@jskit-ai/auth-web 0.1.4

package/test/authGuardRuntime.test.js

@@ -0,0 +1,361 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createAuthGuardRuntime } from "../src/client/runtime/authGuardRuntime.js";
+
+function createPlacementRuntimeStub(initialContext = {}) {
+  let context = initialContext && typeof initialContext === "object" ? { ...initialContext } : {};
+  const setCalls = [];
+
+  return {
+    getContext() {
+      return context;
+    },
+    setContext(nextContext = {}, { replace = false } = {}) {
+      const patch = nextContext && typeof nextContext === "object" ? nextContext : {};
+      context = replace ? { ...patch } : { ...context, ...patch };
+      setCalls.push(context);
+    },
+    setCalls
+  };
+}
+
+function createEventTargetStub() {
+  const listenersByType = new Map();
+
+  return {
+    addEventListener(type, listener) {
+      if (typeof listener !== "function") {
+        return;
+      }
+      const listeners = listenersByType.get(type) || new Set();
+      listeners.add(listener);
+      listenersByType.set(type, listeners);
+    },
+    removeEventListener(type, listener) {
+      const listeners = listenersByType.get(type);
+      if (!listeners) {
+        return;
+      }
+      listeners.delete(listener);
+    },
+    emit(type) {
+      const listeners = listenersByType.get(type);
+      if (!listeners) {
+        return;
+      }
+      for (const listener of [...listeners]) {
+        listener();
+      }
+    }
+  };
+}
+
+function createDocumentStub(initialVisibilityState = "hidden") {
+  const eventTarget = createEventTargetStub();
+  let visibilityState = initialVisibilityState;
+
+  return {
+    addEventListener: eventTarget.addEventListener,
+    removeEventListener: eventTarget.removeEventListener,
+    emit: eventTarget.emit,
+    get visibilityState() {
+      return visibilityState;
+    },
+    setVisibilityState(nextVisibilityState) {
+      visibilityState = String(nextVisibilityState || "");
+    }
+  };
+}
+
+function flushPendingRefresh() {
+  return new Promise((resolve) => {
+    setTimeout(resolve, 0);
+  });
+}
+
+test("auth guard runtime keeps previous auth state on transient refresh failure", async () => {
+  const placementRuntime = createPlacementRuntimeStub();
+  let callCount = 0;
+
+  const runtime = createAuthGuardRuntime({
+    placementRuntime,
+    fetchImplementation: async () => {
+      callCount += 1;
+      if (callCount === 1) {
+        return {
+          ok: true,
+          async json() {
+            return {
+              authenticated: true,
+              username: "ada"
+            };
+          }
+        };
+      }
+      throw new Error("network temporarily unavailable");
+    }
+  });
+
+  await runtime.initialize();
+  assert.equal(runtime.getState().authenticated, true);
+  const setCallCountBeforeTransientFailure = placementRuntime.setCalls.length;
+
+  await runtime.refresh();
+  assert.equal(runtime.getState().authenticated, true);
+  assert.equal(placementRuntime.setCalls.length, setCallCountBeforeTransientFailure);
+});
+
+test("auth guard runtime only updates placement auth context", async () => {
+  const placementRuntime = createPlacementRuntimeStub({
+    user: {
+      id: 1,
+      displayName: "Existing User"
+    },
+    workspace: {
+      id: 9,
+      slug: "acme"
+    }
+  });
+
+  const runtime = createAuthGuardRuntime({
+    placementRuntime,
+    fetchImplementation: async () => {
+      return {
+        ok: true,
+        async json() {
+          return {
+            authenticated: true,
+            username: "ada",
+            oauthProviders: [{ id: "github", label: "GitHub" }],
+            oauthDefaultProvider: "github"
+          };
+        }
+      };
+    }
+  });
+
+  await runtime.initialize();
+
+  const context = placementRuntime.getContext();
+  assert.deepEqual(context.user, {
+    id: 1,
+    displayName: "Existing User"
+  });
+  assert.deepEqual(context.workspace, {
+    id: 9,
+    slug: "acme"
+  });
+  assert.deepEqual(context.auth, {
+    authenticated: true,
+    oauthDefaultProvider: "github",
+    oauthProviders: [{ id: "github", label: "GitHub" }]
+  });
+});
+
+test("auth guard runtime refreshes on reconnect/focus/visibility when explicitly enabled", async () => {
+  const originalWindow = globalThis.window;
+  const originalDocument = globalThis.document;
+  const windowStub = createEventTargetStub();
+  const documentStub = createDocumentStub("hidden");
+  globalThis.window = {
+    addEventListener: windowStub.addEventListener,
+    removeEventListener: windowStub.removeEventListener,
+    location: {
+      pathname: "/w/acme",
+      search: ""
+    }
+  };
+  globalThis.document = documentStub;
+
+  try {
+    const placementRuntime = createPlacementRuntimeStub();
+    let callCount = 0;
+    const runtime = createAuthGuardRuntime({
+      placementRuntime,
+      refreshOnForeground: true,
+      refreshOnReconnect: true,
+      fetchImplementation: async () => {
+        callCount += 1;
+        return {
