mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 05:11:46 +00:00
jubnl
dd90c6d424
Root cause: claude.ai's MCP connector (spec 2025-06-18) requires the resource server to publish Protected Resource Metadata and return WWW-Authenticate on 401s to bind the /mcp endpoint to its AS. Without these, it silently shows no tools after OAuth. - Add /.well-known/oauth-protected-resource (RFC 9728) with addon gating - Emit WWW-Authenticate: Bearer resource_metadata=... on 401/auth-failure 403s - Open CORS (origin: *) on both .well-known/* endpoints per RFC 8414/9728 - Accept resource parameter at authorize + token endpoints (RFC 8707) - Store audience on oauth_tokens; validate on every MCP request - Refresh tokens inherit audience; add resource_parameter_supported to AS metadata - DB migration: ADD COLUMN audience TEXT to oauth_tokens - Gate collab MCP tools/resources by chat/notes/polls sub-features individually - Invalidate MCP sessions when collab sub-features are toggled in admin - Update test mocks and MCP.md
941 lines
36 KiB
TypeScript
941 lines
36 KiB
TypeScript
/**
|
|
* Unit tests for server/src/services/oauthService.ts.
|
|
*/
|
|
import { describe, it, expect, vi, beforeAll, beforeEach, afterAll } from 'vitest';
|
|
import crypto from 'crypto';
|
|
|
|
const { testDb, dbMock } = vi.hoisted(() => {
|
|
const Database = require('better-sqlite3');
|
|
const db = new Database(':memory:');
|
|
db.exec('PRAGMA journal_mode = WAL');
|
|
db.exec('PRAGMA foreign_keys = ON');
|
|
db.exec('PRAGMA busy_timeout = 5000');
|
|
const mock = {
|
|
db,
|
|
closeDb: () => {},
|
|
reinitialize: () => {},
|
|
getPlaceWithTags: () => null,
|
|
canAccessTrip: (tripId: any, userId: number) =>
|
|
db.prepare(`SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)`).get(userId, tripId, userId),
|
|
isOwner: (tripId: any, userId: number) =>
|
|
!!db.prepare('SELECT id FROM trips WHERE id = ? AND user_id = ?').get(tripId, userId),
|
|
};
|
|
return { testDb: db, dbMock: mock };
|
|
});
|
|
|
|
vi.mock('../../../src/db/database', () => dbMock);
|
|
vi.mock('../../../src/config', () => ({
|
|
JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
|
|
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
|
updateJwtSecret: () => {},
|
|
}));
|
|
vi.mock('../../../src/services/apiKeyCrypto', () => ({
|
|
encrypt_api_key: (v: string) => v,
|
|
decrypt_api_key: (v: string) => v,
|
|
maybe_encrypt_api_key: (v: string) => v,
|
|
}));
|
|
vi.mock('../../../src/mcp/sessionManager', () => ({ revokeUserSessions: vi.fn(), revokeUserSessionsForClient: vi.fn(), sessions: new Map() }));
|
|
vi.mock('../../../src/demo/demo-reset', () => ({ saveBaseline: vi.fn() }));
|
|
vi.mock('../../../src/services/adminService', () => ({
|
|
isAddonEnabled: vi.fn().mockReturnValue(true),
|
|
getCollabFeatures: vi.fn().mockReturnValue({ chat: true, notes: true, polls: true, whatsnext: true }),
|
|
}));
|
|
|
|
import { createTables } from '../../../src/db/schema';
|
|
import { runMigrations } from '../../../src/db/migrations';
|
|
import { resetTestDb } from '../../helpers/test-db';
|
|
import { createUser } from '../../helpers/factories';
|
|
// PKCE helper — generates a valid code_verifier + code_challenge pair (RFC 7636)
|
|
function makePkce() {
|
|
const verifier = crypto.randomBytes(32).toString('base64url'); // 43 chars
|
|
const challenge = crypto.createHash('sha256').update(verifier).digest('base64url'); // 43 chars
|
|
return { verifier, challenge };
|
|
}
|
|
|
|
import {
|
|
createOAuthClient,
|
|
listOAuthClients,
|
|
deleteOAuthClient,
|
|
rotateOAuthClientSecret,
|
|
createAuthCode,
|
|
consumeAuthCode,
|
|
issueTokens,
|
|
getUserByAccessToken,
|
|
refreshTokens,
|
|
revokeToken,
|
|
listOAuthSessions,
|
|
revokeSession,
|
|
validateAuthorizeRequest,
|
|
verifyPKCE,
|
|
authenticateClient,
|
|
saveConsent,
|
|
getConsent,
|
|
isConsentSufficient,
|
|
} from '../../../src/services/oauthService';
|
|
import { isAddonEnabled } from '../../../src/services/adminService';
|
|
|
|
beforeAll(() => {
|
|
createTables(testDb);
|
|
runMigrations(testDb);
|
|
});
|
|
|
|
beforeEach(() => {
|
|
resetTestDb(testDb);
|
|
// Clear oauth tables manually since they're not in the standard reset list
|
|
testDb.exec('DELETE FROM oauth_tokens');
|
|
testDb.exec('DELETE FROM oauth_consents');
|
|
testDb.exec('DELETE FROM oauth_clients');
|
|
vi.mocked(isAddonEnabled).mockReturnValue(true);
|
|
});
|
|
|
|
afterAll(() => {
|
|
testDb.close();
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Helper
|
|
