@m-kopa/launchpad-cli 0.23.0

package/skills/marquee-share/tests/flow.test.ts

@@ -0,0 +1,356 @@
+// Full-flow auth tests for the Marquee share skill.
+//
+// These wire the complete PKCE flow against a FAKE OAuth server
+// (an injected `fetcher`) but use a REAL local callback server
+// (port 0). The injected browser opener "drives the browser" by
+// hitting the loopback callback URL directly with code + state.
+//
+// Covers: login → session persisted; getValidToken silently reuses a
+// fresh cached session; getValidToken silently refreshes an expired
+// one; getValidToken re-logins when there is no session; the
+// non-interactive path throws LoginRequiredError; discovery against a
+// Marquee-shaped base URL derives the `resource` from the
+// protected-resource doc.
+
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import * as fs from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import {
+  login,
+  logout,
+  getValidToken,
+  LoginRequiredError,
+  type SkillConfig,
+} from "../src/auth/index.js";
+import { readSession, writeSession } from "../src/auth/session.js";
+import { SESSION_VERSION } from "../src/auth/session.js";
+
+// A Marquee-shaped base URL — the real prod host. Discovery walks the
+// well-known docs under this; the fake server below answers them.
+const RESOURCE_URL = "https://marquee.launchpad.m-kopa.us";
+const AUTH_SERVER = "https://mkopa.cloudflareaccess.com";
+const WELL_KNOWN_RESOURCE = `${RESOURCE_URL}/.well-known/cloudflare-access-protected-resource/`;
+const WELL_KNOWN_SERVER = `${AUTH_SERVER}/.well-known/oauth-authorization-server`;
+// The protected-resource doc's `resource` field. Deliberately
+// distinct from RESOURCE_URL so an assertion can prove the flow uses
+// the DISCOVERED value (not a hard-coded base URL).
+const DISCOVERED_RESOURCE = "https://marquee-canonical.m-kopa.us";
+const AUTH_ENDPOINT = `${AUTH_SERVER}/oauth/authorize`;
+const TOKEN_ENDPOINT = `${AUTH_SERVER}/oauth/token`;
+const REG_ENDPOINT = `${AUTH_SERVER}/oauth/register`;
+
+let tmpDir: string;
+let sessionPath: string;
+
+beforeEach(async () => {
+  tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "marquee-skill-flow-"));
+  sessionPath = path.join(tmpDir, "session.json");
+});
+
+afterEach(async () => {
+  await fs.rm(tmpDir, { recursive: true, force: true });
+});
+
+function cfg(): SkillConfig {
+  return { resourceUrl: RESOURCE_URL, sessionPath };
+}
+
+interface Captured {
+  tokenBodies: URLSearchParams[];
+  regBody?: Record<string, unknown>;
+  authUrl?: string;
+}
+
+/**
+ * Build a fake OAuth server. `tokenResponder` lets a test override
+ * what the token endpoint returns per call (e.g. a 400 on refresh).
+ */
+function makeFakeServer(
+  cap: Captured,
+  tokenResponder?: (
+    grant: string,
+    callIndex: number,
+  ) => { status: number; body: unknown } | undefined,
+): typeof fetch {
+  let tokenCalls = 0;
+  return vi.fn(
+    async (input: Parameters<typeof fetch>[0], init?: RequestInit) => {
+      const url = typeof input === "string" ? input : input.toString();
+      if (url === WELL_KNOWN_RESOURCE) {
+        return new Response(
+          JSON.stringify({
+            authorization_servers: [AUTH_SERVER],
+            resource: DISCOVERED_RESOURCE,
+          }),
+          { status: 200 },
+        );
+      }
+      if (url === WELL_KNOWN_SERVER) {
+        return new Response(
+          JSON.stringify({
+            authorization_endpoint: AUTH_ENDPOINT,
+            token_endpoint: TOKEN_ENDPOINT,
+            registration_endpoint: REG_ENDPOINT,
+          }),
+          { status: 200 },
+        );
+      }
+      if (url === REG_ENDPOINT) {
+        cap.regBody = JSON.parse(
+          typeof init?.body === "string" ? init.body : "{}",
+        );
+        return new Response(JSON.stringify({ client_id: "marquee-cid" }), {
+          status: 201,
+        });
+      }
+      if (url === TOKEN_ENDPOINT) {
+        const body = new URLSearchParams(
+          typeof init?.body === "string" ? init.body : "",
+        );
+        cap.tokenBodies.push(body);
+        const grant = body.get("grant_type") ?? "";
+        const override = tokenResponder?.(grant, tokenCalls);
+        tokenCalls++;
+        if (override) {
+          return new Response(JSON.stringify(override.body), {
+            status: override.status,
+          });
+        }
+        return new Response(
+          JSON.stringify({
+            access_token: `access-${grant}-${tokenCalls}`,
+            refresh_token: `refresh-${grant}-${tokenCalls}`,
+            expires_in: 900,
