@enterprisestandard/esv 0.0.5-beta.20260114.3 → 0.0.5-beta.20260115.2

package/dist/sso/index.js

@@ -1,449 +1,376 @@
-import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
+/**
+ * SSO Validation Tests
+ *
+ * These tests validate that an application correctly implements
+ * Enterprise Standard SSO (Single Sign-On) functionality.
+ */
+import { assert, buildCookieHeader, createFetcher, parseCookies, runTest, skipTest } from '../utils';
+/**
+ * Default configuration for SSO validation
+ */
+const DEFAULT_CONFIG = {
+    loginPath: '/api/auth/login',
+    callbackPath: '/api/auth/callback',
+    userPath: '/api/auth/user',
+    logoutPath: '/api/auth/logout',
+    backChannelLogoutPath: '/api/auth/logout/backchannel',
+    tokenPath: '/api/auth/token',
+    refreshPath: '/api/auth/refresh',
 };
-var __moduleCache = /* @__PURE__ */ new WeakMap;
-var __toCommonJS = (from) => {
-  var entry = __moduleCache.get(from), desc;
-  if (entry)
-    return entry;
-  entry = __defProp({}, "__esModule", { value: true });
-  if (from && typeof from === "object" || typeof from === "function")
-    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
-      get: () => from[key],
-      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-    }));
-  __moduleCache.set(from, entry);
-  return entry;
-};
-var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, {
-      get: all[name],
-      enumerable: true,
-      configurable: true,
-      set: (newValue) => all[name] = () => newValue
+/**
+ * Test: Login endpoint exists and redirects to authorization URL
+ */
+async function testLoginEndpoint(config, fetch) {
+    return runTest('SSO Login Endpoint', async () => {
+        const response = await fetch(config.loginPath);
+        // Should return a redirect (302)
+        assert(response.status === 302, `Expected 302 redirect, got ${response.status}`);
+        // Should have a Location header pointing to the authorization URL
+        const location = response.headers.get('Location');
+        assert(location !== null, 'Missing Location header in redirect');
+        // If an expected pattern is provided, validate the URL
+        if (config.expectedAuthorizationUrlPattern) {
+            assert(config.expectedAuthorizationUrlPattern.test(location), `Authorization URL does not match expected pattern: ${location}`);
+        }
+        // Should have required OIDC parameters
+        const url = new URL(location);
+        assert(url.searchParams.has('client_id'), 'Missing client_id in authorization URL');
+        assert(url.searchParams.has('redirect_uri'), 'Missing redirect_uri in authorization URL');
+        assert(url.searchParams.has('response_type'), 'Missing response_type in authorization URL');
+        assert(url.searchParams.has('scope'), 'Missing scope in authorization URL');
+        assert(url.searchParams.has('state'), 'Missing state in authorization URL');
+        assert(url.searchParams.has('code_challenge'), 'Missing code_challenge (PKCE) in authorization URL');
+        assert(url.searchParams.has('code_challenge_method'), 'Missing code_challenge_method (PKCE) in authorization URL');
+        // Should set a state cookie
+        const cookies = parseCookies(response.headers);
+        const hasStateCookie = Array.from(cookies.keys()).some((name) => name.includes('.state'));
+        assert(hasStateCookie, 'Missing state cookie in response');
+        return {
+            details: {
+                authorizationUrl: location,
+                pkceEnabled: true,
+                stateParameter: url.searchParams.get('state'),
+            },
+        };
     });
-};
-var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-
-// packages/esv/src/utils.ts
-function createFetcher(config) {
-  const timeout = config.timeout ?? 5000;
-  const headers = config.headers ?? {};
-  return async function fetcher(path, options = {}) {
-    const url = `${config.baseUrl}${path}`;
-    const controller = new AbortController;
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    try {
-      const response = await fetch(url, {
-        ...options,
-        signal: controller.signal,