+          ok: true,
+          async json() {
+            if (callCount === 1) {
+              return {
+                authenticated: false
+              };
+            }
+            return {
+              authenticated: true,
+              username: "ada"
+            };
+          }
+        };
+      }
+    });
+
+    const observedStates = [];
+    runtime.subscribe((state) => {
+      observedStates.push(state);
+    });
+
+    await runtime.initialize();
+    assert.equal(runtime.getState().authenticated, false);
+    assert.equal(observedStates.length, 1);
+
+    windowStub.emit("online");
+    await flushPendingRefresh();
+    assert.equal(runtime.getState().authenticated, true);
+    assert.equal(observedStates.length, 2);
+
+    const setCallCountBeforeVisibilityRefresh = placementRuntime.setCalls.length;
+    documentStub.setVisibilityState("visible");
+    documentStub.emit("visibilitychange");
+    await flushPendingRefresh();
+    assert.equal(placementRuntime.setCalls.length, setCallCountBeforeVisibilityRefresh + 1);
+    assert.equal(observedStates.length, 3);
+  } finally {
+    globalThis.window = originalWindow;
+    globalThis.document = originalDocument;
+  }
+});
+
+test("auth guard runtime does not refresh on browser events when foreground/reconnect refresh is disabled", async () => {
+  const originalWindow = globalThis.window;
+  const originalDocument = globalThis.document;
+  const windowStub = createEventTargetStub();
+  const documentStub = createDocumentStub("visible");
+  globalThis.window = {
+    addEventListener: windowStub.addEventListener,
+    removeEventListener: windowStub.removeEventListener,
+    location: {
+      pathname: "/w/acme",
+      search: ""
+    }
+  };
+  globalThis.document = documentStub;
+
+  try {
+    const placementRuntime = createPlacementRuntimeStub();
+    let callCount = 0;
+    const runtime = createAuthGuardRuntime({
+      placementRuntime,
+      refreshOnForeground: false,
+      fetchImplementation: async () => {
+        callCount += 1;
+        return {
+          ok: true,
+          async json() {
+            return {
+              authenticated: true,
+              username: "ada"
+            };
+          }
+        };
+      }
+    });
+
+    await runtime.initialize();
+    assert.equal(callCount, 1);
+
+    windowStub.emit("focus");
+    await flushPendingRefresh();
+    assert.equal(callCount, 1);
+
+    documentStub.emit("visibilitychange");
+    await flushPendingRefresh();
+    assert.equal(callCount, 1);
+
+    windowStub.emit("online");
+    await flushPendingRefresh();
+    assert.equal(callCount, 1);
+  } finally {
+    globalThis.window = originalWindow;
+    globalThis.document = originalDocument;
+  }
+});
+
+test("auth guard runtime refreshes session when realtime refresh events are received", async () => {
+  const placementRuntime = createPlacementRuntimeStub();
+  const socketListeners = new Map();
+  let callCount = 0;
+  const runtime = createAuthGuardRuntime({
+    placementRuntime,
+    realtimeSocket: {
+      on(eventName, handler) {
+        socketListeners.set(eventName, handler);
+      },
+      off() {}
+    },
+    fetchImplementation: async () => {
+      callCount += 1;
+      return {
+        ok: true,
+        async json() {
+          return {
+            authenticated: callCount > 1,
+            username: "ada"
+          };
+        }
+      };
+    }
+  });
+
+  await runtime.initialize();
+  assert.equal(runtime.getState().authenticated, false);
+
+  socketListeners.get("users.bootstrap.changed")?.({});
+  await flushPendingRefresh();
+  assert.equal(runtime.getState().authenticated, true);
+});
+
+test("auth guard runtime encodes absolute returnTo for external login routes", async () => {
+  const originalWindow = globalThis.window;
+  globalThis.window = {
+    location: {
+      origin: "https://app.example.com",
+      href: "https://app.example.com/w/acme?tab=1",
+      pathname: "/w/acme",
+      search: "?tab=1"
+    }
+  };
+
+  try {
+    const placementRuntime = createPlacementRuntimeStub();
+    const runtime = createAuthGuardRuntime({
+      placementRuntime,
+      loginRoute: "https://auth.example.com/auth/login",
+      fetchImplementation: async () => {
+        return {
+          ok: true,
+          async json() {
+            return {
+              authenticated: false
+            };
+          }
+        };
+      }
+    });
+
+    await runtime.initialize();
+    const evaluator = globalThis.__JSKIT_WEB_SHELL_GUARD_EVALUATOR__;
+    const outcome = evaluator({
+      guard: {
+        policy: "authenticated"
+      },
+      context: {
+        location: {
+          pathname: "/w/acme",
+          search: "?tab=1"
+        }
+      }
+    });
+
+    assert.deepEqual(outcome, {
+      allow: false,
+      redirectTo: "https://auth.example.com/auth/login?returnTo=https%3A%2F%2Fapp.example.com%2Fw%2Facme%3Ftab%3D1",
+      reason: "auth-required"
+    });
+  } finally {
+    globalThis.window = originalWindow;
+  }
+});

