@kya-os/mcp-i-core 1.3.7-canary.0 → 1.3.7-canary.clientinfo.20251126041014

package/src/__tests__/services/cache-busting.test.ts

@@ -0,0 +1,125 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { ToolProtectionService } from "../../services/tool-protection.service";
+import { InMemoryToolProtectionCache } from "../../cache/tool-protection-cache";
+
+describe("Cache Busting in clearAndRefresh", () => {
+  let cache: InMemoryToolProtectionCache;
+  let service: ToolProtectionService;
+  const agentDid = "did:key:test-agent";
+  const projectId = "test-project-123";
+
+  beforeEach(() => {
+    cache = new InMemoryToolProtectionCache();
+    service = new ToolProtectionService(
+      {
+        apiUrl: "https://test.agentshield.com",
+        apiKey: "test-api-key",
+        projectId,
+        cacheTtl: 300000,
+        debug: true,
+      },
+      cache
+    );
+  });
+
+  it("clearAndRefresh should call fetchFromApi with bypassCDNCache: true", async () => {
+    // Spy on the private fetchFromApi method
+    const fetchSpy = vi.spyOn(service as any, "fetchFromApi").mockResolvedValue({
+      success: true,
+      data: {
+        toolProtections: {
+          greet: { requiresDelegation: true, requiredScopes: ["greet:execute"] },
+        },
+      },
+    });
+
+    await service.clearAndRefresh(agentDid);
+
+    // Verify fetchFromApi was called with bypassCDNCache: true
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    expect(fetchSpy).toHaveBeenCalledWith(agentDid, { bypassCDNCache: true });
+  });
+
+  it("fetchFromApi should add cache-busting query param when bypassCDNCache is true", async () => {
+    // Mock global fetch
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
+    });
+    global.fetch = fetchMock;
+
+    // Call fetchFromApi directly with bypassCDNCache: true
+    await (service as any).fetchFromApi(agentDid, { bypassCDNCache: true });
+
+    // Verify the URL contains cache-busting timestamp
+    const calledUrl = fetchMock.mock.calls[0][0] as string;
+    expect(calledUrl).toContain("?_t=");
+    expect(calledUrl).toMatch(/\?_t=\d+$/); // Ends with ?_t=<timestamp>
+  });
+
+  it("fetchFromApi should add Cache-Control headers when bypassCDNCache is true", async () => {
+    // Mock global fetch
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
+    });
+    global.fetch = fetchMock;
+
+    // Call fetchFromApi directly with bypassCDNCache: true
+    await (service as any).fetchFromApi(agentDid, { bypassCDNCache: true });
+
+    // Verify the headers contain cache-control
+    const calledOptions = fetchMock.mock.calls[0][1] as RequestInit;
+    const headers = calledOptions.headers as Record<string, string>;
+    
+    expect(headers["Cache-Control"]).toBe("no-cache, no-store, must-revalidate");
+    expect(headers["Pragma"]).toBe("no-cache");
+  });
+
+  it("fetchFromApi should NOT add cache-busting when bypassCDNCache is false/undefined", async () => {
+    // Mock global fetch
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
+    });
+    global.fetch = fetchMock;
+
+    // Call fetchFromApi without bypassCDNCache
+    await (service as any).fetchFromApi(agentDid);
+
+    // Verify the URL does NOT contain cache-busting timestamp
+    const calledUrl = fetchMock.mock.calls[0][0] as string;
+    expect(calledUrl).not.toContain("?_t=");
+    
+    // Verify no cache-control header
+    const calledOptions = fetchMock.mock.calls[0][1] as RequestInit;
+    const headers = calledOptions.headers as Record<string, string>;
+    expect(headers["Cache-Control"]).toBeUndefined();
+  });
+
+  it("cache should be empty after clearAndRefresh deletes it", async () => {
+    const cacheKey = `config:tool-protections:${projectId}`;
+    
+    // Pre-populate cache
+    await cache.set(cacheKey, { toolProtections: { old: { requiresDelegation: false, requiredScopes: [] } } }, 300000);
+    
+    // Verify cache has data
+    const before = await cache.get(cacheKey);
+    expect(before).not.toBeNull();
+
+    // Mock fetchFromApi to avoid network call
+    vi.spyOn(service as any, "fetchFromApi").mockResolvedValue({
