Built-in OAuth2 login-challenge handler (todo §6); /oauth2/login resolves a Hydra login challenge via the Kratos session — skip→accept(subject), live session→accept(identity id), no session→bounce to /login?return_to back here so Kratos lands on the challenge once signed in. New src/hydra-admin.ts (fetch client: get/accept/reject login request + HydraError, mirrors the kratos/keto clients) + src/oauth-login.ts (pure resolveLoginChallenge); wired in app.ts (the absolute return URL derives from the request Host + the SECURE_COOKIES scheme — a spoofed Host can't escape, Kratos validates return_to against its allow-list; /login now bakes return_to into the flow init), config.hydraAdminUrl (default http://hydra:4445), server builds the client, compose web now gates on hydra healthy (the app consumes it). A stale/invalid/consumed challenge (Hydra 4xx — back button, slow login) degrades to a recoverable 400, not a 500; a genuine Hydra 5xx outage still surfaces as 500. Tests-first: hydra-admin/oauth-login units + app/config/compose HTTP integration + full-stack e2e/oauth-login.spec.ts (compose.e2e-oauth.yml — registers an OAuth2 client, starts an auth flow, asserts the unauthenticated bounce and the authenticated accept; boot-verified then torn down). Stability-reviewer run as a local PR: APPROVE, no Critical/High; addressed its one warning (4xx→400 degrade). Deferred §9: document that prod allowed_return_urls entries must be exact origins with a trailing /. typecheck + 253 units + 8 visual + oauth-login E2E green. Consent handler + client registration are the next §6 items.
This commit is contained in:
@@ -0,0 +1,53 @@
|
||||
// OAuth2 login-challenge resolution (§6): given a Hydra login challenge, authenticate the user
|
||||
// via their Kratos session and accept — or bounce an unauthenticated user to the Kratos login UI.
|
||||
import { test } from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import type { AcceptLogin, HydraAdmin, LoginRequest } from "./hydra-admin.ts";
|
||||
import type { KratosPublic, Session } from "./kratos-public.ts";
|
||||
import { resolveLoginChallenge } from "./oauth-login.ts";
|
||||
|
||||
const CHALLENGE = "chal-1";
|
||||
const SUBJECT = "01902d5e-7b6c-7e3a-9f21-3c8d1e0a4b55";
|
||||
const SELF = "http://127.0.0.1:3000/oauth2/login?login_challenge=chal-1";
|
||||
|
||||
function stubHydra(login: LoginRequest, capture?: (b: AcceptLogin) => void): HydraAdmin {
|
||||
return {
|
||||
acceptLoginRequest: async (_c, body) => { capture?.(body); return { redirect: "http://hydra/oauth2/auth?login_verifier=v" }; },
|
||||
getLoginRequest: async () => login,
|
||||
rejectLoginRequest: async () => { throw new Error("unused"); },
|
||||
};
|
||||
}
|
||||
const stubKratos = (whoami: KratosPublic["whoami"]): KratosPublic => ({
|
||||
createLogoutFlow: async () => null,
|
||||
getFlow: async () => { throw new Error("unused"); },
|
||||
initBrowserFlow: async () => { throw new Error("unused"); },
|
||||
submitFlow: async () => { throw new Error("unused"); },
|
||||
whoami,
|
||||
});
|
||||
const session = (id: string): Session => ({ active: true, identity: { id } });
|
||||
|
||||
test("a live Kratos session accepts the login with that subject → Hydra redirect", async () => {
|
||||
let accepted: AcceptLogin | undefined;
|
||||
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" }, (b) => { accepted = b; });
|
||||
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => session(SUBJECT)) }, CHALLENGE, "plainpages_session=s", SELF);
|
||||
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
|
||||
assert.equal(accepted?.subject, SUBJECT);
|
||||
assert.equal(accepted?.remember, true);
|
||||
});
|
||||
|
||||
test("skip (Hydra already authenticated) accepts the request's subject without checking Kratos", async () => {
|
||||
let accepted: AcceptLogin | undefined;
|
||||
let whoamiCalled = false;
|
||||
const hydra = stubHydra({ challenge: CHALLENGE, skip: true, subject: SUBJECT }, (b) => { accepted = b; });
|
||||
const kratos = stubKratos(async () => { whoamiCalled = true; return null; });
|
||||
const out = await resolveLoginChallenge({ hydra, kratos }, CHALLENGE, undefined, SELF);
|
||||
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
|
||||
assert.equal(accepted?.subject, SUBJECT);
|
||||
assert.equal(whoamiCalled, false, "skip short-circuits the Kratos check");
|
||||
});
|
||||
|
||||
test("no Kratos session bounces to the themed login UI, returning here once authenticated", async () => {
|
||||
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" });
|
||||
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => null) }, CHALLENGE, undefined, SELF);
|
||||
assert.equal(out.redirect, `/login?return_to=${encodeURIComponent(SELF)}`);
|
||||
});
|
||||
Reference in New Issue
Block a user