@openparachute/vault 0.2.3 → 0.3.0-rc.1

package/src/oauth.test.ts

@@ -5,6 +5,9 @@
 import { describe, test, expect, beforeEach, afterEach } from "bun:test";
 import { Database } from "bun:sqlite";
 import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
 import { initSchema } from "../core/src/schema.ts";
 import { generateToken, createToken, resolveToken } from "./token-store.ts";
 import {
@@ -113,44 +116,45 @@ async function fullOAuthFlow(opts?: { scope?: string }): Promise<string> {
 
 describe("OAuth discovery", () => {
   test("protected resource metadata", async () => {
-    const req = makeRequest("https://vault.test/.well-known/oauth-protected-resource");
-    const res = handleProtectedResource(req);
+    const req = makeRequest("https://vault.test/vault/default/.well-known/oauth-protected-resource");
+    const res = handleProtectedResource(req, "default");
     expect(res.status).toBe(200);
     const body = await res.json();
-    expect(body.resource).toBe("https://vault.test/mcp");
+    expect(body.resource).toBe("https://vault.test/vault/default/mcp");
+    expect(body.authorization_servers).toEqual(["https://vault.test/vault/default"]);
     expect(body.scopes_supported).toContain("full");
     expect(body.scopes_supported).toContain("read");
   });
 
   test("authorization server metadata", async () => {
-    const req = makeRequest("https://vault.test/.well-known/oauth-authorization-server");
-    const res = handleAuthorizationServer(req);
+    const req = makeRequest("https://vault.test/vault/default/.well-known/oauth-authorization-server");
+    const res = handleAuthorizationServer(req, "default");
     expect(res.status).toBe(200);
     const body = await res.json();
-    expect(body.issuer).toBe("https://vault.test");
-    expect(body.authorization_endpoint).toBe("https://vault.test/oauth/authorize");
-    expect(body.token_endpoint).toBe("https://vault.test/oauth/token");
-    expect(body.registration_endpoint).toBe("https://vault.test/oauth/register");
+    expect(body.issuer).toBe("https://vault.test/vault/default");
+    expect(body.authorization_endpoint).toBe("https://vault.test/vault/default/oauth/authorize");
+    expect(body.token_endpoint).toBe("https://vault.test/vault/default/oauth/token");
+    expect(body.registration_endpoint).toBe("https://vault.test/vault/default/oauth/register");
     expect(body.code_challenge_methods_supported).toEqual(["S256"]);
   });
 
-  test("resource URL includes custom mcpPath for per-vault", async () => {
-    const req = makeRequest("https://vault.test/.well-known/oauth-protected-resource");
-    const res = handleProtectedResource(req, "/vaults/work/mcp");
+  test("resource URL reflects the vault name", async () => {
+    const req = makeRequest("https://vault.test/vault/work/.well-known/oauth-protected-resource");
+    const res = handleProtectedResource(req, "work");
     const body = await res.json();
-    expect(body.resource).toBe("https://vault.test/vaults/work/mcp");
+    expect(body.resource).toBe("https://vault.test/vault/work/mcp");
   });
 
   test("uses x-forwarded-proto and x-forwarded-host", async () => {
-    const req = makeRequest("http://localhost:1940/.well-known/oauth-protected-resource", {
+    const req = makeRequest("http://localhost:1940/vault/default/.well-known/oauth-protected-resource", {
       headers: {
         "x-forwarded-proto": "https",
         "x-forwarded-host": "vault.example.com",
       },
     });
-    const res = handleProtectedResource(req);
+    const res = handleProtectedResource(req, "default");
     const body = await res.json();
-    expect(body.resource).toBe("https://vault.example.com/mcp");
+    expect(body.resource).toBe("https://vault.example.com/vault/default/mcp");
   });
 });
 