-        headers: {
-          ...headers,
-          ...options.headers
-        },
-        redirect: "manual"
-      });
-      return response;
-    } finally {
-      clearTimeout(timeoutId);
-    }
-  };
-}
-async function runTest(name, testFn) {
-  const start = performance.now();
-  try {
-    const result = await testFn();
-    return {
-      name,
-      passed: true,
-      duration: performance.now() - start,
-      details: result?.details
-    };
-  } catch (error) {
-    return {
-      name,
-      passed: false,
-      error: error instanceof Error ? error.message : String(error),
-      duration: performance.now() - start
-    };
-  }
-}
-function skipTest(name, reason) {
-  return {
-    name,
-    passed: true,
-    duration: 0,
-    details: { skipped: true, reason }
-  };
 }
-function assert(condition, message) {
-  if (!condition) {
-    throw new Error(message);
-  }
-}
-function assertEqual(actual, expected, message) {
-  if (actual !== expected) {
-    throw new Error(message ?? `Expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`);
-  }
+/**
+ * Test: User endpoint returns 401 when not authenticated
+ */
+async function testUserEndpointUnauthenticated(config, fetch) {
+    return runTest('SSO User Endpoint (Unauthenticated)', async () => {
+        const response = await fetch(config.userPath);
+        // Should return 401 Unauthorized
+        assert(response.status === 401, `Expected 401 Unauthorized, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+            },
+        };
+    });
 }
-function assertValid(data, validator, message) {
-  const result = validator["~standard"].validate(data);
-  if (result instanceof Promise) {
-    throw new Error(message ?? "Async validators are not supported in assertValid. Use the validator directly with await.");
-  }
-  if ("issues" in result) {
-    const issues = result.issues;
-    const errorMessages = issues.map((issue) => {
-      const path = issue.path ? issue.path.map(String).join(".") : "";
-      return path ? `${path}: ${issue.message}` : issue.message;
+/**
+ * Test: Logout endpoint clears cookies
+ */
+async function testLogoutEndpoint(config, fetch) {
+    return runTest('SSO Logout Endpoint', async () => {
+        const response = await fetch(`${config.logoutPath}?redirect=/`);
+        // Should return 302 redirect (with redirect param) or 200
+        assert(response.status === 302 || response.status === 200, `Expected 302 or 200, got ${response.status}`);
+        // Should clear cookies
+        const cookies = parseCookies(response.headers);
+        const clearedCookies = [];
+        for (const [name, value] of cookies.entries()) {
+            // Check if the cookie is being cleared (Max-Age=0 or empty value)
+            if (value === '' || value.includes('Max-Age=0')) {
+                clearedCookies.push(name);
+            }
+        }
+        // Check for standard SSO cookies being cleared
+        const setCookieHeaders = response.headers.getSetCookie?.() ?? [];
+        const hasExpiredCookies = setCookieHeaders.some((cookie) => cookie.includes('Max-Age=0') || cookie.includes('expires=Thu, 01 Jan 1970'));
+        assert(hasExpiredCookies || clearedCookies.length > 0 || setCookieHeaders.length === 0, 'Logout should clear session cookies');
+        return {
+            details: {
+                status: response.status,
+                clearedCookies,
+            },
+        };
     });
-    throw new Error(message ?? `Validation failed: ${errorMessages.join("; ")}`);
-  }
 }
-function parseCookies(headers) {
-  const cookies = new Map;
-  const setCookieHeaders = headers.getSetCookie?.() ?? [];
-  for (const cookie of setCookieHeaders) {
-    const [pair] = cookie.split(";");
-    const [name, value] = pair.split("=");
-    if (name && value !== undefined) {
-      cookies.set(name.trim(), value.trim());
-    }
-  }
-  return cookies;
+/**
+ * Test: Back-channel logout endpoint exists
+ */
+async function testBackChannelLogoutEndpoint(config, fetch) {
+    return runTest('SSO Back-Channel Logout Endpoint', async () => {