// ---------------------------------------------------------------------------
|
|
|
|
function makeClient(
|
|
userId: number,
|
|
overrides: Partial<{ name: string; redirectUris: string[]; scopes: string[] }> = {}
|
|
) {
|
|
return createOAuthClient(
|
|
userId,
|
|
overrides.name ?? 'Test Client',
|
|
overrides.redirectUris ?? ['https://example.com/callback'],
|
|
overrides.scopes ?? ['trips:read'],
|
|
);
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// createOAuthClient
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('createOAuthClient', () => {
|
|
it('creates a client successfully and returns client_secret only on creation', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = makeClient(user.id);
|
|
expect(result.error).toBeUndefined();
|
|
expect(result.client).toBeDefined();
|
|
expect(typeof result.client!.client_secret).toBe('string');
|
|
expect((result.client!.client_secret as string).startsWith('trekcs_')).toBe(true);
|
|
});
|
|
|
|
it('client_id is a UUID', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = makeClient(user.id);
|
|
expect(result.client!.client_id).toMatch(
|
|
/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
|
|
);
|
|
});
|
|
|
|
it('returns 400 error if name is empty', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, '', ['https://example.com/cb'], ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('Name');
|
|
});
|
|
|
|
it('returns 400 error if name exceeds 100 characters', () => {
|
|
const { user } = createUser(testDb);
|
|
const longName = 'A'.repeat(101);
|
|
const result = createOAuthClient(user.id, longName, ['https://example.com/cb'], ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('100');
|
|
});
|
|
|
|
it('returns 400 error if no redirect URIs provided', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', [], ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('redirect URI');
|
|
});
|
|
|
|
it('returns 400 error if more than 10 redirect URIs provided', () => {
|
|
const { user } = createUser(testDb);
|
|
const uris = Array.from({ length: 11 }, (_, i) => `https://example${i}.com/cb`);
|
|
const result = createOAuthClient(user.id, 'Test', uris, ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('10');
|
|
});
|
|
|
|
it('returns 400 error for invalid URI format', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['not-a-url'], ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('Invalid redirect URI');
|
|
});
|
|
|
|
it('returns 400 error for non-https URI (not localhost)', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['http://example.com/cb'], ['trips:read']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('HTTPS');
|
|
});
|
|
|
|
it('allows http://localhost redirect URI', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['http://localhost:3000/callback'], ['trips:read']);
|
|
expect(result.error).toBeUndefined();
|
|
expect(result.client).toBeDefined();
|
|
});
|
|
|
|
it('allows http://127.0.0.1 redirect URI', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['http://127.0.0.1:5000/callback'], ['trips:read']);
|
|
expect(result.error).toBeUndefined();
|
|
expect(result.client).toBeDefined();
|
|
});
|
|
|
|
it('returns 400 error if no scopes provided', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['https://example.com/cb'], []);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('scope');
|
|
});
|
|
|
|
it('returns 400 error for invalid scopes', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = createOAuthClient(user.id, 'Test', ['https://example.com/cb'], ['invalid:scope']);
|
|
expect(result.status).toBe(400);
|
|
expect(result.error).toContain('Invalid scopes');
|
|
});
|
|
|
|
it('enforces max 10 clients per user', () => {
|
|
const { user } = createUser(testDb);
|
|
for (let i = 0; i < 10; i++) {
|
|
const r = makeClient(user.id, { name: `Client ${i}` });
|
|
expect(r.error).toBeUndefined();
|
|
}
|
|
const eleventh = makeClient(user.id, { name: 'Eleventh' });
|
|
expect(eleventh.status).toBe(400);
|
|
expect(eleventh.error).toContain('10');
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// listOAuthClients
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('listOAuthClients', () => {
|
|
it('returns empty array for user with no clients', () => {
|
|
const { user } = createUser(testDb);
|
|
expect(listOAuthClients(user.id)).toEqual([]);
|
|
});
|
|
|
|
it('returns created clients with redirect_uris and allowed_scopes as arrays', () => {
|
|
const { user } = createUser(testDb);
|
|
makeClient(user.id, { name: 'Client A', redirectUris: ['https://a.com/cb'], scopes: ['trips:read', 'budget:read'] });
