@enterprisestandard/esv 0.0.5-beta.20260115.3 → 0.0.5-beta.20260115.4

package/dist/sso/index.js

@@ -1,376 +1,384 @@
-/**
- * SSO Validation Tests
- *
- * These tests validate that an application correctly implements
- * Enterprise Standard SSO (Single Sign-On) functionality.
- */
-import { assert, buildCookieHeader, createFetcher, parseCookies, runTest, skipTest } from '../utils.js';
-/**
- * Default configuration for SSO validation
- */
-const DEFAULT_CONFIG = {
-    loginPath: '/api/auth/login',
-    callbackPath: '/api/auth/callback',
-    userPath: '/api/auth/user',
-    logoutPath: '/api/auth/logout',
-    backChannelLogoutPath: '/api/auth/logout/backchannel',
-    tokenPath: '/api/auth/token',
-    refreshPath: '/api/auth/refresh',
-};
-/**
- * Test: Login endpoint exists and redirects to authorization URL
- */
-async function testLoginEndpoint(config, fetch) {
-    return runTest('SSO Login Endpoint', async () => {
-        const response = await fetch(config.loginPath);
-        // Should return a redirect (302)
-        assert(response.status === 302, `Expected 302 redirect, got ${response.status}`);
-        // Should have a Location header pointing to the authorization URL
-        const location = response.headers.get('Location');
-        assert(location !== null, 'Missing Location header in redirect');
-        // If an expected pattern is provided, validate the URL
-        if (config.expectedAuthorizationUrlPattern) {
-            assert(config.expectedAuthorizationUrlPattern.test(location), `Authorization URL does not match expected pattern: ${location}`);
-        }
-        // Should have required OIDC parameters
-        const url = new URL(location);
-        assert(url.searchParams.has('client_id'), 'Missing client_id in authorization URL');
-        assert(url.searchParams.has('redirect_uri'), 'Missing redirect_uri in authorization URL');
-        assert(url.searchParams.has('response_type'), 'Missing response_type in authorization URL');
-        assert(url.searchParams.has('scope'), 'Missing scope in authorization URL');
-        assert(url.searchParams.has('state'), 'Missing state in authorization URL');
-        assert(url.searchParams.has('code_challenge'), 'Missing code_challenge (PKCE) in authorization URL');
-        assert(url.searchParams.has('code_challenge_method'), 'Missing code_challenge_method (PKCE) in authorization URL');
-        // Should set a state cookie
-        const cookies = parseCookies(response.headers);
-        const hasStateCookie = Array.from(cookies.keys()).some((name) => name.includes('.state'));
-        assert(hasStateCookie, 'Missing state cookie in response');
-        return {
-            details: {
-                authorizationUrl: location,
-                pkceEnabled: true,
-                stateParameter: url.searchParams.get('state'),
-            },
-        };
-    });
+// src/utils.ts
+function createFetcher(config) {
+  const timeout = config.timeout ?? 5e3;
+  const headers = config.headers ?? {};
+  return async function fetcher(path, options = {}) {
+    const url = `${config.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        ...options,
+        signal: controller.signal,
+        headers: {
+          ...headers,
+          ...options.headers
+        },
+        redirect: "manual"
+        // Don't follow redirects automatically
+      });
+      return response;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  };
 }
-/**
- * Test: User endpoint returns 401 when not authenticated
- */
-async function testUserEndpointUnauthenticated(config, fetch) {
-    return runTest('SSO User Endpoint (Unauthenticated)', async () => {
-        const response = await fetch(config.userPath);
-        // Should return 401 Unauthorized
-        assert(response.status === 401, `Expected 401 Unauthorized, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-            },
-        };
-    });
+async function runTest(name, testFn) {
+  const start = performance.now();
+  try {
+    const result = await testFn();
+    return {
+      name,
+      passed: true,
+      duration: performance.now() - start,
+      details: result?.details
+    };
+  } catch (error) {
+    return {
+      name,
+      passed: false,
+      error: error instanceof Error ? error.message : String(error),
+      duration: performance.now() - start
+    };
+  }
 }
-/**
- * Test: Logout endpoint clears cookies
- */
