@codefox-inc/oauth-provider 0.4.0 → 0.4.2

package/src/component/__tests__/handlers-protocol.test.ts

@@ -109,6 +109,27 @@ describe("OAuth handler protocol checks", () => {
         expect(issueAuthorizationCode).not.toHaveBeenCalled();
     });
 
+    test("authorization endpoint rejects unsupported request object parameters", async () => {
+        const issueAuthorizationCode = vi.fn(async () => "code");
+
+        for (const parameter of ["request", "request_uri"]) {
+            const response = await authorizeHandler(
+                {} as any,
+                new Request(`https://example.com/oauth/authorize?response_type=code&client_id=client&redirect_uri=https%3A%2F%2Fcb&scope=openid&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256&consent=approve&${parameter}=unsupported`, {
+                    method: "GET",
+                    headers: { Origin: "https://example.com" },
+                }),
+                { ...config, getUserId: async () => "user" },
+                makeApi({ mutations: { issueAuthorizationCode } as any })
+            );
+
+            expect(response.status).toBe(302);
+            const redirect = new URL(response.headers.get("Location") as string);
+            expect(redirect.searchParams.get("error")).toBe("invalid_request");
+        }
+        expect(issueAuthorizationCode).not.toHaveBeenCalled();
+    });
+
     test("authorization endpoint rejects code_challenge values outside PKCE ABNF", async () => {
         const issueAuthorizationCode = vi.fn(async () => "code");
 
@@ -149,6 +170,88 @@ describe("OAuth handler protocol checks", () => {
         );
     });
 
+    test("authorization endpoint allows prompt=none when existing consent covers the request", async () => {
+        const issueAuthorizationCode = vi.fn(async () => "silent-code");
+
+        const response = await authorizeHandler(
+            {} as any,
+            new Request("https://example.com/oauth/authorize?response_type=code&client_id=client&redirect_uri=https%3A%2F%2Fcb&scope=openid%20profile&prompt=none&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256", {
+                method: "GET",
+                headers: { Origin: "https://example.com" },
+            }),
+            { ...config, getUserId: async () => "user" },
+            makeApi({
+                queries: {
+                    getAuthorization: async () => ({
+                        userId: "user",
+                        clientId: "client",
+                        scopes: ["openid", "profile", "email"],
+                    }),
+                } as any,
+                mutations: { issueAuthorizationCode } as any,
+            })
+        );
+
+        expect(response.status).toBe(302);
+        const redirect = new URL(response.headers.get("Location") as string);
+        expect(redirect.searchParams.get("code")).toBe("silent-code");
+        expect(issueAuthorizationCode).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.objectContaining({ scopes: ["openid", "profile"] })
+        );
+    });
+
+    test("authorization endpoint preserves offline_access for prompt=none when prior consent covers it", async () => {
+        const issueAuthorizationCode = vi.fn(async () => "silent-code");
+
+        const response = await authorizeHandler(
+            {} as any,
+            new Request("https://example.com/oauth/authorize?response_type=code&client_id=client&redirect_uri=https%3A%2F%2Fcb&scope=openid%20offline_access&prompt=none&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256", {
+                method: "GET",
+                headers: { Origin: "https://example.com" },
+            }),
+            { ...config, getUserId: async () => "user" },
+            makeApi({
+                queries: {
+                    getAuthorization: async () => ({
+                        userId: "user",
+                        clientId: "client",
+                        scopes: ["openid", "offline_access"],
+                    }),
+                } as any,
+                mutations: { issueAuthorizationCode } as any,
+            })
+        );
+
+        expect(response.status).toBe(302);
+        expect(issueAuthorizationCode).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.objectContaining({ scopes: ["openid", "offline_access"] })
+        );
+    });
+
+    test("authorization endpoint returns server_error for prompt=none when component API is missing getAuthorization", async () => {
+        const issueAuthorizationCode = vi.fn(async () => "silent-code");
+
+        const response = await authorizeHandler(
+            {} as any,
+            new Request("https://example.com/oauth/authorize?response_type=code&client_id=client&redirect_uri=https%3A%2F%2Fcb&scope=openid&prompt=none&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256", {
+                method: "GET",
+                headers: { Origin: "https://example.com" },
+            }),
+            { ...config, getUserId: async () => "user" },
+            makeApi({
+                queries: { getAuthorization: undefined } as any,
+                mutations: { issueAuthorizationCode } as any,
+            })
+        );
+
+        expect(response.status).toBe(302);
+        const redirect = new URL(response.headers.get("Location") as string);
+        expect(redirect.searchParams.get("error")).toBe("server_error");
+        expect(issueAuthorizationCode).not.toHaveBeenCalled();
+    });
+
     test("authorization endpoint returns login_required for max_age it cannot safely satisfy", async () => {
         const issueAuthorizationCode = vi.fn(async () => "code");
 
