@openverifiable/connector-bluesky 1.0.0 → 1.0.2

package/lib/dpop.test.js

@@ -1,266 +0,0 @@
-/**
- * DPoP Tests
- * Tests for Demonstrating Proof of Possession (RFC 9449) implementation
- */
-import { describe, it, expect } from '@jest/globals';
-import { generateDPoPKeyPair, exportPublicKeyAsJWK, createDPoPProofForToken, createDPoPProofForResource, extractDPoPNonce, } from './dpop.js';
-import { sha256Base64Url, createMockDPoPNonceError, } from './test-utils.js';
-describe('DPoP Implementation', () => {
-    describe('generateDPoPKeyPair', () => {
-        it('should generate valid DPoP key pair', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            expect(keyPair.publicKey).toBeDefined();
-            expect(keyPair.privateKey).toBeDefined();
-            expect(keyPair.publicKey).toBeInstanceOf(CryptoKey);
-            expect(keyPair.privateKey).toBeInstanceOf(CryptoKey);
-        });
-        it('should generate ES256 key pairs with P-256 curve', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const crypto = globalThis.crypto;
-            // Verify key algorithm
-            const publicKeyJwk = await crypto.subtle.exportKey('jwk', keyPair.publicKey);
-            expect(publicKeyJwk.kty).toBe('EC');
-            expect(publicKeyJwk.crv).toBe('P-256');
-            // Note: alg is not part of JWK standard, it's inferred from the key type
-        });
-        it('should generate different key pairs each time', async () => {
-            const keyPair1 = await generateDPoPKeyPair();
-            const keyPair2 = await generateDPoPKeyPair();
-            // Export and compare
-            const crypto = globalThis.crypto;
-            const jwk1 = await crypto.subtle.exportKey('jwk', keyPair1.privateKey);
-            const jwk2 = await crypto.subtle.exportKey('jwk', keyPair2.privateKey);
-            expect(jwk1.d).not.toBe(jwk2.d);
-        });
-        it('should generate extractable keys', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const crypto = globalThis.crypto;
-            // Should be able to export keys
-            const publicJwk = await crypto.subtle.exportKey('jwk', keyPair.publicKey);
-            const privateJwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
-            expect(publicJwk).toBeDefined();
-            expect(privateJwk).toBeDefined();
-        });
-    });
-    describe('exportPublicKeyAsJWK', () => {
-        it('should export public key as JWK without private fields', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const publicJwk = await exportPublicKeyAsJWK(keyPair.publicKey);
-            expect(publicJwk.kty).toBe('EC');
-            expect(publicJwk.crv).toBe('P-256');
-            expect(publicJwk.x).toBeDefined();
-            expect(publicJwk.y).toBeDefined();
-            expect(publicJwk.d).toBeUndefined(); // Private key field should not be present
-        });
-    });
-    describe('createDPoPProofForToken', () => {
-        it('should create valid DPoP proof JWT for token endpoint', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            expect(proof).toBeDefined();
-            expect(typeof proof).toBe('string');
-            // Decode and verify structure
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded).toBeDefined();
-        });
-        it('should include required JWT header fields', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            // Decode header
-            const parts = proof.split('.');
-            const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
-            expect(header.typ).toBe('dpop+jwt');
-            expect(header.alg).toBe('ES256');
-            expect(header.jwk).toBeDefined();
-            expect(header.jwk.kty).toBe('EC');
-            expect(header.jwk.crv).toBe('P-256');
-        });
-        it('should include required JWT payload fields', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.jti).toBeDefined();
-            expect(decoded.htm).toBe('POST');
-            expect(decoded.htu).toBe(tokenEndpoint);
-            expect(decoded.iat).toBeDefined();
-            expect(decoded.exp).toBeDefined();
-        });
-        it('should include nonce when provided', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const nonce = 'test-nonce-12345';
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.nonce).toBe(nonce);
-        });
-        it('should include unique jti in each proof', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof1 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            const proof2 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            const parts1 = proof1.split('.');
-            const parts2 = proof2.split('.');
-            const decoded1 = JSON.parse(Buffer.from(parts1[1], 'base64url').toString());
-            const decoded2 = JSON.parse(Buffer.from(parts2[1], 'base64url').toString());
-            expect(decoded1.jti).not.toBe(decoded2.jti);
-        });
-        it('should sign proof with correct private key', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint);
-            // Verify signature can be validated by checking JWT structure
-            // Note: We can't verify with the same key pair because the public key
-            // from generateDPoPKeyPair only has 'sign' usage, not 'verify'
-            // In production, the server would verify using the public key from the JWT header
-            const parts = proof.split('.');