|
|
const clients = listOAuthClients(user.id);
|
|
expect(clients).toHaveLength(1);
|
|
expect(clients[0].name).toBe('Client A');
|
|
expect(Array.isArray(clients[0].redirect_uris)).toBe(true);
|
|
expect(Array.isArray(clients[0].allowed_scopes)).toBe(true);
|
|
expect(clients[0].allowed_scopes).toContain('trips:read');
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// deleteOAuthClient
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('deleteOAuthClient', () => {
|
|
it('deletes own client successfully', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientRowId = created.client!.id as string;
|
|
const result = deleteOAuthClient(user.id, clientRowId);
|
|
expect(result.success).toBe(true);
|
|
expect(listOAuthClients(user.id)).toHaveLength(0);
|
|
});
|
|
|
|
it('returns 404 for non-existent client', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = deleteOAuthClient(user.id, 'non-existent-id');
|
|
expect(result.status).toBe(404);
|
|
});
|
|
|
|
it("returns 404 for another user's client", () => {
|
|
const { user: owner } = createUser(testDb);
|
|
const { user: other } = createUser(testDb);
|
|
const created = makeClient(owner.id);
|
|
const result = deleteOAuthClient(other.id, created.client!.id as string);
|
|
expect(result.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// rotateOAuthClientSecret
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('rotateOAuthClientSecret', () => {
|
|
it('rotates secret and returns new client_secret starting with trekcs_', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const oldSecret = created.client!.client_secret as string;
|
|
const result = rotateOAuthClientSecret(user.id, created.client!.id as string);
|
|
expect(result.error).toBeUndefined();
|
|
expect(result.client_secret).toBeDefined();
|
|
expect((result.client_secret as string).startsWith('trekcs_')).toBe(true);
|
|
expect(result.client_secret).not.toBe(oldSecret);
|
|
});
|
|
|
|
it('returns 404 for non-existent client', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = rotateOAuthClientSecret(user.id, 'non-existent-id');
|
|
expect(result.status).toBe(404);
|
|
});
|
|
|
|
it('revokes old tokens after rotation', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
expect(getUserByAccessToken(access_token)).not.toBeNull();
|
|
|
|
rotateOAuthClientSecret(user.id, created.client!.id as string);
|
|
|
|
expect(getUserByAccessToken(access_token)).toBeNull();
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// createAuthCode + consumeAuthCode
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('createAuthCode + consumeAuthCode', () => {
|
|
it('create code and consume it once returns the pending entry', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const code = createAuthCode({
|
|
clientId,
|
|
userId: user.id,
|
|
redirectUri: 'https://example.com/callback',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: 'abc123',
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
const entry = consumeAuthCode(code);
|
|
expect(entry).not.toBeNull();
|
|
expect(entry!.userId).toBe(user.id);
|
|
expect(entry!.clientId).toBe(clientId);
|
|
});
|
|
|
|
it('returns null for non-existent code', () => {
|
|
expect(consumeAuthCode('does-not-exist')).toBeNull();
|
|
});
|
|
|
|
it('consuming same code twice returns null (one-time use)', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const code = createAuthCode({
|
|
clientId,
|
|
userId: user.id,
|
|
redirectUri: 'https://example.com/callback',
|
|
scopes: ['trips:read'],
|
|
codeChallenge: 'abc123',
|
|
codeChallengeMethod: 'S256',
|
|
});
|
|
|
|
consumeAuthCode(code);
|
|
expect(consumeAuthCode(code)).toBeNull();
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// issueTokens + getUserByAccessToken
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('issueTokens + getUserByAccessToken', () => {
|
|
it('issues tokens with correct prefixes', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const tokens = issueTokens(clientId, user.id, ['trips:read']);
|
|
expect(tokens.access_token.startsWith('trekoa_')).toBe(true);
|
|
expect(tokens.refresh_token.startsWith('trekrf_')).toBe(true);
|
|
expect(tokens.token_type).toBe('Bearer');
|
|
expect(typeof tokens.expires_in).toBe('number');
|
|
});
|
|
|
|
it('getUserByAccessToken returns user and scopes for a valid token', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read', 'budget:write']);
|
|
const info = getUserByAccessToken(access_token);
|
|
expect(info).not.toBeNull();
|
|
expect(info!.user.email).toBe(user.email);
