@optimizely-opal/opal-tool-ocp-sdk 0.0.0-devmg.13 → 1.0.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +108 -15
- package/dist/auth/AuthUtils.d.ts +26 -0
- package/dist/auth/AuthUtils.d.ts.map +1 -0
- package/dist/auth/AuthUtils.js +109 -0
- package/dist/auth/AuthUtils.js.map +1 -0
- package/dist/auth/AuthUtils.test.d.ts +2 -0
- package/dist/auth/AuthUtils.test.d.ts.map +1 -0
- package/dist/auth/AuthUtils.test.js +601 -0
- package/dist/auth/AuthUtils.test.js.map +1 -0
- package/dist/auth/TokenVerifier.d.ts.map +1 -1
- package/dist/auth/TokenVerifier.js +0 -1
- package/dist/auth/TokenVerifier.js.map +1 -1
- package/dist/auth/TokenVerifier.test.js +9 -0
- package/dist/auth/TokenVerifier.test.js.map +1 -1
- package/dist/function/GlobalToolFunction.d.ts +27 -0
- package/dist/function/GlobalToolFunction.d.ts.map +1 -0
- package/dist/function/GlobalToolFunction.js +53 -0
- package/dist/function/GlobalToolFunction.js.map +1 -0
- package/dist/function/GlobalToolFunction.test.d.ts +2 -0
- package/dist/function/GlobalToolFunction.test.d.ts.map +1 -0
- package/dist/function/GlobalToolFunction.test.js +425 -0
- package/dist/function/GlobalToolFunction.test.js.map +1 -0
- package/dist/function/ToolFunction.d.ts +1 -2
- package/dist/function/ToolFunction.d.ts.map +1 -1
- package/dist/function/ToolFunction.js +3 -35
- package/dist/function/ToolFunction.js.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/service/Service.d.ts +8 -7
- package/dist/service/Service.d.ts.map +1 -1
- package/dist/service/Service.js.map +1 -1
- package/package.json +3 -4
- package/src/auth/AuthUtils.test.ts +729 -0
- package/src/auth/AuthUtils.ts +117 -0
- package/src/auth/TokenVerifier.test.ts +11 -0
- package/src/auth/TokenVerifier.ts +0 -1
- package/src/function/GlobalToolFunction.test.ts +505 -0
- package/src/function/GlobalToolFunction.ts +56 -0
- package/src/function/ToolFunction.ts +4 -41
- package/src/index.ts +1 -0
- package/src/service/Service.ts +33 -9
|
@@ -0,0 +1,729 @@
|
|
|
1
|
+
/* eslint-disable @typescript-eslint/no-unsafe-call */
|
|
2
|
+
import { getAppContext, logger } from '@zaiusinc/app-sdk';
|
|
3
|
+
import { getTokenVerifier } from './TokenVerifier';
|
|
4
|
+
import { authenticateRegularRequest, authenticateGlobalRequest } from './AuthUtils';
|
|
5
|
+
|
|
6
|
+
// Mock the dependencies
|
|
7
|
+
jest.mock('./TokenVerifier', () => ({
|
|
8
|
+
getTokenVerifier: jest.fn(),
|
|
9
|
+
}));
|
|
10
|
+
|
|
11
|
+
jest.mock('@zaiusinc/app-sdk', () => ({
|
|
12
|
+
getAppContext: jest.fn(),
|
|
13
|
+
logger: {
|
|
14
|
+
info: jest.fn(),
|
|
15
|
+
error: jest.fn(),
|
|
16
|
+
warn: jest.fn(),
|
|
17
|
+
debug: jest.fn(),
|
|
18
|
+
},
|
|
19
|
+
}));
|
|
20
|
+
|
|
21
|
+
describe('AuthUtils', () => {
|
|
22
|
+
let mockTokenVerifier: any;
|
|
23
|
+
let mockGetTokenVerifier: jest.MockedFunction<typeof getTokenVerifier>;
|
|
24
|
+
let mockGetAppContext: jest.MockedFunction<typeof getAppContext>;
|
|
25
|
+
|
|
26
|
+
beforeEach(() => {
|
|
27
|
+
jest.clearAllMocks();
|
|
28
|
+
|
|
29
|
+
// Setup token verifier mock
|
|
30
|
+
mockTokenVerifier = {
|
|
31
|
+
verify: jest.fn(),
|
|
32
|
+
};
|
|
33
|
+
|
|
34
|
+
mockGetTokenVerifier = getTokenVerifier as jest.MockedFunction<typeof getTokenVerifier>;
|
|
35
|
+
mockGetTokenVerifier.mockResolvedValue(mockTokenVerifier);
|
|
36