-async function testLogoutEndpoint(config, fetch) {
-    return runTest('SSO Logout Endpoint', async () => {
-        const response = await fetch(`${config.logoutPath}?redirect=/`);
-        // Should return 302 redirect (with redirect param) or 200
-        assert(response.status === 302 || response.status === 200, `Expected 302 or 200, got ${response.status}`);
-        // Should clear cookies
-        const cookies = parseCookies(response.headers);
-        const clearedCookies = [];
-        for (const [name, value] of cookies.entries()) {
-            // Check if the cookie is being cleared (Max-Age=0 or empty value)
-            if (value === '' || value.includes('Max-Age=0')) {
-                clearedCookies.push(name);
-            }
-        }
-        // Check for standard SSO cookies being cleared
-        const setCookieHeaders = response.headers.getSetCookie?.() ?? [];
-        const hasExpiredCookies = setCookieHeaders.some((cookie) => cookie.includes('Max-Age=0') || cookie.includes('expires=Thu, 01 Jan 1970'));
-        assert(hasExpiredCookies || clearedCookies.length > 0 || setCookieHeaders.length === 0, 'Logout should clear session cookies');
-        return {
-            details: {
-                status: response.status,
-                clearedCookies,
-            },
-        };
-    });
+function skipTest(name, reason) {
+  return {
+    name,
+    passed: true,
+    duration: 0,
+    details: { skipped: true, reason }
+  };
 }
-/**
- * Test: Back-channel logout endpoint exists
- */
-async function testBackChannelLogoutEndpoint(config, fetch) {
-    return runTest('SSO Back-Channel Logout Endpoint', async () => {
-        // Send a POST request without a valid logout token
-        // The endpoint should exist and return 400 (bad request) for missing token
-        const response = await fetch(config.backChannelLogoutPath, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-            body: '',
-        });
-        // Should return 400 (missing logout_token) or 200 (if session store not configured)
-        assert(response.status === 400 || response.status === 200 || response.status === 404, `Expected 400 or 200, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-                endpointExists: response.status !== 404,
-            },
-        };
-    });
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
+  }
 }
-/**
- * Test: Callback endpoint returns error without valid code
- */
-async function testCallbackEndpointInvalid(config, fetch) {
-    return runTest('SSO Callback Endpoint (Invalid)', async () => {
-        // Send a callback request without proper state/code
-        const response = await fetch(`${config.callbackPath}?code=invalid&state=invalid`);
-        // Should return 400 or 500 (validation error)
-        assert(response.status >= 400, `Expected error status for invalid callback, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-                handlesInvalidCallback: true,
-            },
-        };
-    });
+function parseCookies(headers) {
+  const cookies = /* @__PURE__ */ new Map();
+  const setCookieHeaders = headers.getSetCookie?.() ?? [];
+  for (const cookie of setCookieHeaders) {
+    const [pair] = cookie.split(";");
+    const [name, value] = pair.split("=");
+    if (name && value !== void 0) {
+      cookies.set(name.trim(), value.trim());
+    }
+  }
+  return cookies;
 }
-/**
- * Test: Token endpoint returns 401 when not authenticated
- */
-async function testTokenEndpointUnauthenticated(config, fetch) {
-    if (!config.tokenPath) {
-        return skipTest('SSO Token Endpoint (Unauthenticated)', 'Token path not configured');
+function buildCookieHeader(cookies) {
+  return Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
+}
+
+// src/sso/index.ts
+var DEFAULT_CONFIG = {
+  loginPath: "/api/auth/login",
+  callbackPath: "/api/auth/callback",
+  userPath: "/api/auth/user",
+  logoutPath: "/api/auth/logout",
+  backChannelLogoutPath: "/api/auth/logout/backchannel",
+  tokenPath: "/api/auth/token",
+  refreshPath: "/api/auth/refresh"
+};
+async function testLoginEndpoint(config, fetch2) {
+  return runTest("SSO Login Endpoint", async () => {
+    const response = await fetch2(config.loginPath);
+    assert(response.status === 302, `Expected 302 redirect, got ${response.status}`);
+    const location = response.headers.get("Location");
+    assert(location !== null, "Missing Location header in redirect");
