Trek_CN/server/tests/integration
jubnl 7c0a0d5f39
security(oauth): harden OAuth 2.1/MCP implementation (Critical + High + Medium findings)
Address 14 security findings from internal review of the OAuth 2.1 + MCP layer:

Critical:
- C1: Scope-gate all MCP resources (trips, budget, packing, collab, atlas, vacay, etc.)
- C2: Wire token/session revocation into active MCP session lifecycle per (user, client_id)
- C3: Refresh-token replay detection via parent_token_id chain + cascade revoke on replay

High:
- H1: Validate PKCE code_challenge (43-char base64url) and code_verifier (43–128 chars) format
- H2: Rate-limit /oauth/token (30/min), /authorize/validate (30/min), /oauth/revoke (10/min)
- H3: Strip client metadata from unauthenticated /authorize/validate responses (oracle prevention)
- H4: Constant-time secret comparison via crypto.timingSafeEqual (prevents timing attacks)
- H5: Collapse all invalid_grant cases to a single generic message; log specifics server-side

Medium:
- M1: Set Cache-Control: no-store + Pragma: no-cache on token endpoint responses
- M2: Return 404 (not 200/403) on discovery + revoke endpoints when MCP addon is disabled
- M4: Audit-log all OAuth lifecycle events (create, consent, issue, refresh, revoke, replay)
- M5: Union consent scopes on re-authorization instead of replacing existing grants
- M7: Require httpOnly cookie auth (not Bearer JWT) on all state-mutating OAuth endpoints
- M8: Strict Bearer scheme check in MCP token verification

Refactoring:
- Extract MCP session management (sessions Map, revokeUserSessions, revokeUserSessionsForClient)
  into mcp/sessionManager.ts to break the circular dependency between oauthService and mcp/index
- Extract verifyJwtAndLoadUser helper in auth middleware, shared by authenticate and new
  requireCookieAuth middleware

Tests:
- Fix all existing integration tests broken by the security hardening (OAUTH-019 to OAUTH-032)
- Add 13 new integration tests covering M1, M2, H1, H3, H5, M5, M7, C3
- Add 14 new unit tests covering C2, C3, H1, H3, M5 behaviors in oauthService
2026-04-10 02:03:27 +02:00
..
admin.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
assignments.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
atlas.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
auth.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
backup.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
budget.test.ts test(mcp): add tests for OAuth 2.1, addon gating, and budget reorder 2026-04-09 23:12:59 +02:00
categories.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
collab.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
dayNotes.test.ts Add comprehensive backend test suite (#339) 2026-04-03 13:17:53 +02:00
days.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
files.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
immich.test.ts refactor(server): replace node-fetch with native fetch + undici, fix photo integrations 2026-04-05 21:12:51 +02:00
maps.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
mcp.test.ts refactor(mcp): replace direct DB access with service layer calls 2026-04-04 18:12:53 +02:00
memories-immich.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
memories-synology.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
memories-unified.test.ts refactor(server): replace node-fetch with native fetch + undici, fix photo integrations 2026-04-05 21:12:51 +02:00
misc.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
notifications.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
oauth.test.ts security(oauth): harden OAuth 2.1/MCP implementation (Critical + High + Medium findings) 2026-04-10 02:03:27 +02:00
oidc.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
packing.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
places.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
profile.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
reservations.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
security.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
settings.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
share.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
tags.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
todo.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
trips.test.ts test: apply suite review improvements (01–11) 2026-04-06 20:08:13 +02:00
vacay.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
weather.test.ts test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00