|
|
expect(info!.scopes).toContain('trips:read');
|
|
expect(info!.scopes).toContain('budget:write');
|
|
});
|
|
|
|
it('getUserByAccessToken returns null for unknown token', () => {
|
|
expect(getUserByAccessToken('trekoa_unknown')).toBeNull();
|
|
});
|
|
|
|
it('getUserByAccessToken returns null for revoked token', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
revokeToken(access_token, clientId);
|
|
expect(getUserByAccessToken(access_token)).toBeNull();
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// refreshTokens
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('refreshTokens', () => {
|
|
it('exchanges a refresh token for a new token pair', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const { refresh_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
const result = refreshTokens(refresh_token, clientId, rawSecret);
|
|
expect(result.error).toBeUndefined();
|
|
expect(result.tokens).toBeDefined();
|
|
expect(result.tokens!.access_token.startsWith('trekoa_')).toBe(true);
|
|
});
|
|
|
|
it('old tokens are revoked after refresh (rotation)', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const { access_token, refresh_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
refreshTokens(refresh_token, clientId, rawSecret);
|
|
expect(getUserByAccessToken(access_token)).toBeNull();
|
|
});
|
|
|
|
it('returns invalid_grant for unknown refresh token', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const result = refreshTokens('trekrf_unknown', clientId, rawSecret);
|
|
expect(result.error).toBe('invalid_grant');
|
|
expect(result.status).toBe(400);
|
|
});
|
|
|
|
it('returns invalid_grant for revoked token', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const { access_token, refresh_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
revokeToken(access_token, clientId);
|
|
const result = refreshTokens(refresh_token, clientId, rawSecret);
|
|
expect(result.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('returns invalid_client for wrong client_secret', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { refresh_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
const result = refreshTokens(refresh_token, clientId, 'wrong-secret');
|
|
expect(result.error).toBe('invalid_client');
|
|
expect(result.status).toBe(401);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// revokeToken
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('revokeToken', () => {
|
|
it('after revoking access token, getUserByAccessToken returns null', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
expect(getUserByAccessToken(access_token)).not.toBeNull();
|
|
|
|
revokeToken(access_token, clientId);
|
|
expect(getUserByAccessToken(access_token)).toBeNull();
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// listOAuthSessions + revokeSession
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('listOAuthSessions + revokeSession', () => {
|
|
it('lists active sessions', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
issueTokens(clientId, user.id, ['trips:read']);
|
|
const sessions = listOAuthSessions(user.id);
|
|
expect(sessions).toHaveLength(1);
|
|
expect(sessions[0].client_id).toBe(clientId);
|
|
});
|
|
|
|
it('revoked session is not listed', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
revokeToken(access_token, clientId);
|
|
const sessions = listOAuthSessions(user.id);
|
|
expect(sessions).toHaveLength(0);
|
|
});
|
|
|
|
it('revokeSession returns 404 for unknown session', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = revokeSession(user.id, 99999);
|
|
expect(result.status).toBe(404);
|
|
});
|
|
|
|
it('revokeSession by session id removes session from list', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
issueTokens(clientId, user.id, ['trips:read']);
|
|
const sessions = listOAuthSessions(user.id);
|
|
const sessionId = sessions[0].id as number;
|
|
|
|
const result = revokeSession(user.id, sessionId);
|
|
expect(result.success).toBe(true);
|
|
expect(listOAuthSessions(user.id)).toHaveLength(0);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// validateAuthorizeRequest
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('validateAuthorizeRequest', () => {
|
|
// Use a proper 43-char S256 code_challenge to pass H1 format validation
|
|
const { challenge: VALID_CHALLENGE } = makePkce();
|
|
|
|
function makeParams(overrides: Partial<{
|
|
response_type: string;
|
|
client_id: string;
|
|
redirect_uri: string;
|
|
scope: string;
|
|
code_challenge: string;
|
|
code_challenge_method: string;