+    if (config.expectedAuthorizationUrlPattern) {
+      assert(
+        config.expectedAuthorizationUrlPattern.test(location),
+        `Authorization URL does not match expected pattern: ${location}`
+      );
     }
-    return runTest('SSO Token Endpoint (Unauthenticated)', async () => {
-        const response = await fetch(config.tokenPath);
-        // Should return 401 Unauthorized
-        assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-            },
-        };
-    });
+    const url = new URL(location);
+    assert(url.searchParams.has("client_id"), "Missing client_id in authorization URL");
+    assert(url.searchParams.has("redirect_uri"), "Missing redirect_uri in authorization URL");
+    assert(url.searchParams.has("response_type"), "Missing response_type in authorization URL");
+    assert(url.searchParams.has("scope"), "Missing scope in authorization URL");
+    assert(url.searchParams.has("state"), "Missing state in authorization URL");
+    assert(url.searchParams.has("code_challenge"), "Missing code_challenge (PKCE) in authorization URL");
+    assert(url.searchParams.has("code_challenge_method"), "Missing code_challenge_method (PKCE) in authorization URL");
+    const cookies = parseCookies(response.headers);
+    const hasStateCookie = Array.from(cookies.keys()).some((name) => name.includes(".state"));
+    assert(hasStateCookie, "Missing state cookie in response");
+    return {
+      details: {
+        authorizationUrl: location,
+        pkceEnabled: true,
+        stateParameter: url.searchParams.get("state")
+      }
+    };
+  });
+}
+async function testUserEndpointUnauthenticated(config, fetch2) {
+  return runTest("SSO User Endpoint (Unauthenticated)", async () => {
+    const response = await fetch2(config.userPath);
+    assert(response.status === 401, `Expected 401 Unauthorized, got ${response.status}`);
+    return {
+      details: {
+        status: response.status
+      }
+    };
+  });
 }
-/**
- * Test: Refresh endpoint returns 401 when not authenticated
- */
-async function testRefreshEndpointUnauthenticated(config, fetch) {
-    if (!config.refreshPath) {
-        return skipTest('SSO Refresh Endpoint (Unauthenticated)', 'Refresh path not configured');
+async function testLogoutEndpoint(config, fetch2) {
+  return runTest("SSO Logout Endpoint", async () => {
+    const response = await fetch2(`${config.logoutPath}?redirect=/`);
+    assert(response.status === 302 || response.status === 200, `Expected 302 or 200, got ${response.status}`);
+    const cookies = parseCookies(response.headers);
+    const clearedCookies = [];
+    for (const [name, value] of cookies.entries()) {
+      if (value === "" || value.includes("Max-Age=0")) {
+        clearedCookies.push(name);
+      }
     }
-    return runTest('SSO Refresh Endpoint (Unauthenticated)', async () => {
-        const response = await fetch(config.refreshPath);
-        // Should return 401 Unauthorized
-        assert(response.status === 401 || response.status === 404, `Expected 401 Unauthorized or 404, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-            },
-        };
+    const setCookieHeaders = response.headers.getSetCookie?.() ?? [];
+    const hasExpiredCookies = setCookieHeaders.some(
+      (cookie) => cookie.includes("Max-Age=0") || cookie.includes("expires=Thu, 01 Jan 1970")
+    );
+    assert(
+      hasExpiredCookies || clearedCookies.length > 0 || setCookieHeaders.length === 0,
+      "Logout should clear session cookies"
+    );
+    return {
+      details: {
+        status: response.status,
+        clearedCookies
+      }
+    };
+  });
+}
+async function testBackChannelLogoutEndpoint(config, fetch2) {
+  return runTest("SSO Back-Channel Logout Endpoint", async () => {
+    const response = await fetch2(config.backChannelLogoutPath, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: ""
     });
+    assert(
+      response.status === 400 || response.status === 200 || response.status === 404,
+      `Expected 400 or 200, got ${response.status}`
+    );
+    return {
+      details: {
+        status: response.status,
+        endpointExists: response.status !== 404
+      }
+    };
+  });
 }
-/**
- * Helper: Complete a full SSO login flow through the mock server
- *
- * Returns the cookies set after successful authentication
- */
-async function completeLoginFlow(config, fetch) {
-    try {
