smart_app_launch_test_kit 1.0.1 → 1.0.2

data/lib/smart_app_launch/app_redirect_test.rb

@@ -14,7 +14,7 @@ module SMARTAppLaunch
 
     input :url
     input :smart_auth_info, type: :auth_info, options: { mode: 'auth' }
-    output :state, :pkce_code_challenge, :pkce_code_verifier
+    output :state, :pkce_code_challenge, :pkce_code_verifier, :authorization_url
     receives_request :redirect
 
     def default_redirect_uri
@@ -104,6 +104,7 @@ module SMARTAppLaunch
       )
 
       info("Inferno redirecting browser to #{authorization_url}.")
+      output(authorization_url:)
 
       wait(
         identifier: state,

data/lib/smart_app_launch/client_suite/access_alca_interaction_test.rb

@@ -52,6 +52,8 @@ module SMARTAppLaunch
           description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
 
     output :launch_key
+    output :launch_urls
+    output :continuation_url
 
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
@@ -69,11 +71,13 @@ module SMARTAppLaunch
         )
       end
 
+      continuation_url = "#{client_resume_pass_url}?token=#{client_id}"
+      output(continuation_url:)
       wait(
         identifier: client_id,
         message: access_wait_dialog_app_launch_access_prefix(client_id, 'confidential asymmetric', client_fhir_base_url) +
                  access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
-                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+                 access_wait_dialog_access_response_and_continue_suffix(continuation_url)
       )
     end
   end

data/lib/smart_app_launch/client_suite/access_alcs_interaction_test.rb

@@ -52,6 +52,8 @@ module SMARTAppLaunch
           description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
 
     output :launch_key
+    output :launch_urls
+    output :continuation_url
 
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
@@ -69,11 +71,13 @@ module SMARTAppLaunch
         )
       end
 
+      continuation_url = "#{client_resume_pass_url}?token=#{client_id}"
+      output(continuation_url:)
       wait(
         identifier: client_id,
         message: access_wait_dialog_app_launch_access_prefix(client_id, 'confidential symmetric', client_fhir_base_url) +
                  access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
-                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+                 access_wait_dialog_access_response_and_continue_suffix(continuation_url)
       )
     end
   end

data/lib/smart_app_launch/client_suite/access_alp_interaction_test.rb

@@ -51,6 +51,8 @@ module SMARTAppLaunch
           description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
 
     output :launch_key
+    output :launch_urls
+    output :continuation_url
 
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
@@ -67,12 +69,14 @@ module SMARTAppLaunch
           'Input **Launch Context** is not valid JSON and will be disregarded when responding to token requests'
         )
       end
-
+      
+      continuation_url = "#{client_resume_pass_url}?token=#{client_id}"
+      output(continuation_url:)
       wait(
         identifier: client_id,
         message: access_wait_dialog_app_launch_access_prefix(client_id, 'public', client_fhir_base_url) +
                  access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
-                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+                 access_wait_dialog_access_response_and_continue_suffix(continuation_url)
       )
     end
   end

data/lib/smart_app_launch/client_suite/access_bsca_interaction_test.rb

@@ -31,6 +31,7 @@ module SMARTAppLaunch
           type: 'textarea',
           optional: true,
           description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+    output :continuation_url
 
     def client_suite_id
       return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
@@ -39,10 +40,12 @@ module SMARTAppLaunch
     end
 
     run do
+      continuation_url = "#{client_resume_pass_url}?token=#{client_id}"
+      output(continuation_url:)
       wait(
         identifier: client_id,
         message: access_wait_dialog_backend_services_access_prefix(client_id, client_fhir_base_url) + 
-                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+                 access_wait_dialog_access_response_and_continue_suffix(continuation_url)
       )
     end
   end

data/lib/smart_app_launch/client_suite/authentication_verification.rb

@@ -34,7 +34,7 @@ module SMARTAppLaunch
       return unless decoded_token.present?
 
