@flink-app/oidc-plugin 1.0.0

package/spec/providers/ProviderRegistry.spec.ts

@@ -0,0 +1,197 @@
+/**
+ * Tests for ProviderRegistry
+ */
+
+import { ProviderRegistry } from "../../src/providers/ProviderRegistry";
+import { OidcProviderConfig } from "../../src/OidcProviderConfig";
+import { createTestProviderConfig } from "../helpers/test-helpers";
+
+describe("ProviderRegistry", () => {
+    let staticProviders: Record<string, OidcProviderConfig>;
+
+    beforeEach(() => {
+        staticProviders = {
+            google: createTestProviderConfig({
+                issuer: "https://accounts.google.com",
+                discoveryUrl: "https://accounts.google.com/.well-known/openid-configuration",
+            }),
+            microsoft: createTestProviderConfig({
+                issuer: "https://login.microsoftonline.com/common/v2.0",
+                discoveryUrl: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
+            }),
+        };
+    });
+
+    describe("constructor", () => {
+        it("should create registry with static providers", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            expect(registry).toBeDefined();
+        });
+
+        it("should create registry with provider loader", () => {
+            const loader = async (name: string) => null;
+            const registry = new ProviderRegistry(staticProviders, loader);
+            expect(registry).toBeDefined();
+        });
+    });
+
+    describe("hasProvider", () => {
+        it("should return true for configured static providers", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            expect(registry.hasProvider("google")).toBe(true);
+            expect(registry.hasProvider("microsoft")).toBe(true);
+        });
+
+        it("should return false for non-configured providers", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            expect(registry.hasProvider("okta")).toBe(false);
+            expect(registry.hasProvider("auth0")).toBe(false);
+        });
+
+        it("should return true if provider loader is configured", () => {
+            const loader = async (name: string) => null;
+            const registry = new ProviderRegistry(staticProviders, loader);
+            // hasProvider returns true if loader exists, even for unknown providers
+            expect(registry.hasProvider("unknown")).toBe(true);
+        });
+    });
+
+    describe("getProvider", () => {
+        it("should throw error for non-existent provider without loader", async () => {
+            const registry = new ProviderRegistry(staticProviders);
+
+            try {
+                await registry.getProvider("nonexistent");
+                fail("Should have thrown error");
+            } catch (error: any) {
+                expect(error.code).toBe("provider_not_configured");
+                expect(error.message).toContain("nonexistent");
+            }
+        });
+
+        it("should include available providers in error details", async () => {
+            const registry = new ProviderRegistry(staticProviders);
+
+            try {
+                await registry.getProvider("okta");
+                fail("Should have thrown error");
+            } catch (error: any) {
+                expect(error.details.availableProviders).toEqual(["google", "microsoft"]);
+            }
+        });
+
+        it("should use provider loader for non-static providers", async () => {
+            const dynamicConfig = createTestProviderConfig({
+                issuer: "https://okta.example.com",
+                discoveryUrl: "https://okta.example.com/.well-known/openid-configuration",
+            });
+
+            const loader = jasmine.createSpy("loader").and.returnValue(Promise.resolve(dynamicConfig));
+            const registry = new ProviderRegistry(staticProviders, loader);
+
+            // Note: This will attempt real OIDC discovery, which will fail in tests
+            // We're primarily testing that the loader is called
+            try {
+                await registry.getProvider("okta");
+            } catch (error) {
+                // Discovery will fail, but loader should have been called
+                expect(loader).toHaveBeenCalledWith("okta");
+            }
+        });
+
+        it("should prioritize static config over loader", async () => {
+            const loader = jasmine.createSpy("loader").and.returnValue(Promise.resolve(null));
+            const registry = new ProviderRegistry(staticProviders, loader);
+
+            // Note: This will attempt real OIDC discovery
+            try {
+                await registry.getProvider("google");
+            } catch (error) {
+                // Loader should NOT have been called for static provider