@@ -989,7 +993,7 @@ describe("OAuth consent — scope selection", () => {
       "default",
     );
     const body = await tokenRes.json();
-    expect(body.scope).toBe("read");
+    expect(body.scope).toBe("vault:read");
   });
 
   test("defaults selected_scope to requested scope when not provided", async () => {
@@ -1032,7 +1036,7 @@ describe("OAuth consent — scope selection", () => {
       "default",
     );
     const body = await tokenRes.json();
-    expect(body.scope).toBe("read");
+    expect(body.scope).toBe("vault:read");
   });
 
   test("consent HTML includes both scope radio buttons", async () => {
@@ -1303,7 +1307,7 @@ describe("OAuth token response — vault name", () => {
     expect(body.access_token).toMatch(/^pvt_/);
     expect(body.vault).toBe("default");
     expect(body.token_type).toBe("bearer");
-    expect(body.scope).toBe("full");
+    expect(body.scope).toBe("vault:read vault:write vault:admin");
   });
 
   test("includes vault name for a scoped (named-vault) flow", async () => {
@@ -1316,7 +1320,7 @@ describe("OAuth token response — vault name", () => {
     const redirectUri = "https://example.com/callback";
 
     const authRes = await handleAuthorizePost(
-      makeRequest("https://vault.test/vaults/work/oauth/authorize", {
+      makeRequest("https://vault.test/vault/work/oauth/authorize", {
         method: "POST",
         body: new URLSearchParams({
           action: "authorize",
@@ -1334,7 +1338,7 @@ describe("OAuth token response — vault name", () => {
     const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
 
     const tokenRes = await handleToken(
-      makeRequest("https://vault.test/vaults/work/oauth/token", {
+      makeRequest("https://vault.test/vault/work/oauth/token", {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
@@ -1359,49 +1363,31 @@ describe("OAuth token response — vault name", () => {
 
 describe("OAuth discovery — vault-scoped", () => {
   test("authorization-server metadata scopes all endpoints to the vault", async () => {
-    const req = makeRequest("https://vault.test/vaults/work/.well-known/oauth-authorization-server");
+    const req = makeRequest("https://vault.test/vault/work/.well-known/oauth-authorization-server");
     const res = handleAuthorizationServer(req, "work");
     const body = await res.json();
-    // Issuer and endpoints all live under /vaults/work. This is what makes
-    // vault-scoped OAuth work end-to-end: a client following the scoped
-    // discovery gets redirected to the scoped authorize/token endpoints,
+    // Issuer and endpoints all live under /vault/work. A client following the
+    // scoped discovery gets redirected to the scoped authorize/token endpoints,
     // which in turn mint the token into the named vault's DB.
-    expect(body.issuer).toBe("https://vault.test/vaults/work");
-    expect(body.authorization_endpoint).toBe("https://vault.test/vaults/work/oauth/authorize");
-    expect(body.token_endpoint).toBe("https://vault.test/vaults/work/oauth/token");
-    expect(body.registration_endpoint).toBe("https://vault.test/vaults/work/oauth/register");
+    expect(body.issuer).toBe("https://vault.test/vault/work");
+    expect(body.authorization_endpoint).toBe("https://vault.test/vault/work/oauth/authorize");
+    expect(body.token_endpoint).toBe("https://vault.test/vault/work/oauth/token");
+    expect(body.registration_endpoint).toBe("https://vault.test/vault/work/oauth/register");
     expect(body.code_challenge_methods_supported).toEqual(["S256"]);
   });
 