       check_jwt_header(decoded_token.header, request_num)
-      check_jwt_payload(decoded_token.payload, jti_list, request_num)
+      check_jwt_payload(decoded_token.unverified_payload, jti_list, request_num)
       check_jwt_signature(decoded_token, request_num)
     end
 

data/lib/smart_app_launch/client_suite/client_descriptions.rb

@@ -91,15 +91,16 @@ module SMARTAppLaunch
 
         launch_query_string = Rack::Utils.build_query({ iss: fhir_base_url, launch: launch_key })
         ehr_launch_locations = smart_launch_urls.split(',').map { |launch_url| "#{launch_url}?#{launch_query_string}" }
+        output(launch_urls: ehr_launch_locations.join(','))
+        
         ehr_launch_links_string = ehr_launch_locations.map { |url| "- [launch](#{url})" }.join("\n")
-
         "\n\nOr open one of the following links in a new tab to perform an EHR launch:\n#{ehr_launch_links_string}\n\n"
       else
         ''
       end
     end
 
-    def access_wait_dialog_access_response_and_continue_suffix(client_id, resume_pass_url)
+    def access_wait_dialog_access_response_and_continue_suffix(continuation_url)
       <<~SUFFIX
         Inferno will respond to requests with either:
         - A resource from the Bundle in the **Available Resources** input if the request is a read matching
@@ -107,7 +108,7 @@ module SMARTAppLaunch
         - Otherwise, the contents of the **Default FHIR Response** if provided.
         - Otherwise, an OperationOutcome indicating nothing to echo.
 
-        [Click here](#{resume_pass_url}?token=#{client_id}) once the client has made a data access request.
+        [Click here](#{continuation_url}) once the client has made a data access request.
       SUFFIX
     end
   end

data/lib/smart_app_launch/cors_metadata_request_test.rb

@@ -33,10 +33,17 @@ module SMARTAppLaunch
 
       assert_response_status(200)
       inferno_origin = Inferno::Application['inferno_host']
-      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
-      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
-      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
-             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      
+      if url.starts_with?(inferno_origin)
+        info 'No CORS headers required: Inferno and the target server are on the same host.'
+      else
+        cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+        assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+        assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+              "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      end
+
+      
     end
   end
 end

data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb

@@ -41,10 +41,14 @@ module SMARTAppLaunch
       assert_response_status(200)
 
       inferno_origin = Inferno::Application['inferno_host']
-      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
-      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
-      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
-             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      if url.starts_with?(inferno_origin)
+        info 'No CORS headers required: Inferno and the target server are on the same host.'
+      else
+        cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+        assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+        assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+              "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      end
     end
   end
 end

data/lib/smart_app_launch/cors_token_exchange_test.rb

@@ -28,10 +28,14 @@ module SMARTAppLaunch
       skip_if request.status != 200, 'Previous request was unsuccessful, cannot check for CORS support'
 
       inferno_origin = Inferno::Application['inferno_host']
-      cors_header = request.response_header('Access-Control-Allow-Origin')&.value
-
-      assert cors_header == inferno_origin || cors_header == '*',
-             "Request must have `Access-Control-Allow-Origin` header containing `#{inferno_origin}`"
+      if request.url.starts_with?(inferno_origin)
+        info 'No CORS headers required: Inferno and the target server are on the same host.'
+      else
+        cors_header = request.response_header('Access-Control-Allow-Origin')&.value
+
+        assert cors_header == inferno_origin || cors_header == '*',
+              "Request must have `Access-Control-Allow-Origin` header containing `#{inferno_origin}`"
+      end
     end
   end
 end

data/lib/smart_app_launch/cors_well_known_endpoint_test.rb

@@ -33,10 +33,14 @@ module SMARTAppLaunch
                      'Origin' => inferno_origin })
       assert_response_status(200)
 