@@ -230,6 +333,51 @@ describe("OAuth handler protocol checks", () => {
         await expect(response.json()).resolves.toMatchObject({ error: "invalid_target" });
     });
 
+    test("token endpoint delegates refresh-token reuse detection to rotation without a family revocation API", async () => {
+        const { privateKey } = await generateKeyPair("RS256", { extractable: true });
+        const privateKeyPem = await exportPKCS8(privateKey);
+        const rotateRefreshToken = vi.fn(async () => ({
+            error: "refresh_token_reuse_detected",
+            revokedTokens: 2,
+            authorizationDeleted: true,
+        }));
+        const updateAuthorizationLastUsed = vi.fn(async () => undefined);
+
+        const response = await tokenHandler(
+            {} as any,
+            new Request("https://example.com/oauth/token", {
+                method: "POST",
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    client_id: "client",
+                    refresh_token: "rotated-rt",
+                    client_secret: "secret",
+                }),
+            }),
+            { ...config, privateKey: privateKeyPem },
+            makeApi({
+                queries: {
+                    getRefreshToken: async () => ({
+                        clientId: "client",
+                        userId: "user",
+                        scopes: ["openid", "offline_access"],
+                        refreshTokenExpiresAt: Date.now() + 3600000,
+                        refreshTokenRotatedAt: Date.now() - 1000,
+                        refreshTokenFamilyId: "family",
+                        authorizationCode: "code",
+                    }),
+                } as any,
+                mutations: { rotateRefreshToken, updateAuthorizationLastUsed } as any,
+            })
+        );
+
+        expect(rotateRefreshToken).toHaveBeenCalledOnce();
+        expect(updateAuthorizationLastUsed).not.toHaveBeenCalled();
+        expect(response.status).toBe(400);
+        const body = await response.json();
+        expect(body.error).toBe("invalid_grant");
+    });
+
     test("token endpoint stores the default audience on refresh tokens when no resource is requested", async () => {
         const { privateKey, publicKey } = await generateKeyPair("RS256", { extractable: true });
         const privateKeyPem = await exportPKCS8(privateKey);
@@ -723,6 +871,40 @@ describe("OAuth handler protocol checks", () => {
         );
     });
 
+    test("DCR preserves provider-supported offline_access for later authorization requests", async () => {
+        const registerClient = vi.fn(async () => ({
+            clientId: "client",
+            clientSecret: "secret",
+            clientIdIssuedAt: 0,
+        }));
+
+        const response = await registerHandler(
+            {} as any,
+            new Request("https://example.com/oauth/register", {
+                method: "POST",
+                body: JSON.stringify({
+                    redirect_uris: ["https://client.example.com/cb"],
+                    scope: "openid profile email",
+                    token_endpoint_auth_method: "none",
+                }),
+                headers: { "Content-Type": "application/json" },
+            }),
+            config,
+            makeApi({ clientManagement: { registerClient } as any })
+        );
+
+        expect(response.status).toBe(201);
+        expect(registerClient).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.objectContaining({
+                scopes: ["openid", "profile", "email", "offline_access"],
+            })
+        );
+        await expect(response.json()).resolves.toMatchObject({
+            scope: "openid profile email offline_access",
+        });
+    });
+
     test("DCR rejects unsafe metadata URLs before saving", async () => {
         const registerClient = vi.fn();
 

package/src/component/__tests__/oauth.test.ts

@@ -37,8 +37,11 @@ describe("OAuth 2.1 Flow", () => {
         expect(result.clientSecret).toBeDefined();
 
         // Check DB for Hash
-        const clientInDb = await t.query(api.queries.getClient, {
-            clientId: result.clientId
+        const clientInDb = await t.run(async (ctx: any) => {
+            return await ctx.db
+                .query("oauthClients")
+                .withIndex("by_client_id", (q: any) => q.eq("clientId", result.clientId))
+                .unique();
         });
         expect(clientInDb).toBeDefined();
         // Secret in DB should NOT be the plain secret returned
@@ -1671,7 +1674,7 @@ describe("OAuth 2.1 Flow", () => {
         expect(response.status).toBe(400);
         const body = await response.json();
         expect(body.error).toBe("invalid_request");
-        expect(body.error_description).toContain("Database error");
+        expect(body.error_description).toBe("Invalid client metadata");
     });
 
     test("Register Handler: succeeds with confidential client", async () => {
@@ -2019,7 +2022,7 @@ describe("OAuth 2.1 Flow", () => {
         expect(response.status).toBe(400);
         const body = await response.json();
         expect(body.error).toBe("invalid_request");
-        expect(body.error_description).toBe("Database error");
+        expect(body.error_description).toBe("Invalid request");
     });
 
     test("Authorize Handler: returns error when getUserId not configured", async () => {
@@ -2142,14 +2145,14 @@ describe("OAuth 2.1 Flow", () => {
             refreshTokenExpiresAt: Date.now() + 864000000,
         });
 
