@crossauth/sveltekit 1.0.1 → 1.1.1

package/dist/tests/sveltekitadminclientendpoints.test.js

@@ -0,0 +1,330 @@
+// Copyright (c) 2026 Matthew Baker.  All rights reserved.  Licenced under the Apache Licence 2.0.  See LICENSE file
+import { MockRequestEvent } from './sveltemocks';
+import { test, expect } from 'vitest';
+import { makeServer, getCsrfToken, login } from './testshared';
+export var passwordResetData;
+test('SvelteKitAdminClientEndpoints.selectClients_user', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // select clients
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken,
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, { id: "bob" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminClientEndpoints.searchClients(event, undefined, undefined, undefined, "bob");
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.clients?.length).toBe(1);
+});
+test('SvelteKitAdminClientEndpoints.selectClients_all', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // select clients
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken,
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, { id: "bob" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminClientEndpoints.searchClients(event, undefined, undefined, undefined);
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.clients?.length).toBe(2);
+});
+test('SvelteKitAdminClientEndpoints.updateClient', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "GET",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, { client_id: "ABC" });
+    event.locals.csrfToken = csrfToken;
+    let status = 200;
+    let resp1 = {};
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.updateClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(401);
+    event = new MockRequestEvent("1", getRequest, { client_id: "ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    status = 200;
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.updateClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(200);
+    event = new MockRequestEvent("1", getRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.updateClientEndpoint.load(event);
+    expect(resp1?.ok).toBe(true);
+    let postRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&client_name=newName&confidential=on&redirect_uri=http://uri1.com/redirect&authorizationCode=on",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    event = new MockRequestEvent("1", postRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.updateClientEndpoint.actions.default(event);
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.client?.client_name).toBe("newName");
+    expect(resp1?.plaintextSecret).toBeUndefined();
+    expect(resp1?.client?.client_secret).toContain("pbkdf2:sha256");
+    postRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&client_name=newName&confidential=on&redirect_uri=http://uri1.com/redirect&authorizationCode=on&resetSecret=on",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    event = new MockRequestEvent("1", postRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.updateClientEndpoint.actions.default(event);
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.plaintextSecret).toBeDefined();
+    expect(resp1?.client?.client_secret).not.toContain("pbkdf2:sha256");
+});
+test('SvelteKitAdminClientEndpoints.deleteClient', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "GET",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, { client_id: "ABC" });
+    event.locals.csrfToken = csrfToken;
+    let status = 200;
+    let resp1 = {};
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.deleteClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(401);
+    event = new MockRequestEvent("1", getRequest, { client_id: "ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    status = 200;
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.deleteClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(200);
+    event = new MockRequestEvent("1", getRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.deleteClientEndpoint.load(event);
+    expect(resp1?.ok).toBe(true);
+    let postRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken,
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    event = new MockRequestEvent("1", postRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.deleteClientEndpoint.actions.default(event);
+    expect(resp1?.ok).toBe(true);
+});
+test('SvelteKitAdminClientEndpoints.createClient', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "GET",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, {});
+    event.locals.csrfToken = csrfToken;
+    let status = 200;
+    let resp1 = {};
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(401);
+    event = new MockRequestEvent("1", getRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.load(event);
+    expect(resp1?.ok).toBe(true);
+    let postRequest = new Request("http://ex.com/oauth/clients", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&client_name=newName&confidential=on&redirect_uri=http://uri1.com/redirect&authorizationCode=on",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    event = new MockRequestEvent("1", postRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.actions.default(event);
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.client?.client_name).toBe("newName");
+    expect(resp1?.plaintextSecret).toBeUndefined();
+    expect(resp1?.client?.client_secret).not.toContain("pbkdf2:sha256");
+    expect(resp1?.client?.userid).toBeUndefined();
+});
+test('SvelteKitAdminClientEndpoints.createClientForUser', async () => {
+    const { server, resolver, handle } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    let getRequest = new Request("http://ex.com/oauth/clients", {
+        method: "GET",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", getRequest, {});
+    event.locals.csrfToken = csrfToken;
+    let status = 200;
+    let resp1 = {};
+    try {
+        resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.load(event);
+    }
+    catch (e) {
+        if (e && typeof (e) == "object" && "status" in e && typeof (e.status) == "number")
+            status = e.status;
+    }
+    expect(status).toBe(401);
+    event = new MockRequestEvent("1", getRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.load(event);
+    expect(resp1?.ok).toBe(true);
+    let postRequest = new Request("http://ex.com/oauth/clients?userid=bob", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&client_name=newName&confidential=on&redirect_uri=http://uri1.com/redirect&authorizationCode=on&userid=bob",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    event = new MockRequestEvent("1", postRequest, { client_id: "bob_ABC" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    resp1 = await server.sessionServer?.adminClientEndpoints.createClientEndpoint.actions.default(event);
+    expect(resp1?.ok).toBe(true);
+    expect(resp1?.client?.client_name).toBe("newName");
+    expect(resp1?.plaintextSecret).toBeUndefined();
+    expect(resp1?.client?.client_secret).not.toContain("pbkdf2:sha256");
+    expect(resp1?.client?.userid).toBe("bob");
+});

