test: expand test suite to 87.3% backend coverage
Add new integration test files covering previously untested routes:
- categories.test.ts — GET /api/categories
- oidc.test.ts — full OIDC login flow (callback, state, errors)
- settings.test.ts — GET/PUT /api/settings, bulk save
- tags.test.ts — CRUD for trip tags
- todo.test.ts — todo items CRUD and reorder
Add new unit test files covering service-layer logic:
- adminService.test.ts — user/invite management, packing templates, OIDC settings
- atlasService.test.ts — atlas search and place enrichment
- authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA)
- backupService.test.ts — export/import/restore logic
- categoryService.test.ts — category CRUD
- dayService.test.ts — day management and accommodation helpers
- mapsService.test.ts — route/directions helpers
- oidcService.test.ts — OIDC state, auth code, role resolution, user upsert
- packingService.test.ts — packing item/bag/template operations
- placeService.test.ts — place CRUD and tag attachment
- settingsService.test.ts — settings get/set/bulk
- tagService.test.ts — tag CRUD
- todoService.test.ts — todo CRUD and reorder
- tripService.test.ts — trip CRUD, member management, archiving
- vacayService.test.ts — vacay integration helpers
- tripAccess.test.ts (middleware) — requireTripAccess middleware
Expand existing integration and unit test files with additional cases
across admin, atlas, auth, backup, collab, days, files, maps, memories
(Immich/Synology), notifications, places, reservations, share, vacay,
weather, auth middleware, ephemeral tokens, notification preferences,
permissions, SSRF guard, and WebSocket connection tests.
Update test helpers (factories.ts, test-db.ts) with new factory
functions and seed data required by the expanded suite.
Fix minor issues in server/src/routes/reservations.ts and
server/src/services/atlasService.ts surfaced by new test coverage.
Update sonar-project.properties to reflect new coverage thresholds.
2026-04-07 02:06:46 +08:00
|
|
|
/**
|
|
|
|
|
* Unit tests for oidcService — OIDC-SVC-001 through OIDC-SVC-025.
|
|
|
|
|
* Covers state management, auth codes, role resolution, findOrCreateUser,
|
|
|
|
|
* discover caching, and the ReDoS-sensitive issuer trailing-slash regex.
|
|
|
|
|
*/
|
|
|
|
|
import { describe, it, expect, vi, beforeAll, beforeEach, afterAll, afterEach } from 'vitest';
|
|
|
|
|
|
|
|
|
|
// ── DB setup ──────────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
const { testDb, dbMock } = vi.hoisted(() => {
|
|
|
|
|
const Database = require('better-sqlite3');
|
|
|
|
|
const db = new Database(':memory:');
|
|
|
|
|
db.exec('PRAGMA journal_mode = WAL');
|
|
|
|
|
db.exec('PRAGMA foreign_keys = ON');
|
|
|
|
|
db.exec('PRAGMA busy_timeout = 5000');
|
|
|
|
|
const mock = {
|
|
|
|
|
db,
|
|
|
|
|
closeDb: () => {},
|
|
|
|
|
reinitialize: () => {},
|
|
|
|
|
getPlaceWithTags: () => null,
|
|
|
|
|
canAccessTrip: (tripId: any, userId: number) =>
|
|
|
|
|
db.prepare(`
|
|
|
|
|
SELECT t.id, t.user_id FROM trips t
|
|
|
|
|
LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ?
