makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

Merge branch 'worktree-agent-ad8081f0' into Develop

Browse Source 
# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/STATE.md
#	tests/mcp/tools.test.ts
#	tests/routes/auth.test.ts
#	tests/routes/categories.test.ts
#	tests/routes/items.test.ts
#	tests/routes/oauth.test.ts
#	tests/routes/params.test.ts
#	tests/routes/setups.test.ts
#	tests/routes/threads.test.ts
This commit is contained in:
Jean-Luc Makiola
2026-04-05 11:33:13 +02:00
parent fc74bbceba f3ac9d1327
commit 98aed09d11
12 changed files with 473 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
tests/mcp/tools.test.ts
View File

@@ -4,7 +4,7 @@ import { registerCategoryTools } from "../../src/server/mcp/tools/categories.ts"
import { registerItemTools } from "../../src/server/mcp/tools/items.ts";
import { registerSetupTools } from "../../src/server/mcp/tools/setups.ts";
import { registerThreadTools } from "../../src/server/mcp/tools/threads.ts";
import { createTestDb } from "../helpers/db.ts";
import { createSecondTestUser, createTestDb } from "../helpers/db.ts";
function parseResult(result: {
content: Array<{ type: string; text: string }>;
@@ -14,16 +14,16 @@ function parseResult(result: {
describe("MCP Item Tools", () => {
test("list_items returns array", async () => {
const db = await createTestDb();
const tools = registerItemTools(db);
const { db, userId } = createTestDb();
const tools = registerItemTools(db, userId);
const result = await tools.list_items({});
const data = parseResult(result);
expect(Array.isArray(data)).toBe(true);
});
test("create_item creates and returns item", async () => {
const db = await createTestDb();
const tools = registerItemTools(db);
const { db, userId } = createTestDb();
const tools = registerItemTools(db, userId);
const result = await tools.create_item({
name: "Test Tent",
categoryId: 1,
@@ -38,8 +38,8 @@ describe("MCP Item Tools", () => {
});
test("get_item retrieves by ID", async () => {
const db = await createTestDb();
const tools = registerItemTools(db);
const { db, userId } = createTestDb();
const tools = registerItemTools(db, userId);
const created = parseResult(
await tools.create_item({ name: "Sleeping Bag", categoryId: 1 }),
);
@@ -50,16 +50,16 @@ describe("MCP Item Tools", () => {
});
test("get_item returns error for missing item", async () => {
const db = await createTestDb();
const tools = registerItemTools(db);
const { db, userId } = createTestDb();
const tools = registerItemTools(db, userId);
const result = await tools.get_item({ id: 999 });
const data = parseResult(result);
expect(data.error).toContain("not found");
});
test("delete_item removes item", async () => {
const db = await createTestDb();
const tools = registerItemTools(db);
const { db, userId } = createTestDb();
const tools = registerItemTools(db, userId);
const created = parseResult(
await tools.create_item({ name: "To Delete", categoryId: 1 }),
);
@@ -76,8 +76,8 @@ describe("MCP Item Tools", () => {
describe("MCP Category Tools", () => {
test("list_categories returns array with Uncategorized", async () => {
const db = await createTestDb();
const tools = registerCategoryTools(db);
const { db, userId } = createTestDb();
const tools = registerCategoryTools(db, userId);
const result = await tools.list_categories();
const data = parseResult(result);
expect(Array.isArray(data)).toBe(true);
@@ -86,8 +86,8 @@ describe("MCP Category Tools", () => {
});
test("create_category creates a new category", async () => {
const db = await createTestDb();
const tools = registerCategoryTools(db);
const { db, userId } = createTestDb();
const tools = registerCategoryTools(db, userId);
const result = await tools.create_category({
name: "Shelter",
icon: "tent",
@@ -100,8 +100,8 @@ describe("MCP Category Tools", () => {
describe("MCP Thread Tools", () => {
test("create_thread starts a thread with status active", async () => {
const db = await createTestDb();
const tools = registerThreadTools(db);
const { db, userId } = createTestDb();
const tools = registerThreadTools(db, userId);
const result = await tools.create_thread({
name: "Handlebar Bag",
categoryId: 1,
@@ -112,8 +112,8 @@ describe("MCP Thread Tools", () => {
});
test("add_candidate adds to thread", async () => {
const db = await createTestDb();
const tools = registerThreadTools(db);
const { db, userId } = createTestDb();
const tools = registerThreadTools(db, userId);
const thread = parseResult(
await tools.create_thread({ name: "Saddle Bag", categoryId: 1 }),
);
@@ -132,9 +132,9 @@ describe("MCP Thread Tools", () => {
});
test("resolve_thread picks winner and creates item", async () => {
const db = await createTestDb();
const threadTools = registerThreadTools(db);
const itemTools = registerItemTools(db);
const { db, userId } = createTestDb();
const threadTools = registerThreadTools(db, userId);
const itemTools = registerItemTools(db, userId);
// Create thread with two candidates