-            expect(parts.length).toBe(3); // header.payload.signature
-            expect(proof).toBeDefined();
-        });
-        it('should include correct HTTP method and URL', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const proof = await createDPoPProofForToken(keyPair, 'GET', tokenEndpoint);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.htm).toBe('GET');
-            expect(decoded.htu).toBe(tokenEndpoint);
-        });
-    });
-    describe('createDPoPProofForResource', () => {
-        it('should create valid DPoP proof JWT for resource server', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
-            const accessToken = 'test_access_token_12345';
-            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
-            expect(proof).toBeDefined();
-            expect(typeof proof).toBe('string');
-        });
-        it('should include ath (access token hash) field', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
-            const accessToken = 'test_access_token_12345';
-            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.ath).toBeDefined();
-            // Verify ath is correct hash of access token
-            const expectedAth = sha256Base64Url(accessToken);
-            expect(decoded.ath).toBe(expectedAth);
-        });
-        it('should include all required fields plus ath', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
-            const accessToken = 'test_access_token_12345';
-            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.jti).toBeDefined();
-            expect(decoded.htm).toBe('GET');
-            expect(decoded.htu).toBe(resourceUrl);
-            expect(decoded.iat).toBeDefined();
-            expect(decoded.exp).toBeDefined();
-            expect(decoded.ath).toBeDefined();
-        });
-        it('should include nonce when provided', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
-            const accessToken = 'test_access_token_12345';
-            const nonce = 'test-nonce-67890';
-            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken, nonce);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.nonce).toBe(nonce);
-        });
-        it('should sign proof with correct private key', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const resourceUrl = 'https://bsky.social/xrpc/app.bsky.actor.getProfile';
-            const accessToken = 'test_access_token_12345';
-            const proof = await createDPoPProofForResource(keyPair, 'GET', resourceUrl, accessToken);
-            // Verify signature can be validated by checking JWT structure
-            // Note: We can't verify with the same key pair because the public key
-            // from generateDPoPKeyPair only has 'sign' usage, not 'verify'
-            // In production, the server would verify using the public key from the JWT header
-            const parts = proof.split('.');
-            expect(parts.length).toBe(3); // header.payload.signature
-            expect(proof).toBeDefined();
-        });
-    });
-    describe('extractDPoPNonce', () => {
-        it('should extract nonce from Headers object', () => {
-            const headers = new Headers();
-            headers.set('dpop-nonce', 'test-nonce-12345');
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBe('test-nonce-12345');
-        });
-        it('should extract nonce from record with lowercase key', () => {
-            const headers = { 'dpop-nonce': 'test-nonce-12345' };
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBe('test-nonce-12345');
-        });
-        it('should extract nonce from record with uppercase key', () => {
-            const headers = { 'DPoP-Nonce': 'test-nonce-12345' };
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBe('test-nonce-12345');
-        });
-        it('should return null when nonce is not present', () => {
-            const headers = { 'content-type': 'application/json' };
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBeNull();
-        });
-        it('should handle array values in headers', () => {
-            const headers = { 'dpop-nonce': ['test-nonce-12345'] };
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBe('test-nonce-12345');
-        });
-        it('should handle undefined headers', () => {
-            const headers = {};
-            const nonce = extractDPoPNonce(headers);
-            expect(nonce).toBeNull();
-        });
-    });
-    describe('Nonce Retry Flow', () => {
-        it('should handle use_dpop_nonce error response', () => {
-            const errorResponse = createMockDPoPNonceError('new-nonce-12345', 401);
-            expect(errorResponse.statusCode).toBe(401);
-            expect(errorResponse.headers['dpop-nonce']).toBe('new-nonce-12345');
-            expect(errorResponse.body).toContain('use_dpop_nonce');
-            const nonce = extractDPoPNonce(errorResponse.headers);
-            expect(nonce).toBe('new-nonce-12345');
-        });
-        it('should create proof with nonce after receiving error', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            const nonce = 'new-nonce-from-error';
-            // First attempt without nonce (would fail)
-            // Second attempt with nonce
-            const proof = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce);
-            const parts = proof.split('.');
