@linkedclaw/cli 0.1.6 → 0.2.0

package/test/auth-device.test.ts

@@ -0,0 +1,126 @@
+import { describe, expect, it } from "vitest";
+import { createServer, Server } from "node:http";
+import { AddressInfo } from "node:net";
+
+import { runDeviceFlow } from "../src/auth/device.js";
+
+interface FakeDeviceGrant {
+  device_code: string;
+  user_code: string;
+  approved: boolean;
+  consumed: boolean;
+  denied: boolean;
+}
+
+function buildCloud(grants: Map<string, FakeDeviceGrant>) {
+  return new Promise<{ server: Server; url: string }>((resolve) => {
+    const s = createServer(async (req, res) => {
+      const chunks: Buffer[] = [];
+      for await (const c of req) chunks.push(c as Buffer);
+      const raw = Buffer.concat(chunks).toString();
+      const body = raw ? JSON.parse(raw) : {};
+
+      const j = (status: number, payload: unknown) => {
+        res.statusCode = status;
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(payload));
+      };
+
+      const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+      if (url.pathname === "/api/v1/auth/device/code" && req.method === "POST") {
+        const device_code = `dvc_${Math.random().toString(36).slice(2, 14)}`;
+        const user_code = "BLUE-FROG";
+        grants.set(device_code, {
+          device_code,
+          user_code,
+          approved: false,
+          consumed: false,
+          denied: false,
+        });
+        return j(201, {
+          device_code,
+          user_code,
+          verification_uri: "http://example/device",
+          verification_uri_complete: `http://example/device?code=${user_code}`,
+          expires_in: 600,
+          interval: 1, // fast for tests
+        });
+      }
+      if (url.pathname === "/api/v1/auth/device/poll" && req.method === "POST") {
+        const g = grants.get(body.device_code);
+        if (!g) return j(400, { detail: "invalid_grant" });
+        if (g.denied) return j(400, { detail: "access_denied" });
+        if (g.consumed) return j(400, { detail: "invalid_grant" });
+        if (!g.approved) return j(200, { status: "pending" });
+        g.consumed = true;
+        return j(200, {
+          status: "approved",
+          api_key: "lc_fake_device_eeee1111ffff2222gggg3333hhhh4444",
+          user_id: "bob",
+          handle: "@bob",
+          scope: "read",
+          key_id: "key_fake_device",
+        });
+      }
+      return j(404, { detail: "not found" });
+    });
+    s.listen(0, "127.0.0.1", () => {
+      const port = (s.address() as AddressInfo).port;
+      resolve({ server: s, url: `http://127.0.0.1:${port}` });
+    });
+  });
+}
+
+describe("runDeviceFlow", () => {
+  it("polls until approved, returns lc_ key", async () => {
+    const grants = new Map<string, FakeDeviceGrant>();
+    const { server, url } = await buildCloud(grants);
+    try {
+      let prompted = false;
+      const promise = runDeviceFlow({
+        cloudUrl: url,
+        clientLabel: "test",
+        requestedScope: "read",
+        onUserPrompt: () => {
+          prompted = true;
+          // Simulate a user clicking Approve after a brief delay.
+          setTimeout(() => {
+            for (const g of grants.values()) g.approved = true;
+          }, 200);
+        },
+      });
+      const result = await promise;
+      expect(prompted).toBe(true);
+      expect(result.apiKey).toBe(
+        "lc_fake_device_eeee1111ffff2222gggg3333hhhh4444",
+      );
+      expect(result.scope).toBe("read");
+      expect(result.userId).toBe("bob");
+    } finally {
+      server.close();
+    }
+  });
+
+  it("surfaces access_denied as DeviceFlowError", async () => {
+    const grants = new Map<string, FakeDeviceGrant>();
+    const { server, url } = await buildCloud(grants);
+    try {
+      const promise = runDeviceFlow({
+        cloudUrl: url,
+        clientLabel: "test",
+        requestedScope: "full",
+        onUserPrompt: () => {
+          setTimeout(() => {
+            for (const g of grants.values()) g.denied = true;
+          }, 100);
+        },
+      });
+      await expect(promise).rejects.toMatchObject({
+        name: "DeviceFlowError",
+        code: "access_denied",
+      });
+    } finally {
+      server.close();
+    }
+  });
+});