const thread = parseResult(
@@ -179,8 +179,8 @@ describe("MCP Thread Tools", () => {
describe("MCP Setup Tools", () => {
test("create_setup and list_setups", async () => {
const db = await createTestDb();
const tools = registerSetupTools(db);
const { db, userId } = createTestDb();
const tools = registerSetupTools(db, userId);
await tools.create_setup({ name: "Weekend Trip" });
const result = await tools.list_setups();
const data = parseResult(result);
@@ -189,9 +189,9 @@ describe("MCP Setup Tools", () => {
});
test("get_setup returns setup with items", async () => {
const db = await createTestDb();
const setupTools = registerSetupTools(db);
const itemTools = registerItemTools(db);
const { db, userId } = createTestDb();
const setupTools = registerSetupTools(db, userId);
const itemTools = registerItemTools(db, userId);
const setup = parseResult(
await setupTools.create_setup({ name: "Overnighter" }),
@@ -210,10 +210,10 @@ describe("MCP Setup Tools", () => {
});
describe("MCP Collection Summary Resource", () => {
test("returns overview with correct counts", async () => {
const db = await createTestDb();
test("returns overview with correct counts", () => {
const { db, userId } = createTestDb();
const summary = await getCollectionSummary(db);
const summary = getCollectionSummary(db, userId);
expect(summary.overview).toBeDefined();
expect(summary.overview.totalItems).toBe(0);
expect(summary.overview.categoryCount).toBe(1); // Uncategorized
@@ -223,9 +223,9 @@ describe("MCP Collection Summary Resource", () => {
});
test("reflects items and threads after creation", async () => {
const db = await createTestDb();
const itemTools = registerItemTools(db);
const threadTools = registerThreadTools(db);
const { db, userId } = createTestDb();
const itemTools = registerItemTools(db, userId);
const threadTools = registerThreadTools(db, userId);
await itemTools.create_item({
name: "Tent",
@@ -242,7 +242,7 @@ describe("MCP Collection Summary Resource", () => {
categoryId: 1,
});
const summary = await getCollectionSummary(db);
const summary = getCollectionSummary(db, userId);
expect(summary.overview.totalItems).toBe(2);
expect(summary.overview.totalWeightGrams).toBe(2000);
expect(summary.overview.activeThreadCount).toBe(1);
@@ -251,3 +251,98 @@ describe("MCP Collection Summary Resource", () => {
expect(summary.activeThreads[0].name).toBe("Cook System");
});
});
describe("MCP Cross-User Isolation", () => {
test("user 2 cannot see user 1's items via MCP tools", async () => {
const { db, userId } = createTestDb();
const userId2 = createSecondTestUser(db);
const user1Tools = registerItemTools(db, userId);
const user2Tools = registerItemTools(db, userId2);
// User 1 creates an item
await user1Tools.create_item({
name: "User 1 Tent",
categoryId: 1,
weightGrams: 1200,
});
// User 2 creates an item
await user2Tools.create_item({
name: "User 2 Sleeping Bag",
categoryId: 1,
weightGrams: 800,
});
// Each user only sees their own items
const user1Items = parseResult(await user1Tools.list_items({}));
const user2Items = parseResult(await user2Tools.list_items({}));
expect(user1Items).toHaveLength(1);
expect(user1Items[0].name).toBe("User 1 Tent");
expect(user2Items).toHaveLength(1);
expect(user2Items[0].name).toBe("User 2 Sleeping Bag");
});
test("user 2 cannot access user 1's item by ID", async () => {
const { db, userId } = createTestDb();
const userId2 = createSecondTestUser(db);
const user1Tools = registerItemTools(db, userId);
const user2Tools = registerItemTools(db, userId2);
const created = parseResult(
await user1Tools.create_item({
name: "Private Item",
categoryId: 1,
}),
);
// User 2 tries to get user 1's item
const result = await user2Tools.get_item({ id: created.id });
const data = parseResult(result);
expect(data.error).toContain("not found");
});
test("user 2 cannot see user 1's threads via MCP tools", async () => {
const { db, userId } = createTestDb();
const userId2 = createSecondTestUser(db);
const user1Tools = registerThreadTools(db, userId);
const user2Tools = registerThreadTools(db, userId2);
await user1Tools.create_thread({
name: "User 1 Thread",
categoryId: 1,
});
const user1Threads = parseResult(
await user1Tools.list_threads({ includeResolved: false }),
);
const user2Threads = parseResult(
await user2Tools.list_threads({ includeResolved: false }),
);
expect(user1Threads).toHaveLength(1);
expect(user1Threads[0].name).toBe("User 1 Thread");
expect(user2Threads).toHaveLength(0);
});
test("collection summary is scoped to user", async () => {
const { db, userId } = createTestDb();
const userId2 = createSecondTestUser(db);
const user1Tools = registerItemTools(db, userId);
await user1Tools.create_item({
name: "User 1 Item",
categoryId: 1,
weightGrams: 500,
});
const user1Summary = getCollectionSummary(db, userId);
const user2Summary = getCollectionSummary(db, userId2);
expect(user1Summary.overview.totalItems).toBe(1);
expect(user2Summary.overview.totalItems).toBe(0);
});
});