-        // 3. Verify Old Token Gone (tokens are stored as hashes)
+        // 3. Verify Old Token Kept as Rotation Tombstone (tokens are stored as hashes)
         const oldTokenHash = await hashToken(oldRefreshToken);
         const oldTokenRecord = await t.run(async (ctx) => {
             return await ctx.db.query("oauthTokens")
                 .filter(q => q.eq(q.field("refreshToken"), oldTokenHash))
                 .first();
         });
-        expect(oldTokenRecord).toBeNull();
+        expect(oldTokenRecord?.refreshTokenRotatedAt).toBeDefined();
 
         // 4. Verify New Token Exists (stored as hash)
         const newTokenHash = await hashToken(newRefreshToken);
@@ -2163,8 +2166,8 @@ describe("OAuth 2.1 Flow", () => {
         expect(newTokenRecord?.accessToken).toBe(await hashToken(accessToken));
 
         // 5. Replay Attack (Try to rotate old token again)
-        await expect(t.mutation(api.mutations.rotateRefreshToken, {
-            oldRefreshToken: oldRefreshToken, // Already used/deleted
+        const replayResult: any = await t.mutation(api.mutations.rotateRefreshToken, {
+            oldRefreshToken: oldRefreshToken, // Already used/rotated
             accessToken: "at2",
             refreshToken: "rt2",
             clientId: client.clientId,
@@ -2172,7 +2175,8 @@ describe("OAuth 2.1 Flow", () => {
             scopes: ["openid"],
             expiresAt: Date.now() + 3600000,
             refreshTokenExpiresAt: Date.now() + 864000000,
-        })).rejects.toThrow(); // Should fail "invalid_grant"
+        });
+        expect(replayResult.error).toBe("refresh_token_reuse_detected");
     });
 
     // ==========================================
@@ -2448,7 +2452,7 @@ describe("OAuth 2.1 Flow", () => {
         expect(auths[0].clientWebsite).toBe("https://example.com");
     });
 
-    test("Authorization: upsertAuthorization (merge scopes)", async () => {
+    test("Authorization: upsertAuthorization replaces scopes with the latest consent", async () => {
         const userId = "user-1";
         const client = await t.mutation(api.clientManagement.registerClient, {
             name: "Client",
@@ -2464,7 +2468,7 @@ describe("OAuth 2.1 Flow", () => {
             scopes: ["openid"]
         });
 
-        // Second authorization (should merge scopes)
+        // Second authorization narrows/replaces the stored grant.
         await t.mutation(api.mutations.upsertAuthorization, {
             userId,
             clientId: client.clientId,
@@ -2475,8 +2479,7 @@ describe("OAuth 2.1 Flow", () => {
             userId,
             clientId: client.clientId
         });
-        expect(auth?.scopes).toContain("openid");
-        expect(auth?.scopes).toContain("profile");
+        expect(auth?.scopes).toEqual(["profile"]);
     });
 
     test("Authorization: updateAuthorizationLastUsed", async () => {
@@ -2996,7 +2999,7 @@ codeHash: "test-code-hash",
         ).rejects.toThrow("invalid_code_verifier");
     });
 
-    test("consumeAuthCode: rejects plain PKCE verification failure", async () => {
+    test("consumeAuthCode: rejects stored plain PKCE method", async () => {
         const userId = "test-user-id";
         const client = await t.mutation(api.clientManagement.registerClient, {
             name: "Test Client",
@@ -3027,7 +3030,7 @@ codeHash: "test-code-hash",
                 redirectUri: "https://cb",
                 codeVerifier: "wrong-verifier",
             })
-        ).rejects.toThrow("invalid_code_verifier");
+        ).rejects.toThrow("unsupported_code_challenge_method");
     });
 