-  test("authorization-server metadata defaults to unscoped endpoints when no vaultName", async () => {
-    // Regression check — the unscoped form still returns unscoped endpoints.
-    const req = makeRequest("https://vault.test/.well-known/oauth-authorization-server");
-    const res = handleAuthorizationServer(req);
-    const body = await res.json();
-    expect(body.issuer).toBe("https://vault.test");
-    expect(body.authorization_endpoint).toBe("https://vault.test/oauth/authorize");
-    expect(body.token_endpoint).toBe("https://vault.test/oauth/token");
-  });
-
   test("protected-resource advertises a vault-scoped authorization server", async () => {
-    const req = makeRequest("https://vault.test/vaults/work/.well-known/oauth-protected-resource");
-    const res = handleProtectedResource(req, "/vaults/work/mcp", "/vaults/work");
+    const req = makeRequest("https://vault.test/vault/work/.well-known/oauth-protected-resource");
+    const res = handleProtectedResource(req, "work");
     const body = await res.json();
-    expect(body.resource).toBe("https://vault.test/vaults/work/mcp");
+    expect(body.resource).toBe("https://vault.test/vault/work/mcp");
     // The authorization server the client should fetch next is the scoped one,
     // so the client discovers the scoped authorize/token endpoints.
-    expect(body.authorization_servers).toEqual(["https://vault.test/vaults/work"]);
-  });
-
-  test("protected-resource defaults to root authorization server when no prefix", async () => {
-    const req = makeRequest("https://vault.test/.well-known/oauth-protected-resource");
-    const res = handleProtectedResource(req);
-    const body = await res.json();
-    expect(body.authorization_servers).toEqual(["https://vault.test"]);
+    expect(body.authorization_servers).toEqual(["https://vault.test/vault/work"]);
   });
 
   test("scoped discovery honors x-forwarded-host", async () => {
-    const req = makeRequest("http://localhost:1940/vaults/work/.well-known/oauth-authorization-server", {
+    const req = makeRequest("http://localhost:1940/vault/work/.well-known/oauth-authorization-server", {
       headers: {
         "x-forwarded-proto": "https",
         "x-forwarded-host": "vault.example.com",
@@ -1409,8 +1395,8 @@ describe("OAuth discovery — vault-scoped", () => {
     });
     const res = handleAuthorizationServer(req, "work");
     const body = await res.json();
-    expect(body.issuer).toBe("https://vault.example.com/vaults/work");
-    expect(body.authorization_endpoint).toBe("https://vault.example.com/vaults/work/oauth/authorize");
+    expect(body.issuer).toBe("https://vault.example.com/vault/work");
+    expect(body.authorization_endpoint).toBe("https://vault.example.com/vault/work/oauth/authorize");
   });
 });
 
@@ -1432,7 +1418,7 @@ describe("OAuth token — cross-vault code replay", () => {
 
     // Issue a code under vault A's authorize endpoint
     const authRes = await handleAuthorizePost(
-      makeRequest("https://vault.test/vaults/vault-a/oauth/authorize", {
+      makeRequest("https://vault.test/vault/vault-a/oauth/authorize", {
         method: "POST",
         body: new URLSearchParams({
           action: "authorize",
@@ -1455,7 +1441,7 @@ describe("OAuth token — cross-vault code replay", () => {
     // barrier: without the vault_name pinning, the code would mint a token
     // into whichever vault's DB this handleToken was called against.
     const tokenRes = await handleToken(
-      makeRequest("https://vault.test/vaults/vault-b/oauth/token", {
+      makeRequest("https://vault.test/vault/vault-b/oauth/token", {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
@@ -1483,7 +1469,7 @@ describe("OAuth token — cross-vault code replay", () => {
     const redirectUri = "https://example.com/callback";
 
     const authRes = await handleAuthorizePost(
-      makeRequest("https://vault.test/vaults/vault-a/oauth/authorize", {
+      makeRequest("https://vault.test/vault/vault-a/oauth/authorize", {
         method: "POST",
         body: new URLSearchParams({
           action: "authorize",
@@ -1501,7 +1487,7 @@ describe("OAuth token — cross-vault code replay", () => {
     const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
 
