feat: add OAuth 2.1 endpoints (register, authorize, token)

Add well-known metadata, dynamic client registration, authorization flow with PKCE, and token exchange/refresh endpoints with route-level integration tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:22:58 +02:00
parent 7309c080df
commit 1fad25726d
3 changed files with 573 additions and 0 deletions
--- a/tests/routes/oauth.test.ts
+++ b/tests/routes/oauth.test.ts
@@ -0,0 +1,303 @@
+import { createHash, randomBytes } from "node:crypto";
+import { beforeEach, describe, expect, it } from "bun:test";
+import { Hono } from "hono";
+import { createUser } from "../../src/server/services/auth.service.ts";
+import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
+import { createTestDb } from "../helpers/db.ts";
+
+function createTestApp() {
+	const db = createTestDb();
+	const app = new Hono<{ Variables: { db?: any } }>();
+	app.use("*", async (c, next) => {
+		c.set("db", db);
+		await next();
+	});
+	app.route("/.well-known", wellKnownRoute);
+	app.route("/oauth", oauthRoutes);
+	return { app, db };
+}
+
+function generatePkce() {
+	const verifier = randomBytes(32).toString("hex");
+	const challenge = createHash("sha256").update(verifier).digest("base64url");
+	return { verifier, challenge };
+}
+
+describe("OAuth Routes", () => {
+	let app: Hono;
+	let db: ReturnType<typeof createTestDb>;
+
+	beforeEach(async () => {
+		const testApp = createTestApp();
+		app = testApp.app;
+		db = testApp.db;
+		await createUser(db, "admin", "secret123");
+	});
+
+	describe("GET /.well-known/oauth-authorization-server", () => {
+		it("returns 200 with correct metadata fields", async () => {
+			const res = await app.request("/.well-known/oauth-authorization-server");
+			expect(res.status).toBe(200);
+
+			const body = await res.json();
+			expect(body.issuer).toBeDefined();
+			expect(body.authorization_endpoint).toContain("/oauth/authorize");
+			expect(body.token_endpoint).toContain("/oauth/token");
+			expect(body.registration_endpoint).toContain("/oauth/register");
+			expect(body.response_types_supported).toEqual(["code"]);
+			expect(body.grant_types_supported).toEqual(["authorization_code", "refresh_token"]);
+			expect(body.code_challenge_methods_supported).toEqual(["S256"]);
+			expect(body.token_endpoint_auth_methods_supported).toEqual(["none"]);
+		});
+	});
+
+	describe("POST /oauth/register", () => {
+		it("returns 201 with client_id, client_name, redirect_uris", async () => {
+			const res = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Test Client",
+					redirect_uris: ["http://localhost:3000/callback"],
+				}),
+			});
+
+			expect(res.status).toBe(201);
+			const body = await res.json();
+			expect(body.client_id).toBeDefined();
+			expect(body.client_name).toBe("Test Client");
+			expect(body.redirect_uris).toEqual(["http://localhost:3000/callback"]);
+		});
+
+		it("returns 400 without redirect_uris", async () => {
+			const res = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ client_name: "Test Client" }),
+			});
+
+			expect(res.status).toBe(400);
+		});
+	});
+
+	describe("GET /oauth/authorize", () => {
+		it("returns 200 HTML with form when params are valid", async () => {
+			// Register a client first
+			const regRes = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Test Client",
+					redirect_uris: ["http://localhost:3000/callback"],
+				}),
+			});
+			const { client_id } = await regRes.json();
+			const { challenge } = generatePkce();
+
+			const params = new URLSearchParams({
+				response_type: "code",
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: "abc123",
+			});
+
+			const res = await app.request(`/oauth/authorize?${params}`);
+			expect(res.status).toBe(200);
+
+			const html = await res.text();
+			expect(html).toContain("GearBox");
+			expect(html).toContain("password");
+			expect(html).toContain("Test Client");
+		});
+
+		it("returns 400 with invalid client_id", async () => {
+			const { challenge } = generatePkce();
+			const params = new URLSearchParams({
+				response_type: "code",
+				client_id: "nonexistent",
+				redirect_uri: "http://localhost:3000/callback",
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: "abc123",
+			});
+
+			const res = await app.request(`/oauth/authorize?${params}`);
+			expect(res.status).toBe(400);
+		});
+	});
+
+	describe("POST /oauth/authorize", () => {