|
+
|
|
37
|
+
// Setup app context mock with default organization
|
|
38
|
+
mockGetAppContext = getAppContext as jest.MockedFunction<typeof getAppContext>;
|
|
39
|
+
mockGetAppContext.mockReturnValue({
|
|
40
|
+
account: {
|
|
41
|
+
organizationId: 'test-org-123'
|
|
42
|
+
}
|
|
43
|
+
} as any);
|
|
44
|
+
});
|
|
45
|
+
|
|
46
|
+
describe('authenticateRegularRequest', () => {
|
|
47
|
+
beforeEach(() => {
|
|
48
|
+
// Default to successful token verification
|
|
49
|
+
mockTokenVerifier.verify.mockResolvedValue(true);
|
|
50
|
+
});
|
|
51
|
+
|
|
52
|
+
describe('when request is for discovery endpoint', () => {
|
|
53
|
+
it('should return true without authentication', async () => {
|
|
54
|
+
const request = { path: '/discovery' };
|
|
55
|
+
|
|
56
|
+
const result = await authenticateRegularRequest(request);
|
|
57
|
+
|
|
58
|
+
expect(result).toBe(true);
|
|
59
|
+
expect(mockGetTokenVerifier).not.toHaveBeenCalled();
|
|
60
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
61
|
+
});
|
|
62
|
+
});
|
|
63
|
+
|
|
64
|
+
describe('when request is for ready endpoint', () => {
|
|
65
|
+
it('should return true without authentication', async () => {
|
|
66
|
+
const request = { path: '/ready' };
|
|
67
|
+
|
|
68
|
+
const result = await authenticateRegularRequest(request);
|
|
69
|
+
|
|
70
|
+
expect(result).toBe(true);
|
|
71
|
+
expect(mockGetTokenVerifier).not.toHaveBeenCalled();
|
|
72
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
73
|
+
});
|
|
74
|
+
});
|
|
75
|
+
|
|
76
|
+
describe('when request has valid authentication', () => {
|
|
77
|
+
it('should return true for valid OptiID token with matching organization', async () => {
|
|
78
|
+
const request = {
|
|
79
|
+
path: '/some-tool',
|
|
80
|
+
bodyJSON: {
|
|
81
|
+
auth: {
|
|
82
|
+
provider: 'OptiID',
|
|
83
|
+
credentials: {
|
|
84
|
+
customer_id: 'test-org-123',
|
|
85
|
+
access_token: 'valid-token-123'
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
};
|
|
90
|
+
|
|
91
|
+
const result = await authenticateRegularRequest(request);
|
|
92
|
+
|
|
93
|
+
expect(result).toBe(true);
|
|
94
|
+
expect(mockGetTokenVerifier).toHaveBeenCalled();
|
|
95
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
96
|
+
});
|
|
97
|
+
|
|
98
|
+
it('should handle case-insensitive provider names', async () => {
|
|
99
|
+
const request = {
|
|
100
|
+
path: '/some-tool',
|
|
101
|
+
bodyJSON: {
|
|
102
|
+
auth: {
|
|
103
|
+
provider: 'optiid', // lowercase
|
|
104
|
+
credentials: {
|
|
105
|
+
customer_id: 'test-org-123',
|
|
106
|
+
access_token: 'valid-token-123'
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
};
|
|
111
|
+
|
|
112
|
+
const result = await authenticateRegularRequest(request);
|
|
113
|
+
|
|
114
|
+
expect(result).toBe(true);
|
|
115
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
116
|
+
});
|
|
117
|
+
|
|
118
|
+
it('should handle mixed case provider names', async () => {
|
|
119
|
+
const request = {
|
|
120
|
+
path: '/some-tool',
|
|
121
|
+
bodyJSON: {
|
|
122
|
+
auth: {
|
|
123
|
+
provider: 'OpTiId', // mixed case
|
|
124
|
+
credentials: {
|
|
125
|
+
customer_id: 'test-org-123',
|
|
126
|
+
access_token: 'valid-token-123'
|
|
127
|
+
}
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
};
|
|
131
|
+
|
|
132
|
+