+        // Send a POST request without a valid logout token
+        // The endpoint should exist and return 400 (bad request) for missing token
+        const response = await fetch(config.backChannelLogoutPath, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: '',
+        });
+        // Should return 400 (missing logout_token) or 200 (if session store not configured)
+        assert(response.status === 400 || response.status === 200 || response.status === 404, `Expected 400 or 200, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+                endpointExists: response.status !== 404,
+            },
+        };
+    });
 }
-function buildCookieHeader(cookies) {
-  return Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
+/**
+ * Test: Callback endpoint returns error without valid code
+ */
+async function testCallbackEndpointInvalid(config, fetch) {
+    return runTest('SSO Callback Endpoint (Invalid)', async () => {
+        // Send a callback request without proper state/code
+        const response = await fetch(`${config.callbackPath}?code=invalid&state=invalid`);
+        // Should return 400 or 500 (validation error)
+        assert(response.status >= 400, `Expected error status for invalid callback, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+                handlesInvalidCallback: true,
+            },
+        };
+    });
 }
-
-// packages/esv/src/sso/index.ts
-var exports_sso = {};
-__export(exports_sso, {
-  validateSSO: () => validateSSO,
-  createSSOTests: () => createSSOTests
-});
-async function testLoginEndpoint(config, fetch2) {
-  return runTest("SSO Login Endpoint", async () => {
-    const response = await fetch2(config.loginPath);
-    assert(response.status === 302, `Expected 302 redirect, got ${response.status}`);
-    const location = response.headers.get("Location");
-    assert(location !== null, "Missing Location header in redirect");
-    if (config.expectedAuthorizationUrlPattern) {
-      assert(config.expectedAuthorizationUrlPattern.test(location), `Authorization URL does not match expected pattern: ${location}`);
+/**
+ * Test: Token endpoint returns 401 when not authenticated
+ */
+async function testTokenEndpointUnauthenticated(config, fetch) {
+    if (!config.tokenPath) {
+        return skipTest('SSO Token Endpoint (Unauthenticated)', 'Token path not configured');
     }
-    const url = new URL(location);
-    assert(url.searchParams.has("client_id"), "Missing client_id in authorization URL");
-    assert(url.searchParams.has("redirect_uri"), "Missing redirect_uri in authorization URL");
-    assert(url.searchParams.has("response_type"), "Missing response_type in authorization URL");
-    assert(url.searchParams.has("scope"), "Missing scope in authorization URL");
-    assert(url.searchParams.has("state"), "Missing state in authorization URL");
-    assert(url.searchParams.has("code_challenge"), "Missing code_challenge (PKCE) in authorization URL");
-    assert(url.searchParams.has("code_challenge_method"), "Missing code_challenge_method (PKCE) in authorization URL");
-    const cookies = parseCookies(response.headers);
-    const hasStateCookie = Array.from(cookies.keys()).some((name) => name.includes(".state"));
-    assert(hasStateCookie, "Missing state cookie in response");
-    return {
-      details: {
-        authorizationUrl: location,
-        pkceEnabled: true,
-        stateParameter: url.searchParams.get("state")
-      }
-    };
-  });
-}
-async function testUserEndpointUnauthenticated(config, fetch2) {
-  return runTest("SSO User Endpoint (Unauthenticated)", async () => {
-    const response = await fetch2(config.userPath);
-    assert(response.status === 401, `Expected 401 Unauthorized, got ${response.status}`);
-    return {
-      details: {
-        status: response.status
-      }
-    };
-  });
+    return runTest('SSO Token Endpoint (Unauthenticated)', async () => {
+        const response = await fetch(config.tokenPath);
+        // Should return 401 Unauthorized
+        assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+            },
+        };
+    });
 }
-async function testLogoutEndpoint(config, fetch2) {