-        // Step 1: Hit the login endpoint to get the authorization redirect
-        const loginResponse = await fetch(config.loginPath);
-        if (loginResponse.status !== 302) {
-            return { cookies: new Map(), success: false, error: `Login did not redirect: ${loginResponse.status}` };
-        }
-        const authUrl = loginResponse.headers.get('Location');
-        if (!authUrl) {
-            return { cookies: new Map(), success: false, error: 'No redirect location from login' };
-        }
-        // Collect cookies from login response (includes state cookie)
-        const loginCookies = parseCookies(loginResponse.headers);
-        // Step 2: Follow the redirect to the authorization endpoint (mock server auto-authenticates)
-        const authResponse = await globalThis.fetch(authUrl, { redirect: 'manual' });
-        if (authResponse.status !== 302) {
-            return { cookies: new Map(), success: false, error: `Auth did not redirect: ${authResponse.status}` };
-        }
-        const callbackUrl = authResponse.headers.get('Location');
-        if (!callbackUrl) {
-            return { cookies: new Map(), success: false, error: 'No redirect location from auth' };
-        }
-        // Step 3: Complete the callback with the authorization code
-        // Extract just the path and query from the callback URL
-        const callbackPath = new URL(callbackUrl).pathname + new URL(callbackUrl).search;
-        const callbackResponse = await fetch(callbackPath, {
-            headers: {
-                Cookie: buildCookieHeader(loginCookies),
-            },
-        });
-        // Should redirect to landing page on success
-        if (callbackResponse.status !== 302) {
-            return { cookies: new Map(), success: false, error: `Callback did not redirect: ${callbackResponse.status}` };
-        }
-        // Collect all cookies from the callback response
-        const allCookies = parseCookies(callbackResponse.headers);
-        return { cookies: allCookies, success: true };
+async function testCallbackEndpointInvalid(config, fetch2) {
+  return runTest("SSO Callback Endpoint (Invalid)", async () => {
+    const response = await fetch2(`${config.callbackPath}?code=invalid&state=invalid`);
+    assert(response.status >= 400, `Expected error status for invalid callback, got ${response.status}`);
+    return {
+      details: {
+        status: response.status,
+        handlesInvalidCallback: true
+      }
+    };
+  });
+}
+async function testTokenEndpointUnauthenticated(config, fetch2) {
+  if (!config.tokenPath) {
+    return skipTest("SSO Token Endpoint (Unauthenticated)", "Token path not configured");
+  }
+  return runTest("SSO Token Endpoint (Unauthenticated)", async () => {
+    const response = await fetch2(config.tokenPath);
+    assert(
+      response.status === 401 || response.status === 404,
+      `Expected 401 Unauthorized or 404, got ${response.status}`
+    );
+    return {
+      details: {
+        status: response.status
+      }
+    };
+  });
+}
+async function testRefreshEndpointUnauthenticated(config, fetch2) {
+  if (!config.refreshPath) {
+    return skipTest("SSO Refresh Endpoint (Unauthenticated)", "Refresh path not configured");
+  }
+  return runTest("SSO Refresh Endpoint (Unauthenticated)", async () => {
+    const response = await fetch2(config.refreshPath);
+    assert(
+      response.status === 401 || response.status === 404,
+      `Expected 401 Unauthorized or 404, got ${response.status}`
+    );
+    return {
+      details: {
+        status: response.status
+      }
+    };
+  });
+}
+async function completeLoginFlow(config, fetch2) {
+  try {
+    const loginResponse = await fetch2(config.loginPath);
+    if (loginResponse.status !== 302) {
+      return { cookies: /* @__PURE__ */ new Map(), success: false, error: `Login did not redirect: ${loginResponse.status}` };
     }
-    catch (error) {
-        return { cookies: new Map(), success: false, error: error instanceof Error ? error.message : String(error) };
+    const authUrl = loginResponse.headers.get("Location");
+    if (!authUrl) {
+      return { cookies: /* @__PURE__ */ new Map(), success: false, error: "No redirect location from login" };
     }
-}
-/**
- * Test: JIT user provisioning works when enabled
- *
- * This test completes a full SSO flow and verifies the user is authenticated.
- * The actual JIT provisioning behavior depends on the server configuration.