package/dist/tests/sveltekitadminendpoints.test.js

@@ -0,0 +1,242 @@
+// Copyright (c) 2026 Matthew Baker.  All rights reserved.  Licenced under the Apache Licence 2.0.  See LICENSE file
+import { MockRequestEvent } from './sveltemocks';
+import { test, expect } from 'vitest';
+import { makeServer, getCsrfToken, login } from './testshared';
+import { UserState } from '@crossauth/common';
+export var passwordResetData;
+test('SvelteKitAdminEndpoints.deleteUser', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // delete user
+    let postRequest = new Request("http://ex.com/admin/users/delete", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken,
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, { id: "bob" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminEndpoints.deleteUser(event);
+    expect(resp1?.ok).toBe(true);
+    let found = false;
+    try {
+        await userStorage.getUserByUsername("bob");
+        found = true;
+    }
+    catch (e) { }
+    expect(found).toBe(false);
+});
+test('SvelteKitAdminEndpoints.createUser', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // create user
+    let postRequest = new Request("http://ex.com/admin/users/create", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&" +
+            "username=mary&" +
+            "password=maryPass123" +
+            "repeat_password=maryPass123&" +
+            "user_email=mary@mary.com&" +
+            "user_phone=12345",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminEndpoints.createUser(event);
+    expect(resp1?.ok).toBe(true);
+    let found = false;
+    try {
+        await userStorage.getUserByUsername("mary");
+        found = true;
+    }
+    catch (e) { }
+    expect(found).toBe(true);
+});
+test('SvelteKitAdminEndpoints.createUserNoPassword', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // @ts-ignore
+    server["sessionServer"]["sessionManager"]["tokenEmailer"]["_sendPasswordResetToken"] = async function (token, email, extraData) {
+        passwordResetData = { token, extraData };
+    };
+    // create user
+    let postRequest = new Request("http://ex.com/admin/users/create", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&" +
+            "username=mary&" +
+            "user_email=mary@mary.com&" +
+            "user_phone=12345",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminEndpoints.createUser(event);
+    expect(resp1?.ok).toBe(true);
+    let newUser = undefined;
+    try {
+        const resp2 = await userStorage.getUserByUsername("mary", { skipActiveCheck: true });
+        newUser = resp2.user;
+    }
+    catch (e) { }
+    expect(newUser).toBeDefined();
+    expect(newUser?.state).toBe(UserState.passwordResetNeeded);
+});
+test('SvelteKitAdminEndpoints.createUserFactor2', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // create user
+    let postRequest = new Request("http://ex.com/admin/users/create", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&" +
+            "username=mary&" +
+            "user_email=mary@mary.com&" +
+            "user_phone=12345&" +
+            "password=maryPass123" +
+            "repeat_password=maryPass123&" +
+            "factor2=dummyFactor2",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminEndpoints.createUser(event);
+    expect(resp1?.ok).toBe(true);
+    let newUser = undefined;
+    try {
+        const resp2 = await userStorage.getUserByUsername("mary", { skipActiveCheck: true });
+        newUser = resp2.user;
+    }
+    catch (e) { }
+    expect(newUser).toBeDefined();
+    expect(newUser?.state).toBe(UserState.factor2ResetNeeded);
+});
+test('SvelteKitAdminEndpoints.createUserFactor2NoPassword', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // @ts-ignore
+    server["sessionServer"]["sessionManager"]["tokenEmailer"]["_sendPasswordResetToken"] = async function (token, email, extraData) {
+        passwordResetData = { token, extraData };
+    };
+    // create user
+    let postRequest = new Request("http://ex.com/admin/users/create", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&" +
+            "username=mary&" +
+            "user_email=mary@mary.com&" +
+            "user_phone=12345&" +
+            "factor2=dummyFactor2",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, {});
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    let resp1 = await server.sessionServer?.adminEndpoints.createUser(event);
+    expect(resp1?.ok).toBe(true);
+    let newUser = undefined;
+    try {
+        const resp2 = await userStorage.getUserByUsername("mary", { skipActiveCheck: true });
+        newUser = resp2.user;
+    }
+    catch (e) { }
+    expect(newUser).toBeDefined();
+    expect(newUser?.state).toBe(UserState.passwordAndFactor2ResetNeeded);
+});
+test('SvelteKitAdminEndpoints.updateUser', async () => {
+    const { server, resolver, handle, userStorage } = await makeServer();
+    // log in
+    let resp = await login(server, resolver, handle, "admin", "adminPass123");
+    let loginEvent = resp.event;
+    loginEvent = resp.event;
+    const { csrfToken, csrfCookieValue } = await getCsrfToken(server, resolver, handle);
+    let sessionCookieValue = loginEvent.cookies.get("SESSIONID");
+    let sessionId = server.sessionServer?.sessionManager.getSessionId(sessionCookieValue ?? "");
+    // create user
+    let postRequest = new Request("http://ex.com/admin/users/edit", {
+        method: "POST",
+        body: "csrfToken=" + csrfToken + "&" +
+            "user_email=bob1@bob.com",
+        headers: [
+            ["cookie", "CSRFTOKEN=" + csrfCookieValue],
+            ["cookie", "SESSIONID=" + sessionCookieValue],
+            ["content-type", "application/x-www-form-urlencoded"],
+        ]
+    });
+    let event = new MockRequestEvent("1", postRequest, { id: "bob" });
+    event.locals.csrfToken = csrfToken;
+    event.locals.sessionId = sessionId;
+    event.locals.authType = "cookie";
+    event.locals.user = loginEvent.locals.user;
+    const { user } = await userStorage.getUserByUsername("bob");
+    let resp1 = await server.sessionServer?.adminEndpoints.updateUser(user, event);
+    expect(resp1?.ok).toBe(true);
+    let newUser = undefined;
+    try {
+        const resp2 = await userStorage.getUserByUsername("bob");
+        newUser = resp2.user;
+    }
+    catch (e) { }
+    expect(newUser).toBeDefined();
+    expect(newUser?.email).toBe("bob1@bob.com");
+});

