@stonyx/oauth 0.1.0 → 0.1.1-alpha.0

package/.github/workflows/publish.yml

@@ -1,6 +1,8 @@
 name: Publish to NPM
 
 on:
+  repository_dispatch:
+    types: [cascade-publish]
   workflow_dispatch:
     inputs:
       version-type:
@@ -21,6 +23,10 @@ on:
   push:
     branches: [main]
 
+concurrency:
+  group: ${{ github.event_name == 'repository_dispatch' && 'cascade-update' || format('publish-{0}', github.ref) }}
+  cancel-in-progress: false
+
 permissions:
   contents: write
   id-token: write
@@ -28,8 +34,18 @@ permissions:
 
 jobs:
   publish:
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
     uses: abofs/stonyx-workflows/.github/workflows/npm-publish.yml@main
     with:
       version-type: ${{ github.event.inputs.version-type }}
       custom-version: ${{ github.event.inputs.custom-version }}
+      cascade-source: ${{ github.event.client_payload.source_package || '' }}
+    secrets: inherit
+
+  cascade:
+    needs: publish
+    uses: abofs/stonyx-workflows/.github/workflows/cascade.yml@main
+    with:
+      package-name: ${{ needs.publish.outputs.package-name }}
+      published-version: ${{ needs.publish.outputs.published-version }}
     secrets: inherit

package/config/environment.js

@@ -1,6 +1,7 @@
 export default {
   providers: {},
   sessionDuration: 86400,
+  frontendCallbackUrl: null,
   logColor: 'magenta',
   logMethod: 'oauth',
 };

package/package.json

@@ -4,7 +4,7 @@
     "stonyx-async",
     "stonyx-module"
   ],
-  "version": "0.1.0",
+  "version": "0.1.1-alpha.0",
   "description": "OAuth2 authentication module for the Stonyx framework",
   "repository": {
     "type": "git",
@@ -21,17 +21,18 @@
     "Stone Costa <stone.costa@synamicd.com>"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "dependencies": {
-    "stonyx": "^0.2.0"
+    "stonyx": "0.2.3-beta.4"
   },
   "peerDependencies": {
-    "@stonyx/rest-server": ">=0.2.0"
+    "@stonyx/rest-server": ">=0.2.1-beta.11"
   },
   "devDependencies": {
-    "@stonyx/rest-server": "^0.2.0",
-    "@stonyx/utils": "^0.2.2",
+    "@stonyx/rest-server": "0.2.1-beta.11",
+    "@stonyx/utils": "0.2.3-beta.4",
     "qunit": "^2.24.1",
     "sinon": "^21.0.0"
   },

package/src/auth-request.js

@@ -29,15 +29,38 @@ export default class AuthRequest extends Request {
         }
       },
 
-      '/callback/:provider': async (req) => {
+      '/callback/:provider': async (req, state) => {
         const { provider: providerName } = req.params;
-        const { code, state: stateToken } = req.query;
+        const { code, state: stateToken, error } = req.query;
+
+        if (error) {
+          if (this.oauth.frontendCallbackUrl) {
+            state.redirect = `${this.oauth.frontendCallbackUrl}?error=${encodeURIComponent(error)}`;
+            return;
+          }
+          return 400;
+        }
 
         if (!code) return 400;
 
         try {
-          return await this.oauth.handleCallback(providerName, code, stateToken);
+          const session = await this.oauth.handleCallback(providerName, code, stateToken);
+
+          if (this.oauth.frontendCallbackUrl) {
+            const params = new URLSearchParams({
+              sessionId: session.sessionId,
+              expiresAt: session.expiresAt,
+            });
+            state.redirect = `${this.oauth.frontendCallbackUrl}?${params}`;
+            return;
+          }
+
+          return session;
         } catch {
+          if (this.oauth.frontendCallbackUrl) {
+            state.redirect = `${this.oauth.frontendCallbackUrl}?error=auth_failed`;
+            return;
+          }
           return 500;
         }
       },

package/src/main.js

@@ -8,6 +8,7 @@ import AuthRequest from './auth-request.js';
 
 export default class OAuth {
   providers = new Map();
+  pendingStates = new Map();
 
   constructor() {
     if (OAuth.instance) return OAuth.instance;
@@ -15,7 +16,8 @@ export default class OAuth {
   }
 
   async init() {
-    const { providers, sessionDuration } = config.oauth;
+    const { providers, sessionDuration, frontendCallbackUrl } = config.oauth;
+    this.frontendCallbackUrl = frontendCallbackUrl;
 
     for (const [name, providerConfig] of Object.entries(providers)) {
       const modulePath = providerConfig.module
@@ -43,10 +45,23 @@ export default class OAuth {
   getAuthorizationUrl(providerName) {
     const { flow } = this.getProvider(providerName);
     const stateToken = crypto.randomUUID();
+    this.pendingStates.set(stateToken, Date.now());
     return flow.buildAuthorizationUrl(stateToken);
   }
 
