test: add end-to-end OAuth to MCP flow integration test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 09:26:25 +02:00
parent f01add3943
commit 6dcb421fb0
1 changed files with 111 additions and 0 deletions
--- a/tests/routes/oauth.test.ts
+++ b/tests/routes/oauth.test.ts
@@ -3,6 +3,7 @@ import { beforeEach, describe, expect, it } from "bun:test";
 import { Hono } from "hono";
 import { createUser } from "../../src/server/services/auth.service.ts";
 import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
+import { mcpRoutes } from "../../src/server/mcp/index.ts";
 import { createTestDb } from "../helpers/db.ts";

 function createTestApp() {
@@ -17,6 +18,19 @@ function createTestApp() {
 	return { app, db };
 }

+function createFullTestApp() {
+	const db = createTestDb();
+	const app = new Hono<{ Variables: { db?: any } }>();
+	app.use("*", async (c, next) => {
+		c.set("db", db);
+		await next();
+	});
+	app.route("/.well-known", wellKnownRoute);
+	app.route("/oauth", oauthRoutes);
+	app.route("/mcp", mcpRoutes);
+	return { app, db };
+}
+
 function generatePkce() {
 	const verifier = randomBytes(32).toString("hex");
 	const challenge = createHash("sha256").update(verifier).digest("base64url");
@@ -228,6 +242,103 @@ describe("OAuth Routes", () => {
 		});
 	});

+	describe("Full OAuth → MCP Flow", () => {
+		it("complete flow: register → authorize → token → MCP call", async () => {
+			const { app, db } = createFullTestApp();
+			await createUser(db, "admin", "secret123");
+			const { verifier, challenge } = generatePkce();
+
+			// 1. Register client
+			const regRes = await app.request("/oauth/register", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					client_name: "Claude",
+					redirect_uris: ["http://localhost/cb"],
+				}),
+			});
+			const { client_id } = await regRes.json();
+
+			// 2. Authorize (simulate form POST)
+			const authRes = await app.request(
+				`/oauth/authorize?response_type=code&client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=test`,
+				{
+					method: "POST",
+					headers: { "Content-Type": "application/x-www-form-urlencoded" },
+					body: new URLSearchParams({
+						username: "admin",
+						password: "secret123",
+						client_id,
+						redirect_uri: "http://localhost/cb",
+						code_challenge: challenge,
+						code_challenge_method: "S256",
+						state: "test",
+					}).toString(),
+				},
+			);
+			const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+			// 3. Exchange code for tokens
+			const tokenRes = await app.request("/oauth/token", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: new URLSearchParams({
+					grant_type: "authorization_code",
+					code,
+					code_verifier: verifier,
+					client_id,
+					redirect_uri: "http://localhost/cb",
+				}).toString(),
+			});
+			const { access_token } = await tokenRes.json();
+
+			// 4. Use token to call MCP
+			const mcpRes = await app.request("/mcp", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Accept: "application/json, text/event-stream",
+					Authorization: `Bearer ${access_token}`,
+				},
+				body: JSON.stringify({
+					jsonrpc: "2.0",
+					method: "initialize",
+					params: {
+						protocolVersion: "2025-03-26",
+						capabilities: {},
+						clientInfo: { name: "test", version: "1.0" },
+					},
+					id: 1,
+				}),
+			});
+
+			expect(mcpRes.status).toBe(200);
+		});
+
+		it("rejects MCP call without auth when user exists", async () => {
+			const { app, db } = createFullTestApp();
+			await createUser(db, "admin", "secret123");
+
+			const mcpRes = await app.request("/mcp", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					jsonrpc: "2.0",
+					method: "initialize",
+					params: {
+						protocolVersion: "2025-03-26",
+						capabilities: {},
+						clientInfo: { name: "test", version: "1.0" },
+					},
+					id: 1,
+				}),
+			});
+
+			expect(mcpRes.status).toBe(401);
+			expect(mcpRes.headers.get("www-authenticate")).toContain("Bearer");
+		});
+	});
+
 	describe("Token refresh", () => {
 		it("exchanges refresh token for new tokens", async () => {
 			// Full flow to get initial tokens