post('/oauth/token').send({
|
|
grant_type: 'refresh_token',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
refresh_token: newRefreshToken,
|
|
});
|
|
expect(t4.status).toBe(400);
|
|
expect(t4.body.error).toBe('invalid_grant');
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
// POST /oauth/token — client_credentials grant
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
describe('POST /oauth/token — client_credentials grant', () => {
|
|
it('OAUTH-CC-001 — happy path: issues access token with no refresh_token', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.access_token).toBeDefined();
|
|
expect(res.body.token_type).toBe('Bearer');
|
|
expect(typeof res.body.expires_in).toBe('number');
|
|
expect(res.body.scope).toBe('trips:read');
|
|
expect(res.body.refresh_token).toBeUndefined();
|
|
});
|
|
|
|
it('OAUTH-CC-002 — issued token resolves to the client owner user', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
const info = getUserByAccessToken(res.body.access_token);
|
|
expect(info).not.toBeNull();
|
|
expect(info!.user.id).toBe(user.id);
|
|
expect(info!.scopes).toEqual(['trips:read']);
|
|
});
|
|
|
|
it('OAUTH-CC-003 — wrong client_secret returns 401 invalid_client', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: 'trekcs_wrong',
|
|
});
|
|
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-CC-004 — missing client_secret returns 401 invalid_client', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
});
|
|
|
|
expect(res.status).toBe(401);
|
|
expect(res.body.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('OAUTH-CC-005 — non-machine client returns 400 unauthorized_client', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'BrowserApp', ['https://app.example.com/cb'], ['trips:read']);
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
});
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('unauthorized_client');
|
|
});
|
|
|
|
it('OAUTH-CC-006 — scope narrowing: requested subset is honoured', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read', 'places:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
scope: 'trips:read',
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.scope).toBe('trips:read');
|
|
});
|
|
|
|
it('OAUTH-CC-007 — scope outside allowed_scopes returns 400 invalid_scope', async () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
const res = await request(app)
|
|
.post('/oauth/token')
|
|
.send({
|
|
grant_type: 'client_credentials',
|
|
client_id: r.client!.client_id,
|
|
client_secret: r.client!.client_secret,
|
|
scope: 'places:write',
|
|
});
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe('invalid_scope');
|
|
});
|
|
|
|
it('OAUTH-CC-008 — createOAuthClient with allowsClientCredentials succeeds without redirect URIs', () => {
|
|
const { user } = createUser(testDb);
|
|
const r = createOAuthClient(user.id, 'Machine', [], ['trips:read'], null, { allowsClientCredentials: true });
|
|
|
|
expect(r.error).toBeUndefined();
|
|
expect(r.client).toBeDefined();
|
|
expect(r.client!.allows_client_credentials).toBe(true);
|
|
expect((r.client!.redirect_uris as string[]).length).toBe(0);
|
|
expect(r.client!.client_secret).toBeDefined();
|
|
});
|
|
}); |