|
|
|
|
|
WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)
|
|
|
|
|
`).get(userId, tripId, userId),
|
|
|
|
|
isOwner: (tripId: any, userId: number) =>
|
|
|
|
|
!!db.prepare('SELECT id FROM trips WHERE id = ? AND user_id = ?').get(tripId, userId),
|
|
|
|
|
};
|
|
|
|
|
return { testDb: db, dbMock: mock };
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
vi.mock('../../../src/db/database', () => dbMock);
|
|
|
|
|
vi.mock('../../../src/config', () => ({
|
|
|
|
|
JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
|
|
|
|
|
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
|
|
|
|
updateJwtSecret: () => {},
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
import { createTables } from '../../../src/db/schema';
|
|
|
|
|
import { runMigrations } from '../../../src/db/migrations';
|
|
|
|
|
import { resetTestDb } from '../../helpers/test-db';
|
|
|
|
|
import { createUser } from '../../helpers/factories';
|
|
|
|
|
import {
|
|
|
|
|
createState,
|
|
|
|
|
consumeState,
|
|
|
|
|
createAuthCode,
|
|
|
|
|
consumeAuthCode,
|
|
|
|
|
resolveOidcRole,
|
|
|
|
|
frontendUrl,
|
|
|
|
|
findOrCreateUser,
|
|
|
|
|
discover,
|
|
|
|
|
} from '../../../src/services/oidcService';
|
|
|
|
|
|
|
|
|
|
const MOCK_CONFIG = {
|
|
|
|
|
issuer: 'https://oidc.example.com',
|
|
|
|
|
clientId: 'client-id',
|
|
|
|
|
clientSecret: 'client-secret',
|
|
|
|
|
displayName: 'SSO',
|
|
|
|
|
discoveryUrl: null,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
beforeAll(() => {
|
|
|
|
|
createTables(testDb);
|
|
|
|
|
runMigrations(testDb);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
resetTestDb(testDb);
|
|
|
|
|
delete process.env.OIDC_ADMIN_VALUE;
|
|
|
|
|
delete process.env.OIDC_ADMIN_CLAIM;
|
|
|
|
|
delete process.env.NODE_ENV;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterAll(() => {
|
|
|
|
|
vi.unstubAllGlobals();
|
|
|
|
|
testDb.close();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── createState / consumeState ────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('createState / consumeState', () => {
|
|
|
|
|
it('OIDC-SVC-001: createState returns a hex token', () => {
|
|
|
|
|
const state = createState('https://example.com/callback');
|
|
|
|
|
expect(state).toMatch(/^[0-9a-f]{64}$/);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-002: consumeState returns stored data and deletes state', () => {
|
|
|
|
|
const state = createState('https://example.com/callback', 'invite-abc');
|
|
|
|
|
const data = consumeState(state);
|
|
|
|
|
expect(data).not.toBeNull();
|
|
|
|
|
expect(data!.redirectUri).toBe('https://example.com/callback');
|
|
|
|
|
expect(data!.inviteToken).toBe('invite-abc');
|
|
|
|
|
// State is consumed — second call returns null
|
|
|
|
|
expect(consumeState(state)).toBeNull();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-003: consumeState returns null for unknown state', () => {
|
|
|
|
|
expect(consumeState('not-a-real-state')).toBeNull();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-004: two different states do not conflict', () => {
|
|
|
|
|
const s1 = createState('http://a.example.com');
|
|
|
|
|
const s2 = createState('http://b.example.com');
|
|
|
|
|
expect(s1).not.toBe(s2);
|
|
|
|
|
expect(consumeState(s1)!.redirectUri).toBe('http://a.example.com');
|
|
|
|
|
expect(consumeState(s2)!.redirectUri).toBe('http://b.example.com');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── createAuthCode / consumeAuthCode ─────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('createAuthCode / consumeAuthCode', () => {
|
|
|
|
|
it('OIDC-SVC-005: createAuthCode returns a UUID-like string', () => {
|
|
|
|
|
const code = createAuthCode('my.jwt.token');
|
|
|
|
|
expect(typeof code).toBe('string');
|
|
|
|
|
expect(code.length).toBeGreaterThan(0);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-006: consumeAuthCode returns the stored token', () => {
|
|
|
|
|
const code = createAuthCode('real.jwt.here');
|
|
|
|
|
const result = consumeAuthCode(code);
|
|
|
|
|
expect('token' in result).toBe(true);
|
|
|
|
|
expect((result as { token: string }).token).toBe('real.jwt.here');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-007: auth code is single-use (second consume returns error)', () => {
|
|
|
|
|