-  return runTest("SSO Logout Endpoint", async () => {
-    const response = await fetch2(`${config.logoutPath}?redirect=/`);
-    assert(response.status === 302 || response.status === 200, `Expected 302 or 200, got ${response.status}`);
-    const cookies = parseCookies(response.headers);
-    const clearedCookies = [];
-    for (const [name, value] of cookies.entries()) {
-      if (value === "" || value.includes("Max-Age=0")) {
-        clearedCookies.push(name);
-      }
+/**
+ * Test: Refresh endpoint returns 401 when not authenticated
+ */
+async function testRefreshEndpointUnauthenticated(config, fetch) {
+    if (!config.refreshPath) {
+        return skipTest('SSO Refresh Endpoint (Unauthenticated)', 'Refresh path not configured');
     }
-    const setCookieHeaders = response.headers.getSetCookie?.() ?? [];
-    const hasExpiredCookies = setCookieHeaders.some((cookie) => cookie.includes("Max-Age=0") || cookie.includes("expires=Thu, 01 Jan 1970"));
-    assert(hasExpiredCookies || clearedCookies.length > 0 || setCookieHeaders.length === 0, "Logout should clear session cookies");
-    return {
-      details: {
-        status: response.status,
-        clearedCookies
-      }
-    };
-  });
-}
-async function testBackChannelLogoutEndpoint(config, fetch2) {
-  return runTest("SSO Back-Channel Logout Endpoint", async () => {
-    const response = await fetch2(config.backChannelLogoutPath, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded"
-      },
-      body: ""
+    return runTest('SSO Refresh Endpoint (Unauthenticated)', async () => {
+        const response = await fetch(config.refreshPath);
+        // Should return 401 Unauthorized
+        assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+            },
+        };
     });
-    assert(response.status === 400 || response.status === 200 || response.status === 404, `Expected 400 or 200, got ${response.status}`);
-    return {
-      details: {
-        status: response.status,
-        endpointExists: response.status !== 404
-      }
-    };
-  });
-}
-async function testCallbackEndpointInvalid(config, fetch2) {
-  return runTest("SSO Callback Endpoint (Invalid)", async () => {
-    const response = await fetch2(`${config.callbackPath}?code=invalid&state=invalid`);
-    assert(response.status >= 400, `Expected error status for invalid callback, got ${response.status}`);
-    return {
-      details: {
-        status: response.status,
-        handlesInvalidCallback: true
-      }
-    };
-  });
 }
-async function testTokenEndpointUnauthenticated(config, fetch2) {
-  if (!config.tokenPath) {
-    return skipTest("SSO Token Endpoint (Unauthenticated)", "Token path not configured");
-  }
-  return runTest("SSO Token Endpoint (Unauthenticated)", async () => {
-    const response = await fetch2(config.tokenPath);
-    assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
-    return {
-      details: {
-        status: response.status
-      }
-    };
-  });
-}
-async function testRefreshEndpointUnauthenticated(config, fetch2) {
-  if (!config.refreshPath) {
-    return skipTest("SSO Refresh Endpoint (Unauthenticated)", "Refresh path not configured");
-  }
-  return runTest("SSO Refresh Endpoint (Unauthenticated)", async () => {
-    const response = await fetch2(config.refreshPath);
-    assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
-    return {
-      details: {
-        status: response.status
-      }
-    };
-  });
-}
-async function completeLoginFlow(config, fetch2) {
-  try {
-    const loginResponse = await fetch2(config.loginPath);
-    if (loginResponse.status !== 302) {
-      return { cookies: new Map, success: false, error: `Login did not redirect: ${loginResponse.status}` };
-    }
-    const authUrl = loginResponse.headers.get("Location");
-    if (!authUrl) {
-      return { cookies: new Map, success: false, error: "No redirect location from login" };
-    }
-    const loginCookies = parseCookies(loginResponse.headers);
-    const authResponse = await globalThis.fetch(authUrl, { redirect: "manual" });
-    if (authResponse.status !== 302) {
