@civic/auth 0.0.1-beta.3 → 0.0.1-beta.30

package/test/integration/sdk.test.tsx

@@ -0,0 +1,266 @@
+import React from "react";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { OAuth2Client } from "oslo/oauth2";
+import { useAuth, useUser } from "@/reactjs/hooks/index.js";
+import { CivicAuthProvider } from "@/reactjs/providers/index.js";
+import {
+  render,
+  screen,
+  act,
+  fireEvent,
+  waitFor,
+} from "@testing-library/react";
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
+import "@testing-library/jest-dom";
+import * as jose from "jose";
+import tokensFixture from "../support/tokens.json";
+import * as oauthLib from "@/lib/oauth.js";
+import type { JWTVerifyResult, ResolvedKey } from "jose";
+
+const validTokens = { ...tokensFixture.local.validTokens };
+// Mock Component to test OAuth flow with useAuth
+const MockOAuthComponent = () => {
+  const { signIn, isAuthenticated } = useAuth();
+  const { user } = useUser();
+
+  const handleLogin = async () => {
+    try {
+      await signIn("redirect");
+      alert("Login Redirect Initiated");
+    } catch {
+      alert("Login Failed");
+    }
+  };
+
+  return (
+    <div>
+      <button onClick={handleLogin}>Login</button>
+      {user && (
+        <p data-testid="user-email">
+          User:
+          {user.email}
+        </p>
+      )}
+      {isAuthenticated && (
+        <p data-testid="session">Session authenticated:true</p>
+      )}
+    </div>
+  );
+};
+
+describe("OAuth login", () => {
+  const clientId = "test-client-id";
+  let mockOAuth2Client: OAuth2Client;
+  let originalWindowLocation: Location;
+  afterEach(vi.clearAllMocks);
+
+  vi.spyOn(oauthLib, "getOauthEndpoints").mockResolvedValue({
+    auth: "http://localhost:3001/oauth/auth",
+    token: "http://localhost:3001/oauth/token",
+    jwks: "http://localhost:3001/oauth/jwks",
+    userinfo: "http://localhost:3001/oauth/userinfo",
+  });
+  vi.mock("oslo/oauth2", () => ({
+    OAuth2Client: vi.fn(),
+    generateCodeVerifier: vi.fn(() => "mock-code-verifier"),
+    generateState: vi.fn(() => "mock-state"),
+  }));
+
+  vi.mock("jose", () => ({
+    jwtVerify: vi.fn(),
+    createRemoteJWKSet: vi.fn(),
+  }));
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.resetModules();
+
+    // Setup mock implementations
+    mockOAuth2Client = {
+      createAuthorizationURL: vi.fn(),
+      validateAuthorizationCode: vi.fn(),
+      refreshAccessToken: vi.fn(),
+      clientId: "test-client-id",
+    } as unknown as OAuth2Client;
+    vi.mocked(OAuth2Client).mockImplementation(() => mockOAuth2Client);
+
+    // Setup jose mocks
+    const mockJWKS = {
+      getKey: vi.fn().mockResolvedValue({ alg: "RS256" }),
+    };
+    vi.mocked(jose.createRemoteJWKSet).mockReturnValue(mockJWKS as any);
+    vi.mocked(jose.jwtVerify).mockResolvedValue({
+      payload: { sub: "user123", name: "Test User", email: "test@example.com" },
+      protectedHeader: { alg: "RS256" },
+    } as unknown as JWTVerifyResult<unknown> & ResolvedKey);
+
+    originalWindowLocation = window.location;
+    window.location = { href: "" } as Location;
+    global.alert = vi.fn();
+    // Mock window.open to prevent errors.
