makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity
Files
5fdf4c301908412c8e71ed1a8d85b984604bfc50
GearBox/tests/routes/oauth.test.ts
Jean-Luc Makiola 5fdf4c3019 docs: add MCP OAuth documentation and fix lint 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:27:34 +02:00

420 lines
12 KiB
TypeScript
Raw Blame History

import { beforeEach, describe, expect, it } from "bun:test";
import { createHash, randomBytes } from "node:crypto";
import { Hono } from "hono";
import { mcpRoutes } from "../../src/server/mcp/index.ts";
import { oauthRoutes, wellKnownRoute } from "../../src/server/routes/oauth.ts";
import { createUser } from "../../src/server/services/auth.service.ts";
import { createTestDb } from "../helpers/db.ts";
function createTestApp() {
const db = createTestDb();
const app = new Hono<{ Variables: { db?: any } }>();
app.use("*", async (c, next) => {
c.set("db", db);
await next();
});
app.route("/.well-known", wellKnownRoute);
app.route("/oauth", oauthRoutes);
return { app, db };
}
function createFullTestApp() {
const db = createTestDb();
const app = new Hono<{ Variables: { db?: any } }>();
app.use("*", async (c, next) => {
c.set("db", db);
await next();
});
app.route("/.well-known", wellKnownRoute);
app.route("/oauth", oauthRoutes);
app.route("/mcp", mcpRoutes);
return { app, db };
}
function generatePkce() {
const verifier = randomBytes(32).toString("hex");
const challenge = createHash("sha256").update(verifier).digest("base64url");
return { verifier, challenge };
}
describe("OAuth Routes", () => {
let app: Hono;
let db: ReturnType<typeof createTestDb>;
beforeEach(async () => {
const testApp = createTestApp();
app = testApp.app;
db = testApp.db;
await createUser(db, "admin", "secret123");
});
describe("GET /.well-known/oauth-authorization-server", () => {
it("returns 200 with correct metadata fields", async () => {
const res = await app.request("/.well-known/oauth-authorization-server");
expect(res.status).toBe(200);
const body = await res.json();
expect(body.issuer).toBeDefined();
expect(body.authorization_endpoint).toContain("/oauth/authorize");
expect(body.token_endpoint).toContain("/oauth/token");
expect(body.registration_endpoint).toContain("/oauth/register");
expect(body.response_types_supported).toEqual(["code"]);
expect(body.grant_types_supported).toEqual([
"authorization_code",
"refresh_token",
]);
expect(body.code_challenge_methods_supported).toEqual(["S256"]);
expect(body.token_endpoint_auth_methods_supported).toEqual(["none"]);
});
});
describe("POST /oauth/register", () => {
it("returns 201 with client_id, client_name, redirect_uris", async () => {
const res = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
expect(res.status).toBe(201);
const body = await res.json();
expect(body.client_id).toBeDefined();
expect(body.client_name).toBe("Test Client");
expect(body.redirect_uris).toEqual(["http://localhost:3000/callback"]);
});
it("returns 400 without redirect_uris", async () => {
const res = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ client_name: "Test Client" }),
});
expect(res.status).toBe(400);
});
});
describe("GET /oauth/authorize", () => {
it("returns 200 HTML with form when params are valid", async () => {
// Register a client first
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { challenge } = generatePkce();
const params = new URLSearchParams({
response_type: "code",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "abc123",
});
const res = await app.request(`/oauth/authorize?${params}`);
expect(res.status).toBe(200);
const html = await res.text();
expect(html).toContain("GearBox");
expect(html).toContain("password");
expect(html).toContain("Test Client");
});
it("returns 400 with invalid client_id", async () => {
const { challenge } = generatePkce();
const params = new URLSearchParams({
response_type: "code",
client_id: "nonexistent",
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "abc123",
});
const res = await app.request(`/oauth/authorize?${params}`);
expect(res.status).toBe(400);
});
});
describe("POST /oauth/authorize", () => {
it("returns 200 HTML with error on wrong password", async () => {
// Register a client
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { challenge } = generatePkce();
const formBody = new URLSearchParams({
username: "admin",
password: "wrongpassword",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "abc123",
});
const res = await app.request("/oauth/authorize", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: formBody.toString(),
});
expect(res.status).toBe(200);
const html = await res.text();
expect(html).toContain("Invalid");
});
});
describe("Full OAuth flow", () => {
it("register → authorize → token exchange", async () => {
// 1. Register client
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { verifier, challenge } = generatePkce();
// 2. POST /oauth/authorize with correct credentials
const formBody = new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "mystate",
});