-      return { cookies: new Map, success: false, error: `Auth did not redirect: ${authResponse.status}` };
-    }
-    const callbackUrl = authResponse.headers.get("Location");
-    if (!callbackUrl) {
-      return { cookies: new Map, success: false, error: "No redirect location from auth" };
+/**
+ * Helper: Complete a full SSO login flow through the mock server
+ *
+ * Returns the cookies set after successful authentication
+ */
+async function completeLoginFlow(config, fetch) {
+    try {
+        // Step 1: Hit the login endpoint to get the authorization redirect
+        const loginResponse = await fetch(config.loginPath);
+        if (loginResponse.status !== 302) {
+            return { cookies: new Map(), success: false, error: `Login did not redirect: ${loginResponse.status}` };
+        }
+        const authUrl = loginResponse.headers.get('Location');
+        if (!authUrl) {
+            return { cookies: new Map(), success: false, error: 'No redirect location from login' };
+        }
+        // Collect cookies from login response (includes state cookie)
+        const loginCookies = parseCookies(loginResponse.headers);
+        // Step 2: Follow the redirect to the authorization endpoint (mock server auto-authenticates)
+        const authResponse = await globalThis.fetch(authUrl, { redirect: 'manual' });
+        if (authResponse.status !== 302) {
+            return { cookies: new Map(), success: false, error: `Auth did not redirect: ${authResponse.status}` };
+        }
+        const callbackUrl = authResponse.headers.get('Location');
+        if (!callbackUrl) {
+            return { cookies: new Map(), success: false, error: 'No redirect location from auth' };
+        }
+        // Step 3: Complete the callback with the authorization code
+        // Extract just the path and query from the callback URL
+        const callbackPath = new URL(callbackUrl).pathname + new URL(callbackUrl).search;
+        const callbackResponse = await fetch(callbackPath, {
+            headers: {
+                Cookie: buildCookieHeader(loginCookies),
+            },
+        });
+        // Should redirect to landing page on success
+        if (callbackResponse.status !== 302) {
+            return { cookies: new Map(), success: false, error: `Callback did not redirect: ${callbackResponse.status}` };
+        }
+        // Collect all cookies from the callback response
+        const allCookies = parseCookies(callbackResponse.headers);
+        return { cookies: allCookies, success: true };
     }
-    const callbackPath = new URL(callbackUrl).pathname + new URL(callbackUrl).search;
-    const callbackResponse = await fetch2(callbackPath, {
-      headers: {
-        Cookie: buildCookieHeader(loginCookies)
-      }
-    });
-    if (callbackResponse.status !== 302) {
-      return { cookies: new Map, success: false, error: `Callback did not redirect: ${callbackResponse.status}` };
+    catch (error) {
+        return { cookies: new Map(), success: false, error: error instanceof Error ? error.message : String(error) };
     }
-    const allCookies = parseCookies(callbackResponse.headers);
-    return { cookies: allCookies, success: true };
-  } catch (error) {
-    return { cookies: new Map, success: false, error: error instanceof Error ? error.message : String(error) };
-  }
 }
-async function testJitUserProvisioningFlow(config, fetch2) {
-  return runTest("SSO JIT User Provisioning Flow", async () => {
-    const { cookies, success, error } = await completeLoginFlow(config, fetch2);
-    assert(success, error || "Login flow failed");
-    const hasAuthCookies = Array.from(cookies.keys()).some((name) => name.includes(".access") || name.includes(".id"));
-    assert(hasAuthCookies, "No authentication cookies set after login");
-    const userResponse = await fetch2(config.userPath, {
-      headers: {
-        Cookie: buildCookieHeader(cookies)
-      }
+/**
+ * Test: JIT user provisioning works when enabled
+ *
+ * This test completes a full SSO flow and verifies the user is authenticated.
+ * The actual JIT provisioning behavior depends on the server configuration.