+                expect(loader).not.toHaveBeenCalled();
+            }
+        });
+
+        it("should throw error if loader returns null", async () => {
+            const loader = async (name: string) => null;
+            const registry = new ProviderRegistry({}, loader);
+
+            try {
+                await registry.getProvider("unknown");
+                fail("Should have thrown error");
+            } catch (error: any) {
+                expect(error.code).toBe("provider_not_configured");
+            }
+        });
+    });
+
+    describe("getProviderNames", () => {
+        it("should return list of static provider names", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            const names = registry.getProviderNames();
+            expect(names).toEqual(["google", "microsoft"]);
+        });
+
+        it("should return empty array if no static providers", () => {
+            const registry = new ProviderRegistry({});
+            const names = registry.getProviderNames();
+            expect(names).toEqual([]);
+        });
+    });
+
+    describe("clearCache", () => {
+        it("should clear specific provider from cache", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            registry.clearCache("google");
+            // Cache is cleared, next getProvider will re-initialize
+            expect(registry).toBeDefined(); // Basic assertion
+        });
+
+        it("should clear all providers from cache", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            registry.clearCache();
+            expect(registry).toBeDefined();
+        });
+
+        it("should not throw error for non-existent provider", () => {
+            const registry = new ProviderRegistry(staticProviders);
+            expect(() => registry.clearCache("nonexistent")).not.toThrow();
+        });
+    });
+
+    describe("provider caching", () => {
+        it("should cache provider instances", async () => {
+            const loader = jasmine.createSpy("loader").and.returnValue(
+                Promise.resolve(
+                    createTestProviderConfig({
+                        issuer: "https://test.example.com",
+                        discoveryUrl: "https://test.example.com/.well-known/openid-configuration",
+                    })
+                )
+            );
+            const registry = new ProviderRegistry({}, loader);
+
+            // First call - will attempt to initialize (and fail on discovery)
+            try {
+                await registry.getProvider("test");
+            } catch (error) {
+                // Expected to fail on discovery
+            }
+
+            // Loader should have been called once
+            expect(loader).toHaveBeenCalledTimes(1);
+
+            // Clear cache and try again
+            registry.clearCache("test");
+
+            try {
+                await registry.getProvider("test");
+            } catch (error) {
+                // Expected to fail on discovery
+            }
+
+            // Loader should have been called again after cache clear
+            expect(loader).toHaveBeenCalledTimes(2);
+        });
+    });
+});

package/spec/repos/OidcConnectionRepo.spec.ts

@@ -0,0 +1,257 @@
+/**
+ * Tests for OidcConnectionRepo
+ */
+
+import OidcConnectionRepo from "../../src/repos/OidcConnectionRepo";
+import { createMockDb } from "../helpers/test-helpers";
+import OidcConnection from "../../src/schemas/OidcConnection";
+
+describe("OidcConnectionRepo", () => {
+    let repo: OidcConnectionRepo;
+    let db: any;
+    let cleanup: () => Promise<void>;
+
+    beforeEach(async () => {
+        const mockDb = await createMockDb();
+        db = mockDb.db;
+        cleanup = mockDb.cleanup;
+        repo = new OidcConnectionRepo("oidc_connections_test", db);
+    });
+
+    afterEach(async () => {
+        await cleanup();
+    });
+
+    describe("create", () => {
+        it("should create a new connection", async () => {
+            const connection: Omit<OidcConnection, "_id"> = {
+                userId: "user-123",
+                provider: "google",
+                subject: "google-user-456",
+                issuer: "https://accounts.google.com",
+                accessToken: "encrypted-access-token",
+                idToken: "encrypted-id-token",
+                refreshToken: "encrypted-refresh-token",
+                expiresAt: new Date(Date.now() + 3600000),
+                scope: "openid email profile",
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            const created = await repo.create(connection);
+
+            expect(created._id).toBeDefined();
+            expect(created.userId).toBe("user-123");