     const tokenRes = await handleToken(
-      makeRequest("https://vault.test/vaults/vault-a/oauth/token", {
+      makeRequest("https://vault.test/vault/vault-a/oauth/token", {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
@@ -1521,3 +1507,305 @@ describe("OAuth token — cross-vault code replay", () => {
     expect(body.access_token).toMatch(/^pvt_/);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Phase 0+1: PARACHUTE_HUB_ORIGIN + service catalog in token response
+// ---------------------------------------------------------------------------
+
+describe("OAuth Phase 0: PARACHUTE_HUB_ORIGIN", () => {
+  const HUB = "https://hub.example";
+  let origHub: string | undefined;
+  let origHome: string | undefined;
+  let tmpHome: string;
+
+  beforeEach(() => {
+    origHub = process.env.PARACHUTE_HUB_ORIGIN;
+    origHome = process.env.PARACHUTE_HOME;
+    tmpHome = fs.mkdtempSync(path.join(os.tmpdir(), "vault-oauth-phase0-"));
+    process.env.PARACHUTE_HOME = tmpHome;
+  });
+
+  afterEach(() => {
+    if (origHub === undefined) delete process.env.PARACHUTE_HUB_ORIGIN;
+    else process.env.PARACHUTE_HUB_ORIGIN = origHub;
+    if (origHome === undefined) delete process.env.PARACHUTE_HOME;
+    else process.env.PARACHUTE_HOME = origHome;
+    fs.rmSync(tmpHome, { recursive: true, force: true });
+  });
+
+  test("discovery: returns hub issuer when request arrives via hub origin", () => {
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const req = makeRequest(`${HUB}/vault/default/.well-known/oauth-authorization-server`);
+    const res = handleAuthorizationServer(req, "default");
+    expect(res.status).toBe(200);
+    return res.json().then((body: any) => {
+      expect(body.issuer).toBe(HUB);
+      expect(body.authorization_endpoint).toBe(`${HUB}/oauth/authorize`);
+      expect(body.token_endpoint).toBe(`${HUB}/oauth/token`);
+      expect(body.registration_endpoint).toBe(`${HUB}/oauth/register`);
+      expect(body.scopes_supported).toContain("vault:read");
+      expect(body.scopes_supported).toContain("vault:write");
+    });
+  });
+
+  test("discovery: trailing slash on hub origin is stripped", async () => {
+    process.env.PARACHUTE_HUB_ORIGIN = `${HUB}/`;
+    const req = makeRequest(`${HUB}/vault/default/.well-known/oauth-authorization-server`);
+    const res = handleAuthorizationServer(req, "default");
+    const body = await res.json();
+    expect(body.issuer).toBe(HUB);
+    expect(body.token_endpoint).toBe(`${HUB}/oauth/token`);
+  });
+
+  test("discovery: protected-resource metadata uses hub as authorization_server when request arrives via hub", async () => {
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const req = makeRequest(`${HUB}/vault/default/.well-known/oauth-protected-resource`);
+    const res = handleProtectedResource(req, "default");
+    const body = await res.json();
+    expect(body.authorization_servers).toEqual([HUB]);
+    expect(body.resource).toBe(`${HUB}/vault/default/mcp`);
+    expect(body.scopes_supported).toContain("vault:read");
+  });
+
+  test("discovery: RFC 8414 — hub env set, request via loopback returns loopback issuer, not hub", async () => {
+    // Aaron's bug: mcp-install wrote a loopback URL while PARACHUTE_HUB_ORIGIN
+    // was set, so the client fetched discovery via http://127.0.0.1 but got
+    // back `issuer: https://hub.example` — origin mismatch, strict OAuth
+    // clients (Claude Code) reject. Each origin must advertise its own issuer.
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const req = makeRequest("http://127.0.0.1:1940/vault/default/.well-known/oauth-authorization-server");
+    const res = handleAuthorizationServer(req, "default");
+    const body = await res.json();
+    expect(body.issuer).toBe("http://127.0.0.1:1940/vault/default");
+    expect(body.token_endpoint).toBe("http://127.0.0.1:1940/vault/default/oauth/token");
+    expect(body.registration_endpoint).toBe("http://127.0.0.1:1940/vault/default/oauth/register");
+  });
+
+  test("discovery: protected-resource on loopback returns loopback AS even with hub env set", async () => {
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const req = makeRequest("http://127.0.0.1:1940/vault/default/.well-known/oauth-protected-resource");
+    const res = handleProtectedResource(req, "default");
+    const body = await res.json();
+    expect(body.authorization_servers).toEqual(["http://127.0.0.1:1940/vault/default"]);
+    expect(body.resource).toBe("http://127.0.0.1:1940/vault/default/mcp");
