92 lines
5.6 KiB
TypeScript
92 lines
5.6 KiB
TypeScript
// OAuth2 consent-challenge resolution (§6): given a Hydra consent challenge, auto-accept a
|
|
// first-party (or Hydra-skipped) client granting the requested scopes, else show a consent
|
|
// screen; on submit accept (allow) or reject (deny). id_token claims come from the Kratos identity.
|
|
import { test } from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import type { AcceptConsent, ConsentRequest, HydraAdmin } from "./hydra-admin.ts";
|
|
import type { KratosPublic, Session } from "./kratos-public.ts";
|
|
import { acceptConsent, rejectConsent, resolveConsentChallenge } from "./oauth-consent.ts";
|
|
|
|
const CHALLENGE = "cons-1";
|
|
const SUBJECT = "01902d5e-7b6c-7e3a-9f21-3c8d1e0a4b55";
|
|
const REDIRECT = "http://hydra/oauth2/auth?consent_verifier=v";
|
|
const DENIED = "http://client/cb?error=access_denied";
|
|
|
|
function stubHydra(consent: ConsentRequest, capture?: (b: AcceptConsent) => void): HydraAdmin {
|
|
const unused = async () => { throw new Error("unused"); };
|
|
return {
|
|
acceptConsentRequest: async (_c, body) => { capture?.(body); return { redirect: REDIRECT }; },
|
|
acceptLoginRequest: unused,
|
|
acceptLogoutRequest: unused,
|
|
createClient: unused,
|
|
deleteClient: unused,
|
|
getClient: unused,
|
|
getConsentRequest: async () => consent,
|
|
getLoginRequest: unused,
|
|
listClients: unused,
|
|
rejectConsentRequest: async () => ({ redirect: DENIED }),
|
|
rejectLoginRequest: unused,
|
|
};
|
|
}
|
|
const stubKratos = (whoami: KratosPublic["whoami"]): KratosPublic => ({
|
|
createLogoutFlow: async () => null,
|
|
getFlow: async () => { throw new Error("unused"); },
|
|
initBrowserFlow: async () => { throw new Error("unused"); },
|
|
submitFlow: async () => { throw new Error("unused"); },
|
|
whoami,
|
|
});
|
|
const sessionWith = (traits?: Record<string, unknown>): Session => ({ active: true, identity: { id: SUBJECT, ...(traits ? { traits } : {}) } });
|
|
const consent = (over: Partial<ConsentRequest> = {}): ConsentRequest =>
|
|
({ challenge: CHALLENGE, client: { client_name: "Acme Reports" }, requested_scope: ["openid", "profile"], skip: false, subject: SUBJECT, ...over });
|
|
|
|
test("a Hydra-skipped client auto-accepts, granting the requested scopes + audience + id_token from the identity", async () => {
|
|
let granted: AcceptConsent | undefined;
|
|
const hydra = stubHydra(consent({ requested_access_token_audience: ["https://api"], requested_scope: ["openid", "email"], skip: true }), (b) => { granted = b; });
|
|
const kratos = stubKratos(async () => sessionWith({ email: "ada@x.io", name: { first: "Ada", last: "Lovelace" } }));
|
|
const out = await resolveConsentChallenge({ hydra, kratos }, CHALLENGE, "plainpages_session=s");
|
|
assert.equal(out.redirect, REDIRECT);
|
|
assert.equal(out.view, undefined);
|
|
assert.deepEqual(granted?.grant_scope, ["openid", "email"]);
|
|
assert.deepEqual(granted?.grant_access_token_audience, ["https://api"]);
|
|
assert.deepEqual(granted?.session, { id_token: { email: "ada@x.io", name: "Ada Lovelace" } });
|
|
});
|
|
|
|
test("a first-party client (metadata.first_party) auto-accepts even without skip; no identity ⇒ no id_token", async () => {
|
|
let granted: AcceptConsent | undefined;
|
|
const hydra = stubHydra(consent({ client: { client_name: "Internal", metadata: { first_party: true } }, requested_scope: ["openid"] }), (b) => { granted = b; });
|
|
const out = await resolveConsentChallenge({ hydra, kratos: stubKratos(async () => null) }, CHALLENGE, undefined);
|
|
assert.equal(out.redirect, REDIRECT);
|
|
assert.deepEqual(granted?.grant_scope, ["openid"]);
|
|
assert.equal(granted?.session, undefined);
|
|
});
|
|
|
|
test("a third-party client shows the consent screen (no auto-accept); the account is named when signed in, omitted otherwise", async () => {
|
|
let accepted = false;
|
|
const hydra = stubHydra(consent(), () => { accepted = true; });
|
|
const signedIn = await resolveConsentChallenge({ hydra, kratos: stubKratos(async () => sessionWith({ email: "ada@x.io" })) }, CHALLENGE, "plainpages_session=s");
|
|
assert.equal(signedIn.redirect, undefined);
|
|
assert.deepEqual(signedIn.view, { account: "ada@x.io", challenge: CHALLENGE, client: "Acme Reports", scopes: ["openid", "profile"] });
|
|
assert.equal(accepted, false);
|
|
// No session ⇒ the screen still renders but names no account.
|
|
const anon = await resolveConsentChallenge({ hydra: stubHydra(consent()), kratos: stubKratos(async () => null) }, CHALLENGE, undefined);
|
|
assert.equal(anon.view?.account, undefined);
|
|
});
|
|
|
|
test("acceptConsent re-reads the challenge's scopes (never client-supplied) and projects id_token only when the session subject matches", async () => {
|
|
let matched: AcceptConsent | undefined;
|
|
const redirect = await acceptConsent({ hydra: stubHydra(consent(), (b) => { matched = b; }), kratos: stubKratos(async () => sessionWith({ email: "ada@x.io" })) }, CHALLENGE, "plainpages_session=s");
|
|
assert.equal(redirect, REDIRECT);
|
|
assert.deepEqual(matched?.grant_scope, ["openid", "profile"]); // re-read from the challenge, not the form
|
|
assert.deepEqual(matched?.session, { id_token: { email: "ada@x.io" } });
|
|
// A session whose identity differs from the challenge subject must not leak its claims into the grant.
|
|
let mismatched: AcceptConsent | undefined;
|
|
const other: Session = { active: true, identity: { id: "01902d5e-0000-7e3a-9f21-3c8d1e0a4b55", traits: { email: "mallory@x.io" } } };
|
|
await acceptConsent({ hydra: stubHydra(consent(), (b) => { mismatched = b; }), kratos: stubKratos(async () => other) }, CHALLENGE, "plainpages_session=s");
|
|
assert.equal(mismatched?.session, undefined);
|
|
});
|
|
|
|
test("rejectConsent rejects with access_denied → the client's error redirect", async () => {
|
|
const redirect = await rejectConsent({ hydra: stubHydra(consent()), kratos: stubKratos(async () => null) }, CHALLENGE);
|
|
assert.equal(redirect, DENIED);
|
|
});
|