-      cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
-      assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
-      assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
-             "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      if request.url.starts_with?(inferno_origin)
+        info 'No CORS headers required: Inferno and the target server are on the same host.'
+      else
+        cors_allow_origin = request.response_header('Access-Control-Allow-Origin')&.value
+        assert cors_allow_origin.present?, 'No `Access-Control-Allow-Origin` header received.'
+        assert cors_allow_origin == inferno_origin || cors_allow_origin == '*',
+              "`Access-Control-Allow-Origin` must be `#{inferno_origin}`, but received: `#{cors_allow_origin}`"
+      end
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -1,4 +1,4 @@
 module SMARTAppLaunch
-  VERSION = '1.0.1'.freeze
-  LAST_UPDATED = '2026-05-12'.freeze
+  VERSION = '1.0.2'.freeze
+  LAST_UPDATED = '2026-05-22'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
-- Stephen MacVicar
+- Inferno Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-12 00:00:00.000000000 Z
+date: 2026-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -50,14 +50,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '3.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -165,7 +165,6 @@ dependencies:
 description: Inferno Tests for the SMART Application Launch Framework Implementation
   Guide
 email:
-- inferno@groups.mitre.org
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -183,6 +182,35 @@ files:
 - config/presets/smart_access_brands_example_2.json
 - config/presets/smart_access_brands_example_3.json
 - config/presets/smart_access_brands_example_4.json
+- execution_scripts/README.md
+- execution_scripts/client_vs_server/access_data_and_continue_client.rb
+- execution_scripts/client_vs_server/smart_v22_backend_services_with_commands.yaml
+- execution_scripts/client_vs_server/smart_v22_backend_services_with_commands_client_expected.json
+- execution_scripts/client_vs_server/smart_v22_backend_services_with_commands_server_expected.json
+- execution_scripts/client_vs_server/smart_v22_backend_services_with_commands_server_no_tls_expected.json
+- execution_scripts/client_vs_server/smart_v22_confidential_symmetric_with_commands.yaml
+- execution_scripts/client_vs_server/smart_v22_confidential_symmetric_with_commands_client_expected.json
+- execution_scripts/client_vs_server/smart_v22_confidential_symmetric_with_commands_client_no_tls_expected.json
+- execution_scripts/client_vs_server/smart_v22_confidential_symmetric_with_commands_server_expected.json
+- execution_scripts/client_vs_server/smart_v22_confidential_symmetric_with_commands_server_no_tls_expected.json
+- execution_scripts/client_vs_server/smart_v22_public_with_commands.yaml
+- execution_scripts/client_vs_server/smart_v22_public_with_commands_client_expected.json
+- execution_scripts/client_vs_server/smart_v22_public_with_commands_client_no_tls_expected.json
+- execution_scripts/client_vs_server/smart_v22_public_with_commands_server_expected.json
+- execution_scripts/client_vs_server/smart_v22_public_with_commands_server_no_tls_expected.json
+- execution_scripts/client_vs_server/visit_and_wait_to_return_to_inferno.rb
+- execution_scripts/reference_server/base_ref_server_authorize.rb
+- execution_scripts/reference_server/base_ref_server_ehr_launch.rb
+- execution_scripts/reference_server/ref_server_authorize_85_all_scopes.rb
+- execution_scripts/reference_server/ref_server_authorize_launched_all_scopes.rb
+- execution_scripts/reference_server/ref_server_ehr_launch_85.rb
+- execution_scripts/reference_server/smart_v1_vs_reference_server_with_commands.yaml
+- execution_scripts/reference_server/smart_v1_vs_reference_server_with_commands_expected.json
+- execution_scripts/reference_server/smart_v22_vs_reference_server_with_commands.yaml
+- execution_scripts/reference_server/smart_v22_vs_reference_server_with_commands_expected.json
+- execution_scripts/reference_server/smart_v22_vs_reference_server_with_commands_same_host_expected.json
+- execution_scripts/reference_server/smart_v2_vs_reference_server_with_commands.yaml
+- execution_scripts/reference_server/smart_v2_vs_reference_server_with_commands_expected.json
 - lib/smart_app_launch/app_launch_test.rb
 - lib/smart_app_launch/app_redirect_test.rb
 - lib/smart_app_launch/app_redirect_test_stu2.rb