-            const decoded = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-            expect(decoded.nonce).toBe(nonce);
-        });
-    });
-    describe('Nonce Rotation and Persistence', () => {
-        it('should handle nonce changes during session', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            const tokenEndpoint = 'https://bsky.social/oauth/token';
-            // Initial nonce
-            const nonce1 = 'nonce-1';
-            const proof1 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce1);
-            // Updated nonce
-            const nonce2 = 'nonce-2';
-            const proof2 = await createDPoPProofForToken(keyPair, 'POST', tokenEndpoint, nonce2);
-            const parts1 = proof1.split('.');
-            const parts2 = proof2.split('.');
-            const decoded1 = JSON.parse(Buffer.from(parts1[1], 'base64url').toString());
-            const decoded2 = JSON.parse(Buffer.from(parts2[1], 'base64url').toString());
-            expect(decoded1.nonce).toBe(nonce1);
-            expect(decoded2.nonce).toBe(nonce2);
-        });
-    });
-});

package/lib/index.test.js

@@ -1,329 +0,0 @@
-/**
- * Bluesky Connector Tests
- *
- * Basic unit tests for Bluesky OAuth connector with PAR, PKCE, and DPoP
- */
-import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';
-import nock from 'nock';
-import { ConnectorError } from '@logto/connector-kit';
-import { generatePKCECodePair } from './pkce.js';
-import { generateDPoPKeyPair } from './dpop.js';
-import { blueskyConfigGuard } from './types.js';
-import createBlueskyConnector from './index.js';
-import { authorizationServerMetadata, resourceServerMetadata, } from './__fixtures__/metadata.js';
-import { tokenResponse, } from './__fixtures__/token-responses.js';
-import { profileResponse, } from './__fixtures__/profile-responses.js';
-import { useDpopNonceError, invalidGrantError, } from './__fixtures__/oauth-errors.js';
-import { didPlcDocument, } from './__fixtures__/did-documents.js';
-describe('Bluesky Connector', () => {
-    beforeEach(() => {
-        nock.cleanAll();
-    });
-    afterEach(() => {
-        nock.cleanAll();
-    });
-    describe('PKCE Generation', () => {
-        it('should generate valid PKCE code pair', () => {
-            const pkce = generatePKCECodePair();
-            expect(pkce.codeVerifier).toBeDefined();
-            expect(pkce.codeChallenge).toBeDefined();
-            expect(pkce.codeChallengeMethod).toBe('S256');
-            expect(pkce.codeVerifier.length).toBeGreaterThan(32);
-            expect(pkce.codeChallenge.length).toBeGreaterThan(32);
-        });
-        it('should generate different code pairs each time', () => {
-            const pkce1 = generatePKCECodePair();
-            const pkce2 = generatePKCECodePair();
-            expect(pkce1.codeVerifier).not.toBe(pkce2.codeVerifier);
-            expect(pkce1.codeChallenge).not.toBe(pkce2.codeChallenge);
-        });
-    });
-    describe('DPoP Key Generation', () => {
-        it('should generate valid DPoP key pair', async () => {
-            const keyPair = await generateDPoPKeyPair();
-            expect(keyPair.publicKey).toBeDefined();
-            expect(keyPair.privateKey).toBeDefined();
-            expect(keyPair.publicKey).toBeInstanceOf(CryptoKey);
-            expect(keyPair.privateKey).toBeInstanceOf(CryptoKey);
-        });
-        it('should generate different key pairs each time', async () => {
-            const keyPair1 = await generateDPoPKeyPair();
-            const keyPair2 = await generateDPoPKeyPair();
-            // Export and compare
-            const crypto = globalThis.crypto;
-            const jwk1 = await crypto.subtle.exportKey('jwk', keyPair1.privateKey);
-            const jwk2 = await crypto.subtle.exportKey('jwk', keyPair2.privateKey);
-            expect(jwk1.d).not.toBe(jwk2.d);
-        });
-    });
-    describe('Config Validation', () => {
-        it('should accept valid config with private_key_jwt', () => {
-            const config = {
-                clientMetadataUri: 'https://example.com/.well-known/oauth-client-metadata.json',
-                clientId: 'https://example.com/client-id',
-                jwksUri: 'https://example.com/.well-known/jwks.json',
-                scope: 'atproto transition:generic',
-                tokenEndpointAuthMethod: 'private_key_jwt',
-            };
-            const result = blueskyConfigGuard.safeParse(config);
-            expect(result.success).toBe(true);
-        });
-        it('should reject config without jwksUri for private_key_jwt', () => {
-            const config = {
-                clientMetadataUri: 'https://example.com/.well-known/oauth-client-metadata.json',
-                clientId: 'https://example.com/client-id',
-                scope: 'atproto transition:generic',
-                tokenEndpointAuthMethod: 'private_key_jwt',
-            };
-            const result = blueskyConfigGuard.safeParse(config);
-            expect(result.success).toBe(false);
-        });
-        it('should reject config with invalid URLs', () => {
-            const config = {
-                clientMetadataUri: 'not-a-url',
-                clientId: 'https://example.com/client-id',
-                jwksUri: 'https://example.com/.well-known/jwks.json',
-                scope: 'atproto transition:generic',
-                tokenEndpointAuthMethod: 'private_key_jwt',
-            };
