Files
plainpages/src/oauth-login.test.ts
T

63 lines
3.1 KiB
TypeScript

// OAuth2 login-challenge resolution: given a Hydra login challenge, authenticate the user
// via their Kratos session and accept — or bounce an unauthenticated user to the Kratos login UI.
import { test } from "node:test";
import assert from "node:assert/strict";
import type { AcceptLogin, HydraAdmin, LoginRequest } from "./hydra-admin.ts";
import type { KratosPublic, Session } from "./kratos-public.ts";
import { resolveLoginChallenge } from "./oauth-login.ts";
const CHALLENGE = "chal-1";
const SUBJECT = "01902d5e-7b6c-7e3a-9f21-3c8d1e0a4b55";
const SELF = "http://127.0.0.1:3000/oauth2/login?login_challenge=chal-1";
function stubHydra(login: LoginRequest, capture?: (b: AcceptLogin) => void): HydraAdmin {
const unused = async () => { throw new Error("unused"); };
return {
acceptConsentRequest: unused,
acceptLoginRequest: async (_c, body) => { capture?.(body); return { redirect: "http://hydra/oauth2/auth?login_verifier=v" }; },
acceptLogoutRequest: unused,
createClient: unused,
deleteClient: unused,
getClient: unused,
getConsentRequest: unused,
getLoginRequest: async () => login,
listClients: unused,
rejectConsentRequest: unused,
rejectLoginRequest: unused,
};
}
const stubKratos = (whoami: KratosPublic["whoami"]): KratosPublic => ({
createLogoutFlow: async () => null,
getFlow: async () => { throw new Error("unused"); },
initBrowserFlow: async () => { throw new Error("unused"); },
submitFlow: async () => { throw new Error("unused"); },
whoami,
});
const session = (id: string): Session => ({ active: true, identity: { id } });
test("a live Kratos session accepts the login with that subject → Hydra redirect", async () => {
let accepted: AcceptLogin | undefined;
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" }, (b) => { accepted = b; });
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => session(SUBJECT)) }, CHALLENGE, "plainpages_session=s", SELF);
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
assert.equal(accepted?.subject, SUBJECT);
assert.equal(accepted?.remember, true);
});
test("skip (Hydra already authenticated) accepts the request's subject without checking Kratos", async () => {
let accepted: AcceptLogin | undefined;
let whoamiCalled = false;
const hydra = stubHydra({ challenge: CHALLENGE, skip: true, subject: SUBJECT }, (b) => { accepted = b; });
const kratos = stubKratos(async () => { whoamiCalled = true; return null; });
const out = await resolveLoginChallenge({ hydra, kratos }, CHALLENGE, undefined, SELF);
assert.equal(out.redirect, "http://hydra/oauth2/auth?login_verifier=v");
assert.equal(accepted?.subject, SUBJECT);
assert.equal(whoamiCalled, false, "skip short-circuits the Kratos check");
});
test("no Kratos session bounces to the themed login UI, returning here once authenticated", async () => {
const hydra = stubHydra({ challenge: CHALLENGE, skip: false, subject: "" });
const out = await resolveLoginChallenge({ hydra, kratos: stubKratos(async () => null) }, CHALLENGE, undefined, SELF);
assert.equal(out.redirect, `/login?return_to=${encodeURIComponent(SELF)}`);
});