+    vi.spyOn(window, "open").mockReturnValue(null);
+  });
+
+  afterEach(() => {
+    window.location = originalWindowLocation;
+  });
+
+  it("should set the correct auth url for login with redirect", async () => {
+    const windowAssign = vi.fn();
+    const redirectUri = "http://localhost:3001/callback";
+
+    vi.mocked(mockOAuth2Client.createAuthorizationURL).mockResolvedValue(
+      new URL(
+        "http://localhost:3001/oauth/auth?response_type=code&client_id=" +
+          clientId +
+          "&redirect_uri=" +
+          encodeURIComponent(redirectUri) +
+          "&scope=openid%20profile%20email&state=mock-state&code_challenge=mock-code-challenge&code_challenge_method=S256",
+      ),
+    );
+
+    window.location = {
+      ...originalWindowLocation,
+      assign: windowAssign,
+      replace: vi.fn(),
+      reload: vi.fn(),
+    };
+
+    const queryClient = new QueryClient();
+    render(
+      <QueryClientProvider client={queryClient}>
+        <CivicAuthProvider
+          clientId={clientId}
+          redirectUrl={redirectUri}
+          config={{
+            oauthServer: "http://localhost:3001",
+          }}
+        >
+          <MockOAuthComponent />
+        </CivicAuthProvider>
+      </QueryClientProvider>,
+    );
+
+    // Trigger the login button click, which initiates the OAuth flow
+    await act(async () => {
+      fireEvent.click(screen.getByText("Login"));
+    });
+
+    // Confirm that the sdk set the window.location.href to the auth url
+    const url = new URL(window.location.href);
+    expect(url.origin + url.pathname).toEqual(
+      "http://localhost:3001/oauth/auth",
+    );
+    expect(url.searchParams.get("response_type")).toEqual("code");
+    expect(url.searchParams.get("client_id")).toEqual(clientId);
+    expect(url.searchParams.get("redirect_uri")).toEqual(redirectUri);
+    expect(url.searchParams.get("scope")).toEqual("openid profile email");
+    expect(url.searchParams.get("state")).toBeTruthy(); // Ensure state is present
+    expect(url.searchParams.get("code_challenge")).toBeTruthy(); // Ensure code_challenge is present
+    expect(url.searchParams.get("code_challenge_method")).toEqual("S256");
+    expect(screen.queryByTestId("session")).not.toBeInTheDocument();
+  });
+
+  it("should initiate code exchange, validate tokens, and derive user from ID token", async () => {
+    const queryClient = new QueryClient();
+    const redirectUri = "http://localhost:3001/callback";
+
+    // Mock ID token with user information
+    const mockIdToken = validTokens.idToken;
+    const mockAccessToken = validTokens.accessToken;
+
+    // Mock oslo token exchange
+    const mockTokens = {
+      access_token: mockAccessToken,
+      id_token: mockIdToken,
+      refresh_token: "mock-refresh-token",
+      expires_in: 3600,
+    };
+    vi.mocked(mockOAuth2Client.validateAuthorizationCode).mockResolvedValue(
+      mockTokens,
+    );
+
+    // Prime storage and simulate redirect
+    await act(async () => {
+      localStorage.setItem(
+        "civic-auth:test-client-id",
+        JSON.stringify({
+          authenticated: false,
+          state: "mock-state",
+          codeVerifier: "mock-code-verifier",
+          displayMode: "redirect",
+        }),
+      );
+      window.location.pathname = "test-pathName";
+
+      // Configure window.location to simulate redirect
+      Object.defineProperty(window, "location", {
+        value: {
+          ...window.location,
+          origin: "http://mock-origin",
+        },
+        writable: true,
+      });
+      window.location.href = `${redirectUri}?code=test-code&state=mock-state`;
+