- */
-async function testJitUserProvisioningFlow(config, fetch) {
-    return runTest('SSO JIT User Provisioning Flow', async () => {
-        // Complete the full login flow
-        const { cookies, success, error } = await completeLoginFlow(config, fetch);
-        assert(success, error || 'Login flow failed');
-        // Verify we got authentication cookies
-        const hasAuthCookies = Array.from(cookies.keys()).some((name) => name.includes('.access') || name.includes('.id'));
-        assert(hasAuthCookies, 'No authentication cookies set after login');
-        // Verify we can now access the user endpoint
-        const userResponse = await fetch(config.userPath, {
-            headers: {
-                Cookie: buildCookieHeader(cookies),
-            },
-        });
-        assert(userResponse.status === 200, `User endpoint returned ${userResponse.status} after login, expected 200`);
-        const userData = await userResponse.json();
-        assert(userData.id, 'User data missing id field');
-        return {
-            details: {
-                userId: userData.id,
-                userName: userData.userName,
-                email: userData.email,
-                jitFlowCompleted: true,
-            },
-        };
+    const loginCookies = parseCookies(loginResponse.headers);
+    const authResponse = await globalThis.fetch(authUrl, { redirect: "manual" });
+    if (authResponse.status !== 302) {
+      return { cookies: /* @__PURE__ */ new Map(), success: false, error: `Auth did not redirect: ${authResponse.status}` };
+    }
+    const callbackUrl = authResponse.headers.get("Location");
+    if (!callbackUrl) {
+      return { cookies: /* @__PURE__ */ new Map(), success: false, error: "No redirect location from auth" };
+    }
+    const callbackPath = new URL(callbackUrl).pathname + new URL(callbackUrl).search;
+    const callbackResponse = await fetch2(callbackPath, {
+      headers: {
+        Cookie: buildCookieHeader(loginCookies)
+      }
     });
+    if (callbackResponse.status !== 302) {
+      return { cookies: /* @__PURE__ */ new Map(), success: false, error: `Callback did not redirect: ${callbackResponse.status}` };
+    }
+    const allCookies = parseCookies(callbackResponse.headers);
+    return { cookies: allCookies, success: true };
+  } catch (error) {
+    return { cookies: /* @__PURE__ */ new Map(), success: false, error: error instanceof Error ? error.message : String(error) };
+  }
 }
-/**
- * Runs all SSO validation tests
- */
-export async function validateSSO(config) {
-    const startTime = performance.now();
-    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-    const fetch = createFetcher(mergedConfig);
-    const tests = [];
-    // Run all tests
-    tests.push(await testLoginEndpoint(mergedConfig, fetch));
-    tests.push(await testUserEndpointUnauthenticated(mergedConfig, fetch));
-    tests.push(await testLogoutEndpoint(mergedConfig, fetch));
-    tests.push(await testBackChannelLogoutEndpoint(mergedConfig, fetch));
-    tests.push(await testCallbackEndpointInvalid(mergedConfig, fetch));
-    tests.push(await testTokenEndpointUnauthenticated(mergedConfig, fetch));
-    tests.push(await testRefreshEndpointUnauthenticated(mergedConfig, fetch));
-    tests.push(await testJitUserProvisioningFlow(mergedConfig, fetch));
-    const duration = performance.now() - startTime;
-    const passed = tests.filter((t) => t.passed).length;
-    const failed = tests.filter((t) => !t.passed).length;
-    const skipped = tests.filter((t) => t.details?.skipped).length;
+async function testJitUserProvisioningFlow(config, fetch2) {
+  return runTest("SSO JIT User Provisioning Flow", async () => {
+    const { cookies, success, error } = await completeLoginFlow(config, fetch2);
+    assert(success, error || "Login flow failed");
+    const hasAuthCookies = Array.from(cookies.keys()).some((name) => name.includes(".access") || name.includes(".id"));
+    assert(hasAuthCookies, "No authentication cookies set after login");
+    const userResponse = await fetch2(config.userPath, {
+      headers: {
+        Cookie: buildCookieHeader(cookies)
+      }
+    });
+    assert(userResponse.status === 200, `User endpoint returned ${userResponse.status} after login, expected 200`);
+    const userData = await userResponse.json();
+    assert(userData.id, "User data missing id field");
     return {
-        suite: 'SSO',
-        passed: failed === 0,
-        tests,
-        duration,
-        summary: {
-            total: tests.length,
-            passed: passed - skipped,
-            failed,
-            skipped,
-        },
+      details: {
+        userId: userData.id,
+        userName: userData.userName,
+        email: userData.email,
+        jitFlowCompleted: true
+      }
     };
+  });
 }
-/**
- * Creates Vitest-compatible test suite for SSO validation
- */
-export function createSSOTests(config) {
-    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-    const fetch = createFetcher(mergedConfig);
-    // Core/mandatory SSO tests
-    const tests = [
-        {
-            name: 'login endpoint redirects to authorization URL',
-            fn: async () => {
-                const result = await testLoginEndpoint(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'user endpoint returns 401 when unauthenticated',