|
|
}> = {}) {
|
|
return {
|
|
response_type: 'code',
|
|
client_id: '',
|
|
redirect_uri: 'https://example.com/callback',
|
|
scope: 'trips:read',
|
|
code_challenge: VALID_CHALLENGE,
|
|
code_challenge_method: 'S256',
|
|
...overrides,
|
|
};
|
|
}
|
|
|
|
it('returns mcp_disabled when isAddonEnabled returns false', () => {
|
|
vi.mocked(isAddonEnabled).mockReturnValue(false);
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: 'x' }), null);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('mcp_disabled');
|
|
});
|
|
|
|
it('requires response_type=code', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = validateAuthorizeRequest(makeParams({ response_type: 'token', client_id: 'x' }), user.id);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('unsupported_response_type');
|
|
});
|
|
|
|
it('requires PKCE with S256', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: 'x', code_challenge_method: 'plain' }), user.id);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('requires valid client_id', () => {
|
|
const { user } = createUser(testDb);
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: 'nonexistent' }), user.id);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_client');
|
|
});
|
|
|
|
it('validates redirect_uri against registered URIs', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id, { redirectUris: ['https://example.com/callback'] });
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const result = validateAuthorizeRequest(
|
|
makeParams({ client_id: clientId, redirect_uri: 'https://evil.com/callback' }),
|
|
user.id
|
|
);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_redirect_uri');
|
|
});
|
|
|
|
it('validates scope against client allowed_scopes', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id, { scopes: ['trips:read'] });
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const result = validateAuthorizeRequest(
|
|
makeParams({ client_id: clientId, scope: 'budget:write' }),
|
|
user.id
|
|
);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_scope');
|
|
});
|
|
|
|
it('returns loginRequired when userId is null', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: clientId }), null);
|
|
expect(result.valid).toBe(true);
|
|
expect(result.loginRequired).toBe(true);
|
|
});
|
|
|
|
it('returns consentRequired=true when consent not yet saved', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: clientId }), user.id);
|
|
expect(result.valid).toBe(true);
|
|
expect(result.consentRequired).toBe(true);
|
|
});
|
|
|
|
it('returns consentRequired=false when consent already saved and sufficient', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
saveConsent(clientId, user.id, ['trips:read']);
|
|
const result = validateAuthorizeRequest(makeParams({ client_id: clientId }), user.id);
|
|
expect(result.valid).toBe(true);
|
|
expect(result.consentRequired).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// verifyPKCE
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('verifyPKCE', () => {
|
|
it('returns true for valid code_verifier / code_challenge pair (SHA256 base64url)', () => {
|
|
const verifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
|
|
const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
|
|
expect(verifyPKCE(verifier, challenge)).toBe(true);
|
|
});
|
|
|
|
it('returns false for wrong verifier', () => {
|
|
const verifier = 'correct-verifier';
|
|
const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
|
|
expect(verifyPKCE('wrong-verifier', challenge)).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// authenticateClient
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('authenticateClient', () => {
|
|
it('returns client row for correct credentials', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const client = authenticateClient(clientId, rawSecret);
|
|
expect(client).not.toBeNull();
|
|
expect(client!.client_id).toBe(clientId);
|
|
});
|
|
|
|
it('returns null for wrong secret', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
expect(authenticateClient(clientId, 'wrong-secret')).toBeNull();
|
|
});
|
|
|
|
it('returns null for unknown client_id', () => {
|
|
expect(authenticateClient('unknown-client-id', 'any-secret')).toBeNull();
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// saveConsent + getConsent + isConsentSufficient
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('saveConsent + getConsent + isConsentSufficient', () => {
|
|
it('saves and retrieves consent', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
