npm - @dxheroes/local-mcp-backend - Versions diffs - 0.9.2 → 0.11.0 - Mend

@dxheroes/local-mcp-backend 0.9.2 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/.turbo/turbo-build.log +2 -2
package/CHANGELOG.md +52 -0
package/dist/__tests__/integration/mcp-proxy-auth-http.test.js +283 -0
package/dist/__tests__/integration/mcp-proxy-auth-http.test.js.map +1 -0
package/dist/__tests__/integration/oauth-authorize-callback.test.js +122 -0
package/dist/__tests__/integration/oauth-authorize-callback.test.js.map +1 -0
package/dist/__tests__/integration/proxy-auth.test.js +171 -110
package/dist/__tests__/integration/proxy-auth.test.js.map +1 -1
package/dist/__tests__/unit/auth.guard.test.js +23 -2
package/dist/__tests__/unit/auth.guard.test.js.map +1 -1
package/dist/common/filters/all-exceptions.filter.js +6 -0
package/dist/common/filters/all-exceptions.filter.js.map +1 -1
package/dist/main.js +63 -2
package/dist/main.js.map +1 -1
package/dist/modules/auth/auth.config.js +10 -5
package/dist/modules/auth/auth.config.js.map +1 -1
package/dist/modules/auth/auth.module.js +5 -2
package/dist/modules/auth/auth.module.js.map +1 -1
package/dist/modules/auth/auth.service.js +2 -2
package/dist/modules/auth/auth.service.js.map +1 -1
package/dist/modules/auth/mcp-oauth.guard.js +95 -0
package/dist/modules/auth/mcp-oauth.guard.js.map +1 -0
package/dist/modules/auth/mcp-oauth.utils.js +75 -0
package/dist/modules/auth/mcp-oauth.utils.js.map +1 -0
package/dist/modules/health/health.controller.js +1 -1
package/dist/modules/health/health.controller.js.map +1 -1
package/dist/modules/mcp/mcp.service.js +48 -8
package/dist/modules/mcp/mcp.service.js.map +1 -1
package/dist/modules/oauth/oauth.controller.js +78 -1
package/dist/modules/oauth/oauth.controller.js.map +1 -1
package/dist/modules/oauth/oauth.service.js +197 -1
package/dist/modules/oauth/oauth.service.js.map +1 -1
package/dist/modules/proxy/proxy.controller.js +152 -27
package/dist/modules/proxy/proxy.controller.js.map +1 -1
package/dist/modules/proxy/proxy.service.js +28 -4
package/dist/modules/proxy/proxy.service.js.map +1 -1
package/docker-entrypoint.sh +15 -2
package/package.json +9 -7
package/src/__tests__/integration/mcp-proxy-auth-http.test.ts +311 -0
package/src/__tests__/integration/oauth-authorize-callback.test.ts +155 -0
package/src/__tests__/integration/proxy-auth.test.ts +151 -168
package/src/__tests__/unit/auth.guard.test.ts +12 -2
package/src/common/filters/all-exceptions.filter.ts +11 -0
package/src/main.ts +56 -2
package/src/modules/auth/auth.config.ts +9 -4
package/src/modules/auth/auth.module.ts +3 -2
package/src/modules/auth/auth.service.ts +2 -2
package/src/modules/auth/mcp-oauth.guard.ts +102 -0
package/src/modules/auth/mcp-oauth.utils.ts +80 -0
package/src/modules/health/health.controller.ts +1 -1
package/src/modules/mcp/mcp.service.ts +54 -12
package/src/modules/oauth/oauth.controller.ts +84 -1
package/src/modules/oauth/oauth.service.ts +218 -1
package/src/modules/proxy/proxy.controller.ts +120 -25
package/src/modules/proxy/proxy.service.ts +26 -4
package/vitest.config.ts +2 -1

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,9 +1,9 @@
-> @dxheroes/local-mcp-backend@0.9.2 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
+> @dxheroes/local-mcp-backend@0.11.0 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
 > nest build
 - [46m[1m TSC [22m[49m[36m Initializing type checker...[39m
 ✔ [46m[1m TSC [22m[49m[36m Initializing type checker...[39m
 [32m> [39m[42m[1m TSC [22m[49m[32m Found 0 issues.[39m
 [36m> [39m[46m[1m SWC [22m[49m [36mRunning...[39m
-Successfully compiled: 56 files with swc (92.29ms)
+Successfully compiled: 60 files with swc (99.01ms)

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,57 @@
 # Changelog
+## [0.11.0](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.10.0...backend-v0.11.0) (2026-03-16)
+### Features
+* **auth:** enable toggle for email and password authentication ([a0c1dd0](https://github.com/DXHeroes/local-mcp-gateway/commit/a0c1dd0a192ffd4199af2bb00d9e83f1c526be5c))
+* **auth:** enhance MCP OAuth guard to support session cookies ([cc2f0d0](https://github.com/DXHeroes/local-mcp-gateway/commit/cc2f0d092150710691e8258c2fa3d891575e5a76))
+* **dependencies:** add new MCP packages to backend dependencies ([a29fdf4](https://github.com/DXHeroes/local-mcp-gateway/commit/a29fdf4c4af4db0b4df31a9b8a7d7f0fec5a5755))
+* **seo:** enhance SEO and session handling across frontend and backend ([2178043](https://github.com/DXHeroes/local-mcp-gateway/commit/21780436a9e93da63e3c6cec8318b4f8d1a6dbf6))
+### Dependencies
+* The following workspace dependencies were updated
+  * dependencies
+    * @dxheroes/local-mcp-core bumped to 0.8.1
+    * @dxheroes/local-mcp-database bumped to 0.5.4
+    * @dxheroes/mcp-abra-flexi bumped to 0.3.3
+    * @dxheroes/mcp-fakturoid bumped to 0.3.3
+    * @dxheroes/mcp-gemini-deep-research bumped to 0.5.7
+    * @dxheroes/mcp-merk bumped to 0.3.7
+    * @dxheroes/mcp-toggl bumped to 0.3.7
+  * devDependencies
+    * @dxheroes/local-mcp-config bumped to 0.4.12
+## [0.10.0](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.9.2...backend-v0.10.0) (2026-03-12)
+### Features
+* **auth:** implement MCP OAuth guard and enhance authentication flow ([14f6355](https://github.com/DXHeroes/local-mcp-gateway/commit/14f6355b7e3e1d2a2a757643c7bc1946aa1e09cd))
+* enhance OAuth integration and add custom headers support for MCP servers ([0904743](https://github.com/DXHeroes/local-mcp-gateway/commit/09047436072810f5876a2c92ba47f6f90f8f6103))
+### Code Refactoring
+* **auth:** streamline MCP OAuth guard and enhance configuration ([38972a3](https://github.com/DXHeroes/local-mcp-gateway/commit/38972a3c94c377d8f5d6c9c714d6ccab91765a99))
+* **database:** update OAuth models and migrations for improved schema ([a92b074](https://github.com/DXHeroes/local-mcp-gateway/commit/a92b07400050b30decdda1dc82f4647d49c38c91))
+### Dependencies
+* The following workspace dependencies were updated
+  * dependencies
+    * @dxheroes/local-mcp-core bumped to 0.8.0
+    * @dxheroes/local-mcp-database bumped to 0.5.3