package/test/auth-loopback.test.ts

@@ -0,0 +1,190 @@
+/**
+ * End-to-end loopback PKCE test driven against an in-process fake cloud.
+ *
+ * The fake cloud exposes /auth/oauth/initiate and /auth/oauth/token, plus
+ * a "portal Approve" simulator that the test drives directly: when the
+ * CLI hits initiate(), the test grabs the redirect_uri+state, generates
+ * an opaque code, and (a microtask later) hits the loopback callback as
+ * if the user had clicked Approve.
+ */
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { createServer, Server } from "node:http";
+import { AddressInfo } from "node:net";
+
+import { runLoopback } from "../src/auth/loopback.js";
+
+interface FakeGrant {
+  grant_id: string;
+  redirect_uri: string;
+  state: string;
+  code_challenge: string;
+  approved: boolean;
+  consumed: boolean;
+  code?: string;
+}
+
+let cloud: Server;
+let cloudUrl: string;
+let grants: Map<string, FakeGrant>;
+
+function buildCloud(): Promise<{ server: Server; url: string }> {
+  return new Promise((resolve) => {
+    const s = createServer(async (req, res) => {
+      const chunks: Buffer[] = [];
+      for await (const c of req) chunks.push(c as Buffer);
+      const raw = Buffer.concat(chunks).toString();
+      const body = raw ? JSON.parse(raw) : {};
+
+      const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+      const j = (status: number, payload: unknown) => {
+        res.statusCode = status;
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(payload));
+      };
+
+      if (url.pathname === "/api/v1/auth/oauth/initiate" && req.method === "POST") {
+        const grant_id = `grt_${Math.random().toString(36).slice(2, 10)}`;
+        grants.set(grant_id, {
+          grant_id,
+          redirect_uri: body.redirect_uri,
+          state: body.state,
+          code_challenge: body.code_challenge,
+          approved: false,
+          consumed: false,
+        });
+        return j(201, {
+          grant_id,
+          authorize_url: `${cloudUrl}/__fake_portal/authorize?grant_id=${grant_id}`,
+          expires_in: 600,
+        });
+      }
+      if (url.pathname === "/api/v1/auth/oauth/token" && req.method === "POST") {
+        const found = [...grants.values()].find((g) => g.code === body.code);
+        if (!found) return j(400, { detail: "invalid_grant" });
+        if (found.consumed) return j(400, { detail: "invalid_grant" });
+        found.consumed = true;
+        return j(200, {
+          api_key: "lc_fake_aaaa1111bbbb2222cccc3333dddd4444",
+          user_id: "alice",
+          handle: "@alice",
+          scope: "full",
+          key_id: "key_fake_aaaa1111",
+        });
+      }
+      return j(404, { detail: "not found" });
+    });
+    s.listen(0, "127.0.0.1", () => {
+      const port = (s.address() as AddressInfo).port;
+      resolve({ server: s, url: `http://127.0.0.1:${port}` });
+    });
+  });
+}
+
+beforeEach(async () => {
+  grants = new Map();
+  const c = await buildCloud();
+  cloud = c.server;
+  cloudUrl = c.url;
+});
+
+afterEach(() => {
+  cloud.close();
+});
+
+/**
+ * Simulate a user clicking Approve in the portal: hit the CLI's loopback
+ * callback URL with code + state extracted from the recorded grant.
+ */
+async function simulateApprove(grant: FakeGrant, code: string): Promise<void> {
+  grant.code = code;
+  grant.approved = true;
+  const url = new URL(grant.redirect_uri);
+  url.searchParams.set("code", code);
+  url.searchParams.set("state", grant.state);
+  await fetch(url.toString());
+}
+
+describe("runLoopback", () => {
+  it("mints lc_ key after browser-side approval", async () => {
+    let approvalSchedulingResolved: (() => void) | null = null;
+    const result = runLoopback({
+      cloudUrl,
+      clientLabel: "test",
+      requestedScope: "full",
+      timeoutMs: 5_000,
+      openBrowser: async (_url: string) => {
+        // Schedule the approval after the loopback server starts listening
+        // for callbacks.
+        setTimeout(async () => {
+          const g = [...grants.values()][0];
+          await simulateApprove(g!, "test_authcode_xxxxxxxxxxxxxxxxxxxxxxxxxxx");
+          approvalSchedulingResolved?.();
+        }, 50);
+      },
+    });
+
+    await new Promise<void>((r) => (approvalSchedulingResolved = r));
+
+    const r = await result;
+    expect(r.apiKey).toBe("lc_fake_aaaa1111bbbb2222cccc3333dddd4444");
+    expect(r.userId).toBe("alice");
+    expect(r.scope).toBe("full");
+  });
+
+  it("throws recoverable LoopbackError when openBrowser fails", async () => {
+    await expect(
+      runLoopback({
+        cloudUrl,
+        clientLabel: "test",
+        requestedScope: "full",
+        timeoutMs: 1_000,
+        openBrowser: async () => {
+          throw new Error("no display");
+        },
+      }),
+    ).rejects.toMatchObject({
+      name: "LoopbackError",
+      recoverable: true,
+    });
+  });
+
+  it("throws recoverable LoopbackError when callback times out", async () => {
+    await expect(
+      runLoopback({
+        cloudUrl,
+        clientLabel: "test",
+        requestedScope: "full",
+        timeoutMs: 200,
+        openBrowser: async () => {
+          // succeeds, but no approval is ever simulated → timeout
+        },
+      }),
+    ).rejects.toMatchObject({
+      name: "LoopbackError",
+      recoverable: true,
+    });
+  });
+
+  it("throws non-recoverable LoopbackError on state mismatch", async () => {
+    await expect(
+      runLoopback({
+        cloudUrl,
+        clientLabel: "test",
+        requestedScope: "full",
+        timeoutMs: 5_000,
+        openBrowser: async () => {
+          setTimeout(() => {
+            const g = [...grants.values()][0]!;
+            const url = new URL(g.redirect_uri);
+            url.searchParams.set("code", "test_authcode_xxxxxxxxxxxxxxxx");
+            url.searchParams.set("state", "wrong-state");
+            void fetch(url.toString()); // fire-and-forget; loopback will resolve on its own
+          }, 50);
+        },
+      }),
+    ).rejects.toMatchObject({
+      name: "LoopbackError",
+      recoverable: false,
+    });
+  });
+});

