@matdata/yasqe 5.5.0 → 5.7.0

package/src/__tests__/oauth2-test.ts

@@ -0,0 +1,320 @@
+/**
+ * OAuth 2.0 Authentication Tests
+ */
+
+import { describe, it } from "mocha";
+import { expect } from "chai";
+
+describe("OAuth 2.0 Authentication", () => {
+  describe("Token Expiration", () => {
+    it("should detect expired token", () => {
+      // Token expired 1 hour ago
+      const pastTimestamp = Date.now() - 60 * 60 * 1000;
+      const isExpired = pastTimestamp <= Date.now();
+
+      expect(isExpired).to.be.true;
+    });
+
+    it("should detect valid token", () => {
+      // Token expires in 1 hour
+      const futureTimestamp = Date.now() + 60 * 60 * 1000;
+      const isExpired = futureTimestamp <= Date.now();
+
+      expect(isExpired).to.be.false;
+    });
+
+    it("should handle undefined expiry", () => {
+      const tokenExpiry: number | undefined = undefined;
+      const isExpired = !tokenExpiry || tokenExpiry <= Date.now();
+
+      expect(isExpired).to.be.true;
+    });
+
+    it("should add buffer time to expiration check", () => {
+      // Token expires in 30 seconds - should be considered expired with 60s buffer
+      const soonToExpire = Date.now() + 30 * 1000;
+      const buffer = 60 * 1000;
+      const isExpiredWithBuffer = soonToExpire <= Date.now() + buffer;
+
+      expect(isExpiredWithBuffer).to.be.true;
+    });
+  });
+
+  describe("Authorization Header Format", () => {
+    it("should create proper OAuth 2.0 Bearer header", () => {
+      const accessToken =
+        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
+      const header = `Bearer ${accessToken}`;
+
+      expect(header).to.equal(`Bearer ${accessToken}`);
+      expect(header).to.match(/^Bearer .+$/);
+    });
+
+    it("should handle various access token formats", () => {
+      const tokens = [
+        "short-token",
+        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature",
+        "opaque-token-12345678",
+        "token_with_underscores",
+        "token-with-dashes",
+      ];
+
+      tokens.forEach((token) => {
+        const header = `Bearer ${token}`;
+        expect(header).to.match(/^Bearer .+$/);
+        expect(header).to.equal(`Bearer ${token}`);
+      });
+    });
+  });
+
+  describe("Token Storage and Retrieval", () => {
+    it("should store access token", () => {
+      const tokenData = {
+        accessToken: "test-access-token",
+        refreshToken: "test-refresh-token",
+        tokenExpiry: Date.now() + 3600 * 1000,
+      };
+
+      expect(tokenData.accessToken).to.be.a("string");
+      expect(tokenData.refreshToken).to.be.a("string");
+      expect(tokenData.tokenExpiry).to.be.a("number");
+    });
+
+    it("should handle missing refresh token", () => {
+      const tokenData = {
+        accessToken: "test-access-token",
+        refreshToken: undefined as string | undefined,
+        tokenExpiry: Date.now() + 3600 * 1000,
+      };
+
+      expect(tokenData.accessToken).to.be.a("string");
+      expect(tokenData.refreshToken).to.be.undefined;
+    });
+  });
+
+  describe("Token Expiry Calculation", () => {
+    it("should calculate correct expiry timestamp", () => {
+      const expiresIn = 3600; // 1 hour in seconds
+      const now = Date.now();
+      const expectedExpiry = now + expiresIn * 1000;
+      const calculatedExpiry = now + expiresIn * 1000;
+
+      // Allow 1 second tolerance for test execution time
+      expect(calculatedExpiry).to.be.closeTo(expectedExpiry, 1000);
+    });
+
+    it("should handle undefined expires_in", () => {
+      const expiresIn: number | undefined = undefined;
+      const expiry = expiresIn ? Date.now() + expiresIn * 1000 : undefined;
+
+      expect(expiry).to.be.undefined;
+    });
+
+    it("should convert seconds to milliseconds", () => {
+      const expiresInSeconds = 3600;
+      const expiresInMs = expiresInSeconds * 1000;
+
+      expect(expiresInMs).to.equal(3600000);
+    });
+  });
+
+  describe("OAuth 2.0 Configuration Validation", () => {
+    it("should validate required OAuth 2.0 parameters", () => {
+      const config = {
+        clientId: "my-client-id",
+        authorizationEndpoint: "https://provider.com/oauth/authorize",
+        tokenEndpoint: "https://provider.com/oauth/token",
+        redirectUri: "https://myapp.com/callback",
+      };
+
+      expect(config.clientId).to.be.a("string").and.to.have.length.greaterThan(0);
+      expect(config.authorizationEndpoint).to.be.a("string").and.to.include("http");
+      expect(config.tokenEndpoint).to.be.a("string").and.to.include("http");
+      expect(config.redirectUri).to.be.a("string").and.to.include("http");
+    });
+
+    it("should handle optional scope parameter", () => {
+      const config = {
+        clientId: "my-client-id",
+        authorizationEndpoint: "https://provider.com/oauth/authorize",
+        tokenEndpoint: "https://provider.com/oauth/token",
+        redirectUri: "https://myapp.com/callback",
+        scope: "read write",
+      };
+
+      expect(config.scope).to.be.a("string");
+    });
+
+    it("should handle missing scope parameter", () => {
+      const config = {
+        clientId: "my-client-id",
+        authorizationEndpoint: "https://provider.com/oauth/authorize",
+        tokenEndpoint: "https://provider.com/oauth/token",
+        redirectUri: "https://myapp.com/callback",
+        scope: undefined as string | undefined,
+      };
+
+      expect(config.scope).to.be.undefined;
+    });
+  });
+
+  describe("PKCE Code Challenge Generation", () => {
+    it("should generate code verifier of correct length", () => {