const result = await authenticateRegularRequest(request);
|
|
133
|
+
|
|
134
|
+
expect(result).toBe(true);
|
|
135
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
136
|
+
});
|
|
137
|
+
});
|
|
138
|
+
|
|
139
|
+
describe('when authentication fails', () => {
|
|
140
|
+
it('should return false when auth data is missing', async () => {
|
|
141
|
+
const request = {
|
|
142
|
+
path: '/some-tool',
|
|
143
|
+
bodyJSON: {}
|
|
144
|
+
};
|
|
145
|
+
|
|
146
|
+
const result = await authenticateRegularRequest(request);
|
|
147
|
+
|
|
148
|
+
expect(result).toBe(false);
|
|
149
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
150
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
151
|
+
});
|
|
152
|
+
|
|
153
|
+
it('should return false when bodyJSON is missing', async () => {
|
|
154
|
+
const request = {
|
|
155
|
+
path: '/some-tool'
|
|
156
|
+
};
|
|
157
|
+
|
|
158
|
+
const result = await authenticateRegularRequest(request);
|
|
159
|
+
|
|
160
|
+
expect(result).toBe(false);
|
|
161
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
162
|
+
});
|
|
163
|
+
|
|
164
|
+
it('should return false when provider is not OptiID', async () => {
|
|
165
|
+
const request = {
|
|
166
|
+
path: '/some-tool',
|
|
167
|
+
bodyJSON: {
|
|
168
|
+
auth: {
|
|
169
|
+
provider: 'SomeOtherProvider',
|
|
170
|
+
credentials: {
|
|
171
|
+
customer_id: 'test-org-123',
|
|
172
|
+
access_token: 'some-token'
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
};
|
|
177
|
+
|
|
178
|
+
const result = await authenticateRegularRequest(request);
|
|
179
|
+
|
|
180
|
+
expect(result).toBe(false);
|
|
181
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
182
|
+
});
|
|
183
|
+
|
|
184
|
+
it('should return false when access token is missing', async () => {
|
|
185
|
+
const request = {
|
|
186
|
+
path: '/some-tool',
|
|
187
|
+
bodyJSON: {
|
|
188
|
+
auth: {
|
|
189
|
+
provider: 'OptiID',
|
|
190
|
+
credentials: {
|
|
191
|
+
customer_id: 'test-org-123'
|
|
192
|
+
// access_token missing
|
|
193
|
+
}
|
|
194
|
+
}
|
|
195
|
+
}
|
|
196
|
+
};
|
|
197
|
+
|
|
198
|
+
const result = await authenticateRegularRequest(request);
|
|
199
|
+
|
|
200
|
+
expect(result).toBe(false);
|
|
201
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
202
|
+
});
|
|
203
|
+
|
|
204
|
+
it('should return false when access token is empty string', async () => {
|
|
205
|
+
const request = {
|
|
206
|
+
path: '/some-tool',
|
|
207
|
+
bodyJSON: {
|
|
208
|
+
auth: {
|
|
209
|
+
provider: 'OptiID',
|
|
210
|
+
credentials: {
|
|
211
|
+
customer_id: 'test-org-123',
|
|
212
|
+
access_token: ''
|
|
213
|
+
}
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
};
|
|
217
|
+
|
|
218
|
+
const result = await authenticateRegularRequest(request);
|
|
219
|
+
|
|
220
|
+
expect(result).toBe(false);
|
|
221
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
222
|
+
});
|
|
223
|
+
|
|
224
|
+
it('should return false when access token is undefined', async () => {
|
|
225
|
+
const request = {
|
|
226
|
+
path: '/some-tool',
|
|
227
|
+
bodyJSON: {
|
|
228
|
+
auth: {
|
|
229
|
+
provider: 'OptiID',
|
|
230
|
+
credentials: {
|
|
231
|
+
customer_id: 'test-org-123',
|
|
232
|
+
access_token: undefined
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
}
|
|
236
|
+
};
|
|
237
|
+
|
|
238
|
+
