63 lines
3.1 KiB
TypeScript
63 lines
3.1 KiB
TypeScript
// OAuth2 login-challenge resolution: given a Hydra login challenge, authenticate the user
|
|
// via their Kratos session and accept — or bounce an unauthenticated user to the Kratos login UI.
|
|
import { test } from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import type { AcceptLogin, HydraAdmin, LoginRequest } from "./hydra-admin.ts";
|
|
import type { KratosPublic, Session } from "./kratos-public.ts";
|
|
import { resolveLoginChallenge } from "./oauth-login.ts";
|
|
|
|
const CHALLENGE = "chal-1";
|
|
const SUBJECT = "01902d5e-7b6c-7e3a-9f21-3c8d1e0a4b55";
|
|
const SELF = "http://127.0.0.1:3000/oauth2/login?login_challenge=chal-1";
|
|
|
|
function stubHydra(login: LoginRequest, capture?: (b: AcceptLogin) => void): HydraAdmin {
|
|
const unused = async () => { throw new Error("unused"); };
|
|
return {
|
|
acceptConsentRequest: unused,
|
|
acceptLoginRequest: async (_c, body) => { capture?.(body); return { redirect: "http://hydra/oauth2/auth?login_verifier=v" }; },
|
|
acceptLogoutRequest: unused,
|
|
createClient: unused,
|
|
deleteClient: unused,
|
|
getClient: unused,
|
|
getConsentRequest: unused,
|
|
getLoginRequest: async () => login,
|
|
listClients: unused,
|
|
rejectConsentRequest: unused,
|
|
rejectLoginRequest: unused,
|
|
};
|
|
}
|
|
const stubKratos = (whoami: KratosPublic["whoami"]): KratosPublic => ({
|
|
createLogoutFlow: async () => null,
|
|
getFlow: async () => { throw new Error("unused"); },
|
|
initBrowserFlow: async () => { throw new Error("unused"); },
|
|
submitFlow: async () => { throw new Error("unused"); },
|
|
whoami,
|
|
});
|
|
const session = (id: string): Session => ({ active: true, identity: { id } });
|
|
|
|
test("a live Kratos session accepts the login with that subject → Hydra redirect", async () => {
|
|
let accepted: AcceptLogin | undefined;
|
|
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" }, (b) => { accepted = b; });
|
|
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => session(SUBJECT)) }, CHALLENGE, "plainpages_session=s", SELF);
|
|
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
|
|
assert.equal(accepted?.subject, SUBJECT);
|
|
assert.equal(accepted?.remember, true);
|
|
});
|
|
|
|
test("skip (Hydra already authenticated) accepts the request's subject without checking Kratos", async () => {
|
|
let accepted: AcceptLogin | undefined;
|
|
let whoamiCalled = false;
|
|
const hydra = stubHydra({ challenge: CHALLENGE, skip: true, subject: SUBJECT }, (b) => { accepted = b; });
|
|
const kratos = stubKratos(async () => { whoamiCalled = true; return null; });
|
|
const out = await resolveLoginChallenge({ hydra, kratos }, CHALLENGE, undefined, SELF);
|
|
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
|
|
assert.equal(accepted?.subject, SUBJECT);
|
|
assert.equal(whoamiCalled, false, "skip short-circuits the Kratos check");
|
|
});
|
|
|
|
test("no Kratos session bounces to the themed login UI, returning here once authenticated", async () => {
|
|
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" });
|
|
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => null) }, CHALLENGE, undefined, SELF);
|
|
assert.equal(out.redirect, `/login?return_to=${encodeURIComponent(SELF)}`);
|
|
});
|