     test("consumeAuthCode: rejects expired code", async () => {

package/src/component/__tests__/rfc-compliance.test.ts

@@ -510,6 +510,189 @@ describe("OAuth 2.1 RFC Compliance", () => {
       expect(result1.userId).toBeDefined();
       // Note: Refresh token rotation is tested at handler level where tokens are issued
     });
+
+    test("refresh token reuse revokes the active token family and authorization", async () => {
+      const t = convexTest(schema, modules);
+
+      const client = await t.mutation(api.clientManagement.registerClient, {
+        name: "Reuse Detection Client",
+        type: "public",
+        redirectUris: ["https://example.com/callback"],
+        scopes: ["openid", "offline_access"],
+      });
+
+      await t.mutation(api.mutations.upsertAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+        scopes: ["openid", "offline_access"],
+      });
+
+      await t.mutation(api.mutations.saveTokens, {
+        accessToken: "access-token-1",
+        refreshToken: "refresh-token-1",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+        authorizationCode: "authorization-code-family",
+      });
+
+      await t.mutation(api.mutations.rotateRefreshToken, {
+        oldRefreshToken: "refresh-token-1",
+        accessToken: "access-token-2",
+        refreshToken: "refresh-token-2",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+      });
+
+      const reuseResult: any = await t.mutation(api.mutations.rotateRefreshToken, {
+        oldRefreshToken: "refresh-token-1",
+        accessToken: "access-token-3",
+        refreshToken: "refresh-token-3",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+      });
+
+      expect(reuseResult.error).toBe("refresh_token_reuse_detected");
+
+      const remainingTokens = await t.run(async (ctx) => {
+        return await ctx.db
+          .query("oauthTokens")
+          .filter((q) => q.eq(q.field("clientId"), client.clientId))
+          .collect();
+      });
+      expect(remainingTokens).toHaveLength(0);
+
+      const authorization = await t.query(api.queries.getAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+      });
+      expect(authorization).toBeNull();
+    });
+
+    test("refresh token reuse after multiple rotations revokes the whole token family", async () => {
+      const t = convexTest(schema, modules);
+
+      const client = await t.mutation(api.clientManagement.registerClient, {
+        name: "Multi Rotate Reuse Client",
+        type: "public",
+        redirectUris: ["https://example.com/callback"],
+        scopes: ["openid", "offline_access"],
+      });
+
+      await t.mutation(api.mutations.upsertAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+        scopes: ["openid", "offline_access"],
+      });
+
+      await t.mutation(api.mutations.saveTokens, {
+        accessToken: "access-token-1",
+        refreshToken: "refresh-token-1",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+        authorizationCode: "authorization-code-family",
+      });
+
+      await t.mutation(api.mutations.rotateRefreshToken, {
+        oldRefreshToken: "refresh-token-1",
+        accessToken: "access-token-2",
+        refreshToken: "refresh-token-2",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+      });
+
+      await t.mutation(api.mutations.rotateRefreshToken, {
+        oldRefreshToken: "refresh-token-2",
+        accessToken: "access-token-3",
+        refreshToken: "refresh-token-3",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+      });
+
+      const reuseResult: any = await t.mutation(api.mutations.rotateRefreshToken, {
+        oldRefreshToken: "refresh-token-2",
+        accessToken: "access-token-4",
+        refreshToken: "refresh-token-4",
+        clientId: client.clientId,
+        userId: "user123",
+        scopes: ["openid", "offline_access"],
+        expiresAt: Date.now() + 3600000,
+        refreshTokenExpiresAt: Date.now() + 2592000000,
+      });
+
+      expect(reuseResult.error).toBe("refresh_token_reuse_detected");
+
+      const remainingTokens = await t.run(async (ctx) => {
+        return await ctx.db
+          .query("oauthTokens")
+          .filter((q) => q.eq(q.field("clientId"), client.clientId))
+          .collect();
+      });
+      expect(remainingTokens).toHaveLength(0);
+
+      const authorization = await t.query(api.queries.getAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+      });
+      expect(authorization).toBeNull();
+    });
+
+    test("cleanupExpired preserves rotated refresh-token tombstones while descendants are active", async () => {
+      const t = convexTest(schema, modules);
+
+      await t.run(async (ctx) => {
+        await ctx.db.insert("oauthTokens", {
+          accessToken: "a".repeat(64),
+          refreshToken: "b".repeat(64),
+          clientId: "client",
+          userId: "user",
+          scopes: ["openid", "offline_access"],
+          expiresAt: Date.now() - 31 * 24 * 60 * 60 * 1000,
+          refreshTokenExpiresAt: Date.now() - 1000,
+          authorizationCode: "authorization-code-family",
+          refreshTokenFamilyId: "family",
+          refreshTokenRotatedAt: Date.now() - 30 * 24 * 60 * 60 * 1000,
+        });
+        await ctx.db.insert("oauthTokens", {
+          accessToken: "c".repeat(64),
+          refreshToken: "d".repeat(64),
+          clientId: "client",
+          userId: "user",
+          scopes: ["openid", "offline_access"],
+          expiresAt: Date.now() - 1000,
+          refreshTokenExpiresAt: Date.now() + 30 * 24 * 60 * 60 * 1000,
+          authorizationCode: "authorization-code-family",
+          refreshTokenFamilyId: "family",
+        });
+      });
+
+      await t.mutation(internal.mutations.cleanupExpired, {});
+
+      const tombstone = await t.run(async (ctx) => {
+        return await ctx.db
+          .query("oauthTokens")
+          .withIndex("by_refresh_token", (q) => q.eq("refreshToken", "b".repeat(64)))
+          .unique();
+      });
+      expect(tombstone?.refreshTokenRotatedAt).toBeDefined();
+    });
   });
 