const result = await authenticateRegularRequest(request);
|
|
239
|
+
|
|
240
|
+
expect(result).toBe(false);
|
|
241
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
242
|
+
});
|
|
243
|
+
});
|
|
244
|
+
|
|
245
|
+
describe('when organization validation fails', () => {
|
|
246
|
+
it('should return false when customer_id does not match app organization', async () => {
|
|
247
|
+
const request = {
|
|
248
|
+
path: '/some-tool',
|
|
249
|
+
bodyJSON: {
|
|
250
|
+
auth: {
|
|
251
|
+
provider: 'OptiID',
|
|
252
|
+
credentials: {
|
|
253
|
+
customer_id: 'different-org-456',
|
|
254
|
+
access_token: 'valid-token-123'
|
|
255
|
+
}
|
|
256
|
+
}
|
|
257
|
+
}
|
|
258
|
+
};
|
|
259
|
+
|
|
260
|
+
const result = await authenticateRegularRequest(request);
|
|
261
|
+
|
|
262
|
+
expect(result).toBe(false);
|
|
263
|
+
expect(logger.error).toHaveBeenCalledWith(
|
|
264
|
+
'Invalid organisation ID: expected test-org-123, received different-org-456'
|
|
265
|
+
);
|
|
266
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
267
|
+
});
|
|
268
|
+
|
|
269
|
+
it('should return false when customer_id is missing', async () => {
|
|
270
|
+
const request = {
|
|
271
|
+
path: '/some-tool',
|
|
272
|
+
bodyJSON: {
|
|
273
|
+
auth: {
|
|
274
|
+
provider: 'OptiID',
|
|
275
|
+
credentials: {
|
|
276
|
+
access_token: 'valid-token-123'
|
|
277
|
+
// customer_id missing
|
|
278
|
+
}
|
|
279
|
+
}
|
|
280
|
+
}
|
|
281
|
+
};
|
|
282
|
+
|
|
283
|
+
const result = await authenticateRegularRequest(request);
|
|
284
|
+
|
|
285
|
+
expect(result).toBe(false);
|
|
286
|
+
expect(logger.error).toHaveBeenCalledWith('Organisation ID is required but not provided');
|
|
287
|
+
});
|
|
288
|
+
|
|
289
|
+
it('should return false when customer_id is empty string', async () => {
|
|
290
|
+
const request = {
|
|
291
|
+
path: '/some-tool',
|
|
292
|
+
bodyJSON: {
|
|
293
|
+
auth: {
|
|
294
|
+
provider: 'OptiID',
|
|
295
|
+
credentials: {
|
|
296
|
+
customer_id: '',
|
|
297
|
+
access_token: 'valid-token-123'
|
|
298
|
+
}
|
|
299
|
+
}
|
|
300
|
+
}
|
|
301
|
+
};
|
|
302
|
+
|
|
303
|
+
const result = await authenticateRegularRequest(request);
|
|
304
|
+
|
|
305
|
+
expect(result).toBe(false);
|
|
306
|
+
expect(logger.error).toHaveBeenCalledWith('Organisation ID is required but not provided');
|
|
307
|
+
});
|
|
308
|
+
|
|
309
|
+
it('should handle case when app context has no account', async () => {
|
|
310
|
+
mockGetAppContext.mockReturnValue({} as any);
|
|
311
|
+
|
|
312
|
+
const request = {
|
|
313
|
+
path: '/some-tool',
|
|
314
|
+
bodyJSON: {
|
|
315
|
+
auth: {
|
|
316
|
+
provider: 'OptiID',
|
|
317
|
+
credentials: {
|
|
318
|
+
customer_id: 'some-org-123',
|
|
319
|
+
access_token: 'valid-token-123'
|
|
320
|
+
}
|
|
321
|
+
}
|
|
322
|
+
}
|
|
323
|
+
};
|
|
324
|
+
|
|
325
|
+
const result = await authenticateRegularRequest(request);
|
|
326
|
+
|
|
327
|
+
expect(result).toBe(false);
|
|
328
|
+
expect(logger.error).toHaveBeenCalledWith(
|
|
329
|
+
'Invalid organisation ID: expected undefined, received some-org-123'
|
|
330
|
+
);
|
|
331
|
+
});
|
|
332
|
+
|
|
333
|
+
it('should handle case when app context is null', async () => {
|
|
334
|
+
mockGetAppContext.mockReturnValue(null as any);
|
|
335
|
+
|
|
336
|
+
const request = {
|
|
337
|
+
path: '/some-tool',
|