package/dist/tests/sveltekitapikeyserver.test.js

@@ -0,0 +1,44 @@
+// Copyright (c) 2026 Matthew Baker.  All rights reserved.  Licenced under the Apache Licence 2.0.  See LICENSE file
+import { MockRequestEvent } from './sveltemocks';
+import { test, expect } from 'vitest';
+import { makeServer } from './testshared';
+test('SvelteApiKeyServer.hookWithGetNoKey', async () => {
+    const { resolver, handle } = await makeServer();
+    const getRequest = new Request("http://ex.com/test", { method: "GET" });
+    let event = new MockRequestEvent("1", getRequest, { "param1": "value1" });
+    await handle({ event: event, resolve: resolver.mockResolve });
+    expect(event.locals.user).toBeUndefined();
+    expect(event.locals.apiKey).toBeUndefined();
+});
+test('SvelteApiKeyServer.validKeyAuthenticates', async () => {
+    let { apiKeyManager, userStorage, resolver, handle } = await makeServer(false, true);
+    expect(apiKeyManager).toBeDefined();
+    if (apiKeyManager) {
+        const { user } = await userStorage.getUserByUsername("bob");
+        const { token } = await apiKeyManager.createKey("default", user.id);
+        const getRequest = new Request("http://ex.com/test", {
+            method: "GET",
+            headers: { authorization: apiKeyManager.authScheme + " " + token }
+        });
+        let event = new MockRequestEvent("1", getRequest, { "param1": "value1" });
+        await handle({ event: event, resolve: resolver.mockResolve });
+        expect(event.locals.user?.username).toBe("bob");
+        expect(event.locals.apiKey).toBeDefined();
+    }
+});
+test('SvelteApiKeyServer.invalidKeyDoesntAuthenticate', async () => {
+    let { apiKeyManager, userStorage, resolver, handle } = await makeServer(false, true);
+    expect(apiKeyManager).toBeDefined();
+    if (apiKeyManager) {
+        const { user } = await userStorage.getUserByUsername("bob");
+        const { token } = await apiKeyManager.createKey("default", user.id);
+        const getRequest = new Request("http://ex.com/test", {
+            method: "GET",
+            headers: { authorization: apiKeyManager.authScheme + " " + token + "x" }
+        });
+        let event = new MockRequestEvent("1", getRequest, { "param1": "value1" });
+        await handle({ event: event, resolve: resolver.mockResolve });
+        expect(event.locals.user).toBeUndefined();
+        expect(event.locals.apiKey).toBeUndefined();
+    }
+});

package/dist/tests/sveltekitoauthclient.test.d.ts

@@ -1,11 +1,11 @@
 export declare function oauthLogin(options?: {}): Promise<{
-    server: import('..').SvelteKitServer;
-    authServer: import('@crossauth/backend').OAuthAuthorizationServer;
+    server: import("..").SvelteKitServer;
+    authServer: import("@crossauth/backend").OAuthAuthorizationServer;
     sessionCookieValue: string | undefined;
     sessionId: string | undefined;
     access_token: any;
     refresh_token: any;
-    keyStorage: import('@crossauth/backend').InMemoryKeyStorage;
-    userStorage: import('@crossauth/backend').InMemoryUserStorage;
-    clientStorage: import('@crossauth/backend').InMemoryOAuthClientStorage;
+    keyStorage: import("@crossauth/backend").InMemoryKeyStorage;
+    userStorage: import("@crossauth/backend").InMemoryUserStorage;
+    clientStorage: import("@crossauth/backend").InMemoryOAuthClientStorage;
 }>;