-            fn: async () => {
-                const result = await testUserEndpointUnauthenticated(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'callback endpoint rejects invalid requests',
-            fn: async () => {
-                const result = await testCallbackEndpointInvalid(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'token endpoint returns 401 when unauthenticated',
-            fn: async () => {
-                const result = await testTokenEndpointUnauthenticated(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'refresh endpoint returns 401 when unauthenticated',
-            fn: async () => {
-                const result = await testRefreshEndpointUnauthenticated(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-    ];
-    // Extension methods for optional functionality
-    const ext = {
-        createJITTests: () => [
-            {
-                name: 'user provisioning flow completes successfully',
-                fn: async () => {
-                    const result = await testJitUserProvisioningFlow(mergedConfig, fetch);
-                    if (!result.passed)
-                        throw new Error(result.error);
-                },
-            },
-        ],
-        createLogoutTests: () => [
-            {
-                name: 'logout endpoint clears cookies',
-                fn: async () => {
-                    const result = await testLogoutEndpoint(mergedConfig, fetch);
-                    if (!result.passed)
-                        throw new Error(result.error);
-                },
-            },
-        ],
-        createBackChannelLogoutTests: () => [
-            {
-                name: 'endpoint exists',
-                fn: async () => {
-                    const result = await testBackChannelLogoutEndpoint(mergedConfig, fetch);
-                    if (!result.passed)
-                        throw new Error(result.error);
-                },
-            },
-        ],
-    };
-    return { tests, ext };
+async function validateSSO(config) {
+  const startTime = performance.now();
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  const fetch2 = createFetcher(mergedConfig);
+  const tests = [];
+  tests.push(await testLoginEndpoint(mergedConfig, fetch2));
+  tests.push(await testUserEndpointUnauthenticated(mergedConfig, fetch2));
+  tests.push(await testLogoutEndpoint(mergedConfig, fetch2));
+  tests.push(await testBackChannelLogoutEndpoint(mergedConfig, fetch2));
+  tests.push(await testCallbackEndpointInvalid(mergedConfig, fetch2));
+  tests.push(await testTokenEndpointUnauthenticated(mergedConfig, fetch2));
+  tests.push(await testRefreshEndpointUnauthenticated(mergedConfig, fetch2));
+  tests.push(await testJitUserProvisioningFlow(mergedConfig, fetch2));
+  const duration = performance.now() - startTime;
+  const passed = tests.filter((t) => t.passed).length;
+  const failed = tests.filter((t) => !t.passed).length;
+  const skipped = tests.filter((t) => t.details?.skipped).length;
+  return {
+    suite: "SSO",
+    passed: failed === 0,
+    tests,
+    duration,
+    summary: {
+      total: tests.length,
+      passed: passed - skipped,
+      failed,
+      skipped
+    }
+  };
 }
+function createSSOTests(config) {
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  const fetch2 = createFetcher(mergedConfig);
+  const tests = [
+    {
+      name: "login endpoint redirects to authorization URL",
+      fn: async () => {
+        const result = await testLoginEndpoint(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "user endpoint returns 401 when unauthenticated",
+      fn: async () => {
+        const result = await testUserEndpointUnauthenticated(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "callback endpoint rejects invalid requests",
+      fn: async () => {
+        const result = await testCallbackEndpointInvalid(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "token endpoint returns 401 when unauthenticated",
+      fn: async () => {
+        const result = await testTokenEndpointUnauthenticated(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "refresh endpoint returns 401 when unauthenticated",
+      fn: async () => {
+        const result = await testRefreshEndpointUnauthenticated(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    }
+  ];
+  const ext = {
+    createJITTests: () => [
+      {
+        name: "user provisioning flow completes successfully",
+        fn: async () => {
+          const result = await testJitUserProvisioningFlow(mergedConfig, fetch2);
+          if (!result.passed) throw new Error(result.error);
+        }
+      }
+    ],
+    createLogoutTests: () => [
+      {
+        name: "logout endpoint clears cookies",
+        fn: async () => {
+          const result = await testLogoutEndpoint(mergedConfig, fetch2);
+          if (!result.passed) throw new Error(result.error);
+        }
+      }
+    ],
+    createBackChannelLogoutTests: () => [
+      {
+        name: "endpoint exists",
+        fn: async () => {
+          const result = await testBackChannelLogoutEndpoint(mergedConfig, fetch2);
+          if (!result.passed) throw new Error(result.error);
+        }
+      }
+    ]
+  };
+  return { tests, ext };
+}
+export {
+  createSSOTests,
+  validateSSO
+};
 //# sourceMappingURL=index.js.map