|
338
|
+
bodyJSON: {
|
|
339
|
+
auth: {
|
|
340
|
+
provider: 'OptiID',
|
|
341
|
+
credentials: {
|
|
342
|
+
customer_id: 'some-org-123',
|
|
343
|
+
access_token: 'valid-token-123'
|
|
344
|
+
}
|
|
345
|
+
}
|
|
346
|
+
}
|
|
347
|
+
};
|
|
348
|
+
|
|
349
|
+
const result = await authenticateRegularRequest(request);
|
|
350
|
+
|
|
351
|
+
expect(result).toBe(false);
|
|
352
|
+
expect(logger.error).toHaveBeenCalledWith(
|
|
353
|
+
'Invalid organisation ID: expected undefined, received some-org-123'
|
|
354
|
+
);
|
|
355
|
+
});
|
|
356
|
+
});
|
|
357
|
+
|
|
358
|
+
describe('when token validation fails', () => {
|
|
359
|
+
it('should return false when token verifier returns false', async () => {
|
|
360
|
+
mockTokenVerifier.verify.mockResolvedValue(false);
|
|
361
|
+
|
|
362
|
+
const request = {
|
|
363
|
+
path: '/some-tool',
|
|
364
|
+
bodyJSON: {
|
|
365
|
+
auth: {
|
|
366
|
+
provider: 'OptiID',
|
|
367
|
+
credentials: {
|
|
368
|
+
customer_id: 'test-org-123',
|
|
369
|
+
access_token: 'invalid-token'
|
|
370
|
+
}
|
|
371
|
+
}
|
|
372
|
+
}
|
|
373
|
+
};
|
|
374
|
+
|
|
375
|
+
const result = await authenticateRegularRequest(request);
|
|
376
|
+
|
|
377
|
+
expect(result).toBe(false);
|
|
378
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('invalid-token');
|
|
379
|
+
});
|
|
380
|
+
|
|
381
|
+
it('should return false when token verification throws an error', async () => {
|
|
382
|
+
const verificationError = new Error('Token verification failed');
|
|
383
|
+
mockTokenVerifier.verify.mockRejectedValue(verificationError);
|
|
384
|
+
|
|
385
|
+
const request = {
|
|
386
|
+
path: '/some-tool',
|
|
387
|
+
bodyJSON: {
|
|
388
|
+
auth: {
|
|
389
|
+
provider: 'OptiID',
|
|
390
|
+
credentials: {
|
|
391
|
+
customer_id: 'test-org-123',
|
|
392
|
+
access_token: 'error-token'
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
}
|
|
396
|
+
};
|
|
397
|
+
|
|
398
|
+
const result = await authenticateRegularRequest(request);
|
|
399
|
+
|
|
400
|
+
expect(result).toBe(false);
|
|
401
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token validation failed:', verificationError);
|
|
402
|
+
});
|
|
403
|
+
|
|
404
|
+
it('should return false when getTokenVerifier throws an error', async () => {
|
|
405
|
+
const verifierError = new Error('Failed to get token verifier');
|
|
406
|
+
mockGetTokenVerifier.mockRejectedValue(verifierError);
|
|
407
|
+
|
|
408
|
+
const request = {
|
|
409
|
+
path: '/some-tool',
|
|
410
|
+
bodyJSON: {
|
|
411
|
+
auth: {
|
|
412
|
+
provider: 'OptiID',
|
|
413
|
+
credentials: {
|
|
414
|
+
customer_id: 'test-org-123',
|
|
415
|
+
access_token: 'some-token'
|
|
416
|
+
}
|
|
417
|
+
}
|
|
418
|
+
}
|
|
419
|
+
};
|
|
420
|
+
|
|
421
|
+
const result = await authenticateRegularRequest(request);
|
|
422
|
+
|
|
423
|
+
expect(result).toBe(false);
|
|
424
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token validation failed:', verifierError);
|
|
425
|
+
});
|
|
426
|
+
});
|
|
427
|
+
});
|
|
428
|
+
|
|
429
|
+
describe('authenticateGlobalRequest', () => {
|
|
430
|
+
beforeEach(() => {
|
|
431
|
+
// Default to successful token verification
|
|
432
|
+
mockTokenVerifier.verify.mockResolvedValue(true);
|
|
433
|
+
});
|
|
434
|
+
|
|
435
|
+
describe('when request is for discovery endpoint', () => {