+      const length = 128;
+      const possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+      const codeVerifier = Array.from({ length }, () => possible[Math.floor(Math.random() * possible.length)]).join("");
+
+      expect(codeVerifier).to.have.length(length);
+      expect(codeVerifier).to.match(/^[A-Za-z0-9\-._~]+$/);
+    });
+
+    it("should validate PKCE characters", () => {
+      const validChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+      const testString = "abc123-._~ABC";
+
+      // Check all characters are valid
+      const allValid = testString.split("").every((char) => validChars.includes(char));
+
+      expect(allValid).to.be.true;
+    });
+  });
+
+  describe("URL Parameter Encoding", () => {
+    it("should properly encode URL parameters", () => {
+      const params = {
+        client_id: "my-client-id",
+        response_type: "code",
+        redirect_uri: "https://myapp.com/callback",
+        state: "random-state-string",
+        code_challenge: "challenge-string",
+        code_challenge_method: "S256",
+      };
+
+      const searchParams = new URLSearchParams(params);
+      expect(searchParams.get("client_id")).to.equal("my-client-id");
+      expect(searchParams.get("response_type")).to.equal("code");
+      expect(searchParams.get("code_challenge_method")).to.equal("S256");
+    });
+
+    it("should handle optional scope in URL", () => {
+      const params = {
+        client_id: "my-client-id",
+        scope: "read write",
+      };
+
+      const searchParams = new URLSearchParams(params);
+      expect(searchParams.get("scope")).to.equal("read write");
+    });
+  });
+
+  describe("Token Response Parsing", () => {
+    it("should parse token response correctly", () => {
+      const tokenResponse = {
+        access_token: "new-access-token",
+        refresh_token: "new-refresh-token",
+        expires_in: 3600,
+        token_type: "Bearer",
+      };
+
+      expect(tokenResponse.access_token).to.be.a("string");
+      expect(tokenResponse.refresh_token).to.be.a("string");
+      expect(tokenResponse.expires_in).to.be.a("number");
+      expect(tokenResponse.token_type).to.equal("Bearer");
+    });
+
+    it("should handle response without refresh token", () => {
+      const tokenResponse = {
+        access_token: "new-access-token",
+        expires_in: 3600,
+        token_type: "Bearer",
+      };
+
+      expect(tokenResponse.access_token).to.be.a("string");
+      expect(tokenResponse).to.not.have.property("refresh_token");
+    });
+  });
+
+  describe("Authentication Priority with OAuth 2.0", () => {
+    it("should prioritize OAuth 2.0 over Basic auth", () => {
+      // Both use Authorization header, OAuth 2.0 should be checked first
+      const oauth2Header = "Bearer oauth2-token";
+      const basicHeader = "Basic " + btoa("user:pass");
+
+      expect(oauth2Header).to.not.equal(basicHeader);
+      expect(oauth2Header).to.include("Bearer");
+      expect(basicHeader).to.include("Basic");
+    });
+
+    it("should allow API Key to coexist with OAuth 2.0", () => {
+      // OAuth 2.0 uses Authorization header, API Key uses custom header
+      const authorizationHeader = "Authorization";
+      const apiKeyHeader = "X-API-Key";
+
+      expect(authorizationHeader).to.not.equal(apiKeyHeader);
+      // These are different headers, so they can both be set
+    });
+  });
+
+  describe("Error Handling", () => {
+    it("should handle undefined authentication config", () => {
+      const oauth2Auth = undefined;
+
+      expect(oauth2Auth).to.be.undefined;
+      // Implementation should handle undefined gracefully
+    });
+
+    it("should handle null access token", () => {
+      const accessToken: any = null;
+      const isValid = !!(accessToken && typeof accessToken === "string" && accessToken.trim().length > 0);
+
+      expect(isValid).to.be.false;
+    });
+
+    it("should validate empty access token", () => {
+      const accessToken = "";
+      const isValid = accessToken.trim().length > 0;
+
+      expect(isValid).to.be.false;
+    });
+
+    it("should validate whitespace-only access token", () => {
+      const accessToken = "   ";
+      const isValid = accessToken.trim().length > 0;
+
+      expect(isValid).to.be.false;
+    });
+
+    it("should validate non-empty access token", () => {
+      const accessToken = "valid-token";
+      const isValid = accessToken.trim().length > 0;
+
+      expect(isValid).to.be.true;
+    });
+  });
+
+  describe("Trimming Behavior", () => {
+    it("should use trimmed access token in header", () => {
+      const originalToken = "  token-with-spaces  ";
+      const trimmedToken = originalToken.trim();
+      const header = `Bearer ${trimmedToken}`;
+
+      expect(header).to.equal("Bearer token-with-spaces");
+      expect(header).to.not.include("  ");
+    });
+
+    it("should verify trimmed values are used not originals", () => {
+      const originalConfig = {
+        clientId: "  client-id  ",
+        scope: "  read write  ",
+      };
+
+      const trimmedConfig = {
+        clientId: originalConfig.clientId.trim(),
+        scope: originalConfig.scope.trim(),
+      };
+
+      expect(trimmedConfig.clientId).to.equal("client-id");
+      expect(trimmedConfig.scope).to.equal("read write");
+    });
+  });
+});

package/src/defaults.ts

@@ -175,6 +175,9 @@ SELECT * WHERE {
     withCredentials: false,
     adjustQueryBeforeRequest: false,
     basicAuth: undefined,
+    bearerAuth: undefined,
+    apiKeyAuth: undefined,
+    oauth2Auth: undefined,
   };
   return { ...config, requestConfig };
 }