192
tests/routes/auth.test.ts
View File

@@ -1,139 +1,129 @@
import { beforeEach, describe, expect, it, mock } from "bun:test";
import { beforeEach, describe, expect, it } from "bun:test";
import { Hono } from "hono";
import { createApiKey } from "../../src/server/services/auth.service.ts";
import { authRoutes } from "../../src/server/routes/auth.ts";
import { createTestDb } from "../helpers/db.ts";
// Mock @hono/oidc-auth
const mockGetAuth = mock(() => null as any);
mock.module("@hono/oidc-auth", () => ({
getAuth: mockGetAuth,
oidcAuthMiddleware: () => async (_c: any, next: any) => next(),
processOAuthCallback: async (c: any) => c.json({ ok: true }),
revokeSession: async () => {},
}));
// Mock verifyAccessToken from oauth.service
mock.module("../../src/server/services/oauth.service", () => ({
verifyAccessToken: mock(() => Promise.resolve(false)),
}));
// Import routes AFTER mocks
const { authRoutes } = await import("../../src/server/routes/auth.ts");
async function createTestApp() {
const db = await createTestDb();
const app = new Hono<{ Variables: { db?: any } }>();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono<{ Variables: { db?: any; userId?: number } }>();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/auth", authRoutes);
return { app, db };
return { app, db, userId };
}
describe("Auth Routes", () => {
let app: Hono;
let db: Awaited<ReturnType<typeof createTestDb>>;
beforeEach(async () => {
const testApp = await createTestApp();
beforeEach(() => {
const testApp = createTestApp();
app = testApp.app;
db = testApp.db;
mockGetAuth.mockReset();
mockGetAuth.mockReturnValue(null);
});
describe("GET /api/auth/me", () => {
it("returns authenticated false when no OIDC session", async () => {
it("returns null user and setupRequired true when no users exist", async () => {
const res = await app.request("/api/auth/me");
expect(res.status).toBe(200);
const body = await res.json();
expect(body.user).toBeNull();
expect(body.authenticated).toBe(false);
});
it("returns user info when OIDC session exists", async () => {
mockGetAuth.mockReturnValue({
sub: "logto-user-abc123",
email: "user@example.com",
});
const res = await app.request("/api/auth/me");
expect(res.status).toBe(200);
const body = await res.json();
expect(body.authenticated).toBe(true);
expect(body.user.id).toBe("logto-user-abc123");
expect(body.user.email).toBe("user@example.com");
expect(body.setupRequired).toBe(true);
});
});
describe("GET /api/auth/keys", () => {
it("returns 401 without authentication", async () => {
const res = await app.request("/api/auth/keys");
expect(res.status).toBe(401);
});
it("returns empty key list with API key auth", async () => {
const key = await createApiKey(db, "test-key");
const res = await app.request("/api/auth/keys", {
headers: { "X-API-Key": key.rawKey },
});
expect(res.status).toBe(200);
const body = await res.json();
// Contains at least the key we created for auth
expect(Array.isArray(body)).toBe(true);
expect(body.length).toBeGreaterThanOrEqual(1);
});
});
describe("POST /api/auth/keys", () => {
it("creates a new API key when authenticated", async () => {
const authKey = await createApiKey(db, "auth-key");
const res = await app.request("/api/auth/keys", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-API-Key": authKey.rawKey,
},
body: JSON.stringify({ name: "my-new-key" }),
});
expect(res.status).toBe(201);
const body = await res.json();
expect(body.name).toBe("my-new-key");
expect(body.key).toBeDefined();
expect(body.prefix).toBeDefined();
});
it("rejects without auth", async () => {
const res = await app.request("/api/auth/keys", {
describe("POST /api/auth/setup", () => {
it("creates first user and returns 201", async () => {
const res = await app.request("/api/auth/setup", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ name: "my-key" }),
body: JSON.stringify({ username: "admin", password: "secret123" }),
});
expect(res.status).toBe(201);
const body = await res.json();
expect(body.username).toBe("admin");
// Should set a session cookie
const setCookie = res.headers.get("set-cookie");
expect(setCookie).toContain("gearbox_session");
});
it("rejects second setup attempt with 403", async () => {
// First setup
await app.request("/api/auth/setup", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "admin", password: "secret123" }),
});
// Second attempt
const res = await app.request("/api/auth/setup", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "other", password: "secret456" }),
});
expect(res.status).toBe(403);
});
it("rejects password shorter than 6 characters", async () => {
const res = await app.request("/api/auth/setup", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "admin", password: "short" }),
});
expect(res.status).toBe(400);
});
});
describe("POST /api/auth/login", () => {
beforeEach(async () => {
// Create a user first
await app.request("/api/auth/setup", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "admin", password: "secret123" }),
});
});
it("returns session cookie on valid login", async () => {
const res = await app.request("/api/auth/login", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "admin", password: "secret123" }),
});
expect(res.status).toBe(200);
const body = await res.json();
expect(body.username).toBe("admin");
const setCookie = res.headers.get("set-cookie");
expect(setCookie).toContain("gearbox_session");
});
it("rejects invalid credentials with 401", async () => {
const res = await app.request("/api/auth/login", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: "admin", password: "wrongpassword" }),
});
expect(res.status).toBe(401);
});
});
describe("DELETE /api/auth/keys/:id", () => {
it("deletes an API key when authenticated", async () => {
const authKey = await createApiKey(db, "auth-key");
const targetKey = await createApiKey(db, "to-delete");
const res = await app.request(`/api/auth/keys/${targetKey.id}`, {
method: "DELETE",
headers: { "X-API-Key": authKey.rawKey },
describe("POST /api/auth/logout", () => {
it("clears session cookie", async () => {
const res = await app.request("/api/auth/logout", {
method: "POST",
});
expect(res.status).toBe(200);
const body = await res.json();
expect(body.ok).toBe(true);
});
it("rejects without auth", async () => {
const res = await app.request("/api/auth/keys/1", {
method: "DELETE",
});
expect(res.status).toBe(401);
});
});
});