|
|
436
|
+
it('should return true without authentication', async () => {
|
|
437
|
+
const request = { path: '/discovery' };
|
|
438
|
+
|
|
439
|
+
const result = await authenticateGlobalRequest(request);
|
|
440
|
+
|
|
441
|
+
expect(result).toBe(true);
|
|
442
|
+
expect(mockGetTokenVerifier).not.toHaveBeenCalled();
|
|
443
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
444
|
+
});
|
|
445
|
+
});
|
|
446
|
+
|
|
447
|
+
describe('when request is for ready endpoint', () => {
|
|
448
|
+
it('should return true without authentication', async () => {
|
|
449
|
+
const request = { path: '/ready' };
|
|
450
|
+
|
|
451
|
+
const result = await authenticateGlobalRequest(request);
|
|
452
|
+
|
|
453
|
+
expect(result).toBe(true);
|
|
454
|
+
expect(mockGetTokenVerifier).not.toHaveBeenCalled();
|
|
455
|
+
expect(mockTokenVerifier.verify).not.toHaveBeenCalled();
|
|
456
|
+
});
|
|
457
|
+
});
|
|
458
|
+
|
|
459
|
+
describe('when request has valid authentication', () => {
|
|
460
|
+
it('should return true for valid OptiID token regardless of organization', async () => {
|
|
461
|
+
const request = {
|
|
462
|
+
path: '/global-tool',
|
|
463
|
+
bodyJSON: {
|
|
464
|
+
auth: {
|
|
465
|
+
provider: 'OptiID',
|
|
466
|
+
credentials: {
|
|
467
|
+
customer_id: 'different-org-456', // Different from app org
|
|
468
|
+
access_token: 'valid-token-123'
|
|
469
|
+
}
|
|
470
|
+
}
|
|
471
|
+
}
|
|
472
|
+
};
|
|
473
|
+
|
|
474
|
+
const result = await authenticateGlobalRequest(request);
|
|
475
|
+
|
|
476
|
+
expect(result).toBe(true);
|
|
477
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
478
|
+
// Should not log organization validation errors for global requests
|
|
479
|
+
expect(logger.error).not.toHaveBeenCalledWith(
|
|
480
|
+
expect.stringContaining('Invalid organisation ID')
|
|
481
|
+
);
|
|
482
|
+
});
|
|
483
|
+
|
|
484
|
+
it('should return true even without customer_id', async () => {
|
|
485
|
+
const request = {
|
|
486
|
+
path: '/global-tool',
|
|
487
|
+
bodyJSON: {
|
|
488
|
+
auth: {
|
|
489
|
+
provider: 'OptiID',
|
|
490
|
+
credentials: {
|
|
491
|
+
access_token: 'valid-token-123'
|
|
492
|
+
// No customer_id - should be fine for global functions
|
|
493
|
+
}
|
|
494
|
+
}
|
|
495
|
+
}
|
|
496
|
+
};
|
|
497
|
+
|
|
498
|
+
const result = await authenticateGlobalRequest(request);
|
|
499
|
+
|
|
500
|
+
expect(result).toBe(true);
|
|
501
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
502
|
+
});
|
|
503
|
+
|
|
504
|
+
it('should handle case-insensitive provider names', async () => {
|
|
505
|
+
const request = {
|
|
506
|
+
path: '/global-tool',
|
|
507
|
+
bodyJSON: {
|
|
508
|
+
auth: {
|
|
509
|
+
provider: 'optiid',
|
|
510
|
+
credentials: {
|
|
511
|
+
customer_id: 'any-org',
|
|
512
|
+
access_token: 'valid-token-123'
|
|
513
|
+
}
|
|
514
|
+
}
|
|
515
|
+
}
|
|
516
|
+
};
|
|
517
|
+
|
|
518
|
+
const result = await authenticateGlobalRequest(request);
|
|
519
|
+
|
|
520
|
+
expect(result).toBe(true);
|
|
521
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
522
|
+
});
|
|
523
|
+
});
|
|
524
|
+
|
|
525
|
+
describe('when authentication fails', () => {
|
|
526
|
+
it('should return false when auth data is missing', async () => {
|
|
527
|
+
const request = {
|
|
528
|
+
path: '/global-tool',
|
|
529
|
+