const code = createAuthCode('single.use.token');
|
|
|
|
|
consumeAuthCode(code); // first use
|
|
|
|
|
const second = consumeAuthCode(code);
|
|
|
|
|
expect('error' in second).toBe(true);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-008: consumeAuthCode returns error for unknown code', () => {
|
|
|
|
|
const result = consumeAuthCode('not-a-real-code');
|
|
|
|
|
expect('error' in result).toBe(true);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── resolveOidcRole ───────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('resolveOidcRole', () => {
|
|
|
|
|
it('OIDC-SVC-009: returns admin when isFirstUser is true', () => {
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x' }, true)).toBe('admin');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-010: returns user when no OIDC_ADMIN_VALUE is set', () => {
|
|
|
|
|
delete process.env.OIDC_ADMIN_VALUE;
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', groups: ['admins'] }, false)).toBe('user');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-011: returns admin when groups array contains OIDC_ADMIN_VALUE', () => {
|
|
|
|
|
process.env.OIDC_ADMIN_VALUE = 'trek-admins';
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', groups: ['trek-users', 'trek-admins'] }, false)).toBe('admin');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-012: returns user when groups array does not contain OIDC_ADMIN_VALUE', () => {
|
|
|
|
|
process.env.OIDC_ADMIN_VALUE = 'trek-admins';
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', groups: ['trek-users'] }, false)).toBe('user');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-013: uses custom OIDC_ADMIN_CLAIM when set', () => {
|
|
|
|
|
process.env.OIDC_ADMIN_VALUE = 'superadmin';
|
|
|
|
|
process.env.OIDC_ADMIN_CLAIM = 'roles';
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', roles: ['superadmin', 'editor'] }, false)).toBe('admin');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-014: handles string claim (exact match)', () => {
|
|
|
|
|
process.env.OIDC_ADMIN_VALUE = 'admin';
|
|
|
|
|
process.env.OIDC_ADMIN_CLAIM = 'role';
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', role: 'admin' }, false)).toBe('admin');
|
|
|
|
|
expect(resolveOidcRole({ sub: 'x', role: 'editor' }, false)).toBe('user');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── frontendUrl ───────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('frontendUrl', () => {
|
|
|
|
|
it('OIDC-SVC-015: prepends localhost:5173 in non-production', () => {
|
|
|
|
|
delete process.env.NODE_ENV;
|
|
|
|
|
expect(frontendUrl('/login?oidc_code=abc')).toBe('http://localhost:5173/login?oidc_code=abc');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-016: returns bare path in production', () => {
|
|
|
|
|
process.env.NODE_ENV = 'production';
|
|
|
|
|
expect(frontendUrl('/login?oidc_code=abc')).toBe('/login?oidc_code=abc');
|
|
|
|
|
delete process.env.NODE_ENV;
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── discover ──────────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('discover', () => {
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
vi.unstubAllGlobals();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-017: fetches and returns discovery document', async () => {
|
|
|
|
|
const doc = {
|
|
|
|
|
authorization_endpoint: 'https://oidc.example.com/auth',
|
|
|
|
|
token_endpoint: 'https://oidc.example.com/token',
|
|
|
|
|
userinfo_endpoint: 'https://oidc.example.com/userinfo',
|
|
|
|
|
};
|
|
|
|
|
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
|
|
|
|
ok: true,
|
|
|
|
|
json: async () => doc,
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
// Use unique issuer to bypass module-level cache from other tests
|
|
|
|
|
const result = await discover('https://unique-1.example.com');
|
|
|
|
|
expect(result.authorization_endpoint).toBe(doc.authorization_endpoint);
|
|
|
|
|
expect(result.token_endpoint).toBe(doc.token_endpoint);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-018: throws when provider returns non-ok response', async () => {
|
|
|
|
|
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({ ok: false }));
|
|
|
|
|