+      success: true,
+      data: { toolProtections: {} },
+    });
+
+    // Clear and refresh
+    await service.clearAndRefresh(agentDid);
+
+    // Note: clearAndRefresh deletes then re-populates with fresh data
+    // But since our mock returns empty toolProtections, cache should have empty config
+    const after = await cache.get(cacheKey);
+    expect(after).toBeDefined();
+  });
+});
+

package/src/__tests__/services/oauth-service-pkce.test.ts

@@ -0,0 +1,556 @@
+/**
+ * Tests for OAuthService PKCE Token Exchange
+ *
+ * Verifies:
+ * 1. Successful PKCE token exchange
+ * 2. Handling of GitHub-style 200-status errors
+ * 3. Handling of standard 4xx errors
+ * 4. Token response validation
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { OAuthService } from "../../services/oauth-service";
+import type { OAuthConfigService } from "../../services/oauth-config.service";
+import type { FetchProvider } from "../../providers/types";
+import type { OAuthProvider } from "@kya-os/contracts/config";
+
+describe("OAuthService PKCE Token Exchange", () => {
+  let mockConfigService: OAuthConfigService;
+  let mockFetchProvider: FetchProvider;
+  let oauthService: OAuthService;
+
+  const mockGitHubProvider: OAuthProvider = {
+    clientId: "test-client-id",
+    clientSecret: null,
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    supportsPKCE: true,
+    requiresClientSecret: false,
+    scopes: [],
+  };
+
+  const mockOAuthConfig = {
+    providers: {
+      github: mockGitHubProvider,
+    },
+    configuredProvider: "github",
+  };
+
+  beforeEach(() => {
+    mockConfigService = {
+      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
+    } as unknown as OAuthConfigService;
+
+    mockFetchProvider = {
+      fetch: vi.fn(),
+      resolveDID: vi.fn(),
+      fetchStatusList: vi.fn(),
+      fetchDelegationChain: vi.fn(),
+    };
+
+    oauthService = new OAuthService({
+      configService: mockConfigService,
+      fetchProvider: mockFetchProvider,
+      agentShieldApiUrl: "https://test.agentshield.com",
+      agentShieldApiKey: "test-api-key",
+      projectId: "test-project",
+      logger: vi.fn(),
+    });
+  });
+
+  describe("Successful Token Exchange", () => {
+    it("should exchange code for access_token successfully", async () => {
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+        token_type: "bearer",
+        scope: "greet:execute",
+        expires_in: 3600,
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      const result = await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      expect(result.access_token).toBe("gho_test_access_token_123");
+      expect(result.token_type).toBe("bearer");
+      expect(result.scope).toBe("greet:execute");
+      expect(result.expires_in).toBe(3600);
+      expect(result.expires_at).toBeGreaterThan(Date.now());
+    });
+
+    it("should handle missing expires_in with default value", async () => {
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+        token_type: "bearer",
+        // No expires_in - should default to 3600
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      const result = await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      expect(result.expires_in).toBe(3600);
+    });
+
+    it("should handle refresh_token when provided", async () => {
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+        refresh_token: "ghr_test_refresh_token_456",
+        token_type: "bearer",
+        expires_in: 3600,
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      const result = await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      expect(result.refresh_token).toBe("ghr_test_refresh_token_456");
+    });
+  });
+
+  describe("GitHub 200-Status Error Handling", () => {
+    it("should handle bad_verification_code error (200 status)", async () => {
+      const mockErrorResponse = {
+        error: "bad_verification_code",
+        error_description: "The code passed is incorrect or expired.",
+        error_uri:
+          "https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true, // GitHub returns 200 even for errors!