+    * @dxheroes/mcp-gemini-deep-research bumped to 0.5.6
+    * @dxheroes/mcp-merk bumped to 0.3.6
+    * @dxheroes/mcp-toggl bumped to 0.3.6
+  * devDependencies
+    * @dxheroes/local-mcp-config bumped to 0.4.11
 ## [0.9.2](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.9.1...backend-v0.9.2) (2026-03-11)

package/dist/__tests__/integration/mcp-proxy-auth-http.test.js ADDED Viewed

@@ -0,0 +1,283 @@
+import { createServer } from "node:http";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { AllExceptionsFilter } from "../../common/filters/all-exceptions.filter.js";
+import { McpOAuthGuard } from "../../modules/auth/mcp-oauth.guard.js";
+import { createMcpProtectedResourceMetadata, resolvePublicAuthBaseUrl, resolvePublicBackendOrigin } from "../../modules/auth/mcp-oauth.utils.js";
+function createConfigService(values) {
+    return {
+        get: vi.fn((key)=>values[key])
+    };
+}
+function createAuthServiceMock() {
+    return {
+        validateMcpToken: vi.fn().mockResolvedValue(null),
+        getSession: vi.fn().mockResolvedValue(null)
+    };
+}
+async function startTestApp(options) {
+    const authService = createAuthServiceMock();
+    const configService = createConfigService({
+        'app.port': 3001,
+        BETTER_AUTH_URL: options?.backendUrl ?? 'http://localhost:3001'
+    });
+    const guard = new McpOAuthGuard(authService, configService);
+    const filter = new AllExceptionsFilter();
+    const backendOrigin = resolvePublicBackendOrigin(configService);
+    const authBaseUrl = resolvePublicAuthBaseUrl(configService);
+    const createRequest = (req)=>{
+        const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+        return {
+            method: req.method ?? 'GET',
+            url: `${url.pathname}${url.search}`,
+            headers: req.headers,
+            query: Object.fromEntries(url.searchParams.entries()),
+            user: undefined
+        };
+    };
+    const createResponse = (res)=>{
+        const response = {
+            setHeader (name, value) {
+                res.setHeader(name, value);
+                return response;
+            },
+            status (statusCode) {
+                res.statusCode = statusCode;
+                return response;
+            },
+            json (body) {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify(body));
+            }
+        };
+        return response;
+    };
+    const handleGuardedRoute = async (nodeRequest, nodeResponse, responseBody)=>{
+        const request = createRequest(nodeRequest);
+        const response = createResponse(nodeResponse);
+        const context = {
+            switchToHttp: ()=>({
+                    getRequest: ()=>request,
+                    getResponse: ()=>response
+                })
+        };
+        const host = {
+            switchToHttp: ()=>({
+                    getRequest: ()=>request,
+                    getResponse: ()=>response
+                })
+        };
+        try {
+            await guard.canActivate(context);
+            response.json(responseBody(request));
+        } catch (error) {
+            filter.catch(error, host);
+        }
+    };
+    const server = await new Promise((resolve)=>{
+        const listeningServer = createServer(async (req, res)=>{
+            const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+            if (req.method === 'GET' && url.pathname === '/api/mcp/test') {
+                await handleGuardedRoute(req, res, (request)=>({
+                        ok: true,
+                        userId: request.user?.id ?? null
+                    }));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/api/mcp/sse') {
+                await handleGuardedRoute(req, res, (request)=>({
+                        ok: true,
+                        token: request.query.access_token ?? null,
+                        userId: request.user?.id ?? null
+                    }));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/.well-known/oauth-protected-resource') {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify(createMcpProtectedResourceMetadata(configService)));
+                return;
+            }
+            if (req.method === 'GET' && url.pathname === '/.well-known/oauth-authorization-server') {
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify({
+                    issuer: backendOrigin,
+                    authorization_endpoint: `${authBaseUrl}/mcp/authorize`,
+                    token_endpoint: `${authBaseUrl}/mcp/token`,
+                    registration_endpoint: `${authBaseUrl}/mcp/register`,
+                    jwks_uri: `${authBaseUrl}/mcp/jwks`,
+                    response_types_supported: [
+                        'code'
+                    ],
+                    grant_types_supported: [
+                        'authorization_code',
+                        'refresh_token'
+                    ],
+                    code_challenge_methods_supported: [
+                        'S256'
+                    ]
+                }));
+                return;
+            }
+            if (req.method === 'POST' && url.pathname === '/api/auth/mcp/register') {
+                res.statusCode = 201;
+                res.setHeader('content-type', 'application/json');
+                res.end(JSON.stringify({
+                    client_id: 'cursor-client',
+                    client_secret: 'cursor-secret',
+                    redirect_uris: [
+                        'https://cursor.sh/callback'
+                    ]
+                }));
+                return;
+            }
+            res.statusCode = 404;
+            res.end();
+        }).listen(0, ()=>resolve(listeningServer));
+    });
+    const address = server.address();
+    if (!address || typeof address === 'string') {
+        throw new Error('Failed to resolve test server address');
+    }
+    return {
+        close: ()=>new Promise((resolve, reject)=>{
+                server.close((error)=>{
+                    if (error) {
+                        reject(error);