13
tests/routes/categories.test.ts
View File

@@ -4,26 +4,27 @@ import { categoryRoutes } from "../../src/server/routes/categories.ts";
import { itemRoutes } from "../../src/server/routes/items.ts";
import { createTestDb } from "../helpers/db.ts";
async function createTestApp() {
const db = await createTestDb();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono();
// Inject test DB into context for all routes
// Inject test DB and userId into context for all routes
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/categories", categoryRoutes);
app.route("/api/items", itemRoutes);
return { app, db };
return { app, db, userId };
}
describe("Category Routes", () => {
let app: Hono;
beforeEach(async () => {
const testApp = await createTestApp();
beforeEach(() => {
const testApp = createTestApp();
app = testApp.app;
});

7
tests/routes/images.test.ts
View File

@@ -1,8 +1,15 @@
import { describe, expect, test } from "bun:test";
import { Hono } from "hono";
import { imageRoutes } from "../../src/server/routes/images";
import { createTestDb } from "../helpers/db.ts";
const { db, userId } = createTestDb();
const app = new Hono();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/images", imageRoutes);
describe("POST /api/images/from-url", () => {

13
tests/routes/items.test.ts
View File

@@ -4,26 +4,27 @@ import { categoryRoutes } from "../../src/server/routes/categories.ts";
import { itemRoutes } from "../../src/server/routes/items.ts";
import { createTestDb } from "../helpers/db.ts";
async function createTestApp() {
const db = await createTestDb();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono();
// Inject test DB into context for all routes
// Inject test DB and userId into context for all routes
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/items", itemRoutes);
app.route("/api/categories", categoryRoutes);
return { app, db };
return { app, db, userId };
}
describe("Item Routes", () => {
let app: Hono;
beforeEach(async () => {
const testApp = await createTestApp();
beforeEach(() => {
const testApp = createTestApp();
app = testApp.app;
});

