import { beforeEach, describe, expect, it } from "bun:test"; import { createHash, randomBytes } from "node:crypto"; import { Hono } from "hono"; import { mcpRoutes } from "../../src/server/mcp/index.ts"; import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts"; import { createUser } from "../../src/server/services/auth.service.ts"; import { createTestDb } from "../helpers/db.ts"; function createTestApp() { const db = createTestDb(); const app = new Hono<{ Variables: { db?: any } }>(); app.use("*", async (c, next) => { c.set("db", db); await next(); }); app.route("/.well-known", wellKnownRoute); app.route("/oauth", oauthRoutes); return { app, db }; } function createFullTestApp() { const db = createTestDb(); const app = new Hono<{ Variables: { db?: any } }>(); app.use("*", async (c, next) => { c.set("db", db); await next(); }); app.route("/.well-known", wellKnownRoute); app.route("/oauth", oauthRoutes); app.route("/mcp", mcpRoutes); return { app, db }; } function generatePkce() { const verifier = randomBytes(32).toString("hex"); const challenge = createHash("sha256").update(verifier).digest("base64url"); return { verifier, challenge }; } describe("OAuth Routes", () => { let app: Hono; let db: ReturnType; beforeEach(async () => { const testApp = createTestApp(); app = testApp.app; db = testApp.db; await createUser(db, "admin", "secret123"); }); describe("GET /.well-known/oauth-authorization-server", () => { it("returns 200 with correct metadata fields", async () => { const res = await app.request("/.well-known/oauth-authorization-server"); expect(res.status).toBe(200); const body = await res.json(); expect(body.issuer).toBeDefined(); expect(body.authorization_endpoint).toContain("/oauth/authorize"); expect(body.token_endpoint).toContain("/oauth/token"); expect(body.registration_endpoint).toContain("/oauth/register"); expect(body.response_types_supported).toEqual(["code"]); expect(body.grant_types_supported).toEqual([ "authorization_code", "refresh_token", ]); expect(body.code_challenge_methods_supported).toEqual(["S256"]); expect(body.token_endpoint_auth_methods_supported).toEqual(["none"]); }); }); describe("POST /oauth/register", () => { it("returns 201 with client_id, client_name, redirect_uris", async () => { const res = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client", redirect_uris: ["http://localhost:3000/callback"], }), }); expect(res.status).toBe(201); const body = await res.json(); expect(body.client_id).toBeDefined(); expect(body.client_name).toBe("Test Client"); expect(body.redirect_uris).toEqual(["http://localhost:3000/callback"]); }); it("returns 400 without redirect_uris", async () => { const res = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client" }), }); expect(res.status).toBe(400); }); }); describe("GET /oauth/authorize", () => { it("returns 200 HTML with form when params are valid", async () => { // Register a client first const regRes = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client", redirect_uris: ["http://localhost:3000/callback"], }), }); const { client_id } = await regRes.json(); const { challenge } = generatePkce(); const params = new URLSearchParams({ response_type: "code", client_id, redirect_uri: "http://localhost:3000/callback", code_challenge: challenge, code_challenge_method: "S256", state: "abc123", }); const res = await app.request(`/oauth/authorize?${params}`); expect(res.status).toBe(200); const html = await res.text(); expect(html).toContain("GearBox"); expect(html).toContain("password"); expect(html).toContain("Test Client"); }); it("returns 400 with invalid client_id", async () => { const { challenge } = generatePkce(); const params = new URLSearchParams({ response_type: "code", client_id: "nonexistent", redirect_uri: "http://localhost:3000/callback", code_challenge: challenge, code_challenge_method: "S256", state: "abc123", }); const res = await app.request(`/oauth/authorize?${params}`); expect(res.status).toBe(400); }); }); describe("POST /oauth/authorize", () => { it("returns 200 HTML with error on wrong password", async () => { // Register a client const regRes = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client", redirect_uris: ["http://localhost:3000/callback"], }), }); const { client_id } = await regRes.json(); const { challenge } = generatePkce(); const formBody = new URLSearchParams({ username: "admin", password: "wrongpassword", client_id, redirect_uri: "http://localhost:3000/callback", code_challenge: challenge, code_challenge_method: "S256", state: "abc123", }); const res = await app.request("/oauth/authorize", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: formBody.toString(), }); expect(res.status).toBe(200); const html = await res.text(); expect(html).toContain("Invalid"); }); }); describe("Full OAuth flow", () => { it("register → authorize → token exchange", async () => { // 1. Register client const regRes = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client", redirect_uris: ["http://localhost:3000/callback"], }), }); const { client_id } = await regRes.json(); const { verifier, challenge } = generatePkce(); // 2. POST /oauth/authorize with correct credentials const formBody = new URLSearchParams({ username: "admin", password: "secret123", client_id, redirect_uri: "http://localhost:3000/callback", code_challenge: challenge, code_challenge_method: "S256", state: "mystate", }); const authRes = await app.request("/oauth/authorize", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: formBody.toString(), redirect: "manual", }); expect(authRes.status).toBe(302); const location = authRes.headers.get("location")!; expect(location).toContain("code="); expect(location).toContain("state=mystate"); const redirectUrl = new URL(location); const code = redirectUrl.searchParams.get("code")!; // 3. Exchange code for tokens const tokenBody = new URLSearchParams({ grant_type: "authorization_code", code, code_verifier: verifier, client_id, redirect_uri: "http://localhost:3000/callback", }); const tokenRes = await app.request("/oauth/token", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: tokenBody.toString(), }); expect(tokenRes.status).toBe(200); const tokens = await tokenRes.json(); expect(tokens.access_token).toBeDefined(); expect(tokens.refresh_token).toBeDefined(); expect(tokens.token_type).toBe("Bearer"); expect(tokens.expires_in).toBe(3600); }); }); describe("Full OAuth → MCP Flow", () => { it("complete flow: register → authorize → token → MCP call", async () => { const { app, db } = createFullTestApp(); await createUser(db, "admin", "secret123"); const { verifier, challenge } = generatePkce(); // 1. Register client const regRes = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Claude", redirect_uris: ["http://localhost/cb"], }), }); const { client_id } = await regRes.json(); // 2. Authorize (simulate form POST) const authRes = await app.request( `/oauth/authorize?response_type=code&client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=test`, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: new URLSearchParams({ username: "admin", password: "secret123", client_id, redirect_uri: "http://localhost/cb", code_challenge: challenge, code_challenge_method: "S256", state: "test", }).toString(), }, ); const code = new URL(authRes.headers.get("location")!).searchParams.get( "code", )!; // 3. Exchange code for tokens const tokenRes = await app.request("/oauth/token", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: new URLSearchParams({ grant_type: "authorization_code", code, code_verifier: verifier, client_id, redirect_uri: "http://localhost/cb", }).toString(), }); const { access_token } = await tokenRes.json(); // 4. Use token to call MCP const mcpRes = await app.request("/mcp", { method: "POST", headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", Authorization: `Bearer ${access_token}`, }, body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", params: { protocolVersion: "2025-03-26", capabilities: {}, clientInfo: { name: "test", version: "1.0" }, }, id: 1, }), }); expect(mcpRes.status).toBe(200); }); it("rejects MCP call without auth when user exists", async () => { const { app, db } = createFullTestApp(); await createUser(db, "admin", "secret123"); const mcpRes = await app.request("/mcp", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ jsonrpc: "2.0", method: "initialize", params: { protocolVersion: "2025-03-26", capabilities: {}, clientInfo: { name: "test", version: "1.0" }, }, id: 1, }), }); expect(mcpRes.status).toBe(401); expect(mcpRes.headers.get("www-authenticate")).toContain("Bearer"); }); }); describe("Token refresh", () => { it("exchanges refresh token for new tokens", async () => { // Full flow to get initial tokens const regRes = await app.request("/oauth/register", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ client_name: "Test Client", redirect_uris: ["http://localhost:3000/callback"], }), }); const { client_id } = await regRes.json(); const { verifier, challenge } = generatePkce(); const formBody = new URLSearchParams({ username: "admin", password: "secret123", client_id, redirect_uri: "http://localhost:3000/callback", code_challenge: challenge, code_challenge_method: "S256", state: "s", }); const authRes = await app.request("/oauth/authorize", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: formBody.toString(), redirect: "manual", }); const location = authRes.headers.get("location")!; const code = new URL(location).searchParams.get("code")!; const tokenBody = new URLSearchParams({ grant_type: "authorization_code", code, code_verifier: verifier, client_id, redirect_uri: "http://localhost:3000/callback", }); const tokenRes = await app.request("/oauth/token", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: tokenBody.toString(), }); const tokens = await tokenRes.json(); // Now refresh const refreshBody = new URLSearchParams({ grant_type: "refresh_token", refresh_token: tokens.refresh_token, client_id, }); const refreshRes = await app.request("/oauth/token", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: refreshBody.toString(), }); expect(refreshRes.status).toBe(200); const newTokens = await refreshRes.json(); expect(newTokens.access_token).toBeDefined(); expect(newTokens.refresh_token).toBeDefined(); expect(newTokens.token_type).toBe("Bearer"); expect(newTokens.expires_in).toBe(3600); // Should be different tokens expect(newTokens.access_token).not.toBe(tokens.access_token); }); }); });