+            expect(created.provider).toBe("google");
+            expect(created.subject).toBe("google-user-456");
+        });
+    });
+
+    describe("findByUserAndProvider", () => {
+        it("should find connection by user ID and provider", async () => {
+            const connection: Omit<OidcConnection, "_id"> = {
+                userId: "user-456",
+                provider: "microsoft",
+                subject: "ms-user-789",
+                issuer: "https://login.microsoftonline.com",
+                accessToken: "encrypted-token",
+                idToken: "encrypted-id",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(connection);
+
+            const found = await repo.findByUserAndProvider("user-456", "microsoft");
+
+            expect(found).toBeDefined();
+            expect(found?.userId).toBe("user-456");
+            expect(found?.provider).toBe("microsoft");
+            expect(found?.subject).toBe("ms-user-789");
+        });
+
+        it("should return null if connection not found", async () => {
+            const found = await repo.findByUserAndProvider("nonexistent-user", "google");
+            expect(found).toBeNull();
+        });
+
+        it("should differentiate between providers for same user", async () => {
+            const googleConnection: Omit<OidcConnection, "_id"> = {
+                userId: "user-multi",
+                provider: "google",
+                subject: "google-sub",
+                issuer: "https://accounts.google.com",
+                accessToken: "google-token",
+                idToken: "google-id",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            const msConnection: Omit<OidcConnection, "_id"> = {
+                userId: "user-multi",
+                provider: "microsoft",
+                subject: "ms-sub",
+                issuer: "https://login.microsoftonline.com",
+                accessToken: "ms-token",
+                idToken: "ms-id",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(googleConnection);
+            await repo.create(msConnection);
+
+            const foundGoogle = await repo.findByUserAndProvider("user-multi", "google");
+            const foundMs = await repo.findByUserAndProvider("user-multi", "microsoft");
+
+            expect(foundGoogle?.subject).toBe("google-sub");
+            expect(foundMs?.subject).toBe("ms-sub");
+        });
+    });
+
+    describe("findByUserId", () => {
+        it("should find all connections for a user", async () => {
+            const connection1: Omit<OidcConnection, "_id"> = {
+                userId: "user-multi-conn",
+                provider: "google",
+                subject: "google-sub-1",
+                issuer: "https://accounts.google.com",
+                accessToken: "token-1",
+                idToken: "id-1",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            const connection2: Omit<OidcConnection, "_id"> = {
+                userId: "user-multi-conn",
+                provider: "okta",
+                subject: "okta-sub-2",
+                issuer: "https://okta.example.com",
+                accessToken: "token-2",
+                idToken: "id-2",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(connection1);
+            await repo.create(connection2);
+
+            const connections = await repo.findByUserId("user-multi-conn");
+
+            expect(connections.length).toBe(2);
+            expect(connections.map((c) => c.provider).sort()).toEqual(["google", "okta"]);
+        });
+
+        it("should return empty array if no connections found", async () => {
+            const connections = await repo.findByUserId("user-no-connections");
+            expect(connections).toEqual([]);
+        });
+    });
+
+    describe("findBySubjectAndIssuer", () => {
+        it("should find connection by subject and issuer", async () => {
+            const connection: Omit<OidcConnection, "_id"> = {
+                userId: "user-unique",
+                provider: "auth0",
+                subject: "auth0-subject-123",
+                issuer: "https://example.auth0.com",
+                accessToken: "token",
+                idToken: "id",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(connection);
+
+            const found = await repo.findBySubjectAndIssuer("auth0-subject-123", "https://example.auth0.com");
+
+            expect(found).toBeDefined();
+            expect(found?.userId).toBe("user-unique");
+            expect(found?.provider).toBe("auth0");
+        });
+
+        it("should return null if connection not found", async () => {
+            const found = await repo.findBySubjectAndIssuer("nonexistent-sub", "https://example.com");