+      // Render the AuthProvider with the mock OAuth component
+      render(
+        <QueryClientProvider client={queryClient}>
+          <CivicAuthProvider
+            clientId={clientId}
+            redirectUrl={redirectUri}
+            config={{
+              oauthServer: "http://localhost:3001",
+            }}
+          >
+            <MockOAuthComponent />
+          </CivicAuthProvider>
+        </QueryClientProvider>,
+      );
+    });
+
+    expect(mockOAuth2Client.validateAuthorizationCode).toHaveBeenCalledWith(
+      "test-code",
+      {
+        codeVerifier: "mock-code-verifier",
+      },
+    );
+
+    // Check that jose.jwtVerify was called for id_token validation
+    await waitFor(() => {
+      expect(jose.jwtVerify).toHaveBeenCalledWith(
+        mockIdToken,
+        expect.any(Object),
+        {
+          issuer: ["http://localhost:3001", "http://localhost:3001/"],
+          audience: clientId,
+        },
+      );
+    });
+
+    // Check that jose.jwtVerify was called for access_token validation
+    await waitFor(() => {
+      expect(jose.jwtVerify).toHaveBeenCalledWith(
+        mockAccessToken,
+        expect.any(Object),
+        {
+          issuer: ["http://localhost:3001", "http://localhost:3001/"],
+        },
+      );
+    });
+
+    // Check that the authenticated flag is set in the session
+    await waitFor(() => {
+      expect(screen.queryByTestId("session")).toHaveTextContent(
+        "Session authenticated:true",
+      );
+    });
+
+    // Check that the user info derived from the ID token is displayed
+    await waitFor(() => {
+      expect(screen.queryByTestId("user-email")).toHaveTextContent(
+        "User:ghost@civic.com",
+      );
+    });
+  });
+});

package/test/support/fixtures.ts

@@ -0,0 +1,56 @@
+const oauthWellKnownResponse = {
+  authorization_endpoint: "https://auth-dev.civic.com/oauth/auth",
+  claims_parameter_supported: false,
+  claims_supported: [
+    "sub",
+    "forwardedTokens",
+    "email",
+    "name",
+    "family_name",
+    "picture",
+    "login_method",
+    "sid",
+    "auth_time",
+    "iss",
+  ],
+  code_challenge_methods_supported: ["S256"],
+  end_session_endpoint: "https://auth-dev.civic.com/oauth/session/end",
+  grant_types_supported: ["implicit", "authorization_code", "refresh_token"],
+  issuer: "https://auth-dev.civic.com/oauth/",
+  jwks_uri: "https://auth-dev.civic.com/oauth/jwks",
+  authorization_response_iss_parameter_supported: true,
+  response_modes_supported: ["form_post", "fragment", "query"],
+  response_types_supported: ["code id_token", "code", "id_token", "none"],
+  scopes_supported: [
+    "openid",
+    "offline_access",
+    "forwardedTokens",
+    "email",
+    "profile",
+  ],
+  subject_types_supported: ["public"],
+  token_endpoint_auth_methods_supported: [
+    "client_secret_basic",
+    "client_secret_jwt",
+    "client_secret_post",
+    "private_key_jwt",
+    "none",
+  ],
+  token_endpoint_auth_signing_alg_values_supported: [
+    "HS256",
+    "RS256",
+    "PS256",
+    "ES256",
+    "EdDSA",
+  ],
+  token_endpoint: "https://auth-dev.civic.com/oauth/token",
+  id_token_signing_alg_values_supported: ["PS256", "RS256"],
+  pushed_authorization_request_endpoint:
+    "https://auth-dev.civic.com/oauth/request",
+  request_parameter_supported: false,
+  request_uri_parameter_supported: false,
+  userinfo_endpoint: "https://auth-dev.civic.com/oauth/me",
+  claim_types_supported: ["normal"],
+};
+
+export { oauthWellKnownResponse };

package/test/support/tokens.json

@@ -0,0 +1,26 @@
+{
+    "local": {