package/test/clientBoot.test.js

@@ -0,0 +1,16 @@
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import test from "node:test";
+
+test("auth-web client index defines provider-based client routes surface", () => {
+  const source = readFileSync(fileURLToPath(new URL("../src/client/index.js", import.meta.url)), "utf8");
+
+  assert.equal(source.includes("const routeComponents = Object.freeze({"), true);
+  assert.equal(source.includes('"auth-login": DefaultLoginView'), true);
+  assert.equal(source.includes('"auth-signout": DefaultSignOutView'), true);
+  assert.equal(source.includes('"auth-default-login": DefaultLoginView'), true);
+  assert.equal(source.includes("const clientProviders = Object.freeze([AuthWebClientProvider]);"), true);
+  assert.equal(source.includes("async function bootClient(context) {"), false);
+  assert.equal(source.includes("export { routeComponents, clientProviders };"), true);
+});

package/test/clientSurface.test.js

@@ -0,0 +1,89 @@
+import assert from "node:assert/strict";
+import { existsSync, readFileSync } from "node:fs";
+import test from "node:test";
+import { fileURLToPath } from "node:url";
+import descriptor from "../package.descriptor.mjs";
+import {
+  useSignOut as fromRuntimeUseSignOut,
+  createSignOutAction as fromRuntimeCreateSignOutAction,
+  performSignOutRequest as fromRuntimePerformSignOutRequest
+} from "../src/client/runtime/useSignOut.js";
+
+test("auth-web descriptor declares auth surface ui routes", () => {
+  const uiRoutes = Array.isArray(descriptor?.metadata?.ui?.routes) ? descriptor.metadata.ui.routes : [];
+  const authRoutes = uiRoutes.filter((route) => String(route?.path || "").startsWith("/auth/"));
+
+  assert.equal(authRoutes.length >= 2, true);
+  for (const route of authRoutes) {
+    assert.equal(String(route?.scope || "").trim().toLowerCase(), "surface");
+    assert.equal(String(route?.surface || "").trim().toLowerCase(), "auth");
+    assert.equal(String(route?.guard?.policy || "").trim().toLowerCase(), "public");
+  }
+});
+
+test("auth-web auth page templates declare public route guard", () => {
+  const loginTemplatePath = fileURLToPath(new URL("../templates/src/pages/auth/login.vue", import.meta.url));
+  const signOutTemplatePath = fileURLToPath(new URL("../templates/src/pages/auth/signout.vue", import.meta.url));
+  const loginTemplateSource = readFileSync(loginTemplatePath, "utf8");
+  const signOutTemplateSource = readFileSync(signOutTemplatePath, "utf8");
+
+  assert.match(loginTemplateSource, /"guard"\s*:\s*\{\s*"policy"\s*:\s*"public"\s*\}/);
+  assert.match(signOutTemplateSource, /"guard"\s*:\s*\{\s*"policy"\s*:\s*"public"\s*\}/);
+});
+
+test("auth-web exports runtime signout helpers directly", () => {
+  assert.equal(typeof fromRuntimeUseSignOut, "function");
+  assert.equal(typeof fromRuntimeCreateSignOutAction, "function");
+  assert.equal(typeof fromRuntimePerformSignOutRequest, "function");
+});
+
+test("auth-web removes legacy client wrapper modules", () => {
+  const legacyFiles = [
+    "../src/client/composables/authHttpClient.js",
+    "../src/client/composables/authGuardRuntime.js",
+    "../src/client/composables/useSignOut.js",
+    "../src/client/api/AuthHttpClient.js"
+  ];
+