bodyJSON: {}
|
|
530
|
+
};
|
|
531
|
+
|
|
532
|
+
const result = await authenticateGlobalRequest(request);
|
|
533
|
+
|
|
534
|
+
expect(result).toBe(false);
|
|
535
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
536
|
+
});
|
|
537
|
+
|
|
538
|
+
it('should return false when provider is not OptiID', async () => {
|
|
539
|
+
const request = {
|
|
540
|
+
path: '/global-tool',
|
|
541
|
+
bodyJSON: {
|
|
542
|
+
auth: {
|
|
543
|
+
provider: 'SomeOtherProvider',
|
|
544
|
+
credentials: {
|
|
545
|
+
customer_id: 'any-org',
|
|
546
|
+
access_token: 'some-token'
|
|
547
|
+
}
|
|
548
|
+
}
|
|
549
|
+
}
|
|
550
|
+
};
|
|
551
|
+
|
|
552
|
+
const result = await authenticateGlobalRequest(request);
|
|
553
|
+
|
|
554
|
+
expect(result).toBe(false);
|
|
555
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
556
|
+
});
|
|
557
|
+
|
|
558
|
+
it('should return false when access token is missing', async () => {
|
|
559
|
+
const request = {
|
|
560
|
+
path: '/global-tool',
|
|
561
|
+
bodyJSON: {
|
|
562
|
+
auth: {
|
|
563
|
+
provider: 'OptiID',
|
|
564
|
+
credentials: {
|
|
565
|
+
customer_id: 'any-org'
|
|
566
|
+
// access_token missing
|
|
567
|
+
}
|
|
568
|
+
}
|
|
569
|
+
}
|
|
570
|
+
};
|
|
571
|
+
|
|
572
|
+
const result = await authenticateGlobalRequest(request);
|
|
573
|
+
|
|
574
|
+
expect(result).toBe(false);
|
|
575
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
576
|
+
});
|
|
577
|
+
|
|
578
|
+
it('should return false when access token is empty', async () => {
|
|
579
|
+
const request = {
|
|
580
|
+
path: '/global-tool',
|
|
581
|
+
bodyJSON: {
|
|
582
|
+
auth: {
|
|
583
|
+
provider: 'OptiID',
|
|
584
|
+
credentials: {
|
|
585
|
+
customer_id: 'any-org',
|
|
586
|
+
access_token: ''
|
|
587
|
+
}
|
|
588
|
+
}
|
|
589
|
+
}
|
|
590
|
+
};
|
|
591
|
+
|
|
592
|
+
const result = await authenticateGlobalRequest(request);
|
|
593
|
+
|
|
594
|
+
expect(result).toBe(false);
|
|
595
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
596
|
+
});
|
|
597
|
+
});
|
|
598
|
+
|
|
599
|
+
describe('when token validation fails', () => {
|
|
600
|
+
it('should return false when token verifier returns false', async () => {
|
|
601
|
+
mockTokenVerifier.verify.mockResolvedValue(false);
|
|
602
|
+
|
|
603
|
+
const request = {
|
|
604
|
+
path: '/global-tool',
|
|
605
|
+
bodyJSON: {
|
|
606
|
+
auth: {
|
|
607
|
+
provider: 'OptiID',
|
|
608
|
+
credentials: {
|
|
609
|
+
customer_id: 'any-org',
|
|
610
|
+
access_token: 'invalid-token'
|
|
611
|
+
}
|
|
612
|
+
}
|
|
613
|
+
}
|
|
614
|
+
};
|
|
615
|
+
|
|
616
|
+
const result = await authenticateGlobalRequest(request);
|
|
617
|
+
|
|
618
|
+
expect(result).toBe(false);
|
|
619
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('invalid-token');
|
|
620
|
+
});
|
|
621
|
+
|
|
622
|
+
it('should return false when token verification throws an error', async () => {
|
|
623
|
+
const verificationError = new Error('Global token verification failed');
|
|
624
|
+
mockTokenVerifier.verify.mockRejectedValue(verificationError);
|
|
625
|
+
|
|
626
|
+
const request = {
|
|
627
|
+
path: '/global-tool',
|
|
628
|
+
bodyJSON: {
|
|
629
|
+
auth: {
|
|
630
|
+
provider: 'OptiID',
|
|
631
|
+
credentials: {
|
|
632
|
+
customer_id: 'any-org',
|
|
633
|
+
access_token: 'error-token'
|
|
634
|
+