const authRes = await app.request("/oauth/authorize", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: formBody.toString(),
redirect: "manual",
});
expect(authRes.status).toBe(302);
const location = authRes.headers.get("location")!;
expect(location).toContain("code=");
expect(location).toContain("state=mystate");
const redirectUrl = new URL(location);
const code = redirectUrl.searchParams.get("code")!;
// 3. Exchange code for tokens
const tokenBody = new URLSearchParams({
grant_type: "authorization_code",
code,
code_verifier: verifier,
client_id,
redirect_uri: "http://localhost:3000/callback",
});
const tokenRes = await app.request("/oauth/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: tokenBody.toString(),
});
expect(tokenRes.status).toBe(200);
const tokens = await tokenRes.json();
expect(tokens.access_token).toBeDefined();
expect(tokens.refresh_token).toBeDefined();
expect(tokens.token_type).toBe("Bearer");
expect(tokens.expires_in).toBe(3600);
});
});
describe("Full OAuth → MCP Flow", () => {
it("complete flow: register → authorize → token → MCP call", async () => {
const { app, db } = createFullTestApp();
await createUser(db, "admin", "secret123");
const { verifier, challenge } = generatePkce();
// 1. Register client
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Claude",
redirect_uris: ["http://localhost/cb"],
}),
});
const { client_id } = await regRes.json();
// 2. Authorize (simulate form POST)
const authRes = await app.request(
`/oauth/authorize?response_type=code&client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=test`,
{
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost/cb",
code_challenge: challenge,
code_challenge_method: "S256",
state: "test",
}).toString(),
},
);
const code = new URL(authRes.headers.get("location")!).searchParams.get(
"code",
)!;
// 3. Exchange code for tokens
const tokenRes = await app.request("/oauth/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
grant_type: "authorization_code",
code,
code_verifier: verifier,
client_id,
redirect_uri: "http://localhost/cb",
}).toString(),
});
const { access_token } = await tokenRes.json();
// 4. Use token to call MCP
const mcpRes = await app.request("/mcp", {
method: "POST",
headers: {
"Content-Type": "application/json",
Accept: "application/json, text/event-stream",
Authorization: `Bearer ${access_token}`,
},
body: JSON.stringify({
jsonrpc: "2.0",
method: "initialize",
params: {
protocolVersion: "2025-03-26",
capabilities: {},
clientInfo: { name: "test", version: "1.0" },
},
id: 1,
}),
});
expect(mcpRes.status).toBe(200);
});
it("rejects MCP call without auth when user exists", async () => {
const { app, db } = createFullTestApp();
await createUser(db, "admin", "secret123");
const mcpRes = await app.request("/mcp", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
jsonrpc: "2.0",
method: "initialize",
params: {
protocolVersion: "2025-03-26",
capabilities: {},
clientInfo: { name: "test", version: "1.0" },
},
id: 1,
}),
});
expect(mcpRes.status).toBe(401);
expect(mcpRes.headers.get("www-authenticate")).toContain("Bearer");
});
});
describe("Token refresh", () => {
it("exchanges refresh token for new tokens", async () => {
// Full flow to get initial tokens
const regRes = await app.request("/oauth/register", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_name: "Test Client",
redirect_uris: ["http://localhost:3000/callback"],
}),
});
const { client_id } = await regRes.json();
const { verifier, challenge } = generatePkce();
const formBody = new URLSearchParams({
username: "admin",
password: "secret123",
client_id,
redirect_uri: "http://localhost:3000/callback",
code_challenge: challenge,
code_challenge_method: "S256",
state: "s",
});
const authRes = await app.request("/oauth/authorize", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: formBody.toString(),
redirect: "manual",
});
const location = authRes.headers.get("location")!;
const code = new URL(location).searchParams.get("code")!;
const tokenBody = new URLSearchParams({
grant_type: "authorization_code",
code,
code_verifier: verifier,
client_id,
redirect_uri: "http://localhost:3000/callback",
});
const tokenRes = await app.request("/oauth/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: tokenBody.toString(),
});
const tokens = await tokenRes.json();
// Now refresh
const refreshBody = new URLSearchParams({
grant_type: "refresh_token",
refresh_token: tokens.refresh_token,
client_id,
});
const refreshRes = await app.request("/oauth/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: refreshBody.toString(),
});
expect(refreshRes.status).toBe(200);
const newTokens = await refreshRes.json();
expect(newTokens.access_token).toBeDefined();
expect(newTokens.refresh_token).toBeDefined();
expect(newTokens.token_type).toBe("Bearer");
expect(newTokens.expires_in).toBe(3600);
// Should be different tokens
expect(newTokens.access_token).not.toBe(tokens.access_token);
});
});
});
Reference in New Issue View Git Blame Copy Permalink