-            const result = blueskyConfigGuard.safeParse(config);
-            expect(result.success).toBe(false);
-        });
-    });
-    describe('OAuth Flow Integration', () => {
-        const mockConfig = jest.fn(async () => ({
-            clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
-            clientId: 'https://app.example.com/client-id',
-            jwksUri: 'https://app.example.com/.well-known/jwks.json',
-            scope: 'atproto transition:generic',
-            tokenEndpointAuthMethod: 'private_key_jwt',
-        }));
-        const setSession = jest.fn();
-        const getSession = jest.fn();
-        it('should complete full OAuth flow with handle', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            const handle = 'example.bsky.social';
-            const did = 'did:plc:example123456789';
-            const state = 'test-state-12345';
-            const redirectUri = 'https://app.example.com/oauth/callback';
-            const code = 'auth-code-12345';
-            const nonce = 'dpop-nonce-12345';
-            // Mock handle resolution
-            nock('https://example.bsky.social')
-                .get('/.well-known/atproto-did')
-                .reply(200, did);
-            // Mock DID document resolution
-            nock('https://plc.directory')
-                .get('/example123456789')
-                .reply(200, didPlcDocument);
-            // Mock protected resource metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-protected-resource')
-                .reply(200, resourceServerMetadata);
-            // Mock authorization server metadata
-            // fetchAuthorizationServerMetadata will try protected resource first, then auth server
-            // got library checks root URL first, so we need to mock both
-            nock('https://bsky.social')
-                .get('/')
-                .reply(200, '<html></html>', { 'content-type': 'text/html' })
-                .persist();
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata)
-                .persist();
-            // Mock PAR request (with nonce retry)
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(401, useDpopNonceError, {
-                'dpop-nonce': nonce,
-            });
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(200, {
-                request_uri: 'urn:ietf:params:oauth:request_uri:test-request-uri',
-                expires_in: 600,
-            }, {
-                'dpop-nonce': nonce,
-            });
-            // Generate authorization URI
-            const authUri = await connector.getAuthorizationUri({
-                state,
-                redirectUri,
-                connectorId: 'bluesky-web',
-                connectorFactoryId: 'bluesky',
-                jti: 'test-jti',
-                headers: {},
-            }, setSession);
-            expect(authUri).toContain('request_uri');
-            expect(authUri).toContain('client_id');
-            // Mock token exchange
-            nock('https://bsky.social')
-                .post('/oauth/token')
-                .reply(200, tokenResponse, {
-                'dpop-nonce': nonce,
-            });
-            // Mock profile fetch
-            nock('https://bsky.social')
-                .get(/\/xrpc\/app\.bsky\.actor\.getProfile/)
-                .reply(200, profileResponse, {
-                'dpop-nonce': nonce,
-            });
-            // Mock authorization server metadata from issuer
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            // Note: In a real test, we'd need to mock state storage/retrieval
-            // For now, this tests the flow structure
-        });
-        it('should handle PAR request with DPoP nonce retry', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            const state = 'test-state-12345';
-            const redirectUri = 'https://app.example.com/oauth/callback';
-            const nonce = 'dpop-nonce-12345';
-            // Mock metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-protected-resource')
-                .reply(404);
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            // First PAR request fails with nonce error
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(401, useDpopNonceError, {
-                'dpop-nonce': nonce,
-            });
-            // Second PAR request succeeds with nonce
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(200, {
-                request_uri: 'urn:ietf:params:oauth:request_uri:test-request-uri',
-            }, {
-                'dpop-nonce': nonce,
-            });
-            const authUri = await connector.getAuthorizationUri({
-                state,
-                redirectUri,
-                connectorId: 'bluesky-web',
-                connectorFactoryId: 'bluesky',
-                jti: 'test-jti',
-                headers: {},
-            }, setSession);
-            expect(authUri).toBeDefined();
-        });
-        it('should handle token exchange errors', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            // Mock metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            // Mock invalid grant error
-            nock('https://bsky.social')
-                .post('/oauth/token')
-                .reply(400, invalidGrantError);
-            // This would be called in getUserInfo, but we need state storage mocked
-            // For now, we test that the error structure is correct