+        json: () => Promise.resolve(mockErrorResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "expired-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("The code passed is incorrect or expired.");
+    });
+
+    it("should handle incorrect_client_credentials error (200 status)", async () => {
+      const mockErrorResponse = {
+        error: "incorrect_client_credentials",
+        error_description:
+          "The client_id and/or client_secret passed are incorrect.",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockErrorResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow(
+        "The client_id and/or client_secret passed are incorrect."
+      );
+    });
+
+    it("should handle redirect_uri_mismatch error (200 status)", async () => {
+      const mockErrorResponse = {
+        error: "redirect_uri_mismatch",
+        error_description:
+          "The redirect_uri MUST match the registered callback URL for this application.",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockErrorResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://wrong-redirect.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("The redirect_uri MUST match the registered callback");
+    });
+
+    it("should fallback to error code when error_description is missing", async () => {
+      const mockErrorResponse = {
+        error: "access_denied",
+        // No error_description
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockErrorResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("access_denied");
+    });
+  });
+
+  describe("Standard HTTP Error Handling", () => {
+    it("should handle 400 Bad Request error", async () => {
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: false,
+        status: 400,
+        text: () =>
+          Promise.resolve(
+            JSON.stringify({
+              error: "invalid_request",
+              error_description: "Missing required parameter",
+            })
+          ),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("Missing required parameter");
+    });
+
+    it("should handle 401 Unauthorized error", async () => {
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: false,
+        status: 401,
+        text: () =>
+          Promise.resolve(
+            JSON.stringify({
+              error: "invalid_client",
+              error_description: "Client authentication failed",
+            })
+          ),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("Client authentication failed");
+    });
+
+    it("should handle non-JSON error response", async () => {
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: false,
+        status: 500,
+        text: () => Promise.resolve("Internal Server Error"),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("Internal Server Error");
+    });
+  });
+
+  describe("Token Response Validation", () => {
+    it("should throw error when access_token is missing from valid response", async () => {
+      const mockInvalidResponse = {
+        token_type: "bearer",
+        scope: "greet:execute",
+        // Missing access_token
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockInvalidResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("Token response missing access_token");
+    });
+
+    it("should throw error when access_token is empty string", async () => {
+      const mockInvalidResponse = {
+        access_token: "",
+        token_type: "bearer",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockInvalidResponse),
+      });
+
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow("Token response missing access_token");
+    });
+  });
+
+  describe("PKCE Request Format", () => {
+    it("should send correct PKCE parameters", async () => {
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier-12345",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
+        "https://github.com/login/oauth/access_token",
+        expect.objectContaining({
+          method: "POST",
+          headers: expect.objectContaining({
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+          }),
+        })
+      );
+
+      // Verify request body contains correct PKCE parameters
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mock.calls[0];
+      const body = callArgs[1].body as string;
+
+      expect(body).toContain("grant_type=authorization_code");
+      expect(body).toContain("code=test-auth-code");
+      expect(body).toContain("code_verifier=test-code-verifier-12345");
+      expect(body).toContain("client_id=test-client-id");
+      expect(body).toContain(
+        "redirect_uri=https%3A%2F%2Ftest.workers.dev%2Foauth%2Fcallback"
+      );
+    });
+  });
+
+  describe("Provider Not Found", () => {
+    it("should throw error for unconfigured provider", async () => {
+      await expect(
+        oauthService.exchangeToken(