await expect(discover('https://bad-issuer.example.com')).rejects.toThrow();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── issuer trailing-slash regex (ReDoS guard) ─────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('getOidcConfig issuer trailing-slash regex', () => {
|
|
|
|
|
it('OIDC-SVC-019: /\\/+$/ strips trailing slashes in < 5ms', () => {
|
|
|
|
|
// The regex /\/+$/ in getOidcConfig: issuer.replace(/\/+$/, '')
|
|
|
|
|
// Adversarial input: many trailing slashes — should not backtrack catastrophically
|
|
|
|
|
const adversarial = 'https://oidc.example.com' + '/'.repeat(10000);
|
|
|
|
|
const start = Date.now();
|
|
|
|
|
const result = adversarial.replace(/\/+$/, '');
|
|
|
|
|
const elapsed = Date.now() - start;
|
|
|
|
|
expect(result).toBe('https://oidc.example.com');
|
|
|
|
|
expect(elapsed).toBeLessThan(100);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── findOrCreateUser ──────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('findOrCreateUser', () => {
|
|
|
|
|
it('OIDC-SVC-020: finds existing user by oidc_sub', () => {
|
|
|
|
|
const { user } = createUser(testDb, { email: 'alice@example.com' });
|
|
|
|
|
// Link the sub manually
|
|
|
|
|
testDb.prepare('UPDATE users SET oidc_sub = ?, oidc_issuer = ? WHERE id = ?')
|
|
|
|
|
.run('sub-alice-123', MOCK_CONFIG.issuer, user.id);
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-alice-123', email: 'alice@example.com', name: 'Alice' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
expect((result as { user: any }).user.id).toBe(user.id);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-021: finds existing user by email when no sub match', () => {
|
|
|
|
|
const { user } = createUser(testDb, { email: 'bob@example.com' });
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-bob-new', email: 'bob@example.com', name: 'Bob' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
expect((result as { user: any }).user.id).toBe(user.id);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-022: creates new user when registration is open', () => {
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-new-1', email: 'newuser@example.com', name: 'New User' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
const newUser = testDb.prepare("SELECT * FROM users WHERE email = 'newuser@example.com'").get();
|
|
|
|
|
expect(newUser).toBeDefined();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-023: first user gets admin role', () => {
|
|
|
|
|
// DB is empty after resetTestDb
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-first', email: 'first@example.com', name: 'First' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
expect((result as { user: any }).user.role).toBe('admin');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-024: returns registration_disabled error when registration is off', () => {
|
|
|
|
|
createUser(testDb, { email: 'existing@example.com' });
|
|
|
|
|
testDb.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES ('allow_registration', 'false')").run();
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-blocked', email: 'blocked@example.com', name: 'Blocked' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
expect('error' in result).toBe(true);
|
|
|
|
|
expect((result as { error: string }).error).toBe('registration_disabled');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-025: links oidc_sub when existing user has none', () => {
|
|
|
|
|
const { user } = createUser(testDb, { email: 'charlie@example.com' });
|
|
|
|
|
// Ensure no oidc_sub set
|
|
|
|
|
testDb.prepare('UPDATE users SET oidc_sub = NULL, oidc_issuer = NULL WHERE id = ?').run(user.id);
|
|
|
|
|
|
|
|
|
|
findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-charlie-linked', email: 'charlie@example.com', name: 'Charlie' },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const updated = testDb.prepare('SELECT oidc_sub FROM users WHERE id = ?').get(user.id) as any;
|
|
|
|
|
expect(updated.oidc_sub).toBe('sub-charlie-linked');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-026: existing user role is updated when OIDC claim mapping changes it', () => {
|
|
|
|
|
const { user } = createUser(testDb, { email: 'diana@example.com', role: 'user' });
|
|
|
|
|
// Link oidc_sub manually so the user is found by sub lookup
|
|
|
|
|
testDb.prepare('UPDATE users SET oidc_sub = ?, oidc_issuer = ? WHERE id = ?')