saveConsent(clientId, user.id, ['trips:read', 'budget:write']);
|
|
const consent = getConsent(clientId, user.id);
|
|
expect(consent).not.toBeNull();
|
|
expect(consent).toContain('trips:read');
|
|
expect(consent).toContain('budget:write');
|
|
});
|
|
|
|
it('isConsentSufficient returns true when all requested scopes are in existing', () => {
|
|
expect(isConsentSufficient(['trips:read', 'budget:write'], ['trips:read'])).toBe(true);
|
|
expect(isConsentSufficient(['trips:read', 'budget:write'], ['trips:read', 'budget:write'])).toBe(true);
|
|
});
|
|
|
|
it('isConsentSufficient returns false when some scopes are missing', () => {
|
|
expect(isConsentSufficient(['trips:read'], ['trips:read', 'budget:write'])).toBe(false);
|
|
expect(isConsentSufficient([], ['trips:read'])).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// M5 — saveConsent unions instead of replacing
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('saveConsent — scope union (M5)', () => {
|
|
it('unioning scopes: approving B after A leaves both in consent', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id, { scopes: ['trips:read', 'budget:write'] });
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
saveConsent(clientId, user.id, ['trips:read']);
|
|
saveConsent(clientId, user.id, ['budget:write']);
|
|
|
|
const consent = getConsent(clientId, user.id);
|
|
expect(consent).toContain('trips:read');
|
|
expect(consent).toContain('budget:write');
|
|
});
|
|
|
|
it('re-approving a superset scope still preserves previously-consented scopes', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id, { scopes: ['trips:read', 'trips:write'] });
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
saveConsent(clientId, user.id, ['trips:read', 'trips:write']);
|
|
// approve only trips:read on a later request
|
|
saveConsent(clientId, user.id, ['trips:read']);
|
|
|
|
const consent = getConsent(clientId, user.id);
|
|
// trips:write should NOT be removed (union semantics)
|
|
expect(consent).toContain('trips:read');
|
|
expect(consent).toContain('trips:write');
|
|
});
|
|
|
|
it('consent is sufficient after sequential approvals — no re-prompt needed', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id, { scopes: ['trips:read', 'budget:write'] });
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
saveConsent(clientId, user.id, ['trips:read']);
|
|
saveConsent(clientId, user.id, ['budget:write']);
|
|
|
|
// Should not require consent again for either scope
|
|
expect(isConsentSufficient(getConsent(clientId, user.id)!, ['trips:read'])).toBe(true);
|
|
expect(isConsentSufficient(getConsent(clientId, user.id)!, ['budget:write'])).toBe(true);
|
|
expect(isConsentSufficient(getConsent(clientId, user.id)!, ['trips:read', 'budget:write'])).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// C2 — getUserByAccessToken returns clientId
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('getUserByAccessToken — includes clientId (C2)', () => {
|
|
it('returns clientId matching the issuing OAuth client', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const { access_token } = issueTokens(clientId, user.id, ['trips:read']);
|
|
const info = getUserByAccessToken(access_token);
|
|
expect(info).not.toBeNull();
|
|
expect(info!.clientId).toBe(clientId);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// C3 — Refresh token replay detection and chain revocation
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('refreshTokens — replay detection (C3)', () => {
|
|
it('replaying a revoked refresh token returns invalid_grant', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
// Issue tokens, then rotate once (old token becomes revoked)
|
|
const { refresh_token: firstRefresh } = issueTokens(clientId, user.id, ['trips:read']);
|
|
const rotateResult = refreshTokens(firstRefresh, clientId, rawSecret);
|
|
expect(rotateResult.error).toBeUndefined();
|
|
const { refresh_token: secondRefresh } = rotateResult.tokens!;
|
|
|
|
// Replay the FIRST (now revoked) refresh token
|
|
const replayResult = refreshTokens(firstRefresh, clientId, rawSecret);
|
|
expect(replayResult.error).toBe('invalid_grant');
|
|
expect(replayResult.status).toBe(400);
|
|
});
|
|
|
|
it('replaying a revoked token also revokes the entire rotation chain', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
// Issue → rotate once
|
|
const { refresh_token: first } = issueTokens(clientId, user.id, ['trips:read']);
|
|
const r1 = refreshTokens(first, clientId, rawSecret);
|
|
const { access_token: access2, refresh_token: second } = r1.tokens!;