+        "validTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImNpdmljLWF1dGgtdG9rZW4tc2lnbmVyLWtleSJ9.eyJzdWIiOiIzMzZmNDQ1Zi1hZjcxLTQxYzYtODNlZC00NjJhY2ZiNTU1YjYiLCJlbWFpbCI6Imdob3N0QGNpdmljLmNvbSIsImZvcndhcmRlZFRva2VucyI6eyJkdW1teSI6eyJhY2Nlc3NfdG9rZW4iOiIiLCJleHBpcmVzX2luIjozNjAwLCJpZF90b2tlbiI6ImV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SW10bGVYTjBiM0psTFVOSVFVNUhSUzFOUlNKOS5leUp6ZFdJaU9pSjBaWE4wSWl3aVlYUmZhR0Z6YUNJNklrcEdVbkZRZUhsZmJGYzFVaTFIV0dabE9Ia3lja0VpTENKaGRXUWlPaUp0ZVMxamJHbGxiblFpTENKbGVIQWlPakUzTWprd05qZ3hOVFVzSW1saGRDSTZNVGN5T1RBMk5EVTFOU3dpYVhOeklqb2lhSFIwY0RvdkwyeHZZMkZzYUc5emREbzVNRGt3SW4wLm11TGg2T2s0YVIyb0V3RC1yUFZXck5RY24xMFZqSjVmN0hUUHVNSk50NFBFVUEyVkttZnRKdHdEOXB5WVVNUngybkhHaWRIMVIyemhwbUpWclVUaDl4SDVpNkQxckx5VHA2UXFTbm9RQ1lYTFA3bzdJRWdLcTkta1R0TUhWS2t1LU1qX2FvNk05TUFaN3llYnpCR3dJcHVYcFRZY3JwMC1EQVZLSW94LVV1b0lfSkljbURWSExtbjJfUEhMZ0Z1Y3ctMTlVZFgyYUlTM19kSDRqQ01CLXp4Y0xGTmV6SlVfV1BRVTNYUEhyQk83M3lMWTU2NmEyb1RVczV3Tkh4bWJKOXdBWXJSRHJSQVBrcml2R2s1WEhNSG5RX21OUlUxNGhSc2N3Y25vOC1NZnNlZlRHc1JsbDdSRXpiaUFWUzZjY2hHV0ItVXJJWk92R0p6UjFlZGRjQSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIn19LCJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdF9oYXNoIjoiVFZjelNRMERIeElHY2t1VzducDYydyIsImF1ZCI6ImRlbW8tY2xpZW50LTEiLCJleHAiOjE3MjkwNjgxNTYsImlhdCI6MTcyOTA2NDU1NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAxIn0.NNvOtkls3wjivcCWYanqWr8_cHzf7by2_6mSF_qeNqJ8zt7ZPmKh2R6WbnrlYVsym0sMYueR9m_bDGsNZNrwXGPABz4ff7TV5LH8LO1W_fdPemMBlIDdRwc0DZx7BUIKqwvciQ1lHx-2xv-6gH7TZVX7Dwvv-zArLpLkmzrec4EV0Wyn-WYAZFqMMpPvEUCCxkp_AWMh9P8ax3ExSHPAMu5_skJo1nJTK5lri3DNU31IuXvLz2JFYusDViFDwu5wx_TSC1S-hsRQd_aK_wGGifqfuwuGRX43ZEDqRcB5lgBAfc8v1kxYu5HhF07C63zMLZjJg66pGBHwNWp5r-Q4K-2xBXDU6TP-4YYikvwqIOjlRiz_RP_kEBrioqNRvwk8SU2laJ7g7st_4q86RiXPS4uN31o5eDSCiM5dd0OdC2IUZorC5pMym-IzuHEJhWr68psczj3dUKxbLbuoH-827CQt-8Vv8znfS7ck8I0YDXjVSKhBYXoCnzXpwJ-c9OcPIbquTQrqeogGqTlA6Nt-23rC7Ave8xOcRQZrJ1Ec5c5eD_4MoSYw3q90b6AT6U3tY3ewYQMdg4Ro9x-hFu7uCuurDZgnyugpM7dBATaFfR3ar9nRtdMyPrU2LhEeZS2iwSvP7wuWJpIkjxFy3znFrsFBTa_WbD0BJSOfl1j5G94",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImNpdmljLWF1dGgtdG9rZW4tc2lnbmVyLWtleSJ9.eyJqdGkiOiJjS2xCVW1jZW0tVjE3RzM4N1AyTUIiLCJzdWIiOiIzMzZmNDQ1Zi1hZjcxLTQxYzYtODNlZC00NjJhY2ZiNTU1YjYiLCJpYXQiOjE3MjkwNjQ1NTYsImV4cCI6MTcyOTA2ODE1NiwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMSIsImF1ZCI6ImNpdmljIn0.gsX--7GtdF1JYQi5Spt6GfcvZ_8EZxkpO8GljfoXJw-cRYhP98-w9IADZBn87ekH914pnUTxp1x_oLhTWGBrR_yMsHRYim_gkVv8t-dnOEAR4IzDByG7kd58TM_blbY-yma0Cb-O3XRGgrdkvw2PjMeHfTSl3tlYx0c47PS8WegOkYkQcfyPUUNEsUFA8e5qzmkMCdwFWHaox-fQaaNpFrO0wCRWOvYr3vFnrLU87Ds7AOaurZUYaFgxqcMsg3zhZXB2pslqS2p9pmQO3Yi0m8-ntX5P18TWX6oOdBbOLqJX3R5s2GAAm9tYJOeBz-JpTucmn4OaL3OyJvIZqM-7EAVtHdnVYUjzGarNu4_b-rcj66mkSNBbquqjAmRBQ5nnRMkmWZxkf6BKgOwmuONLaU4soZEc_AUNtcKIRzbYmBvrgBlPZr5lvkSKIynKlDCbhsB7O_yBRijVesQrau5ReUcXdbJMRj1U5goBnWXV8y8xZFVKwJvx5WdQVUz2tjmtTO8xMK0ORcWdJShIzlhvQrUsjuiFKWytlbRckIdrllsNLfTFbIvQLa9Pmi-FgrJtm-wD3RoHlNgtjGiHjN-YfWCauTcSn9Xd8TbjIc8D43LuRR2Oh3c78GrEVerbnmTjXh6UFZ6ZXkrkarVst8KQMtPiUo9_DdtJP6ghXLXdo6A"
+        },
+        "expiredTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjoxNjk3OTU5OTI1LCJpYXQiOjE2NjY0MjM5MjUsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyJ9.MO0IdxEyNiOq4E5QdtpfSbnXQKiN8euC2ac0E0VWggUP4o5yoz29gqAzETP_omvOBfOn4hJjXTDPGqKXKg-Lz-oLdzF71aztskCerwDuB5PdqyCGMS9Qa2j40FTJ7RkuBG9PISUpGWYfZ28q7u94h8GyWtqRtPAF2aPD1rvckk-WTXLeMqEWtfEy0yCJ4MvEwp6MUgeb7EwRKUZ_cuVCE5Xm8rNebO9b2I3Jqdg8cNNyAxEYkWERBcfFtOfaQYD_8DNJvpNpJvZXAowaab7dzNgGBAxhTQ7s4S9h-Ly2nQIAIpbff_A4baI6rOqWfFxdzrxcFt34x0S_90Z3MXNziAb-ocG0WkPewRm0hvrF4E-zFTM4guTvtol0cKw9qWLb_JE-Idm9Zq-abkOS6FvM2E0j1iqKjT1GqM_EhOdIMzOidqxlls5v2UaaJ34PvR_1yTopm6Lguhr6uX3CW_F4A5tGAxsReeUDdGQAhkPYqZp8zjPUxjCA3cJEnMSGWHgqiBJ5lCLeH-SaccT828pSqYL8FrN0Qts3ILaElVVECHiWhN90lGaBSPw8pn19odH70wH651C2eonWKAKQMpNheGmyjrGE8n0jPwz-p-8ISp5H793wlWiTH2ay33METj0Vbgg-G1p1xcWD5WR4X-uyH1f-iNupvVNYn8mf0iPxM-I",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJleHAiOjE2OTc5NTk5MjUsImlhdCI6MTY2NjQyMzkyNSwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyIsImF1ZCI6ImNpdmljIn0.HxnjNL8P7K0WHoCQXpvbxtu_yTrcdudj4GI4fjQZEoVXJ14IkssKUa3aJGWZ2vJkxqIogoLmywYFBjvLZqcc1vo3Q-aLlVEb7EkjsQU4Qo8BMsJ0ZS2_4cDewt9WBUrMA-fDy3UwgoxHlM5OCjQ5lKAPLLm2FJDJ-djFOf_z0le9FOZ4MqkU7u_lc57e0jdCwSZmIRIU5DPX90jh-p2r8OxBwRorjAwuiiu59wTtYyEpfdicSwb7mM7hM6nFp-zl14ogWGCiW20_Lx0sz-1EfzUgw-rH2xW5R_QDUQtHJ15Pq0mtck77i608y2IElnQgwYlmSmn7gpSUoNB7Bh7cBckRfV1YHh8CoReQOKjtfCbhZYVdFDuuUaIEYmI_E9W-C4BKWJkdtX3kCy576jCx15-N7VBzVYIpkOVHHeZdRkMLVJCts2W84it0lCXgMg7KfOcuv8Lzqj_IrSBmP6jgKiOhWJ0eWQLrKGBKOS5IxhK6kyQjZSKy8Yj-N_iBt1PP4e-EWBL2jlQ81ycm4_qgUmiADryUVRchUUAyT-y5TD_LTb2gu-7h_ElKFJ_9scWjxn-SguJi2ObYaFqTes9cNtMFLP3mi9wHhlCngb5_Bw1goV0XHR1H-PSX-XOQ0MzTK7KA8uT1PHbRCsHEFkjMaZgWEwfxTqXVt2LzT6PH_Qs"
+        }
+    },
+    "dev": {
+        "validTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjozMjUyODU5NDc1NCwiaWF0IjoxNzI5MDY2NTY4LCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8ifQ.vRQtCQqzV_m62rClHrOtiV7C2zBDOp6h51IgPvlX4-z9x5BDmgckZpNfxPo-Skl7Un5HwTmnqfEyrdsIUScI86Nf_jVt6oEwM1YE2PwygHPW6oE4-Nlipcpll7zNaQQTBVpfuz1bEC7xRqM3quH-RT_hEB4em8YrN0uIBtPrBJ3JpzSnjrLkdziLiSQbejYMLM69WCRCc0pT1V8oBRWxq3fd6s71ajZ8X-KIf5p5Nc24FzidK6X3Yb7pD9sq8BlqbGIDpdXJXNCPJz8kpN9AiggAJUpYeNV2zi0rm5O5-C8UHwOVkAd7SCc_rBxoUxJ9K8B_RX3mo0wKzjY_BVLrvba4R9Nbl5JYkaWPnvKaZDEebjdb3eHdljeomEtP1uYNOqTGqY0Pj8312WNjC6-HtDQFevzmZKYqLtExGuGMuj81V9QUO_SAWzPKZ_wgscJzdR_lFgCqL2uOE0CL6LcnXefyqiMMtsIh2BuBKBJHzCmBf26ezaOuR_hRH4wbJ2rawiqSInhwedeHC1MoVsEWcjealUJspWCfbTqGF-ewTmRAvXffkNjOiQNtclt63ap9gbE89tsNlG_TFICbHFAbn4rNTq6e1gpgke1Ouf9ex1UXrZb9HdfeN5o9-7IsPlEWblkxDKxqcj6YAukETfW7wYzt4tV_sxqO_uxiHhczRU8",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJpYXQiOjE3MjkwNjY1NjgsImV4cCI6MzI1Mjg1OTQ3NTQsImNsaWVudF9pZCI6ImRlbW8tY2xpZW50LTEiLCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8iLCJhdWQiOiJjaXZpYyJ9.CzQ_WXqFobV_fafE3K2dIUttvcFDxOGMT_GnUmdyg5HLB1MRCQYZItwZof_h-LdQp8suo4XyneclOJnQhCzlmDjOcEZOns_joh91t-zDX1jXIQNqC_evpzvfr5Rubz26gsKljk642ru0gkaH8cLHPJx3jgvtBrQzbLbzKJZRIhWqthrqdcKHKeUxN6g-LAFqQG7d-tP6cL_X1Q29IBpJ49SkpYFEDslLwQ_LU5zal_k-2tEyU6DfoFWB9hbNfBQy16SJzgDBDnZ3DadDSRjpXBwRa7m9ALa3A_qVln3K4wuTR46LFDqMKNAqf_sfy5tIJ6Zja5ehwxqmMwXtHomZY9OtfHDE511AZ6wGSagEpexe3eV-2TVwTvJBZnqfeLnnzlF9Z6qqq65lJ5XhO34Ylxnt-kqLqPOPwp-rYCJna-tUsEKAokkqKnHf2FycMQAaBx0grk5yyD2Y4CttlCfbdehoFSyWtTFvkjkk7MebLXqvMbqxXSmKaBn7Of0W6E9Qs6nJ5gWMaVuD9gc2H-BvQAQBUSYpl0TB_yPJKbiRb03HvvgZUdgB9XI9e5YFSMA0K_0SPtx4AgSLH2Coz-NxwLUtP22PUTNmm-04r8Sj0SVWw9w9mW4YXU3U4BGI_0fmIW3BMGgDk_9ghsumaNYKSe1P4qFLqh2jqEov0MagLck"
+        },
+        "differentSignerTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjozMjUyODU5NDc1NCwiaWF0IjoxNzI5MDY2NTY4LCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8ifQ.hEPfoJRHEttdCUttpFI1e5fVrPIboOsAqwNsnXR0ANpl9qJjbYgkwPhpTaoujCI2LoNmTNqTxdFuq19g03-EMIJCvfv2hi4NOSXCzk94EFumDLaKQNvSnyXBb3LolD45-OqRBUycvQcWgynRSCS_GaGncJ_qPfFarThwYuzRKF7XvBlQf7FbdnVAWwpuP9AU6dJDLZNJChm3wRrubsbMLzhtWbFhTAlrp7ACLoCkx6c3_IZs35Wcn-5DfdBRGYicrJvaqQ4xBTTLR0lE23VsLMPDAqgdcCOIduCobq6FuY8hAGkJwOZ-cW81KYrCGQn_47GDfaP_BsAUM4YblcCuAQ",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJpYXQiOjE3MjkwNjY1NjgsImV4cCI6MzI1Mjg1OTQ3NTQsImNsaWVudF9pZCI6ImRlbW8tY2xpZW50LTEiLCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8iLCJhdWQiOiJjaXZpYyJ9.VXHpr2yV7fk7ggPurT5zSlfcTrC6VfMGqt5KUi9bw3raetbwC7zdPNtNdcwLEGL1O-JvQB2JH6aDc24bLv6h2yyxNZufoq9LHQKZpJYEe6nEaeTIZkWG0TeKa1Kpj4Gq2C7ooNMPKdjb8hYu_4PN8uaB7z1jM55CLPr-SvSiOqpyZDDc92zShlYTGcUVKFUIM4mQ-vZv8064ck4L1ca0H3LvMegdiUg0WUcDttzcfRpqv9jw1g-CNGx4I-0Bqlb_EqGuY345-0_iH3AsMvFuhQn1SltYYrLLWm9drMpQh3YGtFGqu21Oz-geRrpfAmxRBF7fcgDC-0kwroP2ARymDw"