package/test/auth-pkce.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, it } from "vitest";
+import { createHash } from "node:crypto";
+import { deriveChallenge, generateState, generateVerifier } from "../src/auth/pkce.js";
+
+describe("PKCE", () => {
+  it("generateVerifier produces 43–128 char URL-safe value", () => {
+    for (let i = 0; i < 5; i++) {
+      const v = generateVerifier();
+      expect(v.length).toBeGreaterThanOrEqual(43);
+      expect(v.length).toBeLessThanOrEqual(128);
+      expect(/^[A-Za-z0-9_-]+$/.test(v)).toBe(true);
+    }
+  });
+
+  it("verifier values differ across calls", () => {
+    const a = generateVerifier();
+    const b = generateVerifier();
+    expect(a).not.toBe(b);
+  });
+
+  it("deriveChallenge equals BASE64URL(SHA256(verifier))", () => {
+    const verifier = "test-verifier-12345678901234567890123456789012345678901234";
+    const expected = createHash("sha256").update(verifier).digest("base64url");
+    expect(deriveChallenge(verifier)).toBe(expected);
+  });
+
+  it("generateState returns 16-byte URL-safe value", () => {
+    const s = generateState();
+    expect(s.length).toBeGreaterThanOrEqual(16);
+    expect(/^[A-Za-z0-9_-]+$/.test(s)).toBe(true);
+  });
+});