|
|
|
|
// Replay first (revoked) refresh token → chain revoke
|
|
refreshTokens(first, clientId, rawSecret);
|
|
|
|
// The rotated access token should also be dead now
|
|
expect(getUserByAccessToken(access2)).toBeNull();
|
|
|
|
// The second refresh token should also be revoked
|
|
const r2 = refreshTokens(second, clientId, rawSecret);
|
|
expect(r2.error).toBe('invalid_grant');
|
|
});
|
|
|
|
it('new rotation chain after replay is independent', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const rawSecret = created.client!.client_secret as string;
|
|
|
|
const { refresh_token: first } = issueTokens(clientId, user.id, ['trips:read']);
|
|
// Rotate once
|
|
const r1 = refreshTokens(first, clientId, rawSecret);
|
|
const { refresh_token: second } = r1.tokens!;
|
|
// Rotate again on the second token
|
|
const r2 = refreshTokens(second, clientId, rawSecret);
|
|
expect(r2.error).toBeUndefined();
|
|
const { refresh_token: third } = r2.tokens!;
|
|
|
|
// Replay the first revoked token → revokes chain containing first+second+third
|
|
refreshTokens(first, clientId, rawSecret);
|
|
|
|
// third should now be revoked too (it's in the same chain)
|
|
const r3 = refreshTokens(third, clientId, rawSecret);
|
|
expect(r3.error).toBe('invalid_grant');
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// H1 — PKCE code_challenge / code_verifier format validation
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('verifyPKCE — format validation (H1)', () => {
|
|
it('returns false for a code_verifier that is too short (< 43 chars)', () => {
|
|
const { challenge } = makePkce();
|
|
expect(verifyPKCE('short', challenge)).toBe(false);
|
|
});
|
|
|
|
it('returns false for a code_verifier that is too long (> 128 chars)', () => {
|
|
const { challenge } = makePkce();
|
|
const longVerifier = 'a'.repeat(129);
|
|
expect(verifyPKCE(longVerifier, challenge)).toBe(false);
|
|
});
|
|
|
|
it('returns false for a code_verifier with invalid characters', () => {
|
|
const { challenge } = makePkce();
|
|
const badVerifier = 'A'.repeat(42) + ' '; // space is not allowed
|
|
expect(verifyPKCE(badVerifier, challenge)).toBe(false);
|
|
});
|
|
|
|
it('returns true for a valid 43-char verifier matching its challenge', () => {
|
|
const { verifier, challenge } = makePkce();
|
|
expect(verifyPKCE(verifier, challenge)).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('validateAuthorizeRequest — PKCE format (H1)', () => {
|
|
it('returns invalid_request when code_challenge is shorter than 43 chars', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
const result = validateAuthorizeRequest({
|
|
response_type: 'code',
|
|
client_id: clientId,
|
|
redirect_uri: 'https://example.com/callback',
|
|
scope: 'trips:read',
|
|
code_challenge: 'tooshort',
|
|
code_challenge_method: 'S256',
|
|
}, user.id);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_request');
|
|
});
|
|
|
|
it('returns invalid_request when code_challenge contains invalid characters', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
|
|
// 43 chars but includes '=' which is not base64url
|
|
const badChallenge = '='.repeat(43);
|
|
const result = validateAuthorizeRequest({
|
|
response_type: 'code',
|
|
client_id: clientId,
|
|
redirect_uri: 'https://example.com/callback',
|
|
scope: 'trips:read',
|
|
code_challenge: badChallenge,
|
|
code_challenge_method: 'S256',
|
|
}, user.id);
|
|
expect(result.valid).toBe(false);
|
|
expect(result.error).toBe('invalid_request');
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// H3 — validateAuthorizeRequest: loginRequired response strips client info
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('validateAuthorizeRequest — unauthenticated strips client info (H3)', () => {
|
|
it('loginRequired response does not include client.name or allowed_scopes', () => {
|
|
const { user } = createUser(testDb);
|
|
const created = makeClient(user.id);
|
|
const clientId = created.client!.client_id as string;
|
|
const { challenge } = makePkce();
|
|
|
|
const result = validateAuthorizeRequest({
|
|
response_type: 'code',
|
|
client_id: clientId,
|
|
redirect_uri: 'https://example.com/callback',
|
|
scope: 'trips:read',
|
|
code_challenge: challenge,
|
|
code_challenge_method: 'S256',
|
|
}, null /* unauthenticated */);
|
|
|
|
expect(result.valid).toBe(true);
|
|
expect(result.loginRequired).toBe(true);
|
|
// Must NOT expose client metadata to unauthenticated callers
|
|
expect(result.client).toBeUndefined();
|
|
expect(result.scopes).toBeUndefined();
|
|
});
|
|
});
|