+        },
+        "expiredTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjoxNjk3OTU5OTI1LCJpYXQiOjE2NjY0MjM5MjUsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyJ9.MO0IdxEyNiOq4E5QdtpfSbnXQKiN8euC2ac0E0VWggUP4o5yoz29gqAzETP_omvOBfOn4hJjXTDPGqKXKg-Lz-oLdzF71aztskCerwDuB5PdqyCGMS9Qa2j40FTJ7RkuBG9PISUpGWYfZ28q7u94h8GyWtqRtPAF2aPD1rvckk-WTXLeMqEWtfEy0yCJ4MvEwp6MUgeb7EwRKUZ_cuVCE5Xm8rNebO9b2I3Jqdg8cNNyAxEYkWERBcfFtOfaQYD_8DNJvpNpJvZXAowaab7dzNgGBAxhTQ7s4S9h-Ly2nQIAIpbff_A4baI6rOqWfFxdzrxcFt34x0S_90Z3MXNziAb-ocG0WkPewRm0hvrF4E-zFTM4guTvtol0cKw9qWLb_JE-Idm9Zq-abkOS6FvM2E0j1iqKjT1GqM_EhOdIMzOidqxlls5v2UaaJ34PvR_1yTopm6Lguhr6uX3CW_F4A5tGAxsReeUDdGQAhkPYqZp8zjPUxjCA3cJEnMSGWHgqiBJ5lCLeH-SaccT828pSqYL8FrN0Qts3ILaElVVECHiWhN90lGaBSPw8pn19odH70wH651C2eonWKAKQMpNheGmyjrGE8n0jPwz-p-8ISp5H793wlWiTH2ay33METj0Vbgg-G1p1xcWD5WR4X-uyH1f-iNupvVNYn8mf0iPxM-I",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJleHAiOjE2OTc5NTk5MjUsImlhdCI6MTY2NjQyMzkyNSwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyIsImF1ZCI6ImNpdmljIn0.HxnjNL8P7K0WHoCQXpvbxtu_yTrcdudj4GI4fjQZEoVXJ14IkssKUa3aJGWZ2vJkxqIogoLmywYFBjvLZqcc1vo3Q-aLlVEb7EkjsQU4Qo8BMsJ0ZS2_4cDewt9WBUrMA-fDy3UwgoxHlM5OCjQ5lKAPLLm2FJDJ-djFOf_z0le9FOZ4MqkU7u_lc57e0jdCwSZmIRIU5DPX90jh-p2r8OxBwRorjAwuiiu59wTtYyEpfdicSwb7mM7hM6nFp-zl14ogWGCiW20_Lx0sz-1EfzUgw-rH2xW5R_QDUQtHJ15Pq0mtck77i608y2IElnQgwYlmSmn7gpSUoNB7Bh7cBckRfV1YHh8CoReQOKjtfCbhZYVdFDuuUaIEYmI_E9W-C4BKWJkdtX3kCy576jCx15-N7VBzVYIpkOVHHeZdRkMLVJCts2W84it0lCXgMg7KfOcuv8Lzqj_IrSBmP6jgKiOhWJ0eWQLrKGBKOS5IxhK6kyQjZSKy8Yj-N_iBt1PP4e-EWBL2jlQ81ycm4_qgUmiADryUVRchUUAyT-y5TD_LTb2gu-7h_ElKFJ_9scWjxn-SguJi2ObYaFqTes9cNtMFLP3mi9wHhlCngb5_Bw1goV0XHR1H-PSX-XOQ0MzTK7KA8uT1PHbRCsHEFkjMaZgWEwfxTqXVt2LzT6PH_Qs"
+        }
+    }
+}

package/test/unit/lib/oauth.test.ts

@@ -0,0 +1,72 @@
+import {
+  getOauthEndpoints,
+  getIssuerVariations,
+  displayModeFromState,
+  generateState,
+} from "@/lib/oauth.js";
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { oauthWellKnownResponse } from "../../support/fixtures.js";
+
+describe("getOauthEndpoints", () => {
+  afterEach(vi.clearAllMocks);
+
+  beforeEach(() => {
+    global.fetch = vi.fn().mockResolvedValue({
+      json: vi.fn().mockResolvedValue(oauthWellKnownResponse),
+    });
+  });
+
+  it("should translate the response from the auth server into an endpoints object", async () => {
+    const response = await getOauthEndpoints("https://example.com");
+    expect(response).toEqual({
+      auth: "https://auth-dev.civic.com/oauth/auth",
+      token: "https://auth-dev.civic.com/oauth/token",
+      jwks: "https://auth-dev.civic.com/oauth/jwks",
+      userinfo: "https://auth-dev.civic.com/oauth/me",
+    });
+  });
+});
+
+describe("getIssuerVariations", () => {
+  it("should return an array of variations of the issuer", () => {
+    const issuer = "https://example.com";
+    const variations = getIssuerVariations(issuer);
+    expect(variations).toEqual(["https://example.com", "https://example.com/"]);
+  });
+});
+
+describe("displayModeFromState", () => {
+  it("should return the display mode from the state", () => {
+    const state = "state";
+    const displayMode = "redirect";
+    const result = displayModeFromState(state, displayMode);
+
+    expect(result).toEqual(displayMode);
+  });
+
+  it("should extract the display mode correctly from state", () => {
+    const state =
+      "eyJ1dWlkIjoiMGY0NWU5YWItY2U1Ni00OWZiLTlkYmUtOGQ3ZmM3YTI3NDFhIiwiZGlzcGxheU1vZGUiOiJpZnJhbWUiLCJzZXJ2ZXJUb2tlbkV4Y2hhbmdlIjp0cnVlfQ";