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`unexpected fetch ${url}`);
+    },
+  ) as unknown as typeof fetch;
+}
+
+/** A browser opener that drives the loopback callback directly. */
+function drivingOpener(cap: Captured): (url: string) => Promise<void> {
+  return async (url: string): Promise<void> => {
+    cap.authUrl = url;
+    const u = new URL(url);
+    const state = u.searchParams.get("state");
+    const redirect = u.searchParams.get("redirect_uri");
+    void fetch(`${redirect}?code=test-code&state=${state}`).catch(() => {
+      /* the flow awaits server.result, not this */
+    });
+  };
+}
+
+describe("login — full PKCE flow against a fake OAuth server", () => {
+  test("opens browser, waits for callback, persists a 0600 session", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    const session = await login({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    expect(session.version).toBe(SESSION_VERSION);
+    expect(session.accessToken).toMatch(/^access-authorization_code/);
+    expect(session.refreshToken).toMatch(/^refresh-authorization_code/);
+
+    // Session is on disk and re-readable.
+    const onDisk = await readSession(sessionPath);
+    expect(onDisk?.accessToken).toBe(session.accessToken);
+    if (process.platform !== "win32") {
+      const stat = await fs.stat(sessionPath);
+      expect(stat.mode & 0o777).toBe(0o600);
+    }
+  });
+
+  test("registers as a PUBLIC client — no client secret", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    await login({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    expect(cap.regBody?.token_endpoint_auth_method).toBe("none");
+    expect(cap.regBody).not.toHaveProperty("client_secret");
+    // The token exchange carries code_verifier (PKCE proof), never
+    // a client_secret.
+    const tokenBody = cap.tokenBodies[0];
+    expect(tokenBody?.get("code_verifier")).toBeTruthy();
+    expect(tokenBody?.has("client_secret")).toBe(false);
+  });
+
+  test("discovery derives `resource` from the protected-resource doc, not the base URL", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    const session = await login({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    // The discovered value — distinct from RESOURCE_URL — must be
+    // what lands in the session and on the auth + token requests.
+    expect(session.resource).toBe(DISCOVERED_RESOURCE);
+    expect(new URL(cap.authUrl ?? "").searchParams.get("resource")).toBe(
+      DISCOVERED_RESOURCE,
+    );
+    expect(cap.tokenBodies[0]?.get("resource")).toBe(DISCOVERED_RESOURCE);
+  });
+
+  test("authorization URL carries PKCE S256 challenge + state", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    await login({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    const u = new URL(cap.authUrl ?? "");
+    expect(u.searchParams.get("code_challenge_method")).toBe("S256");
+    expect(u.searchParams.get("code_challenge")).toBeTruthy();
+    expect(u.searchParams.get("state")).toBeTruthy();
+    expect(u.searchParams.get("response_type")).toBe("code");
+  });
+});
+
+describe("getValidToken — cached-session reuse", () => {
+  test("returns the cached token without any network call when fresh", async () => {
+    const fresh = {
+      version: SESSION_VERSION as typeof SESSION_VERSION,
+      accessToken: "cached-fresh",
+      refreshToken: "r",
+      accessTokenExpiresAt: Date.now() + 600_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: DISCOVERED_RESOURCE,
+      issuedAt: new Date().toISOString(),
+    };
+    await writeSession(sessionPath, fresh);
+    const fetcher = vi.fn(async () => {
+      throw new Error("network must not be touched for a fresh session");
+    }) as unknown as typeof fetch;
+    const token = await getValidToken({ config: cfg(), fetcher });
+    expect(token).toBe("cached-fresh");
+  });
+
+  test("silently refreshes an expired session and persists the new pair", async () => {
+    const expired = {
+      version: SESSION_VERSION as typeof SESSION_VERSION,
+      accessToken: "cached-stale",
+      refreshToken: "the-refresh-token",
+      accessTokenExpiresAt: Date.now() - 1_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: DISCOVERED_RESOURCE,
+      issuedAt: new Date(Date.now() - 1_000_000).toISOString(),
+    };
+    await writeSession(sessionPath, expired);
+    const cap: Captured = { tokenBodies: [] };
+    const token = await getValidToken({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      onDiagnostic: () => {},
+    });
+    expect(token).toMatch(/^access-refresh_token/);
+    // The refresh grant was used, carrying the cached refresh token.