+ */
+async function testJitUserProvisioningFlow(config, fetch) {
+    return runTest('SSO JIT User Provisioning Flow', async () => {
+        // Complete the full login flow
+        const { cookies, success, error } = await completeLoginFlow(config, fetch);
+        assert(success, error || 'Login flow failed');
+        // Verify we got authentication cookies
+        const hasAuthCookies = Array.from(cookies.keys()).some((name) => name.includes('.access') || name.includes('.id'));
+        assert(hasAuthCookies, 'No authentication cookies set after login');
+        // Verify we can now access the user endpoint
+        const userResponse = await fetch(config.userPath, {
+            headers: {
+                Cookie: buildCookieHeader(cookies),
+            },
+        });
+        assert(userResponse.status === 200, `User endpoint returned ${userResponse.status} after login, expected 200`);
+        const userData = await userResponse.json();
+        assert(userData.id, 'User data missing id field');
+        return {
+            details: {
+                userId: userData.id,
+                userName: userData.userName,
+                email: userData.email,
+                jitFlowCompleted: true,
+            },
+        };
     });
-    assert(userResponse.status === 200, `User endpoint returned ${userResponse.status} after login, expected 200`);
-    const userData = await userResponse.json();
-    assert(userData.id, "User data missing id field");
+}
+/**
+ * Runs all SSO validation tests
+ */
+export async function validateSSO(config) {
+    const startTime = performance.now();
+    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+    const fetch = createFetcher(mergedConfig);
+    const tests = [];
+    // Run all tests
+    tests.push(await testLoginEndpoint(mergedConfig, fetch));
+    tests.push(await testUserEndpointUnauthenticated(mergedConfig, fetch));
+    tests.push(await testLogoutEndpoint(mergedConfig, fetch));
+    tests.push(await testBackChannelLogoutEndpoint(mergedConfig, fetch));
+    tests.push(await testCallbackEndpointInvalid(mergedConfig, fetch));
+    tests.push(await testTokenEndpointUnauthenticated(mergedConfig, fetch));
+    tests.push(await testRefreshEndpointUnauthenticated(mergedConfig, fetch));
+    tests.push(await testJitUserProvisioningFlow(mergedConfig, fetch));
+    const duration = performance.now() - startTime;
+    const passed = tests.filter((t) => t.passed).length;
+    const failed = tests.filter((t) => !t.passed).length;
+    const skipped = tests.filter((t) => t.details?.skipped).length;
     return {
-      details: {
-        userId: userData.id,
-        userName: userData.userName,
-        email: userData.email,
-        jitFlowCompleted: true
-      }
+        suite: 'SSO',
+        passed: failed === 0,
+        tests,
+        duration,
+        summary: {
+            total: tests.length,
+            passed: passed - skipped,
+            failed,
+            skipped,
+        },
     };
-  });
-}
-async function validateSSO(config) {
-  const startTime = performance.now();
-  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  const fetch2 = createFetcher(mergedConfig);
-  const tests = [];
-  tests.push(await testLoginEndpoint(mergedConfig, fetch2));
-  tests.push(await testUserEndpointUnauthenticated(mergedConfig, fetch2));
-  tests.push(await testLogoutEndpoint(mergedConfig, fetch2));
-  tests.push(await testBackChannelLogoutEndpoint(mergedConfig, fetch2));
-  tests.push(await testCallbackEndpointInvalid(mergedConfig, fetch2));
-  tests.push(await testTokenEndpointUnauthenticated(mergedConfig, fetch2));
-  tests.push(await testRefreshEndpointUnauthenticated(mergedConfig, fetch2));
-  tests.push(await testJitUserProvisioningFlow(mergedConfig, fetch2));
-  const duration = performance.now() - startTime;
-  const passed = tests.filter((t) => t.passed).length;
-  const failed = tests.filter((t) => !t.passed).length;
-  const skipped = tests.filter((t) => t.details?.skipped).length;
-  return {
-    suite: "SSO",
-    passed: failed === 0,
-    tests,
-    duration,
-    summary: {
-      total: tests.length,
-      passed: passed - skipped,
-      failed,
-      skipped
-    }
-  };
 }
-function createSSOTests(config) {
-  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  const fetch2 = createFetcher(mergedConfig);
-  const tests = [
-    {
-      name: "login endpoint redirects to authorization URL",
-      fn: async () => {
-        const result = await testLoginEndpoint(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "user endpoint returns 401 when unauthenticated",
-      fn: async () => {