}
|
|
635
|
+
}
|
|
636
|
+
}
|
|
637
|
+
};
|
|
638
|
+
|
|
639
|
+
const result = await authenticateGlobalRequest(request);
|
|
640
|
+
|
|
641
|
+
expect(result).toBe(false);
|
|
642
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token validation failed:', verificationError);
|
|
643
|
+
});
|
|
644
|
+
});
|
|
645
|
+
|
|
646
|
+
describe('organization validation differences from authenticateRegularRequest', () => {
|
|
647
|
+
it('should NOT validate organization ID and allow any customer_id', async () => {
|
|
648
|
+
const request = {
|
|
649
|
+
path: '/global-tool',
|
|
650
|
+
bodyJSON: {
|
|
651
|
+
auth: {
|
|
652
|
+
provider: 'OptiID',
|
|
653
|
+
credentials: {
|
|
654
|
+
customer_id: 'completely-different-org',
|
|
655
|
+
access_token: 'valid-token-123'
|
|
656
|
+
}
|
|
657
|
+
}
|
|
658
|
+
}
|
|
659
|
+
};
|
|
660
|
+
|
|
661
|
+
const result = await authenticateGlobalRequest(request);
|
|
662
|
+
|
|
663
|
+
expect(result).toBe(true);
|
|
664
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
665
|
+
// Should NOT log organization validation errors
|
|
666
|
+
expect(logger.error).not.toHaveBeenCalledWith(
|
|
667
|
+
expect.stringContaining('Invalid organisation ID')
|
|
668
|
+
);
|
|
669
|
+
expect(logger.error).not.toHaveBeenCalledWith(
|
|
670
|
+
expect.stringContaining('Organisation ID is required')
|
|
671
|
+
);
|
|
672
|
+
});
|
|
673
|
+
|
|
674
|
+
it('should work even when app context has no organization', async () => {
|
|
675
|
+
mockGetAppContext.mockReturnValue({} as any);
|
|
676
|
+
|
|
677
|
+
const request = {
|
|
678
|
+
path: '/global-tool',
|
|
679
|
+
bodyJSON: {
|
|
680
|
+
auth: {
|
|
681
|
+
provider: 'OptiID',
|
|
682
|
+
credentials: {
|
|
683
|
+
customer_id: 'any-org',
|
|
684
|
+
access_token: 'valid-token-123'
|
|
685
|
+
}
|
|
686
|
+
}
|
|
687
|
+
}
|
|
688
|
+
};
|
|
689
|
+
|
|
690
|
+
const result = await authenticateGlobalRequest(request);
|
|
691
|
+
|
|
692
|
+
expect(result).toBe(true);
|
|
693
|
+
expect(mockTokenVerifier.verify).toHaveBeenCalledWith('valid-token-123');
|
|
694
|
+
});
|
|
695
|
+
});
|
|
696
|
+
});
|
|
697
|
+
|
|
698
|
+
describe('edge cases and error handling', () => {
|
|
699
|
+
it('should handle requests with null bodyJSON', async () => {
|
|
700
|
+
const request = {
|
|
701
|
+
path: '/some-tool',
|
|
702
|
+
bodyJSON: null
|
|
703
|
+
};
|
|
704
|
+
|
|
705
|
+
const result1 = await authenticateRegularRequest(request);
|
|
706
|
+
const result2 = await authenticateGlobalRequest(request);
|
|
707
|
+
|
|
708
|
+
expect(result1).toBe(false);
|
|
709
|
+
expect(result2).toBe(false);
|
|
710
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
711
|
+
});
|
|
712
|
+
|
|
713
|
+
it('should handle malformed auth objects', async () => {
|
|
714
|
+
const request = {
|
|
715
|
+
path: '/some-tool',
|
|
716
|
+
bodyJSON: {
|
|
717
|
+
auth: 'invalid-auth-format'
|
|
718
|
+
}
|
|
719
|
+
};
|
|
720
|
+
|
|
721
|
+
const result1 = await authenticateRegularRequest(request);
|
|
722
|
+
const result2 = await authenticateGlobalRequest(request);
|
|
723
|
+
|
|
724
|
+
expect(result1).toBe(false);
|
|
725
|
+
expect(result2).toBe(false);
|
|
726
|
+
expect(logger.error).toHaveBeenCalledWith('OptiID token is required but not provided');
|
|
727
|
+
});
|
|
728
|
+
});
|
|
729
|
+
});
|