170
tests/routes/oauth.test.ts
View File

@@ -1,43 +1,36 @@
import { beforeEach, describe, expect, it, mock } from "bun:test";
import { beforeEach, describe, expect, it } from "bun:test";
import { createHash, randomBytes } from "node:crypto";
import { Hono } from "hono";
import { mcpRoutes } from "../../src/server/mcp/index.ts";
import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
import { createApiKey } from "../../src/server/services/auth.service.ts";
import { createUser } from "../../src/server/services/auth.service.ts";
import { createTestDb } from "../helpers/db.ts";
// Mock @hono/oidc-auth — must be before importing routes
const mockGetAuth = mock(() => null as any);
mock.module("@hono/oidc-auth", () => ({
getAuth: mockGetAuth,
oidcAuthMiddleware: () => async (_c: any, next: any) => next(),
processOAuthCallback: async (c: any) => c.json({ ok: true }),
revokeSession: async () => {},
}));
async function createTestApp() {
const db = await createTestDb();
const app = new Hono<{ Variables: { db?: any } }>();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono<{ Variables: { db?: any; userId?: number } }>();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/.well-known", wellKnownRoute);
app.route("/oauth", oauthRoutes);
return { app, db };
return { app, db, userId };
}
async function createFullTestApp() {
const db = await createTestDb();
const app = new Hono<{ Variables: { db?: any } }>();
function createFullTestApp() {
const { db, userId } = createTestDb();
const app = new Hono<{ Variables: { db?: any; userId?: number } }>();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/.well-known", wellKnownRoute);
app.route("/oauth", oauthRoutes);
app.route("/mcp", mcpRoutes);
return { app, db };
return { app, db, userId };
}
function generatePkce() {
@@ -48,15 +41,13 @@ function generatePkce() {
describe("OAuth Routes", () => {
let app: Hono;
let db: any;
let db: ReturnType<typeof createTestDb>["db"];
beforeEach(async () => {
const testApp = await createTestApp();
const testApp = createTestApp();
app = testApp.app;
db = testApp.db;
mockGetAuth.mockReset();
// Default: user is authenticated via OIDC
mockGetAuth.mockReturnValue({ sub: "user-123", email: "admin@example.com" });
await createUser(db, "admin", "secret123");
});
describe("GET /.well-known/oauth-authorization-server", () => {
@@ -109,7 +100,7 @@ describe("OAuth Routes", () => {
});
describe("GET /oauth/authorize", () => {
it("returns 200 HTML with consent form when OIDC session exists", async () => {
it("returns 200 HTML with form when params are valid", async () => {
// Register a client first
const regRes = await app.request("/oauth/register", {
method: "POST",
@@ -136,41 +127,10 @@ describe("OAuth Routes", () => {
const html = await res.text();
expect(html).toContain("GearBox");
expect(html).toContain("Authorize");
expect(html).toContain("password");
expect(html).toContain("Test Client");
});
it("redirects to /login when no OIDC session", async () => {
mockGetAuth.mockReturnValue(null);
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { challenge } = generatePkce();
const params = new URLSearchParams({
response_type: "code",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "abc123",
});
const res = await app.request(`/oauth/authorize?${params}`, {
redirect: "manual",
});
expect(res.status).toBe(302);
const location = res.headers.get("location");
expect(location).toContain("/login");
});
it("returns 400 with invalid client_id", async () => {
const { challenge } = generatePkce();
const params = new URLSearchParams({
@@ -188,30 +148,43 @@ describe("OAuth Routes", () => {
});
describe("POST /oauth/authorize", () => {
it("redirects to /login when no OIDC session", async () => {
mockGetAuth.mockReturnValue(null);