+    const displayMode = "redirect";
+    const result = displayModeFromState(state, displayMode);
+
+    expect(result).toEqual("iframe");
+  });
+});
+
+describe("generateState", () => {
+  it("should generate a state string", () => {
+    const state = generateState("redirect");
+
+    expect(state).toBeTruthy();
+    expect(state).toHaveLength(96);
+  });
+
+  it('should generate a state string with "serverTokenExchange" key', () => {
+    const state = generateState("redirect", true);
+
+    expect(state).toBeTruthy();
+    const decoded = atob(state);
+    expect(JSON.parse(decoded)).toHaveProperty("serverTokenExchange", true);
+  });
+});

package/test/unit/logger.test.ts

@@ -0,0 +1,175 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import debug from "debug";
+import { createLogger } from "../../src/lib/logger.js";
+
+// Mock the debug package
+vi.mock("debug", () => {
+  const debugInstance = vi.fn();
+  const debug = vi.fn(() => debugInstance);
+  // Add color property to match debug package API
+  Object.defineProperty(debugInstance, "color", {
+    set: vi.fn(),
+    get: vi.fn(),
+  });
+  return { default: debug };
+});
+
+describe("Logger", () => {
+  let mockDebug: ReturnType<typeof debug>;
+  let debugInstance: ReturnType<typeof vi.fn>;
+  let logger: ReturnType<typeof createLogger>;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockDebug = debug as unknown as ReturnType<typeof debug>;
+    debugInstance = mockDebug("test") as unknown as ReturnType<typeof vi.fn>;
+    logger = createLogger("test");
+  });
+
+  it("should create debug instances with correct namespaces", () => {
+    logger = createLogger("api:routes");
+
+    // Verify that debug was called with the correct namespaces
+    expect(mockDebug).toHaveBeenCalledWith("@civic/auth:api:routes:debug");
+    expect(mockDebug).toHaveBeenCalledWith("@civic/auth:api:routes:info");
+    expect(mockDebug).toHaveBeenCalledWith("@civic/auth:api:routes:warn");
+    expect(mockDebug).toHaveBeenCalledWith("@civic/auth:api:routes:error");
+  });
+
+  it("should log debug messages with context", () => {
+    const context = { requestId: "123", userId: "456" };
+    logger.debug("Processing request", context);
+
+    expect(debugInstance).toHaveBeenCalledWith("Processing request", context);
+  });
+
+  it("should log info messages with multiple arguments", () => {
+    const requestId = "123";
+    const duration = 456;
+    logger.info("Request completed", { requestId, duration });
+
+    expect(debugInstance).toHaveBeenCalledWith("Request completed", {
+      requestId,
+      duration,
+    });
+  });
+
+  it("should log warning messages with structured data", () => {
+    const warning = {
+      code: "RATE_LIMIT",
+      requestId: "123",
+      limit: 100,
+      current: 95,
+    };
+
+    logger.warn("Rate limit approaching", warning);
+
+    expect(debugInstance).toHaveBeenCalledWith(
+      "Rate limit approaching",
+      warning,
+    );
+  });
+
+  it("should log error messages with error objects", () => {
+    const error = new Error("Database connection failed");
+    const context = {
+      requestId: "123",
+      operation: "getUserProfile",
+    };
+
+    logger.error("Operation failed", { error, ...context });
+
+    expect(debugInstance).toHaveBeenCalledWith("Operation failed", {
+      error,
+      ...context,
+    });
+  });
+
+  it("should handle undefined arguments", () => {
+    logger.info("Simple message");
+
+    expect(debugInstance).toHaveBeenCalledWith("Simple message");
+  });
+
+  it("should handle null values in context", () => {
+    const context = {
