test: add end-to-end OAuth to MCP flow integration test
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@ import { beforeEach, describe, expect, it } from "bun:test";
|
|||||||
import { Hono } from "hono";
|
import { Hono } from "hono";
|
||||||
import { createUser } from "../../src/server/services/auth.service.ts";
|
import { createUser } from "../../src/server/services/auth.service.ts";
|
||||||
import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
|
import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
|
||||||
|
import { mcpRoutes } from "../../src/server/mcp/index.ts";
|
||||||
import { createTestDb } from "../helpers/db.ts";
|
import { createTestDb } from "../helpers/db.ts";
|
||||||
|
|
||||||
function createTestApp() {
|
function createTestApp() {
|
||||||
@@ -17,6 +18,19 @@ function createTestApp() {
|
|||||||
return { app, db };
|
return { app, db };
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function createFullTestApp() {
|
||||||
|
const db = createTestDb();
|
||||||
|
const app = new Hono<{ Variables: { db?: any } }>();
|
||||||
|
app.use("*", async (c, next) => {
|
||||||
|
c.set("db", db);
|
||||||
|
await next();
|
||||||
|
});
|
||||||
|
app.route("/.well-known", wellKnownRoute);
|
||||||
|
app.route("/oauth", oauthRoutes);
|
||||||
|
app.route("/mcp", mcpRoutes);
|
||||||
|
return { app, db };
|
||||||
|
}
|
||||||
|
|
||||||
function generatePkce() {
|
function generatePkce() {
|
||||||
const verifier = randomBytes(32).toString("hex");
|
const verifier = randomBytes(32).toString("hex");
|
||||||
const challenge = createHash("sha256").update(verifier).digest("base64url");
|
const challenge = createHash("sha256").update(verifier).digest("base64url");
|
||||||
@@ -228,6 +242,103 @@ describe("OAuth Routes", () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe("Full OAuth → MCP Flow", () => {
|
||||||
|
it("complete flow: register → authorize → token → MCP call", async () => {
|
||||||
|
const { app, db } = createFullTestApp();
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
const { verifier, challenge } = generatePkce();
|
||||||
|
|
||||||
|
// 1. Register client
|
||||||
|
const regRes = await app.request("/oauth/register", {
|
||||||
|
method: "POST",
|
||||||
|
headers: { "Content-Type": "application/json" },
|
||||||
|
body: JSON.stringify({
|
||||||
|
client_name: "Claude",
|
||||||
|
redirect_uris: ["http://localhost/cb"],
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
const { client_id } = await regRes.json();
|
||||||
|
|
||||||
|
// 2. Authorize (simulate form POST)
|
||||||
|
const authRes = await app.request(
|
||||||
|
`/oauth/authorize?response_type=code&client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=test`,
|
||||||
|
{
|
||||||
|
method: "POST",
|
||||||
|
headers: { "Content-Type": "application/x-www-form-urlencoded" },
|
||||||
|
body: new URLSearchParams({
|
||||||
|
username: "admin",
|
||||||
|
password: "secret123",
|
||||||
|
client_id,
|
||||||
|
redirect_uri: "http://localhost/cb",
|
||||||
|
code_challenge: challenge,
|
||||||
|
code_challenge_method: "S256",
|
||||||
|
state: "test",
|
||||||
|
}).toString(),
|
||||||
|
},
|
||||||
|
);
|
||||||
|
const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
|
||||||
|
|
||||||
|
// 3. Exchange code for tokens
|
||||||
|
const tokenRes = await app.request("/oauth/token", {
|
||||||
|
method: "POST",
|
||||||
|
headers: { "Content-Type": "application/x-www-form-urlencoded" },
|
||||||
|
body: new URLSearchParams({
|
||||||
|
grant_type: "authorization_code",
|
||||||
|
code,
|
||||||
|
code_verifier: verifier,
|
||||||
|
client_id,
|
||||||
|
redirect_uri: "http://localhost/cb",
|
||||||
|
}).toString(),
|
||||||
|
});
|
||||||
|
const { access_token } = await tokenRes.json();
|
||||||
|
|
||||||
|
// 4. Use token to call MCP
|
||||||
|
const mcpRes = await app.request("/mcp", {
|
||||||
|
method: "POST",
|
||||||
|
headers: {
|
||||||
|
"Content-Type": "application/json",
|
||||||
|
Accept: "application/json, text/event-stream",
|
||||||
|
Authorization: `Bearer ${access_token}`,
|
||||||
|
},
|
||||||
|
body: JSON.stringify({
|
||||||
|
jsonrpc: "2.0",
|
||||||
|
method: "initialize",
|
||||||
|
params: {
|
||||||
|
protocolVersion: "2025-03-26",
|
||||||
|
capabilities: {},
|
||||||
|
clientInfo: { name: "test", version: "1.0" },
|
||||||
|
},
|
||||||
|
id: 1,
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
|
||||||
|
expect(mcpRes.status).toBe(200);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("rejects MCP call without auth when user exists", async () => {
|
||||||
|
const { app, db } = createFullTestApp();
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
|
||||||
|
const mcpRes = await app.request("/mcp", {
|
||||||
|
method: "POST",
|
||||||
|
headers: { "Content-Type": "application/json" },
|
||||||
|
body: JSON.stringify({
|
||||||
|
jsonrpc: "2.0",
|
||||||
|
method: "initialize",
|
||||||
|
params: {
|
||||||
|
protocolVersion: "2025-03-26",
|
||||||
|
capabilities: {},
|
||||||
|
clientInfo: { name: "test", version: "1.0" },
|
||||||
|
},
|
||||||
|
id: 1,
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
|
||||||
|
expect(mcpRes.status).toBe(401);
|
||||||
|
expect(mcpRes.headers.get("www-authenticate")).toContain("Bearer");
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
describe("Token refresh", () => {
|
describe("Token refresh", () => {
|
||||||
it("exchanges refresh token for new tokens", async () => {
|
it("exchanges refresh token for new tokens", async () => {
|
||||||
// Full flow to get initial tokens
|
// Full flow to get initial tokens
|
||||||
|
|||||||
Reference in New Issue
Block a user