+          "unknown-provider",
+          "test-code",
+          "test-code-verifier",
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow('Provider "unknown-provider" not configured');
+    });
+  });
+
+  describe("PKCE Requirement", () => {
+    it("should throw error when codeVerifier is missing for PKCE provider", async () => {
+      await expect(
+        oauthService.exchangeToken(
+          "github",
+          "test-code",
+          undefined, // Missing code_verifier
+          "https://test.workers.dev/oauth/callback"
+        )
+      ).rejects.toThrow('Provider "github" requires PKCE code_verifier');
+    });
+  });
+
+  describe("Client Secret Handling in PKCE", () => {
+    it("should include client_secret when provider has one configured (GitHub OAuth Apps)", async () => {
+      // GitHub OAuth Apps require client_secret even with PKCE
+      const mockGitHubOAuthAppProvider: OAuthProvider = {
+        clientId: "github-oauth-app-client-id",
+        clientSecret: "github-oauth-app-client-secret",
+        authorizationUrl: "https://github.com/login/oauth/authorize",
+        tokenUrl: "https://github.com/login/oauth/access_token",
+        supportsPKCE: true,
+        requiresClientSecret: true,
+        scopes: [],
+      };
+
+      const mockConfigWithSecret = {
+        providers: {
+          github: mockGitHubOAuthAppProvider,
+        },
+        configuredProvider: "github",
+      };
+
+      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
+        mockConfigWithSecret
+      );
+
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+        token_type: "bearer",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      // Verify client_secret is included in request body
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mock.calls[0];
+      const body = callArgs[1].body as string;
+
+      expect(body).toContain("client_id=github-oauth-app-client-id");
+      expect(body).toContain("client_secret=github-oauth-app-client-secret");
+      expect(body).toContain("code_verifier=test-code-verifier");
+    });
+
+    it("should NOT include client_secret when provider has null clientSecret (GitHub Apps)", async () => {
+      // GitHub Apps (not OAuth Apps) can use PKCE without client_secret
+      const mockGitHubAppProvider: OAuthProvider = {
+        clientId: "github-app-client-id",
+        clientSecret: null, // No secret for GitHub Apps with PKCE
+        authorizationUrl: "https://github.com/login/oauth/authorize",
+        tokenUrl: "https://github.com/login/oauth/access_token",
+        supportsPKCE: true,
+        requiresClientSecret: false,
+        scopes: [],
+      };
+
+      const mockConfigWithoutSecret = {
+        providers: {
+          github: mockGitHubAppProvider,
+        },
+        configuredProvider: "github",
+      };
+
+      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
+        mockConfigWithoutSecret
+      );
+
+      const mockTokenResponse = {
+        access_token: "gho_test_access_token_123",
+        token_type: "bearer",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      // Verify client_secret is NOT included in request body
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mock.calls[0];
+      const body = callArgs[1].body as string;
+
+      expect(body).toContain("client_id=github-app-client-id");
+      expect(body).not.toContain("client_secret");
+      expect(body).toContain("code_verifier=test-code-verifier");
+    });
+
+    it("should NOT include client_secret when it is empty string", async () => {
+      const mockProviderWithEmptySecret: OAuthProvider = {
+        clientId: "test-client-id",
+        clientSecret: "", // Empty string should be treated as no secret
+        authorizationUrl: "https://example.com/oauth/authorize",
+        tokenUrl: "https://example.com/oauth/token",
+        supportsPKCE: true,
+        requiresClientSecret: false,
+        scopes: [],
+      };
+
+      const mockConfigWithEmptySecret = {
+        providers: {
+          github: mockProviderWithEmptySecret,
+        },
+        configuredProvider: "github",
+      };
+
+      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
+        mockConfigWithEmptySecret
+      );
+
+      const mockTokenResponse = {
+        access_token: "test_access_token",
+        token_type: "bearer",
+      };
+
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve(mockTokenResponse),
+      });
+
+      await oauthService.exchangeToken(
+        "github",
+        "test-auth-code",
+        "test-code-verifier",
+        "https://test.workers.dev/oauth/callback"
+      );
+
+      // Verify client_secret is NOT included when empty
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mock.calls[0];
+      const body = callArgs[1].body as string;
+
+      expect(body).not.toContain("client_secret");
+    });
+  });
+});
+