+  for (const relativePath of legacyFiles) {
+    const absolutePath = fileURLToPath(new URL(relativePath, import.meta.url));
+    assert.equal(existsSync(absolutePath), false, `${relativePath} must not exist.`);
+  }
+});
+
+test("auth-web runtime/useLoginView delegates to useDefaultLoginView", () => {
+  const runtimeUseLoginViewPath = fileURLToPath(new URL("../src/client/runtime/useLoginView.js", import.meta.url));
+  const runtimeUseLoginViewSource = readFileSync(runtimeUseLoginViewPath, "utf8");
+
+  assert.match(runtimeUseLoginViewSource, /import\s+\{\s*useDefaultLoginView\s*\}\s+from\s+"..\/composables\/useDefaultLoginView\.js";/);
+  assert.match(runtimeUseLoginViewSource, /function\s+useLoginView\s*\(\)\s*\{\s*return\s+useDefaultLoginView\(\);\s*\}/);
+  assert.match(runtimeUseLoginViewSource, /export\s+\{\s*useLoginView,\s*useDefaultLoginView\s*\};/);
+});
+
+test("auth-web package exports only minimal client runtime/view subpaths", () => {
+  const packageJson = JSON.parse(readFileSync(fileURLToPath(new URL("../package.json", import.meta.url)), "utf8"));
+  const exportsMap = packageJson && typeof packageJson === "object" ? packageJson.exports : {};
+
+  assert.equal(
+    exportsMap["./client/views/DefaultLoginView"],
+    "./src/client/views/DefaultLoginView.vue"
+  );
+  assert.equal(
+    exportsMap["./client/views/DefaultSignOutView"],
+    "./src/client/views/DefaultSignOutView.vue"
+  );
+  assert.equal(
+    exportsMap["./client/runtime/authGuardRuntime"],
+    "./src/client/runtime/authGuardRuntime.js"
+  );
+  assert.equal(
+    exportsMap["./client/runtime/authHttpClient"],
+    "./src/client/runtime/authHttpClient.js"
+  );
+  assert.equal(exportsMap["./client/runtime/useSignOut"], "./src/client/runtime/useSignOut.js");
+  assert.equal(exportsMap["./client/composables/useDefaultLoginView"], undefined);
+  assert.equal(exportsMap["./client/composables/useDefaultSignOutView"], undefined);
+  assert.equal(exportsMap["./client/runtime/useLoginView"], undefined);
+  assert.equal(exportsMap["./client/views/AuthProfileWidget"], undefined);
+  assert.equal(exportsMap["./client/views/AuthProfileMenuLinkItem"], undefined);
+});

package/test/index.test.js

@@ -0,0 +1,21 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import path from "node:path";
+import { existsSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { AuthController } from "../src/server/controllers/AuthController.js";
+import { buildRoutes } from "../src/server/routes/authRoutes.js";
+import { authLoginPasswordCommand } from "@jskit-ai/auth-core/shared/commands/authLoginPasswordCommand";
+
+test("auth fastify adapter exports controller/routes backed by shared command validators", () => {
+  assert.equal(typeof AuthController, "function");
+  assert.equal(typeof buildRoutes, "function");
+  assert.ok(authLoginPasswordCommand.operation.bodyValidator.schema);
+});
+
+test("auth-web no longer contains legacy server/schema directory", () => {
+  const testFilePath = fileURLToPath(import.meta.url);
+  const packageRoot = path.resolve(path.dirname(testFilePath), "..");
+  const legacySchemaDir = path.join(packageRoot, "src", "server", "schema");
+  assert.equal(existsSync(legacySchemaDir), false, "src/server/schema must not exist.");
+});