+    expect(cap.tokenBodies[0]?.get("grant_type")).toBe("refresh_token");
+    expect(cap.tokenBodies[0]?.get("refresh_token")).toBe("the-refresh-token");
+    // The fresh pair is persisted.
+    const onDisk = await readSession(sessionPath);
+    expect(onDisk?.accessToken).toBe(token);
+    expect(onDisk?.accessToken).not.toBe("cached-stale");
+  });
+
+  test("re-logins via the browser when there is no session at all", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    const token = await getValidToken({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    expect(token).toMatch(/^access-authorization_code/);
+    // A session now exists for the next call.
+    expect(await readSession(sessionPath)).not.toBeNull();
+  });
+
+  test("non-interactive mode throws LoginRequiredError instead of opening a browser", async () => {
+    const fetcher = vi.fn(async () => {
+      throw new Error("must not reach the network");
+    }) as unknown as typeof fetch;
+    await expect(
+      getValidToken({ config: cfg(), fetcher, interactive: false }),
+    ).rejects.toBeInstanceOf(LoginRequiredError);
+  });
+
+  test("a 4xx on refresh forces re-login (interactive) ", async () => {
+    const expired = {
+      version: SESSION_VERSION as typeof SESSION_VERSION,
+      accessToken: "cached-stale",
+      refreshToken: "revoked-refresh",
+      accessTokenExpiresAt: Date.now() - 1_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: DISCOVERED_RESOURCE,
+      issuedAt: new Date().toISOString(),
+    };
+    await writeSession(sessionPath, expired);
+    const cap: Captured = { tokenBodies: [] };
+    // First token call is the refresh grant — reject it 400. The
+    // subsequent authorization_code call (from the re-login) succeeds.
+    const fetcher = makeFakeServer(cap, (grant) =>
+      grant === "refresh_token"
+        ? { status: 400, body: { error: "invalid_grant" } }
+        : undefined,
+    );
+    const token = await getValidToken({
+      config: cfg(),
+      fetcher,
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    // Ended up with a fresh authorization_code token after re-login.
+    expect(token).toMatch(/^access-authorization_code/);
+  });
+
+  test("non-interactive: a 4xx on refresh surfaces LoginRequiredError", async () => {
+    const expired = {
+      version: SESSION_VERSION as typeof SESSION_VERSION,
+      accessToken: "cached-stale",
+      refreshToken: "revoked-refresh",
+      accessTokenExpiresAt: Date.now() - 1_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: DISCOVERED_RESOURCE,
+      issuedAt: new Date().toISOString(),
+    };
+    await writeSession(sessionPath, expired);
+    const cap: Captured = { tokenBodies: [] };
+    const fetcher = makeFakeServer(cap, (grant) =>
+      grant === "refresh_token"
+        ? { status: 400, body: { error: "invalid_grant" } }
+        : undefined,
+    );
+    await expect(
+      getValidToken({ config: cfg(), fetcher, interactive: false }),
+    ).rejects.toBeInstanceOf(LoginRequiredError);
+  });
+});
+
+describe("logout", () => {
+  test("clears a session created by login; second logout is a no-op", async () => {
+    const cap: Captured = { tokenBodies: [] };
+    await login({
+      config: cfg(),
+      fetcher: makeFakeServer(cap),
+      browserOpener: drivingOpener(cap),
+      onDiagnostic: () => {},
+    });
+    expect(await logout({ config: cfg(), onDiagnostic: () => {} })).toBe(true);
+    expect(await readSession(sessionPath)).toBeNull();
+    expect(await logout({ config: cfg(), onDiagnostic: () => {} })).toBe(false);
+  });
+});

package/skills/marquee-share/tests/no-token-leak.test.ts

@@ -0,0 +1,240 @@
+// Token-leak guard for the Marquee share skill auth layer.