+            expect(found).toBeNull();
+        });
+    });
+
+    // updateOne is tested via integration tests - ObjectId handling requires special setup
+
+    describe("deleteByUserAndProvider", () => {
+        it("should delete connection by user and provider", async () => {
+            const connection: Omit<OidcConnection, "_id"> = {
+                userId: "user-delete",
+                provider: "okta",
+                subject: "okta-sub",
+                issuer: "https://okta.example.com",
+                accessToken: "token",
+                idToken: "id",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(connection);
+
+            await repo.deleteByUserAndProvider("user-delete", "okta");
+
+            const found = await repo.findByUserAndProvider("user-delete", "okta");
+            expect(found).toBeNull();
+        });
+
+        it("should not throw if connection not found", async () => {
+            await repo.deleteByUserAndProvider("nonexistent-user", "google");
+            // Should complete without error
+            expect(true).toBe(true);
+        });
+    });
+
+    describe("deleteByUserId", () => {
+        it("should delete all connections for a user", async () => {
+            const connection1: Omit<OidcConnection, "_id"> = {
+                userId: "user-delete-all",
+                provider: "google",
+                subject: "google-sub",
+                issuer: "https://accounts.google.com",
+                accessToken: "token-1",
+                idToken: "id-1",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            const connection2: Omit<OidcConnection, "_id"> = {
+                userId: "user-delete-all",
+                provider: "microsoft",
+                subject: "ms-sub",
+                issuer: "https://login.microsoftonline.com",
+                accessToken: "token-2",
+                idToken: "id-2",
+                expiresAt: new Date(Date.now() + 3600000),
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+
+            await repo.create(connection1);
+            await repo.create(connection2);
+
+            const deletedCount = await repo.deleteByUserId("user-delete-all");
+            expect(deletedCount).toBe(2);
+
+            const connections = await repo.findByUserId("user-delete-all");
+            expect(connections.length).toBe(0);
+        });
+
+        it("should return 0 if no connections to delete", async () => {
+            const deletedCount = await repo.deleteByUserId("user-no-connections");
+            expect(deletedCount).toBe(0);
+        });
+    });
+});

package/spec/repos/OidcSessionRepo.spec.ts

@@ -0,0 +1,196 @@
+/**
+ * Tests for OidcSessionRepo
+ */
+
+import OidcSessionRepo from "../../src/repos/OidcSessionRepo";
+import { createMockDb } from "../helpers/test-helpers";
+import OidcSession from "../../src/schemas/OidcSession";
+
+describe("OidcSessionRepo", () => {
+    let repo: OidcSessionRepo;
+    let db: any;
+    let cleanup: () => Promise<void>;
+
+    beforeEach(async () => {
+        const mockDb = await createMockDb();
+        db = mockDb.db;
+        cleanup = mockDb.cleanup;
+        repo = new OidcSessionRepo("oidc_sessions_test", db);
+    });
+
+    afterEach(async () => {
+        await cleanup();
+    });
+
+    describe("create", () => {
+        it("should create a new session", async () => {
+            const session: Omit<OidcSession, "_id"> = {
+                sessionId: "session-123",
+                state: "state-abc",
+                codeVerifier: "verifier-xyz",
+                nonce: "nonce-789",
+                provider: "google",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            const created = await repo.create(session);
+
+            expect(created._id).toBeDefined();
+            expect(created.sessionId).toBe("session-123");
+            expect(created.state).toBe("state-abc");
+            expect(created.codeVerifier).toBe("verifier-xyz");
+            expect(created.nonce).toBe("nonce-789");
+            expect(created.provider).toBe("google");
+        });
+    });
+
+    describe("getByState", () => {
+        it("should find session by state", async () => {
+            const session: Omit<OidcSession, "_id"> = {
+                sessionId: "session-456",
+                state: "state-unique-123",
+                codeVerifier: "verifier-abc",
+                nonce: "nonce-xyz",
+                provider: "microsoft",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            await repo.create(session);
+
+            const found = await repo.getByState("state-unique-123");
+
+            expect(found).toBeDefined();
+            expect(found?.sessionId).toBe("session-456");