+                        return;
+                    }
+                    resolve();
+                });
+            }),
+        authService,
+        baseUrl: `http://127.0.0.1:${address.port}`
+    };
+}
+describe('MCP proxy auth HTTP contract', ()=>{
+    let close;
+    let authService;
+    let baseUrl;
+    beforeEach(async ()=>{
+        const result = await startTestApp({
+            backendUrl: 'http://localhost:9631'
+        });
+        close = result.close;
+        authService = result.authService;
+        baseUrl = result.baseUrl;
+    });
+    afterEach(async ()=>{
+        if (close) {
+            await close();
+        }
+    });
+    it('returns 401 with MCP discovery headers when token is missing', async ()=>{
+        const response = await fetch(`${baseUrl}/api/mcp/test`);
+        const body = await response.json();
+        expect(response.status).toBe(401);
+        expect(response.headers.get('access-control-expose-headers')).toBe('WWW-Authenticate');
+        expect(response.headers.get('www-authenticate')).toContain('resource_metadata=');
+        expect(response.headers.get('www-authenticate')).toContain('resource_metadata_uri=');
+        expect(body.message).toBe('Bearer token required');
+    });
+    it('serves protected resource metadata with Better Auth-backed URLs', async ()=>{
+        const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body).toEqual({
+            resource: 'http://localhost:9631/api/mcp',
+            authorization_servers: [
+                'http://localhost:9631'
+            ],
+            bearer_methods_supported: [
+                'header'
+            ],
+            scopes_supported: [
+                'openid',
+                'profile',
+                'email',
+                'offline_access'
+            ],
+            jwks_uri: 'http://localhost:9631/api/auth/mcp/jwks',
+            resource_signing_alg_values_supported: [
+                'RS256',
+                'none'
+            ]
+        });
+    });
+    it('serves authorization server metadata with MCP registration endpoint', async ()=>{
+        const response = await fetch(`${baseUrl}/.well-known/oauth-authorization-server`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body.registration_endpoint).toBe('http://localhost:9631/api/auth/mcp/register');
+        expect(body.authorization_endpoint).toBe('http://localhost:9631/api/auth/mcp/authorize');
+        expect(body.token_endpoint).toBe('http://localhost:9631/api/auth/mcp/token');
+    });
+    it('exposes the advertised registration endpoint', async ()=>{
+        const response = await fetch(`${baseUrl}/api/auth/mcp/register`, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json'
+            },
+            body: JSON.stringify({
+                redirect_uris: [
+                    'https://cursor.sh/callback'
+                ]
+            })
+        });
+        const body = await response.json();
+        expect(response.status).toBe(201);
+        expect(body.client_id).toBe('cursor-client');
+    });
+    it('accepts access_token query params for SSE fallback', async ()=>{
+        authService.validateMcpToken.mockResolvedValue({
+            id: 'user-sse',
+            name: 'SSE User',
+            email: 'sse@example.com'
+        });
+        const response = await fetch(`${baseUrl}/api/mcp/sse?access_token=sse-token`);
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body).toEqual({
+            ok: true,
+            token: 'sse-token',
+            userId: 'user-sse'
+        });
+        expect(authService.validateMcpToken).toHaveBeenCalledWith('sse-token');
+    });
+    it('accepts session cookie when no Bearer token is present', async ()=>{
+        authService.getSession.mockResolvedValue({
+            user: {
+                id: 'cookie-user',
+                name: 'Cookie User',
+                email: 'cookie@example.com'
+            },
+            session: {
+                id: 'sess-1',
+                userId: 'cookie-user'
+            }
+        });
+        const response = await fetch(`${baseUrl}/api/mcp/test`, {
+            headers: {
+                cookie: 'better-auth.session_token=valid-session'
+            }
+        });
+        const body = await response.json();
+        expect(response.status).toBe(200);
+        expect(body).toEqual({
+            ok: true,
+            userId: 'cookie-user'
+        });
+        expect(authService.getSession).toHaveBeenCalled();
+    });
+    it('returns 401 when session cookie is invalid and no Bearer token', async ()=>{
+        authService.getSession.mockResolvedValue(null);
+        const response = await fetch(`${baseUrl}/api/mcp/test`, {
+            headers: {
+                cookie: 'better-auth.session_token=expired'
+            }
+        });
+        const body = await response.json();
+        expect(response.status).toBe(401);
+        expect(body.message).toBe('Bearer token required');
+    });
+});
+//# sourceMappingURL=mcp-proxy-auth-http.test.js.map

package/dist/__tests__/integration/mcp-proxy-auth-http.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/__tests__/integration/mcp-proxy-auth-http.test.ts"],"sourcesContent":["import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';\nimport type { ConfigService } from '@nestjs/config';\nimport { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';\nimport { AllExceptionsFilter } from '../../common/filters/all-exceptions.filter.js';\nimport { AuthService, type AuthUser } from '../../modules/auth/auth.service.js';\nimport { McpOAuthGuard } from '../../modules/auth/mcp-oauth.guard.js';\nimport {\n createMcpProtectedResourceMetadata,\n resolvePublicAuthBaseUrl,\n resolvePublicBackendOrigin,\n} from '../../modules/auth/mcp-oauth.utils.js';\n\ntype MockAuthService = {\n validateMcpToken: ReturnType<typeof vi.fn>;\n getSession: ReturnType<typeof vi.fn>;\n};\n\ntype MockConfigService = {\n get: ReturnType<typeof vi.fn>;\n};\n\nfunction createConfigService(values: Record<string, unknown>): MockConfigService {\n return {\n get: vi.fn((key: string) => values[key]),\n };\n}\n\nfunction createAuthServiceMock(): MockAuthService {\n return {\n validateMcpToken: vi.fn().mockResolvedValue(null),\n getSession: vi.fn().mockResolvedValue(null),\n };\n}\n\nasync function startTestApp(options?: {\n backendUrl?: string;\n}): Promise<{\n close: () => Promise<void>;\n authService: MockAuthService;\n baseUrl: string;\n}> {\n const authService = createAuthServiceMock();\n const configService = createConfigService({\n 'app.port': 3001,\n BETTER_AUTH_URL: options?.backendUrl ?? 