+		it("returns 200 HTML with error on wrong password", async () => {
+			// Register a client
+			const regRes = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Test Client",
+					redirect_uris: ["http://localhost:3000/callback"],
+				}),
+			});
+			const { client_id } = await regRes.json();
+			const { challenge } = generatePkce();
+
+			const formBody = new URLSearchParams({
+				username: "admin",
+				password: "wrongpassword",
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: "abc123",
+			});
+
+			const res = await app.request("/oauth/authorize", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: formBody.toString(),
+			});
+
+			expect(res.status).toBe(200);
+			const html = await res.text();
+			expect(html).toContain("Invalid");
+		});
+	});
+
+	describe("Full OAuth flow", () => {
+		it("register → authorize → token exchange", async () => {
+			// 1. Register client
+			const regRes = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Test Client",
+					redirect_uris: ["http://localhost:3000/callback"],
+				}),
+			});
+			const { client_id } = await regRes.json();
+			const { verifier, challenge } = generatePkce();
+
+			// 2. POST /oauth/authorize with correct credentials
+			const formBody = new URLSearchParams({
+				username: "admin",
+				password: "secret123",
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: "mystate",
+			});
+
+			const authRes = await app.request("/oauth/authorize", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: formBody.toString(),
+				redirect: "manual",
+			});
+
+			expect(authRes.status).toBe(302);
+			const location = authRes.headers.get("location")!;
+			expect(location).toContain("code=");
+			expect(location).toContain("state=mystate");
+
+			const redirectUrl = new URL(location);
+			const code = redirectUrl.searchParams.get("code")!;
+
+			// 3. Exchange code for tokens
+			const tokenBody = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				code_verifier: verifier,
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+			});
+
+			const tokenRes = await app.request("/oauth/token", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: tokenBody.toString(),
+			});
+
+			expect(tokenRes.status).toBe(200);
+			const tokens = await tokenRes.json();
+			expect(tokens.access_token).toBeDefined();
+			expect(tokens.refresh_token).toBeDefined();
+			expect(tokens.token_type).toBe("Bearer");
+			expect(tokens.expires_in).toBe(3600);
+		});
+	});
+
+	describe("Token refresh", () => {
+		it("exchanges refresh token for new tokens", async () => {
+			// Full flow to get initial tokens
+			const regRes = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Test Client",
+					redirect_uris: ["http://localhost:3000/callback"],
+				}),
+			});
+			const { client_id } = await regRes.json();
+			const { verifier, challenge } = generatePkce();
+
+			const formBody = new URLSearchParams({
+				username: "admin",
+				password: "secret123",
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: "s",
+			});
+
+			const authRes = await app.request("/oauth/authorize", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: formBody.toString(),
+				redirect: "manual",
+			});
+
+			const location = authRes.headers.get("location")!;
+			const code = new URL(location).searchParams.get("code")!;
+
+			const tokenBody = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				code_verifier: verifier,
+				client_id,
+				redirect_uri: "http://localhost:3000/callback",
+			});
+
+			const tokenRes = await app.request("/oauth/token", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: tokenBody.toString(),
+			});
+			const tokens = await tokenRes.json();
+
+			// Now refresh
+			const refreshBody = new URLSearchParams({
+				grant_type: "refresh_token",
+				refresh_token: tokens.refresh_token,
+				client_id,
+			});
+
+			const refreshRes = await app.request("/oauth/token", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: refreshBody.toString(),
+			});
+
+			expect(refreshRes.status).toBe(200);
+			const newTokens = await refreshRes.json();
+			expect(newTokens.access_token).toBeDefined();
+			expect(newTokens.refresh_token).toBeDefined();
+			expect(newTokens.token_type).toBe("Bearer");
+			expect(newTokens.expires_in).toBe(3600);
+			// Should be different tokens
+			expect(newTokens.access_token).not.toBe(tokens.access_token);
+		});
+	});
+});