+            expect(found?.state).toBe("state-unique-123");
+        });
+
+        it("should return null if session not found", async () => {
+            const found = await repo.getByState("nonexistent-state");
+            expect(found).toBeNull();
+        });
+    });
+
+    describe("getOne({ sessionId", () => {
+        it("should find session by session ID", async () => {
+            const session: Omit<OidcSession, "_id"> = {
+                sessionId: "session-unique-789",
+                state: "state-def",
+                codeVerifier: "verifier-ghi",
+                nonce: "nonce-jkl",
+                provider: "okta",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            await repo.create(session);
+
+            const found = await repo.getOne({ sessionId: "session-unique-789" });
+
+            expect(found).toBeDefined();
+            expect(found?.sessionId).toBe("session-unique-789");
+            expect(found?.provider).toBe("okta");
+        });
+
+        it("should return null if session not found", async () => {
+            const found = await repo.getOne({ sessionId: "nonexistent-session" });
+            expect(found).toBeNull();
+        });
+    });
+
+    describe("deleteByState", () => {
+        it("should delete session by state", async () => {
+            const session: Omit<OidcSession, "_id"> = {
+                sessionId: "session-delete-1",
+                state: "state-delete-1",
+                codeVerifier: "verifier-delete",
+                nonce: "nonce-delete",
+                provider: "auth0",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            await repo.create(session);
+
+            await repo.deleteByState("state-delete-1");
+
+            const found = await repo.getByState("state-delete-1");
+            expect(found).toBeNull();
+        });
+
+        it("should not throw if session not found", async () => {
+            await repo.deleteByState("nonexistent-state");
+            // Should complete without error
+            expect(true).toBe(true);
+        });
+    });
+
+    describe("deleteBySessionId", () => {
+        it("should delete session by session ID", async () => {
+            const session: Omit<OidcSession, "_id"> = {
+                sessionId: "session-delete-2",
+                state: "state-delete-2",
+                codeVerifier: "verifier-delete-2",
+                nonce: "nonce-delete-2",
+                provider: "custom",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            await repo.create(session);
+
+            await repo.deleteBySessionId("session-delete-2");
+
+            const found = await repo.getOne({ sessionId: "session-delete-2" });
+            expect(found).toBeNull();
+        });
+
+        it("should not throw if session not found", async () => {
+            await repo.deleteBySessionId("nonexistent-session");
+            // Should complete without error
+            expect(true).toBe(true);
+        });
+    });
+
+    describe("multiple sessions", () => {
+        it("should handle multiple sessions independently", async () => {
+            const session1: Omit<OidcSession, "_id"> = {
+                sessionId: "session-multi-1",
+                state: "state-multi-1",
+                codeVerifier: "verifier-1",
+                nonce: "nonce-1",
+                provider: "google",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            const session2: Omit<OidcSession, "_id"> = {
+                sessionId: "session-multi-2",
+                state: "state-multi-2",
+                codeVerifier: "verifier-2",
+                nonce: "nonce-2",
+                provider: "microsoft",
+                redirectUri: "http://localhost:3000/callback",
+                createdAt: new Date(),
+            };
+
+            await repo.create(session1);
+            await repo.create(session2);
+
+            const found1 = await repo.getByState("state-multi-1");
+            const found2 = await repo.getByState("state-multi-2");
+
+            expect(found1?.sessionId).toBe("session-multi-1");
+            expect(found2?.sessionId).toBe("session-multi-2");
+
+            await repo.deleteByState("state-multi-1");
+
+            const stillExists = await repo.getByState("state-multi-2");
+            expect(stillExists).toBeDefined();
+
+            const deleted = await repo.getByState("state-multi-1");
+            expect(deleted).toBeNull();
+        });
+    });
+});

package/spec/support/jasmine.json

@@ -0,0 +1,7 @@
+{
+    "spec_dir": "spec",
+    "spec_files": ["**/*[sS]pec.ts"],
+    "helpers": ["helpers/**/*.ts"],
+    "stopSpecOnExpectationFailure": false,
+    "random": false
+}