'http://localhost:3001',\n });\n const guard = new McpOAuthGuard(authService as unknown as AuthService, configService as never);\n const filter = new AllExceptionsFilter();\n const backendOrigin = resolvePublicBackendOrigin(configService as unknown as ConfigService);\n const authBaseUrl = resolvePublicAuthBaseUrl(configService as unknown as ConfigService);\n\n const createRequest = (req: IncomingMessage) => {\n const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n return {\n method: req.method ?? 'GET',\n url: `${url.pathname}${url.search}`,\n headers: req.headers,\n query: Object.fromEntries(url.searchParams.entries()),\n user: undefined,\n };\n };\n\n const createResponse = (res: ServerResponse) => {\n const response = {\n setHeader(name: string, value: string) {\n res.setHeader(name, value);\n return response;\n },\n status(statusCode: number) {\n res.statusCode = statusCode;\n return response;\n },\n json(body: unknown) {\n res.setHeader('content-type', 'application/json');\n res.end(JSON.stringify(body));\n },\n };\n\n return response;\n };\n\n const handleGuardedRoute = async (\n nodeRequest: IncomingMessage,\n nodeResponse: ServerResponse,\n responseBody: (request: ReturnType<typeof createRequest>) => Record<string, unknown>\n ) => {\n const request = createRequest(nodeRequest);\n const response = createResponse(nodeResponse);\n const context = {\n switchToHttp: () => ({\n getRequest: () => request,\n getResponse: () => response,\n }),\n } as never;\n\n const host = {\n switchToHttp: () => ({\n getRequest: () => request,\n getResponse: () => response,\n }),\n } as never;\n\n try {\n await guard.canActivate(context);\n response.json(responseBody(request));\n } catch (error) {\n filter.catch(error, host);\n }\n };\n\n const server = await new Promise<import('node:http').Server>((resolve) => {\n const listeningServer = createServer(async (req, res) => {\n const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n\n if (req.method === 'GET' && url.pathname === '/api/mcp/test') {\n await handleGuardedRoute(req, res, (request) => ({\n ok: true,\n userId: (request as { user?: AuthUser }).user?.id ?? null,\n }));\n return;\n }\n\n if (req.method === 'GET' && url.pathname === '/api/mcp/sse') {\n await handleGuardedRoute(req, res, (request) => ({\n ok: true,\n token: request.query.access_token ?? null,\n userId: (request as { user?: AuthUser }).user?.id ?? null,\n }));\n return;\n }\n\n if (req.method === 'GET' && url.pathname === '/.well-known/oauth-protected-resource') {\n res.setHeader('content-type', 'application/json');\n res.end(JSON.stringify(createMcpProtectedResourceMetadata(configService as unknown as ConfigService)));\n return;\n }\n\n if (req.method === 'GET' && url.pathname === '/.well-known/oauth-authorization-server') {\n res.setHeader('content-type', 'application/json');\n res.end(\n JSON.stringify({\n issuer: backendOrigin,\n authorization_endpoint: `${authBaseUrl}/mcp/authorize`,\n token_endpoint: `${authBaseUrl}/mcp/token`,\n registration_endpoint: `${authBaseUrl}/mcp/register`,\n jwks_uri: `${authBaseUrl}/mcp/jwks`,\n response_types_supported: ['code'],\n grant_types_supported: ['authorization_code', 'refresh_token'],\n code_challenge_methods_supported: ['S256'],\n })\n );\n return;\n }\n\n if (req.method === 'POST' && url.pathname === '/api/auth/mcp/register') {\n res.statusCode = 201;\n res.setHeader('content-type', 'application/json');\n res.end(\n JSON.stringify({\n client_id: 'cursor-client',\n client_secret: 'cursor-secret',\n redirect_uris: ['https://cursor.sh/callback'],\n })\n );\n return;\n }\n\n res.statusCode = 404;\n res.end();\n }).listen(0, () => resolve(listeningServer));\n });\n const address = server.address();\n if (!address || typeof address === 'string') {\n throw new Error('Failed to resolve test server address');\n }\n\n return {\n close: () =>\n new Promise<void>((resolve, reject) => {\n server.close((error) => {\n if (error) {\n reject(error);\n return;\n }\n resolve();\n });\n }),\n authService,\n baseUrl: `http://127.0.0.1:${address.port}`,\n };\n}\n\ndescribe('MCP proxy auth HTTP contract', () => {\n let close: (() => Promise<void>) | undefined;\n let authService: MockAuthService;\n let baseUrl: string;\n\n beforeEach(async () => {\n const result = await startTestApp({\n backendUrl: 'http://localhost:9631',\n });\n close = result.close;\n authService = result.authService;\n baseUrl = result.baseUrl;\n });\n\n afterEach(async () => {\n if (close) {\n await close();\n }\n });\n\n it('returns 401 with MCP discovery headers when token is missing', async () => {\n const response = await fetch(`${baseUrl}/api/mcp/test`);\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(401);\n expect(response.headers.get('access-control-expose-headers')).toBe('WWW-Authenticate');\n expect(response.headers.get('www-authenticate')).toContain('resource_metadata=');\n expect(response.headers.get('www-authenticate')).toContain('resource_metadata_uri=');\n expect(body.message).toBe('Bearer token required');\n });\n\n it('serves protected resource metadata with Better Auth-backed URLs', async () => {\n const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(200);\n expect(body).toEqual({\n resource: 'http://localhost:9631/api/mcp',\n authorization_servers: ['http://localhost:9631'],\n bearer_methods_supported: ['header'],\n scopes_supported: ['openid', 'profile', 'email', 'offline_access'],\n jwks_uri: 'http://localhost:9631/api/auth/mcp/jwks',\n resource_signing_alg_values_supported: ['RS256', 'none'],\n });\n });\n\n it('serves authorization server