   describe("Section 5.1 - Bearer Token Usage", () => {
@@ -739,6 +922,12 @@ describe("OAuth 2.1 RFC Compliance", () => {
       expect(codeData.userId).toBe("user123");
       expect(codeData.codeHash).toBeDefined(); // Verify codeHash is returned
 
+      await t.mutation(api.mutations.upsertAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+        scopes: ["openid", "profile"],
+      });
+
       // Save tokens using the returned codeHash
       await t.mutation(api.mutations.saveTokens, {
         accessToken: "test-access-token",
@@ -796,6 +985,12 @@ describe("OAuth 2.1 RFC Compliance", () => {
 
       expect(tokensAfter.length).toBe(0); // All tokens should be deleted
 
+      const authorizationAfter = await t.query(api.queries.getAuthorization, {
+        userId: "user123",
+        clientId: client.clientId,
+      });
+      expect(authorizationAfter).toBeNull();
+
       await expect(
         t.mutation(api.mutations.saveTokens, {
           accessToken: "replayed-access-token",
@@ -810,6 +1005,44 @@ describe("OAuth 2.1 RFC Compliance", () => {
       ).rejects.toThrow("authorization_code_reuse_detected");
     });
 
+    test("used auth code tombstone survives while descendant refresh tokens are still valid", async () => {
+      const t = convexTest(schema, modules);
+
+      await t.run(async (ctx) => {
+        await ctx.db.insert("oauthCodes", {
+          code: "b".repeat(64),
+          clientId: "client",
+          userId: "user",
+          scopes: ["openid", "offline_access"],
+          redirectUri: "https://cb",
+          codeChallenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
+          codeChallengeMethod: "S256",
+          expiresAt: Date.now() - 31 * 24 * 60 * 60 * 1000,
+          usedAt: Date.now() - 31 * 24 * 60 * 60 * 1000,
+        });
+        await ctx.db.insert("oauthTokens", {
+          accessToken: "a".repeat(64),
+          refreshToken: "c".repeat(64),
+          clientId: "client",
+          userId: "user",
+          scopes: ["openid", "offline_access"],
+          expiresAt: Date.now() - 1000,
+          refreshTokenExpiresAt: Date.now() + 29 * 24 * 60 * 60 * 1000,
+          authorizationCode: "b".repeat(64),
+        });
+      });
+
+      await t.mutation(internal.mutations.cleanupExpired, {});
+
+      const remaining = await t.run(async (ctx) => {
+        return await ctx.db
+          .query("oauthCodes")
+          .withIndex("by_code", (q) => q.eq("code", "b".repeat(64)))
+          .unique();
+      });
+      expect(remaining).not.toBeNull();
+    });
+
     test("RFC Line 1136: Single use enforcement - code is marked as used", async () => {
       const t = convexTest(schema, modules);
 

package/src/component/clientManagement.ts

@@ -26,6 +26,7 @@ function isValidRedirectUri(uri: string): boolean {
     const isLoopback =
         host === "localhost" ||
         host === "127.0.0.1" ||
+        host === "[::1]" ||
         host === "::1";
 
     if (parsed.protocol === "https:") return true;
@@ -212,6 +213,16 @@ export const deleteClient = mutation({
             await ctx.db.delete(code._id);
         }
 
+        // Delete all authorization records for this client
+        const authorizations = await ctx.db
+            .query("oauthAuthorizations")
+            .filter(q => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+
+        for (const authorization of authorizations) {
+            await ctx.db.delete(authorization._id);
+        }
+
         // Delete the client
         await ctx.db.delete(client._id);