it("returns 200 HTML with error on wrong password", async () => {
// Register a client
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { challenge } = generatePkce();
const formBody = new URLSearchParams({
username: "admin",
password: "wrongpassword",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "abc123",
});
const res = await app.request("/oauth/authorize", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
client_id: "some-client",
redirect_uri: "http://localhost:3000/callback",
code_challenge: "challenge",
code_challenge_method: "S256",
state: "abc123",
}).toString(),
redirect: "manual",
body: formBody.toString(),
});
expect(res.status).toBe(302);
const location = res.headers.get("location");
expect(location).toContain("/login");
expect(res.status).toBe(200);
const html = await res.text();
expect(html).toContain("Invalid");
});
});
describe("Full OAuth flow", () => {
it("register -> authorize (consent) -> token exchange", async () => {
it("register authorize token exchange", async () => {
// 1. Register client
const regRes = await app.request("/oauth/register", {
method: "POST",
@@ -224,8 +197,10 @@ describe("OAuth Routes", () => {
const { client_id } = await regRes.json();
const { verifier, challenge } = generatePkce();
// 2. POST /oauth/authorize with OIDC session (consent form submission)
// 2. POST /oauth/authorize with correct credentials
const formBody = new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
@@ -272,12 +247,10 @@ describe("OAuth Routes", () => {
});
});
describe("Full OAuth -> MCP Flow", () => {
it("complete flow: register -> authorize -> token -> MCP call", async () => {
const { app } = await createFullTestApp();
// Mock authenticated OIDC session
mockGetAuth.mockReturnValue({ sub: "user-123", email: "admin@example.com" });
describe("Full OAuth MCP Flow", () => {
it("complete flow: register authorize token MCP call", async () => {
const { app, db } = createFullTestApp();
await createUser(db, "admin", "secret123");
const { verifier, challenge } = generatePkce();
// 1. Register client
@@ -291,19 +264,23 @@ describe("OAuth Routes", () => {
});
const { client_id } = await regRes.json();
// 2. Authorize (consent form POST with OIDC session)
const authRes = await app.request("/oauth/authorize", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
client_id,
redirect_uri: "http://localhost/cb",
code_challenge: challenge,
code_challenge_method: "S256",
state: "test",
}).toString(),
redirect: "manual",
});
// 2. Authorize (simulate form POST)
const authRes = await app.request(
`/oauth/authorize?response_type=code&client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=test`,
{
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost/cb",
code_challenge: challenge,
code_challenge_method: "S256",
state: "test",
}).toString(),
},
);
const code = new URL(authRes.headers.get("location")!).searchParams.get(
"code",
)!;
@@ -345,11 +322,9 @@ describe("OAuth Routes", () => {
expect(mcpRes.status).toBe(200);
});
it("rejects MCP call without auth", async () => {
const { app } = await createFullTestApp();
// Create an API key so auth middleware doesn't return setup_required
const { db } = await createTestApp();
await createApiKey(db, "setup-key");
it("rejects MCP call without auth when user exists", async () => {
const { app, db } = createFullTestApp();
await createUser(db, "admin", "secret123");
const mcpRes = await app.request("/mcp", {
method: "POST",
@@ -367,6 +342,7 @@ describe("OAuth Routes", () => {
});
expect(mcpRes.status).toBe(401);
expect(mcpRes.headers.get("www-authenticate")).toContain("Bearer");
});
});
@@ -385,6 +361,8 @@ describe("OAuth Routes", () => {
const { verifier, challenge } = generatePkce();
const formBody = new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,