|
|
|
|
|
.run('sub-diana-role', MOCK_CONFIG.issuer, user.id);
|
|
|
|
|
|
|
|
|
|
process.env.OIDC_ADMIN_VALUE = 'admins';
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-diana-role', email: 'diana@example.com', name: 'Diana', groups: ['admins'] },
|
|
|
|
|
MOCK_CONFIG
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
expect((result as { user: any }).user.role).toBe('admin');
|
|
|
|
|
|
|
|
|
|
const dbUser = testDb.prepare('SELECT role FROM users WHERE id = ?').get(user.id) as any;
|
|
|
|
|
expect(dbUser.role).toBe('admin');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-027: new user with valid invite token increments used_count', () => {
|
|
|
|
|
const { user: creator } = createUser(testDb, { email: 'creator@example.com' });
|
|
|
|
|
testDb.prepare(
|
|
|
|
|
"INSERT INTO invite_tokens (token, max_uses, used_count, created_by) VALUES ('tok-valid', 5, 0, ?)"
|
|
|
|
|
).run(creator.id);
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-invite-user', email: 'invitee@example.com', name: 'Invitee' },
|
|
|
|
|
MOCK_CONFIG,
|
|
|
|
|
'tok-valid'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
|
|
|
|
|
const token = testDb.prepare("SELECT used_count FROM invite_tokens WHERE token = 'tok-valid'").get() as any;
|
|
|
|
|
expect(token.used_count).toBe(1);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-028: new user with expired invite token is created but invite is ignored', () => {
|
|
|
|
|
const { user: creator } = createUser(testDb, { email: 'creator2@example.com' });
|
|
|
|
|
testDb.prepare(
|
|
|
|
|
"INSERT INTO invite_tokens (token, max_uses, used_count, expires_at, created_by) VALUES ('tok-expired', 5, 0, '2000-01-01T00:00:00.000Z', ?)"
|
|
|
|
|
).run(creator.id);
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-expired-invite', email: 'expired-invitee@example.com', name: 'ExpiredInvitee' },
|
|
|
|
|
MOCK_CONFIG,
|
|
|
|
|
'tok-expired'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// User is still created because open registration is allowed
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
const newUser = testDb.prepare("SELECT id FROM users WHERE email = 'expired-invitee@example.com'").get();
|
|
|
|
|
expect(newUser).toBeDefined();
|
|
|
|
|
|
|
|
|
|
// Invite used_count must remain 0 (token was treated as invalid)
|
|
|
|
|
const token = testDb.prepare("SELECT used_count FROM invite_tokens WHERE token = 'tok-expired'").get() as any;
|
|
|
|
|
expect(token.used_count).toBe(0);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-029: new user with max_uses exceeded invite token is created but invite is ignored', () => {
|
|
|
|
|
const { user: creator } = createUser(testDb, { email: 'creator3@example.com' });
|
|
|
|
|
testDb.prepare(
|
|
|
|
|
"INSERT INTO invite_tokens (token, max_uses, used_count, created_by) VALUES ('tok-full', 1, 1, ?)"
|
|
|
|
|
).run(creator.id);
|
|
|
|
|
|
|
|
|
|
const result = findOrCreateUser(
|
|
|
|
|
{ sub: 'sub-full-invite', email: 'full-invitee@example.com', name: 'FullInvitee' },
|
|
|
|
|
MOCK_CONFIG,
|
|
|
|
|
'tok-full'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// User is still created because open registration is allowed
|
|
|
|
|
expect('user' in result).toBe(true);
|
|
|
|
|
const newUser = testDb.prepare("SELECT id FROM users WHERE email = 'full-invitee@example.com'").get();
|
|
|
|
|
expect(newUser).toBeDefined();
|
|
|
|
|
|
|
|
|
|
// Invite used_count must remain 1 (token was treated as invalid)
|
|
|
|
|
const token = testDb.prepare("SELECT used_count FROM invite_tokens WHERE token = 'tok-full'").get() as any;
|
|
|
|
|
expect(token.used_count).toBe(1);
|
|
|
|
|
});
|
|
|
|
|
});
|
test: add comprehensive coverage for OAuth scopes, MCP, and core services
Adds new and expanded test suites across client and server to cover the
OAuth 2.1 scope system, MCP session manager, collab service, unified
memories helpers, OIDC service, budget slice, and OAuth authorize page.