+//
+// The single most security-sensitive property of this layer: the
+// access + refresh tokens must NEVER reach stdout, stderr, or any
+// logging sink. This test exercises every public auth operation
+// (login, getValidToken with reuse, getValidToken with refresh,
+// logout) while intercepting console.log / console.error / direct
+// process.stdout|stderr writes, then asserts the captured output
+// contains no token value.
+
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import * as fs from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import { login, logout, getValidToken } from "../src/auth/index.js";
+import { writeSession, SESSION_VERSION } from "../src/auth/session.js";
+import type { SkillConfig } from "../src/config.js";
+
+const RESOURCE_URL = "https://marquee.launchpad.m-kopa.us";
+const AUTH_SERVER = "https://mkopa.cloudflareaccess.com";
+const WELL_KNOWN_RESOURCE = `${RESOURCE_URL}/.well-known/cloudflare-access-protected-resource/`;
+const WELL_KNOWN_SERVER = `${AUTH_SERVER}/.well-known/oauth-authorization-server`;
+const AUTH_ENDPOINT = `${AUTH_SERVER}/oauth/authorize`;
+const TOKEN_ENDPOINT = `${AUTH_SERVER}/oauth/token`;
+const REG_ENDPOINT = `${AUTH_SERVER}/oauth/register`;
+
+// Distinctive sentinel token values. If any of these strings appears
+// in captured output the leak guard fails.
+const SECRET_ACCESS = "SENTINEL-ACCESS-TOKEN-9f8e7d6c5b4a";
+const SECRET_REFRESH = "SENTINEL-REFRESH-TOKEN-1a2b3c4d5e6f";
+const SECRET_ACCESS_2 = "SENTINEL-ACCESS-REFRESHED-aabbccdd";
+const SECRET_REFRESH_2 = "SENTINEL-REFRESH-ROTATED-eeff0011";
+
+let tmpDir: string;
+let sessionPath: string;
+let captured: string[];
+const restorers: Array<() => void> = [];
+
+beforeEach(async () => {
+  tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "marquee-skill-leak-"));
+  sessionPath = path.join(tmpDir, "session.json");
+  captured = [];
+
+  // Intercept every plausible output channel. We RECORD, not
+  // suppress — the assertion runs against everything written.
+  const record = (...args: unknown[]): void => {
+    captured.push(args.map((a) => String(a)).join(" "));
+  };
+  for (const ch of ["log", "error", "warn", "info", "debug"] as const) {
+    const original = console[ch];
+    console[ch] = record as typeof console.log;
+    restorers.push(() => {
+      console[ch] = original;
+    });
+  }
+  for (const stream of [process.stdout, process.stderr] as const) {
+    const original = stream.write.bind(stream);
+    stream.write = ((chunk: unknown): boolean => {
+      captured.push(String(chunk));
+      return true;
+    }) as typeof stream.write;
+    restorers.push(() => {
+      stream.write = original;
+    });
+  }
+});
+
+afterEach(async () => {
+  while (restorers.length > 0) restorers.pop()?.();
+  await fs.rm(tmpDir, { recursive: true, force: true });
+});
+
+function cfg(): SkillConfig {
+  return { resourceUrl: RESOURCE_URL, sessionPath };
+}
+
+function fakeServer(): typeof fetch {
+  return vi.fn(
+    async (input: Parameters<typeof fetch>[0], init?: RequestInit) => {
+      const url = typeof input === "string" ? input : input.toString();
+      if (url === WELL_KNOWN_RESOURCE) {
+        return new Response(
+          JSON.stringify({
+            authorization_servers: [AUTH_SERVER],
+            resource: RESOURCE_URL,
+          }),
+          { status: 200 },
+        );
+      }
+      if (url === WELL_KNOWN_SERVER) {
+        return new Response(
+          JSON.stringify({
+            authorization_endpoint: AUTH_ENDPOINT,
+            token_endpoint: TOKEN_ENDPOINT,
+            registration_endpoint: REG_ENDPOINT,
+          }),
+          { status: 200 },
+        );
+      }
+      if (url === REG_ENDPOINT) {
+        return new Response(JSON.stringify({ client_id: "marquee-cid" }), {
+          status: 201,
+        });
+      }
+      if (url === TOKEN_ENDPOINT) {
+        const body = new URLSearchParams(
+          typeof init?.body === "string" ? init.body : "",
+        );
+        const grant = body.get("grant_type");
+        // First exchange (authorization_code) returns the sentinel
+        // pair; a refresh returns the rotated sentinel pair.