metadata with MCP registration endpoint', async () => {\n const response = await fetch(`${baseUrl}/.well-known/oauth-authorization-server`);\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(200);\n expect(body.registration_endpoint).toBe('http://localhost:9631/api/auth/mcp/register');\n expect(body.authorization_endpoint).toBe('http://localhost:9631/api/auth/mcp/authorize');\n expect(body.token_endpoint).toBe('http://localhost:9631/api/auth/mcp/token');\n });\n\n it('exposes the advertised registration endpoint', async () => {\n const response = await fetch(`${baseUrl}/api/auth/mcp/register`, {\n method: 'POST',\n headers: {\n 'content-type': 'application/json',\n },\n body: JSON.stringify({\n redirect_uris: ['https://cursor.sh/callback'],\n }),\n });\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(201);\n expect(body.client_id).toBe('cursor-client');\n });\n\n it('accepts access_token query params for SSE fallback', async () => {\n authService.validateMcpToken.mockResolvedValue({\n id: 'user-sse',\n name: 'SSE User',\n email: 'sse@example.com',\n });\n\n const response = await fetch(`${baseUrl}/api/mcp/sse?access_token=sse-token`);\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(200);\n expect(body).toEqual({\n ok: true,\n token: 'sse-token',\n userId: 'user-sse',\n });\n expect(authService.validateMcpToken).toHaveBeenCalledWith('sse-token');\n });\n\n it('accepts session cookie when no Bearer token is present', async () => {\n authService.getSession.mockResolvedValue({\n user: { id: 'cookie-user', name: 'Cookie User', email: 'cookie@example.com' },\n session: { id: 'sess-1', userId: 'cookie-user' },\n });\n\n const response = await fetch(`${baseUrl}/api/mcp/test`, {\n headers: { cookie: 'better-auth.session_token=valid-session' },\n });\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(200);\n expect(body).toEqual({ ok: true, userId: 'cookie-user' });\n expect(authService.getSession).toHaveBeenCalled();\n });\n\n it('returns 401 when session cookie is invalid and no Bearer token', async () => {\n authService.getSession.mockResolvedValue(null);\n\n const response = await fetch(`${baseUrl}/api/mcp/test`, {\n headers: { cookie: 'better-auth.session_token=expired' },\n });\n const body = (await response.json()) as Record<string, unknown>;\n\n expect(response.status).toBe(401);\n expect(body.message).toBe('Bearer token required');\n });\n});\n"],"names":["createServer","afterEach","beforeEach","describe","expect","it","vi","AllExceptionsFilter","McpOAuthGuard","createMcpProtectedResourceMetadata","resolvePublicAuthBaseUrl","resolvePublicBackendOrigin","createConfigService","values","get","fn","key","createAuthServiceMock","validateMcpToken","mockResolvedValue","getSession","startTestApp","options","authService","configService","BETTER_AUTH_URL","backendUrl","guard","filter","backendOrigin","authBaseUrl","createRequest","req","url","URL","headers","host","method","pathname","search","query","Object","fromEntries","searchParams","entries","user","undefined","createResponse","res","response","setHeader","name","value","status","statusCode","json","body","end","JSON","stringify","handleGuardedRoute","nodeRequest","nodeResponse","responseBody","request","context","switchToHttp","getRequest","getResponse","canActivate","error","catch","server","Promise","resolve","listeningServer","ok","userId","id","token","access_token","issuer","authorization_endpoint","token_endpoint","registration_endpoint","jwks_uri","response_types_supported","grant_types_supported","code_challenge_methods_supported","client_id","client_secret","redirect_uris","listen","address","Error","close","reject","baseUrl","port","result","fetch","toBe","toContain","message","toEqual","resource","authorization_servers","bearer_methods_supported","scopes_supported","resource_signing_alg_values_supported","email","toHaveBeenCalledWith","session","cookie","toHaveBeenCalled"],"mappings":"AAAA,SAASA,YAAY,QAAmD,YAAY;AAEpF,SAASC,SAAS,EAAEC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AACzE,SAASC,mBAAmB,QAAQ,gDAAgD;AAEpF,SAASC,aAAa,QAAQ,wCAAwC;AACtE,SACEC,kCAAkC,EAClCC,wBAAwB,EACxBC,0BAA0B,QACrB,wCAAwC;AAW/C,SAASC,oBAAoBC,MAA+B;IAC1D,OAAO;QACLC,KAAKR,GAAGS,EAAE,CAAC,CAACC,MAAgBH,MAAM,CAACG,IAAI;IACzC;AACF;AAEA,SAASC;IACP,OAAO;QACLC,kBAAkBZ,GAAGS,EAAE,GAAGI,iBAAiB,CAAC;QAC5CC,YAAYd,GAAGS,EAAE,GAAGI,iBAAiB,CAAC;IACxC;AACF;AAEA,eAAeE,aAAaC,OAE3B;IAKC,MAAMC,cAAcN;IACpB,MAAMO,gBAAgBZ,oBAAoB;QACxC,YAAY;QACZa,iBAAiBH,SAASI,cAAc;IAC1C;IACA,MAAMC,QAAQ,IAAInB,cAAce,aAAuCC;IACvE,MAAMI,SAAS,IAAIrB;IACnB,MAAMsB,gBAAgBlB,2BAA2Ba;IACjD,MAAMM,cAAcpB,yBAAyBc;IAE7C,MAAMO,gBAAgB,CAACC;QACrB,MAAMC,MAAM,IAAIC,IAAIF,IAAIC,GAAG,IAAI,KAAK,CAAC,OAAO,EAAED,IAAIG,OAAO,CAACC,IAAI,IAAI,aAAa;QAC/E,OAAO;YACLC,QAAQL,IAAIK,MAAM,IAAI;YACtBJ,KAAK,GAAGA,IAAIK,QAAQ,GAAGL,IAAIM,MAAM,EAAE;YACnCJ,SAASH,IAAIG,OAAO;YACpBK,OAAOC,OAAOC,WAAW,CAACT,IAAIU,YAAY,CAACC,OAAO;YAClDC,MAAMC;QACR;IACF;IAEA,MAAMC,iBAAiB,CAACC;QACtB,MAAMC,WAAW;YACfC,WAAUC,IAAY,EAAEC,KAAa;gBACnCJ,IAAIE,SAAS,CAACC,MAAMC;gBACpB,OAAOH;YACT;YACAI,QAAOC,UAAkB;gBACvBN,IAAIM,UAAU,GAAGA;gBACjB,OAAOL;YACT;YACAM,MAAKC,IAAa;gBAChBR,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CAACC,KAAKC,SAAS,CAACH;YACzB;QACF;QAEA,OAAOP;IACT;IAEA,MAAMW,qBAAqB,OACzBC,aACAC,cACAC;QAEA,MAAMC,UAAUjC,cAAc8B;QAC9B,MAAMZ,WAAWF,eAAee;QAChC,MAAMG,UAAU;YACdC,cAAc,IAAO,CAAA;oBACnBC,YAAY,IAAMH;oBAClBI,aAAa,IAAMnB;gBACrB,CAAA;QACF;QAEA,MAAMb,OAAO;YACX8B,cAAc,IAAO,CAAA;oBACnBC,YAAY,IAAMH;oBAClBI,aAAa,IAAMnB;gBACrB,CAAA;QACF;QAEA,IAAI;YACF,MAAMtB,MAAM0C,WAAW,CAACJ;YACxBhB,SAASM,IAAI,CAACQ,aAAaC;QAC7B,EAAE,OAAOM,OAAO;YACd1C,OAAO2C,KAAK,CAACD,OAAOlC;QACtB;IACF;IAEA,MAAMoC,SAAS,MAAM,IAAIC,QAAoC,CAACC;QAC5D,MAAMC,kBAAkB3E,aAAa,OAAOgC,KAAKgB;YAC/C,MAAMf,MAAM,IAAIC,IAAIF,IAAIC,GAAG,IAAI,KAAK,CAAC,OAAO,EAAED,IAAIG,OAAO,CAACC,IAAI,IAAI,aAAa;YAE/E,IAAIJ,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,iBAAiB;gBAC5D,MAAMsB,mBAAmB5B,KAAKgB,KAAK,CAACgB,UAAa,CAAA;wBAC/CY,IAAI;wBACJC,QAAQ,AAACb,QAAgCnB,IAAI,EAAEiC,MAAM;oBACvD,CAAA;gBACA;YACF;YAEA,IAAI9C,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,gBAAgB;gBAC3D,MAAMsB,mBAAmB5B,KAAKgB,KAAK,CAACgB,UAAa,CAAA;wBAC/CY,IAAI;wBACJG,OAAOf,QAAQxB,KAAK,CAACwC,YAAY,IAAI;wBACrCH,QAAQ,AAACb,QAAgCnB,IAAI,EAAEiC,MAAM;oBACvD,CAAA;gBACA;YACF;YAEA,IAAI9C,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,yCAAyC;gBACpFU,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CAACC,KAAKC,SAAS,CAAClD,mCAAmCe;gBAC1D;YACF;YAEA,IAAIQ,IAAIK,MAAM,KAAK,SAASJ,IAAIK,QAAQ,KAAK,2CAA2C;gBACtFU,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CACLC,KAAKC,SAAS,CAAC;oBACbsB,QAAQpD;oBACRqD,wBAAwB,GAAGpD,YAAY,cAAc,CAAC;oBACtDqD,gBAAgB,GAAGrD,YAAY,UAAU,CAAC;oBAC1CsD,uBAAuB,GAAGtD,YAAY,aAAa,CAAC;oBACpDuD,UAAU,GAAGvD,YAAY,SAAS,CAAC;oBACnCwD,0BAA0B;wBAAC;qBAAO;oBAClCC,uBAAuB;wBAAC;wBAAsB;qBAAgB;oBAC9DC,kCAAkC;wBAAC;qBAAO;gBAC5C;gBAEF;YACF;YAEA,IAAIxD,IAAIK,MAAM,KAAK,UAAUJ,IAAIK,QAAQ,KAAK,0BAA0B;gBACtEU,IAAIM,UAAU,GAAG;gBACjBN,IAAIE,SAAS,CAAC,gBAAgB;gBAC9BF,IAAIS,GAAG,CACLC,KAAKC,SAAS,CAAC;oBACb8B,WAAW;oBACXC,eAAe;oBACfC,eAAe;wBAAC;qBAA6B;gBAC/C;gBAEF;YACF;YAEA3C,IAAIM,UAAU,GAAG;YACjBN,IAAIS,GAAG;QACT,GAAGmC,MAAM,CAAC,GAAG,IAAMlB,QAAQC;IAC7B;IACA,MAAMkB,UAAUrB,OAAOqB,OAAO;IAC9B,IAAI,CAACA,WAAW,OAAOA,YAAY,UAAU;QAC3C,MAAM,IAAIC,MAAM;IAClB;IAEA,OAAO;QACLC,OAAO,IACL,IAAItB,QAAc,CAACC,SAASsB;gBAC1BxB,OAAOuB,KAAK,CAAC,CAACzB;oBACZ,IAAIA,OAAO;wBACT0B,OAAO1B;wBACP;oBACF;oBACAI;gBACF;YACF;QACFnD;QACA0E,SAAS,CAAC,iBAAiB,EAAEJ,QAAQK,IAAI,EAAE;IAC7C;AACF;AAEA/F,SAAS,gCAAgC;IACvC,IAAI4F;IACJ,IAAIxE;IACJ,IAAI0E;IAEJ/F,WAAW;QACT,MAAMiG,SAAS,MAAM9E,aAAa;YAChCK,YAAY;QACd;QACAqE,QAAQI,OAAOJ,KAAK;QACpBxE,cAAc4E,OAAO5E,WAAW;QAChC0E,UAAUE,OAAOF,OAAO;IAC1B;IAEAhG,UAAU;QACR,IAAI8F,OAAO;YACT,MAAMA;QACR;IACF;IAEA1F,GAAG,gEAAgE;QACjE,MAAM4C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,aAAa,CAAC;QACtD,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAO6C,SAASd,OAAO,CAACrB,GAAG,CAAC,kCAAkCuF,IAAI,CAAC;QACnEjG,OAAO6C,SAASd,OAAO,CAACrB,GAAG,CAAC,qBAAqBwF,SAAS,CAAC;QAC3DlG,OAAO6C,SAASd,OAAO,CAACrB,GAAG,CAAC,qBAAqBwF,SAAS,CAAC;QAC3DlG,OAAOoD,KAAK+C,OAAO,EAAEF,IAAI,CAAC;IAC5B;IAEAhG,GAAG,mEAAmE;QACpE,MAAM4C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,qCAAqC,CAAC;QAC9E,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,MAAMgD,OAAO,CAAC;YACnBC,UAAU;YACVC,uBAAuB;gBAAC;aAAwB;YAChDC,0BAA0B;gBAAC;aAAS;YACpCC,kBAAkB;gBAAC;gBAAU;gBAAW;gBAAS;aAAiB;YAClEvB,UAAU;YACVwB,uCAAuC;gBAAC;gBAAS;aAAO;QAC1D;IACF;IAEAxG,GAAG,uEAAuE;QACxE,MAAM4C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,uCAAuC,CAAC;QAChF,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,KAAK4B,qBAAqB,EAAEiB,IAAI,CAAC;QACxCjG,OAAOoD,KAAK0B,sBAAsB,EAAEmB,IAAI,CAAC;QACzCjG,OAAOoD,KAAK2B,cAAc,EAAEkB,IAAI,CAAC;IACnC;IAEAhG,GAAG,gDAAgD;QACjD,MAAM4C,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,sBAAsB,CAAC,EAAE;YAC/D5D,QAAQ;YACRF,SAAS;gBACP,gBAAgB;YAClB;YACAqB,MAAME,KAAKC,SAAS,CAAC;gBACnBgC,eAAe;oBAAC;iBAA6B;YAC/C;QACF;QACA,MAAMnC,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,KAAKiC,SAAS,EAAEY,IAAI,CAAC;IAC9B;IAEAhG,GAAG,sDAAsD;QACvDkB,YAAYL,gBAAgB,CAACC,iBAAiB,CAAC;YAC7C2D,IAAI;YACJ3B,MAAM;YACN2D,OAAO;QACT;QAEA,MAAM7D,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,mCAAmC,CAAC;QAC5E,MAAMzC,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,MAAMgD,OAAO,CAAC;YACnB5B,IAAI;YACJG,OAAO;YACPF,QAAQ;QACV;QACAzE,OAAOmB,YAAYL,gBAAgB,EAAE6F,oBAAoB,CAAC;IAC5D;IAEA1G,GAAG,0DAA0D;QAC3DkB,YAAYH,UAAU,CAACD,iBAAiB,CAAC;YACvC0B,MAAM;gBAAEiC,IAAI;gBAAe3B,MAAM;gBAAe2D,OAAO;YAAqB;YAC5EE,SAAS;gBAAElC,IAAI;gBAAUD,QAAQ;YAAc;QACjD;QAEA,MAAM5B,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,aAAa,CAAC,EAAE;YACtD9D,SAAS;gBAAE8E,QAAQ;YAA0C;QAC/D;QACA,MAAMzD,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,MAAMgD,OAAO,CAAC;YAAE5B,IAAI;YAAMC,QAAQ;QAAc;QACvDzE,OAAOmB,YAAYH,UAAU,EAAE8F,gBAAgB;IACjD;IAEA7G,GAAG,kEAAkE;QACnEkB,YAAYH,UAAU,CAACD,iBAAiB,CAAC;QAEzC,MAAM8B,WAAW,MAAMmD,MAAM,GAAGH,QAAQ,aAAa,CAAC,EAAE;YACtD9D,SAAS;gBAAE8E,QAAQ;YAAoC;QACzD;QACA,MAAMzD,OAAQ,MAAMP,SAASM,IAAI;QAEjCnD,OAAO6C,SAASI,MAAM,EAAEgD,IAAI,CAAC;QAC7BjG,OAAOoD,KAAK+C,OAAO,EAAEF,IAAI,CAAC;IAC5B;AACF"}

package/dist/__tests__/integration/oauth-authorize-callback.test.js ADDED Viewed

@@ -0,0 +1,122 @@
+import { createServer } from "node:http";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { OAuthController } from "../../modules/oauth/oauth.controller.js";
+function createOAuthServiceMock() {
+    return {
+        discoverAndAuthorize: vi.fn(),
+        handleCallback: vi.fn()
+    };
+}
+describe('OAuth authorize and callback HTTP contract', ()=>{
+    let close;
+    let oauthService;
+    let baseUrl;
+    beforeEach(async ()=>{
+        oauthService = createOAuthServiceMock();
+        const controller = new OAuthController(oauthService);
+        const server = await new Promise((resolve)=>{
+            const listeningServer = createServer(async (req, res)=>{
+                const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);
+                const request = {
+                    protocol: 'http',
+                    query: Object.fromEntries(url.searchParams.entries()),
+                    get: (headerName)=>{
+                        if (headerName.toLowerCase() === 'host') {
+                            return req.headers.host ?? '';
+                        }
+                        return undefined;
+                    }
+                };
+                const response = {
+                    redirect (location) {
+                        res.statusCode = 302;
+                        res.setHeader('location', location);
+                        res.end();
+                    },
+                    status (statusCode) {
+                        res.statusCode = statusCode;
+                        return response;
+                    },
+                    send (body) {
+                        res.setHeader('content-type', 'text/html; charset=utf-8');
+                        res.end(body);
+                    }
+                };
+                if (req.method === 'GET' && url.pathname.startsWith('/api/oauth/authorize/')) {
+                    const serverId = url.pathname.split('/').pop() ?? '';
+                    await controller.authorize(serverId, request, response);