Also extends SonarQube coverage exclusions to include bootstrapping files
(migrations, scheduler, main.tsx, types.ts) that are not meaningfully
testable.
2026-04-11 20:07:56 +08:00
|
|
|
|
|
|
|
|
// ── exchangeCodeForToken ──────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('exchangeCodeForToken', () => {
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
vi.unstubAllGlobals();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-030: sends correct POST body and returns token data', async () => {
|
|
|
|
|
const { exchangeCodeForToken } = await import('../../../src/services/oidcService');
|
|
|
|
|
|
|
|
|
|
const mockTokenData = { access_token: 'tok', token_type: 'Bearer' };
|
|
|
|
|
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
|
|
|
|
ok: true,
|
|
|
|
|
status: 200,
|
|
|
|
|
json: async () => mockTokenData,
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const doc = { token_endpoint: 'https://oidc.example.com/token' } as any;
|
|
|
|
|
const result = await exchangeCodeForToken(doc, 'auth-code-123', 'https://app/callback', 'client-id', 'client-secret');
|
|
|
|
|
|
|
|
|
|
expect(result.access_token).toBe('tok');
|
|
|
|
|
expect(result._ok).toBe(true);
|
|
|
|
|
expect(result._status).toBe(200);
|
|
|
|
|
|
|
|
|
|
const fetchCall = (fetch as ReturnType<typeof vi.fn>).mock.calls[0];
|
|
|
|
|
expect(fetchCall[0]).toBe('https://oidc.example.com/token');
|
|
|
|
|
expect(fetchCall[1].method).toBe('POST');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-031: reflects _ok=false when provider returns error status', async () => {
|
|
|
|
|
const { exchangeCodeForToken } = await import('../../../src/services/oidcService');
|
|
|
|
|
|
|
|
|
|
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
|
|
|
|
ok: false,
|
|
|
|
|
status: 400,
|
|
|
|
|
json: async () => ({ error: 'invalid_grant' }),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const doc = { token_endpoint: 'https://oidc.example.com/token' } as any;
|
|
|
|
|
const result = await exchangeCodeForToken(doc, 'bad-code', 'https://app/callback', 'c', 's');
|
|
|
|
|
|
|
|
|
|
expect(result._ok).toBe(false);
|
|
|
|
|
expect(result._status).toBe(400);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// ── getUserInfo ───────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
describe('getUserInfo', () => {
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
vi.unstubAllGlobals();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('OIDC-SVC-032: fetches userinfo with Bearer token and returns parsed JSON', async () => {
|
|
|
|
|
const { getUserInfo } = await import('../../../src/services/oidcService');
|
|
|
|
|
|
|
|
|
|
const userInfoData = { sub: 'user-sub', email: 'user@example.com', name: 'User Name' };
|
|
|
|
|
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
|
|
|
|
json: async () => userInfoData,
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const result = await getUserInfo('https://oidc.example.com/userinfo', 'access-token-123');
|
|
|
|
|
|
|
|
|
|
expect(result.sub).toBe('user-sub');
|
|
|
|
|
expect(result.email).toBe('user@example.com');
|
|
|
|
|
|
|
|
|
|
const fetchCall = (fetch as ReturnType<typeof vi.fn>).mock.calls[0];
|
|
|
|
|
expect(fetchCall[1].headers.Authorization).toBe('Bearer access-token-123');
|
|
|
|
|
});
|
|
|
|
|
});
|