+  });
+
+  test("discovery: falls back to vault origin when env is unset", async () => {
+    delete process.env.PARACHUTE_HUB_ORIGIN;
+    const req = makeRequest("https://vault.test/vault/default/.well-known/oauth-authorization-server");
+    const res = handleAuthorizationServer(req, "default");
+    const body = await res.json();
+    expect(body.issuer).toBe("https://vault.test/vault/default");
+    expect(body.token_endpoint).toBe("https://vault.test/vault/default/oauth/token");
+  });
+
+  test("scopes_supported publishes new shape alongside legacy names", async () => {
+    const req = makeRequest("https://vault.test/vault/default/.well-known/oauth-authorization-server");
+    const res = handleAuthorizationServer(req, "default");
+    const body = await res.json();
+    expect(body.scopes_supported).toEqual(expect.arrayContaining(["vault:read", "vault:write", "full", "read"]));
+  });
+
+  test("token response includes iss = hub when issued on hub origin", async () => {
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const token = await fullOAuthFlow();
+    // Re-issue a token to inspect the body (fullOAuthFlow returns only the string)
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+    const authRes = await handleAuthorizePost(
+      makeRequest(`${HUB}/vault/default/oauth/authorize`, {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+    const tokenRes = await handleToken(
+      makeRequest(`${HUB}/vault/default/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(200);
+    const body = await tokenRes.json();
+    expect(body.iss).toBe(HUB);
+    expect(body.services).toEqual({});
+    // Back-compat: access_token still present and unchanged shape-wise.
+    expect(body.access_token).toMatch(/^pvt_/);
+    expect(token).toMatch(/^pvt_/);
+  });
+
+  test("token iss matches request origin when client came via loopback even with hub env set", async () => {
+    // Same-vault twin of the discovery-on-loopback test: a token minted over
+    // the loopback flow carries `iss` = the loopback issuer, not the hub.
+    // Tokens introspected against loopback discovery's issuer must validate.
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+    const authRes = await handleAuthorizePost(
+      makeRequest("http://127.0.0.1:1940/vault/default/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+    const tokenRes = await handleToken(
+      makeRequest("http://127.0.0.1:1940/vault/default/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    const body = await tokenRes.json();
+    expect(body.iss).toBe("http://127.0.0.1:1940/vault/default");
+  });
+
+  test("token response services catalog reflects services.json using hub origin when issued via hub", async () => {
+    process.env.PARACHUTE_HUB_ORIGIN = HUB;
+    fs.writeFileSync(
+      path.join(tmpHome, "services.json"),
+      JSON.stringify({
+        services: [
+          { name: "vault", port: 1940, paths: ["/vault/default"], health: "/health", version: "0.3.0" },
+          { name: "notes", port: 1941, paths: ["/notes"], health: "/health", version: "0.1.0" },
+        ],
+      }),
+    );
+
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+    const authRes = await handleAuthorizePost(
+      makeRequest(`${HUB}/vault/default/oauth/authorize`, {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+    const tokenRes = await handleToken(
+      makeRequest(`${HUB}/vault/default/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    const body = await tokenRes.json();
+    expect(body.services).toEqual({
+      vault: { url: `${HUB}/vault/default`, version: "0.3.0" },
+      notes: { url: `${HUB}/notes`, version: "0.1.0" },
+    });
+  });
+
+  test("token response services catalog falls back to vault origin when hub env unset", async () => {
+    delete process.env.PARACHUTE_HUB_ORIGIN;
+    fs.writeFileSync(
+      path.join(tmpHome, "services.json"),
+      JSON.stringify({
+        services: [
+          { name: "vault", port: 1940, paths: ["/vault/default"], health: "/health", version: "0.3.0" },
+        ],
+      }),
+    );
+
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/vault/default/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/vault/default/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    const body = await tokenRes.json();
+    expect(body.iss).toBe("https://vault.test/vault/default");
+    expect(body.services).toEqual({
+      vault: { url: "https://vault.test/vault/default", version: "0.3.0" },
+    });
+  });
+});