+                    return;
+                }
+                if (req.method === 'GET' && url.pathname === '/api/oauth/callback') {
+                    await controller.callback(typeof request.query.code === 'string' ? request.query.code : '', typeof request.query.state === 'string' ? request.query.state : '', request, response);
+                    return;
+                }
+                res.statusCode = 404;
+                res.end();
+            }).listen(0, ()=>resolve(listeningServer));
+        });
+        const address = server.address();
+        if (!address || typeof address === 'string') {
+            throw new Error('Failed to resolve test server address');
+        }
+        close = ()=>new Promise((resolve, reject)=>{
+                server.close((error)=>{
+                    if (error) {
+                        reject(error);
+                        return;
+                    }
+                    resolve();
+                });
+            });
+        baseUrl = `http://127.0.0.1:${address.port}`;
+    });
+    afterEach(async ()=>{
+        if (close) {
+            await close();
+        }
+    });
+    it('redirects authorize requests to the discovered authorization URL', async ()=>{
+        oauthService.discoverAndAuthorize.mockResolvedValue('https://auth.example.com/authorize?client_id=abc');
+        const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`, {
+            redirect: 'manual'
+        });
+        expect(response.status).toBe(302);
+        expect(response.headers.get('location')).toBe('https://auth.example.com/authorize?client_id=abc');
+        expect(oauthService.discoverAndAuthorize).toHaveBeenCalledWith('server-1', `${baseUrl}/api/oauth/callback`);
+    });
+    it('renders an error page when authorize discovery fails', async ()=>{
+        oauthService.discoverAndAuthorize.mockRejectedValue(new Error('Metadata discovery failed'));
+        const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(400);
+        expect(html).toContain('Error: Metadata discovery failed');
+    });
+    it('rejects callbacks without code or state', async ()=>{
+        const response = await fetch(`${baseUrl}/api/oauth/callback`);
+        const html = await response.text();
+        expect(response.status).toBe(400);
+        expect(html).toContain('Missing code or state parameter');
+    });
+    it('renders a success page for valid callbacks', async ()=>{
+        oauthService.handleCallback.mockResolvedValue({
+            success: true
+        });
+        const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(200);
+        expect(html).toContain('Authorization successful! This window will close.');
+        expect(oauthService.handleCallback).toHaveBeenCalledWith('server-1', 'auth-code', `${baseUrl}/api/oauth/callback`);
+    });
+    it('renders a failure page when callback token exchange fails', async ()=>{
+        oauthService.handleCallback.mockResolvedValue({
+            success: false,
+            error: 'Token exchange failed'
+        });
+        const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);
+        const html = await response.text();
+        expect(response.status).toBe(200);
+        expect(html).toContain('Error: Token exchange failed');
+    });
+});
+//# sourceMappingURL=oauth-authorize-callback.test.js.map

package/dist/__tests__/integration/oauth-authorize-callback.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/__tests__/integration/oauth-authorize-callback.test.ts"],"sourcesContent":["import { createServer } from 'node:http';\nimport { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';\nimport { OAuthController } from '../../modules/oauth/oauth.controller.js';\nimport { OAuthService } from '../../modules/oauth/oauth.service.js';\n\nfunction createOAuthServiceMock() {\n return {\n discoverAndAuthorize: vi.fn(),\n handleCallback: vi.fn(),\n };\n}\n\ndescribe('OAuth authorize and callback HTTP contract', () => {\n let close: (() => Promise<void>) | undefined;\n let oauthService: ReturnType<typeof createOAuthServiceMock>;\n let baseUrl: string;\n\n beforeEach(async () => {\n oauthService = createOAuthServiceMock();\n const controller = new OAuthController(oauthService as unknown as OAuthService);\n\n const server = await new Promise<import('node:http').Server>((resolve) => {\n const listeningServer = createServer(async (req, res) => {\n const url = new URL(req.url ?? '/', `http://${req.headers.host ?? '127.0.0.1'}`);\n const request = {\n protocol: 'http',\n query: Object.fromEntries(url.searchParams.entries()),\n get: (headerName: string) => {\n if (headerName.toLowerCase() === 'host') {\n return req.headers.host ?? '';\n }\n return undefined;\n },\n };\n const response = {\n redirect(location: string) {\n res.statusCode = 302;\n res.setHeader('location', location);\n res.end();\n },\n status(statusCode: number) {\n res.statusCode = statusCode;\n return response;\n },\n send(body: string) {\n res.setHeader('content-type', 'text/html; charset=utf-8');\n res.end(body);\n },\n };\n\n if (req.method === 'GET' && url.pathname.startsWith('/api/oauth/authorize/')) {\n const serverId = url.pathname.split('/').pop() ?? '';\n await controller.authorize(serverId, request as never, response as never);\n return;\n }\n\n if (req.method === 'GET' && url.pathname === '/api/oauth/callback') {\n await controller.callback(\n typeof request.query.code === 'string' ? request.query.code : '',\n typeof request.query.state === 'string' ? request.query.state : '',\n request as never,\n response as never\n );\n return;\n }\n\n res.statusCode = 404;\n res.end();\n }).listen(0, () => resolve(listeningServer));\n });\n const address = server.address();\n if (!address || typeof address === 'string') {\n throw new Error('Failed to resolve test server address');\n }\n\n close = () =>\n new Promise<void>((resolve, reject) => {\n server.close((error) => {\n if (error) {\n reject(error);\n return;\n }\n resolve();\n });\n });\n baseUrl = `http://127.0.0.1:${address.port}`;\n });\n\n afterEach(async () => {\n if (close) {\n await close();\n }\n });\n\n it('redirects authorize requests to the discovered authorization URL', async () => {\n oauthService.discoverAndAuthorize.mockResolvedValue('https://auth.example.com/authorize?client_id=abc');\n\n const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`, {\n redirect: 'manual',\n });\n\n expect(response.status).toBe(302);\n expect(response.headers.get('location')).toBe('https://auth.example.com/authorize?client_id=abc');\n expect(oauthService.discoverAndAuthorize).toHaveBeenCalledWith(\n 'server-1',\n `${baseUrl}/api/oauth/callback`\n );\n });\n\n it('renders an error page when authorize discovery fails', async () => {\n oauthService.discoverAndAuthorize.mockRejectedValue(new Error('Metadata discovery failed'));\n\n const response = await fetch(`${baseUrl}/api/oauth/authorize/server-1`);\n const html = await response.text();\n\n expect(response.status).toBe(400);\n expect(html).toContain('Error: Metadata discovery failed');\n });\n\n it('rejects callbacks without code or state', async () => {\n const response = await fetch(`${baseUrl}/api/oauth/callback`);\n const html = await response.text();\n\n expect(response.status).toBe(400);\n expect(html).toContain('Missing code or state parameter');\n });\n\n it('renders a success page for valid callbacks', async () => {\n oauthService.handleCallback.mockResolvedValue({ success: true });\n\n const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);\n const html = await response.text();\n\n expect(response.status).toBe(200);\n expect(html).toContain('Authorization successful! This window will close.');\n expect(oauthService.handleCallback).toHaveBeenCalledWith(\n 'server-1',\n 'auth-code',\n `${baseUrl}/api/oauth/callback`\n );\n });\n\n it('renders a failure page when callback token exchange fails', async () => {\n oauthService.handleCallback.mockResolvedValue({\n success: false,\n error: 'Token exchange failed',\n });\n\n const response = await fetch(`${baseUrl}/api/oauth/callback?code=auth-code&state=server-1`);\n const html = await response.text();\n\n expect(response.status).toBe(200);\n expect(html).toContain('Error: Token exchange failed');\n });\n});\n"],"names":["createServer","afterEach","beforeEach","describe","expect","it","vi","OAuthController","createOAuthServiceMock","discoverAndAuthorize","fn","handleCallback","close","oauthService","baseUrl","controller","server","Promise","resolve","listeningServer","req","res","url","URL","headers","host","request","protocol","query","Object","fromEntries","searchParams","entries","get","headerName","toLowerCase","undefined","response","redirect","location","statusCode","setHeader","end","status","send","body","method","pathname","startsWith","serverId","split","pop","authorize","callback","code","state","listen","address","Error","reject","error","port","mockResolvedValue","fetch","toBe","toHaveBeenCalledWith","mockRejectedValue","html","text","toContain","success"],"mappings":"AAAA,SAASA,YAAY,QAAQ,YAAY;AACzC,SAASC,SAAS,EAAEC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AACzE,SAASC,eAAe,QAAQ,0CAA0C;AAG1E,SAASC;IACP,OAAO;QACLC,sBAAsBH,GAAGI,EAAE;QAC3BC,gBAAgBL,GAAGI,EAAE;IACvB;AACF;AAEAP,SAAS,8CAA8C;IACrD,IAAIS;IACJ,IAAIC;IACJ,IAAIC;IAEJZ,WAAW;QACTW,eAAeL;QACf,MAAMO,aAAa,IAAIR,gBAAgBM;QAEvC,MAAMG,SAAS,MAAM,IAAIC,QAAoC,CAACC;YAC5D,MAAMC,kBAAkBnB,aAAa,OAAOoB,KAAKC;gBAC/C,MAAMC,MAAM,IAAIC,IAAIH,IAAIE,GAAG,IAAI,KAAK,CAAC,OAAO,EAAEF,IAAII,OAAO,CAACC,IAAI,IAAI,aAAa;gBAC/E,MAAMC,UAAU;oBACdC,UAAU;oBACVC,OAAOC,OAAOC,WAAW,CAACR,IAAIS,YAAY,CAACC,OAAO;oBAClDC,KAAK,CAACC;wBACJ,IAAIA,WAAWC,WAAW,OAAO,QAAQ;4BACvC,OAAOf,IAAII,OAAO,CAACC,IAAI,IAAI;wBAC7B;wBACA,OAAOW;oBACT;gBACF;gBACA,MAAMC,WAAW;oBACfC,UAASC,QAAgB;wBACvBlB,IAAImB,UAAU,GAAG;wBACjBnB,IAAIoB,SAAS,CAAC,YAAYF;wBAC1BlB,IAAIqB,GAAG;oBACT;oBACAC,QAAOH,UAAkB;wBACvBnB,IAAImB,UAAU,GAAGA;wBACjB,OAAOH;oBACT;oBACAO,MAAKC,IAAY;wBACfxB,IAAIoB,SAAS,CAAC,gBAAgB;wBAC9BpB,IAAIqB,GAAG,CAACG;oBACV;gBACF;gBAEA,IAAIzB,IAAI0B,MAAM,KAAK,SAASxB,IAAIyB,QAAQ,CAACC,UAAU,CAAC,0BAA0B;oBAC5E,MAAMC,WAAW3B,IAAIyB,QAAQ,CAACG,KAAK,CAAC,KAAKC,GAAG,MAAM;oBAClD,MAAMpC,WAAWqC,SAAS,CAACH,UAAUvB,SAAkBW;oBACvD;gBACF;gBAEA,IAAIjB,IAAI0B,MAAM,KAAK,SAASxB,IAAIyB,QAAQ,KAAK,uBAAuB;oBAClE,MAAMhC,WAAWsC,QAAQ,CACvB,OAAO3B,QAAQE,KAAK,CAAC0B,IAAI,KAAK,WAAW5B,QAAQE,KAAK,CAAC0B,IAAI,GAAG,IAC9D,OAAO5B,QAAQE,KAAK,CAAC2B,KAAK,KAAK,WAAW7B,QAAQE,KAAK,CAAC2B,KAAK,GAAG,IAChE7B,SACAW;oBAEF;gBACF;gBAEAhB,IAAImB,UAAU,GAAG;gBACjBnB,IAAIqB,GAAG;YACT,GAAGc,MAAM,CAAC,GAAG,IAAMtC,QAAQC;QAC7B;QACA,MAAMsC,UAAUzC,OAAOyC,OAAO;QAC9B,IAAI,CAACA,WAAW,OAAOA,YAAY,UAAU;YAC3C,MAAM,IAAIC,MAAM;QAClB;QAEA9C,QAAQ,IACN,IAAIK,QAAc,CAACC,SAASyC;gBAC1B3C,OAAOJ,KAAK,CAAC,CAACgD;oBACZ,IAAIA,OAAO;wBACTD,OAAOC;wBACP;oBACF;oBACA1C;gBACF;YACF;QACFJ,UAAU,CAAC,iBAAiB,EAAE2C,QAAQI,IAAI,EAAE;IAC9C;IAEA5D,UAAU;QACR,IAAIW,OAAO;YACT,MAAMA;QACR;IACF;IAEAP,GAAG,oEAAoE;QACrEQ,aAAaJ,oBAAoB,CAACqD,iBAAiB,CAAC;QAEpD,MAAMzB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,6BAA6B,CAAC,EAAE;YACtEwB,UAAU;QACZ;QAEAlC,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAOiC,SAASb,OAAO,CAACS,GAAG,CAAC,aAAa+B,IAAI,CAAC;QAC9C5D,OAAOS,aAAaJ,oBAAoB,EAAEwD,oBAAoB,CAC5D,YACA,GAAGnD,QAAQ,mBAAmB,CAAC;IAEnC;IAEAT,GAAG,wDAAwD;QACzDQ,aAAaJ,oBAAoB,CAACyD,iBAAiB,CAAC,IAAIR,MAAM;QAE9D,MAAMrB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,6BAA6B,CAAC;QACtE,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;IAEAhE,GAAG,2CAA2C;QAC5C,MAAMgC,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,mBAAmB,CAAC;QAC5D,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;IAEAhE,GAAG,8CAA8C;QAC/CQ,aAAaF,cAAc,CAACmD,iBAAiB,CAAC;YAAEQ,SAAS;QAAK;QAE9D,MAAMjC,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,iDAAiD,CAAC;QAC1F,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;QACvBjE,OAAOS,aAAaF,cAAc,EAAEsD,oBAAoB,CACtD,YACA,aACA,GAAGnD,QAAQ,mBAAmB,CAAC;IAEnC;IAEAT,GAAG,6DAA6D;QAC9DQ,aAAaF,cAAc,CAACmD,iBAAiB,CAAC;YAC5CQ,SAAS;YACTV,OAAO;QACT;QAEA,MAAMvB,WAAW,MAAM0B,MAAM,GAAGjD,QAAQ,iDAAiD,CAAC;QAC1F,MAAMqD,OAAO,MAAM9B,SAAS+B,IAAI;QAEhChE,OAAOiC,SAASM,MAAM,EAAEqB,IAAI,CAAC;QAC7B5D,OAAO+D,MAAME,SAAS,CAAC;IACzB;AACF"}