-            expect(invalidGrantError.error).toBe('invalid_grant');
-        });
-        it('should validate state parameter prevents CSRF', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            const state = 'csrf-protection-state';
-            const redirectUri = 'https://app.example.com/oauth/callback';
-            // Mock metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-protected-resource')
-                .reply(404);
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(200, {
-                request_uri: 'urn:ietf:params:oauth:request_uri:test',
-            });
-            const authUri = await connector.getAuthorizationUri({
-                state,
-                redirectUri,
-                connectorId: 'bluesky-web',
-                connectorFactoryId: 'bluesky',
-                jti: 'test-jti',
-                headers: {},
-            }, setSession);
-            // State should be included in PAR request
-            expect(authUri).toBeDefined();
-            // In getUserInfo, state mismatch should be detected
-            // This requires state storage to be properly implemented
-        });
-        it('should handle missing authorization code', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            await expect(connector.getUserInfo({
-                redirectUri: 'https://app.example.com/oauth/callback',
-                // Missing code
-            }, getSession)).rejects.toThrow(ConnectorError);
-        });
-        it('should handle missing state parameter', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            // Mock metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            await expect(connector.getUserInfo({
-                code: 'auth-code-12345',
-                iss: 'https://bsky.social',
-                redirectUri: 'https://app.example.com/oauth/callback',
-                // Missing state
-            }, getSession)).rejects.toThrow(ConnectorError);
-        });
-    });
-    describe('Security Tests', () => {
-        const mockConfig = jest.fn(async () => ({
-            clientMetadataUri: 'https://app.example.com/oauth/client-metadata.json',
-            clientId: 'https://app.example.com/client-id',
-            jwksUri: 'https://app.example.com/.well-known/jwks.json',
-            scope: 'atproto transition:generic',
-            tokenEndpointAuthMethod: 'private_key_jwt',
-        }));
-        const setSession = jest.fn();
-        const getSession = jest.fn();
-        it('should not expose private keys in error messages', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            // Mock metadata
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-protected-resource')
-                .reply(404);
-            nock('https://bsky.social')
-                .get('/.well-known/oauth-authorization-server')
-                .reply(200, authorizationServerMetadata);
-            nock('https://bsky.social')
-                .post('/oauth/par')
-                .reply(500, { error: 'server_error' });
-            try {
-                await connector.getAuthorizationUri({
-                    state: 'test-state',
-                    redirectUri: 'https://app.example.com/oauth/callback',
-                    connectorId: 'bluesky-web',
-                    connectorFactoryId: 'bluesky',
-                    jti: 'test-jti',
-                    headers: {},
-                }, setSession);
-            }
-            catch (error) {
-                const errorMessage = error instanceof Error ? error.message : String(error);
-                // Should not contain private key material
-                expect(errorMessage).not.toMatch(/-----BEGIN.*KEY-----/);
-                expect(errorMessage).not.toMatch(/d=/); // Private key field in JWK
-            }
-        });
-        it('should enforce state parameter validation', async () => {
-            const connector = await createBlueskyConnector({ getConfig: mockConfig });
-            // State parameter is required and should be validated
-            // This is tested in the missing state parameter test above
-            await expect(connector.getUserInfo({
-                code: 'auth-code-12345',
-                iss: 'https://bsky.social',
-                redirectUri: 'https://app.example.com/oauth/callback',
-                // Missing state
-            }, getSession)).rejects.toThrow(ConnectorError);
-        });
-    });
-});

package/lib/mock.js

@@ -1,24 +0,0 @@
-export const mockConfig = {
-    clientMetadataUri: 'https://app.example.com/.well-known/oauth-client-metadata.json',
-    clientId: 'https://app.example.com/client-id',
-    jwksUri: 'https://app.example.com/.well-known/jwks.json',
-    scope: 'atproto transition:generic',
-    tokenEndpointAuthMethod: 'private_key_jwt',
-};
-export const mockTokenResponse = {
-    access_token: 'mock_access_token_12345',
-    refresh_token: 'mock_refresh_token_67890',
-    token_type: 'Bearer',
-    expires_in: 3600,
-    scope: 'atproto transition:generic',
-    sub: 'did:plc:mockdid123456789',
-    did: 'did:plc:mockdid123456789',
-};
-export const mockProfileResponse = {
-    did: 'did:plc:mockdid123456789',
-    handle: 'example.bsky.social',
-    displayName: 'Example User',
-    avatar: 'https://example.com/avatar.jpg',
-    email: 'user@example.com',
-    description: 'Mock user profile',
-};