-        const result = await testUserEndpointUnauthenticated(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "callback endpoint rejects invalid requests",
-      fn: async () => {
-        const result = await testCallbackEndpointInvalid(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "token endpoint returns 401 when unauthenticated",
-      fn: async () => {
-        const result = await testTokenEndpointUnauthenticated(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "refresh endpoint returns 401 when unauthenticated",
-      fn: async () => {
-        const result = await testRefreshEndpointUnauthenticated(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    }
-  ];
-  const ext = {
-    createJITTests: () => [
-      {
-        name: "user provisioning flow completes successfully",
-        fn: async () => {
-          const result = await testJitUserProvisioningFlow(mergedConfig, fetch2);
-          if (!result.passed)
-            throw new Error(result.error);
-        }
-      }
-    ],
-    createLogoutTests: () => [
-      {
-        name: "logout endpoint clears cookies",
-        fn: async () => {
-          const result = await testLogoutEndpoint(mergedConfig, fetch2);
-          if (!result.passed)
-            throw new Error(result.error);
-        }
-      }
-    ],
-    createBackChannelLogoutTests: () => [
-      {
-        name: "endpoint exists",
-        fn: async () => {
-          const result = await testBackChannelLogoutEndpoint(mergedConfig, fetch2);
-          if (!result.passed)
-            throw new Error(result.error);
-        }
-      }
-    ]
-  };
-  return { tests, ext };
+/**
+ * Creates Vitest-compatible test suite for SSO validation
+ */
+export function createSSOTests(config) {
+    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+    const fetch = createFetcher(mergedConfig);
+    // Core/mandatory SSO tests
+    const tests = [
+        {
+            name: 'login endpoint redirects to authorization URL',
+            fn: async () => {
+                const result = await testLoginEndpoint(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'user endpoint returns 401 when unauthenticated',
+            fn: async () => {
+                const result = await testUserEndpointUnauthenticated(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'callback endpoint rejects invalid requests',
+            fn: async () => {
+                const result = await testCallbackEndpointInvalid(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'token endpoint returns 401 when unauthenticated',
+            fn: async () => {
+                const result = await testTokenEndpointUnauthenticated(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'refresh endpoint returns 401 when unauthenticated',
+            fn: async () => {
+                const result = await testRefreshEndpointUnauthenticated(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+    ];
+    // Extension methods for optional functionality
+    const ext = {
+        createJITTests: () => [
+            {
+                name: 'user provisioning flow completes successfully',
+                fn: async () => {
+                    const result = await testJitUserProvisioningFlow(mergedConfig, fetch);
+                    if (!result.passed)
+                        throw new Error(result.error);
+                },
+            },
+        ],
+        createLogoutTests: () => [
+            {
+                name: 'logout endpoint clears cookies',
+                fn: async () => {
+                    const result = await testLogoutEndpoint(mergedConfig, fetch);
+                    if (!result.passed)
+                        throw new Error(result.error);
+                },
+            },
+        ],
+        createBackChannelLogoutTests: () => [
+            {
+                name: 'endpoint exists',
+                fn: async () => {
+                    const result = await testBackChannelLogoutEndpoint(mergedConfig, fetch);
+                    if (!result.passed)
+                        throw new Error(result.error);
+                },
+            },
+        ],
+    };
+    return { tests, ext };
 }
-var DEFAULT_CONFIG;
-var init_sso = __esm(() => {
-  DEFAULT_CONFIG = {
-    loginPath: "/api/auth/login",
-    callbackPath: "/api/auth/callback",
-    userPath: "/api/auth/user",
-    logoutPath: "/api/auth/logout",
-    backChannelLogoutPath: "/api/auth/logout/backchannel",
-    tokenPath: "/api/auth/token",
-    refreshPath: "/api/auth/refresh"
-  };
-});
-init_sso();
-
-export {
-  validateSSO,
-  createSSOTests
-};
-
-//# debugId=65C413DE1A60173A64756E2164756E21
+//# sourceMappingURL=index.js.map