+        const isRefresh = grant === "refresh_token";
+        return new Response(
+          JSON.stringify({
+            access_token: isRefresh ? SECRET_ACCESS_2 : SECRET_ACCESS,
+            refresh_token: isRefresh ? SECRET_REFRESH_2 : SECRET_REFRESH,
+            expires_in: 900,
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`unexpected fetch ${url}`);
+    },
+  ) as unknown as typeof fetch;
+}
+
+function drivingOpener(): (url: string) => Promise<void> {
+  return async (url: string): Promise<void> => {
+    const u = new URL(url);
+    const state = u.searchParams.get("state");
+    const redirect = u.searchParams.get("redirect_uri");
+    void fetch(`${redirect}?code=test-code&state=${state}`).catch(() => {
+      /* flow awaits server.result */
+    });
+  };
+}
+
+function assertNoLeak(): void {
+  const haystack = captured.join("\n");
+  for (const secret of [
+    SECRET_ACCESS,
+    SECRET_REFRESH,
+    SECRET_ACCESS_2,
+    SECRET_REFRESH_2,
+  ]) {
+    expect(
+      haystack.includes(secret),
+      `token value "${secret}" leaked to stdout/stderr/console`,
+    ).toBe(false);
+  }
+}
+
+describe("no-token-leak — auth layer never prints a credential", () => {
+  test("login does not echo the access or refresh token", async () => {
+    // NOTE: no `onDiagnostic` override — the auth layer's DEFAULT
+    // sink (console.error) is exercised, so this proves the shipped
+    // default path is leak-free, not just an injected silent sink.
+    await login({
+      config: cfg(),
+      fetcher: fakeServer(),
+      browserOpener: drivingOpener(),
+    });
+    // Sanity: login DID produce diagnostic output (so the test is
+    // actually exercising the print path, not a no-op).
+    expect(captured.join("\n").length).toBeGreaterThan(0);
+    assertNoLeak();
+  });
+
+  test("getValidToken (cached reuse) does not echo the token", async () => {
+    await writeSession(sessionPath, {
+      version: SESSION_VERSION,
+      accessToken: SECRET_ACCESS,
+      refreshToken: SECRET_REFRESH,
+      accessTokenExpiresAt: Date.now() + 600_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: RESOURCE_URL,
+      issuedAt: new Date().toISOString(),
+    });
+    const token = await getValidToken({ config: cfg(), fetcher: fakeServer() });
+    // The token IS returned to the in-process caller — that is the
+    // contract. It must just never have been printed.
+    expect(token).toBe(SECRET_ACCESS);
+    assertNoLeak();
+  });
+
+  test("getValidToken (silent refresh) does not echo either token", async () => {
+    await writeSession(sessionPath, {
+      version: SESSION_VERSION,
+      accessToken: "old-stale-token",
+      refreshToken: SECRET_REFRESH,
+      accessTokenExpiresAt: Date.now() - 1_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: RESOURCE_URL,
+      issuedAt: new Date().toISOString(),
+    });
+    const token = await getValidToken({ config: cfg(), fetcher: fakeServer() });
+    expect(token).toBe(SECRET_ACCESS_2);
+    assertNoLeak();
+  });
+
+  test("getValidToken (full re-login) does not echo the token", async () => {
+    const token = await getValidToken({
+      config: cfg(),
+      fetcher: fakeServer(),
+      browserOpener: drivingOpener(),
+    });
+    expect(token).toBe(SECRET_ACCESS);
+    assertNoLeak();
+  });
+
+  test("logout does not echo a token", async () => {
+    await writeSession(sessionPath, {
+      version: SESSION_VERSION,
+      accessToken: SECRET_ACCESS,
+      refreshToken: SECRET_REFRESH,
+      accessTokenExpiresAt: Date.now() + 600_000,
+      clientId: "cid",
+      tokenEndpoint: TOKEN_ENDPOINT,
+      resource: RESOURCE_URL,
+      issuedAt: new Date().toISOString(),
+    });
+    await logout({ config: cfg() });
+    assertNoLeak();
+  });
+
+  test("diagnostic output mentions the session PATH but not its contents", async () => {
+    await login({
+      config: cfg(),
+      fetcher: fakeServer(),
+      browserOpener: drivingOpener(),
+    });
+    const haystack = captured.join("\n");
+    // The path is fine to print (it's where the file lives, not the
+    // credential). The credential is not.
+    expect(haystack).toContain(sessionPath);
+    assertNoLeak();
+  });
+});