+      userId: null,
+      sessionId: undefined,
+      requestId: "123",
+    };
+
+    logger.debug("User context", context);
+
+    expect(debugInstance).toHaveBeenCalledWith("User context", context);
+  });
+
+  // Testing different logger namespaces
+  describe("Logger namespaces", () => {
+    it("should create db logger with correct namespace", () => {
+      const dbLogger = createLogger("api:db");
+      dbLogger.info("DB Operation");
+
+      expect(mockDebug).toHaveBeenCalledWith("@civic/auth:api:db:info");
+    });
+
+    it("should create auth handler logger with correct namespace", () => {
+      const authLogger = createLogger("api:handlers:auth");
+      authLogger.debug("Auth check");
+
+      expect(mockDebug).toHaveBeenCalledWith(
+        "@civic/auth:api:handlers:auth:debug",
+      );
+    });
+  });
+
+  // Integration-style tests
+  describe("Real-world scenarios", () => {
+    it("should log complete request lifecycle", () => {
+      const requestLogger = createLogger("api:request");
+      const requestId = "123";
+      const start = Date.now();
+
+      requestLogger.debug("Request started", {
+        requestId,
+        method: "GET",
+        path: "/api/users",
+      });
+      requestLogger.info("Processing request", { requestId, userId: "456" });
+      requestLogger.debug("DB query executed", { requestId, duration: 50 });
+      requestLogger.info("Request completed", {
+        requestId,
+        duration: Date.now() - start,
+        status: 200,
+      });
+
+      expect(debugInstance).toHaveBeenCalledTimes(4);
+    });
+
+    it("should log error scenario with full context", () => {
+      const requestLogger = createLogger("api:request");
+      const requestId = "123";
+      const error = new Error("Invalid user input");
+      const context = {
+        userId: "456",
+        input: { email: "invalid" },
+        validation: { failed: true, errors: ["Invalid email format"] },
+      };
+
+      requestLogger.debug("Validating input", {
+        requestId,
+        input: context.input,
+      });
+      requestLogger.warn("Validation failed", {
+        requestId,
+        validation: context.validation,
+      });
+      requestLogger.error("Request failed", {
+        requestId,
+        error,
+        context,
+      });
+
+      expect(debugInstance).toHaveBeenCalledTimes(3);
+    });
+  });
+});

package/test/unit/nextjs/NextAuthProvider.test.tsx

@@ -0,0 +1,38 @@
+import { render } from "@testing-library/react";
+import { describe, it, vi, expect } from "vitest";
+import { CivicNextAuthProvider } from "@/nextjs/providers/NextAuthProvider.js";
+import { resolveAuthConfig } from "@/nextjs/config.js";
+import React from "react";
+
+vi.mock("@/nextjs/config.js", () => ({
+  resolveAuthConfig: vi.fn(() => ({
+    clientId: "test-client-id",
+    oauthServer: "https://example.com",
+    callbackUrl: "https://example.com/callback",
+    challengeUrl: "https://example.com/challenge",
+    logoutUrl: "https://example.com/logout",
+  })),
+}));
+
+vi.mock("@/nextjs/hooks/useUserCookie", () => ({
+  useUserCookie: vi.fn(),
+}));
+
+vi.mock("@/nextjs/hooks/useTokenCookie", () => ({
+  useTokenCookie: vi.fn(),
+}));
+
+describe("CivicNextAuthProvider", () => {
+  it("should call resolveAuthConfig with no arguments", () => {
+    const children = <div>Test Content</div>;
+
+    render(
+      <CivicNextAuthProvider>
+        {children}
+      </CivicNextAuthProvider>
+    );
+
+    // The Next implementation should take all config from the next.config.js file, no config taken from provider props.
+    expect(resolveAuthConfig).toHaveBeenCalledWith();
+  });
+});