package/test/logoutFallback.test.js

@@ -0,0 +1,50 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { AuthController } from "../src/server/controllers/AuthController.js";
+
+function createReplyStub() {
+  return {
+    statusCode: null,
+    payload: null,
+    code(value) {
+      this.statusCode = value;
+      return this;
+    },
+    send(value) {
+      this.payload = value;
+      return this;
+    }
+  };
+}
+
+test("logout clears local cookies and returns ok when auth service is unavailable", async () => {
+  let clearSessionCalls = 0;
+
+  const controller = new AuthController({
+    service: {
+      async logout() {
+        throw new Error("upstream unavailable");
+      },
+      clearSessionCookies() {
+        clearSessionCalls += 1;
+      }
+    }
+  });
+
+  const logs = [];
+  const request = {
+    log: {
+      warn(payload, message) {
+        logs.push({ payload, message });
+      }
+    }
+  };
+  const reply = createReplyStub();
+
+  await controller.logout(request, reply);
+
+  assert.equal(clearSessionCalls, 1);
+  assert.equal(reply.statusCode, 200);
+  assert.deepEqual(reply.payload, { ok: true });
+  assert.equal(logs.length, 1);
+});

package/test/providerRuntime.test.js

@@ -0,0 +1,100 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createApplication, createHttpRuntime } from "@jskit-ai/kernel/_testable";
+import { AuthRouteServiceProvider } from "../src/server/providers/AuthRouteServiceProvider.js";
+import { AuthWebServiceProvider } from "../src/server/providers/AuthWebServiceProvider.js";
+
+function createFastifyStub() {
+  const routes = [];
+  return {
+    routes,
+    errorHandler: null,
+    route(definition) {
+      routes.push(definition);
+    },
+    setErrorHandler(handler) {
+      this.errorHandler = handler;
+    }
+  };
+}
+
+function createReplyStub() {
+  return {
+    sent: false,
+    statusCode: null,
+    payload: null,
+    code(value) {
+      this.statusCode = value;
+      return this;
+    },
+    send(value) {
+      this.payload = value;
+      this.sent = true;
+      return this;
+    }
+  };
+}
+
+test("auth route provider registers routes and executes login/logout handlers", async () => {
+  const events = [];
+  const fastify = createFastifyStub();
+  const app = createApplication();
+  const httpRuntime = createHttpRuntime({ app, fastify });
+
+  const authService = {
+    writeSessionCookies(_reply, session) {
+      events.push({ type: "writeSession", session });
+    },
+    clearSessionCookies() {
+      events.push({ type: "clearSession" });
+    },
+    getOAuthProviderCatalog() {
+      return { providers: [], defaultProvider: "" };
+    }
+  };
+
+  app.instance("authService", authService);
+  app.instance("actionExecutor", {
+    async execute({ actionId }) {
+      if (actionId === "auth.login.password") {
+        return {
+          session: { access_token: "a", refresh_token: "r" },
+          profile: { displayName: "Ada" }
+        };
+      }
+      if (actionId === "auth.logout") {
+        return {
+          ok: true,
+          clearSession: true
+        };
+      }
+      return {};
+    }
+  });
+
+  class MockAuthProvider {
+    static id = "auth.provider";
+  }
+
+  await app.start({ providers: [MockAuthProvider, AuthWebServiceProvider, AuthRouteServiceProvider] });
+
+  const registration = httpRuntime.registerRoutes();
+  assert.equal(registration.routeCount > 0, true);
+
+  const loginRoute = fastify.routes.find((route) => route.method === "POST" && route.url === "/api/login");
+  assert.ok(loginRoute);
+  const loginReply = createReplyStub();
+  await loginRoute.handler({ body: { email: "ada@example.com", password: "pass" } }, loginReply);
+  assert.equal(loginReply.statusCode, 200);
+  assert.equal(loginReply.payload.username, "Ada");
+
+  const logoutRoute = fastify.routes.find((route) => route.method === "POST" && route.url === "/api/logout");
+  assert.ok(logoutRoute);
+  const logoutReply = createReplyStub();
+  await logoutRoute.handler({}, logoutReply);
+  assert.equal(logoutReply.statusCode, 200);
+  assert.equal(logoutReply.payload.ok, true);
+
+  assert.equal(events.some((entry) => entry.type === "writeSession"), true);
+  assert.equal(events.some((entry) => entry.type === "clearSession"), true);
+});