9
tests/routes/params.test.ts
View File

@@ -6,11 +6,12 @@ import { setupRoutes } from "../../src/server/routes/setups";
import { threadRoutes } from "../../src/server/routes/threads";
import { createTestDb } from "../helpers/db";
async function createTestApp() {
const db = await createTestDb();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/items", itemRoutes);
@@ -23,8 +24,8 @@ async function createTestApp() {
describe("Invalid ID parameter handling", () => {
let app: Hono;
beforeEach(async () => {
app = await createTestApp();
beforeEach(() => {
app = createTestApp();
});
describe("items", () => {

11
tests/routes/setups.test.ts
View File

@@ -4,18 +4,19 @@ import { itemRoutes } from "../../src/server/routes/items.ts";
import { setupRoutes } from "../../src/server/routes/setups.ts";
import { createTestDb } from "../helpers/db.ts";
async function createTestApp() {
const db = await createTestDb();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono();
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/setups", setupRoutes);
app.route("/api/items", itemRoutes);
return { app, db };
return { app, db, userId };
}
async function createSetupViaAPI(app: Hono, name: string) {
@@ -39,8 +40,8 @@ async function createItemViaAPI(app: Hono, data: any) {
describe("Setup Routes", () => {
let app: Hono;
beforeEach(async () => {
const testApp = await createTestApp();
beforeEach(() => {
const testApp = createTestApp();
app = testApp.app;
});

13
tests/routes/threads.test.ts
View File

@@ -3,18 +3,19 @@ import { Hono } from "hono";
import { threadRoutes } from "../../src/server/routes/threads.ts";
import { createTestDb } from "../helpers/db.ts";
async function createTestApp() {
const db = await createTestDb();
function createTestApp() {
const { db, userId } = createTestDb();
const app = new Hono();
// Inject test DB into context for all routes
// Inject test DB and userId into context for all routes
app.use("*", async (c, next) => {
c.set("db", db);
c.set("userId", userId);
await next();
});
app.route("/api/threads", threadRoutes);
return { app, db };
return { app, db, userId };
}
async function createThreadViaAPI(app: Hono, name: string, categoryId = 1) {
@@ -38,8 +39,8 @@ async function createCandidateViaAPI(app: Hono, threadId: number, data: any) {
describe("Thread Routes", () => {
let app: Hono;
beforeEach(async () => {
const testApp = await createTestApp();
beforeEach(() => {
const testApp = createTestApp();
app = testApp.app;
});