-  async handleCallback(providerName, code) {
+  async handleCallback(providerName, code, stateToken) {
+    if (!stateToken || !this.pendingStates.has(stateToken)) {
+      throw new Error('Invalid or missing state token');
+    }
+
+    const stateCreatedAt = this.pendingStates.get(stateToken);
+    this.pendingStates.delete(stateToken);
+
+    const TEN_MINUTES = 10 * 60 * 1000;
+    if (Date.now() - stateCreatedAt > TEN_MINUTES) {
+      throw new Error('State token has expired');
+    }
+
     const { flow, tokenManager } = this.getProvider(providerName);
     const tokens = await tokenManager.getTokens(code);
     const rawUser = await flow.fetchUserInfo(tokens.accessToken);

package/test/config/environment.js

@@ -13,5 +13,6 @@ export default {
       }
     },
     sessionDuration: 3600,
+    frontendCallbackUrl: 'http://localhost:4200/auth/callback',
   }
 };

package/test/integration/oauth-test.js

@@ -2,10 +2,18 @@ import QUnit from 'qunit';
 import RestServer from '@stonyx/rest-server';
 import config from 'stonyx/config';
 import { setupIntegrationTests } from 'stonyx/test-helpers';
+import OAuth from '../../src/main.js';
 
 const { module, test } = QUnit;
 let endpoint;
 
+async function getValidState(endpoint) {
+  const loginResponse = await fetch(`${endpoint}/auth/login/mock`, { redirect: 'manual' });
+  const location = loginResponse.headers.get('location');
+  const url = new URL(location);
+  return url.searchParams.get('state');
+}
+
 module('[Integration] OAuth', function(hooks) {
   setupIntegrationTests(hooks);
 
@@ -34,21 +42,24 @@ module('[Integration] OAuth', function(hooks) {
     assert.equal(response.status, 404);
   });
 
-  test('GET /auth/callback/mock exchanges code and returns session', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=abc`);
-    const data = await response.json();
+  test('GET /auth/callback/mock with valid state redirects to frontend with session', async function(assert) {
+    const stateToken = await getValidState(endpoint);
+    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=${stateToken}`, { redirect: 'manual' });
 
-    assert.equal(response.status, 200);
-    assert.ok(data.sessionId);
-    assert.ok(data.user);
-    assert.equal(data.user.id, 'mock-user-123');
-    assert.equal(data.user.username, 'mockuser');
+    assert.equal(response.status, 302);
+
+    const location = response.headers.get('location');
+    const redirectUrl = new URL(location);
+    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
+    assert.ok(redirectUrl.searchParams.get('sessionId'), 'redirect includes sessionId');
+    assert.ok(redirectUrl.searchParams.get('expiresAt'), 'redirect includes expiresAt');
   });
 
   test('GET /auth with valid session returns user', async function(assert) {
-    // Create a session first
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=abc`);
-    const { sessionId } = await callbackResponse.json();
+    const stateToken = await getValidState(endpoint);
+    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
+    const location = callbackResponse.headers.get('location');
+    const sessionId = new URL(location).searchParams.get('sessionId');
 
     const response = await fetch(`${endpoint}/auth`, {
       headers: { 'session-id': sessionId },
@@ -74,9 +85,10 @@ module('[Integration] OAuth', function(hooks) {
   });
 
   test('GET /auth/logout invalidates session', async function(assert) {
-    // Create a session
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=abc`);
-    const { sessionId } = await callbackResponse.json();
+    const stateToken = await getValidState(endpoint);
+    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
+    const location = callbackResponse.headers.get('location');
+    const sessionId = new URL(location).searchParams.get('sessionId');
 
     // Logout
     const logoutResponse = await fetch(`${endpoint}/auth/logout`, {
@@ -90,4 +102,48 @@ module('[Integration] OAuth', function(hooks) {
     });
     assert.equal(authResponse.status, 401);
   });
+
+  test('GET /auth/callback/mock rejects missing state token', async function(assert) {
+    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code`, { redirect: 'manual' });
+
+    assert.equal(response.status, 302);
+    const location = response.headers.get('location');
+    const redirectUrl = new URL(location);
+    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
+  });
+
+  test('GET /auth/callback/mock rejects invalid state token', async function(assert) {
+    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=bogus-state`, { redirect: 'manual' });
+
+    assert.equal(response.status, 302);
+    const location = response.headers.get('location');
+    const redirectUrl = new URL(location);
+    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
+  });
+
+  test('GET /auth/callback/mock with error param redirects with error', async function(assert) {
+    const response = await fetch(`${endpoint}/auth/callback/mock?error=access_denied`, { redirect: 'manual' });
+
+    assert.equal(response.status, 302);
+    const location = response.headers.get('location');
+    const redirectUrl = new URL(location);
+    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
+    assert.equal(redirectUrl.searchParams.get('error'), 'access_denied');
+  });
+
+  test('GET /auth/callback/mock state token cannot be reused', async function(assert) {
+    const stateToken = await getValidState(endpoint);
+
+    // First use succeeds
+    const first = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
+    assert.equal(first.status, 302);
+    const firstLocation = new URL(first.headers.get('location'));
+    assert.ok(firstLocation.searchParams.get('sessionId'), 'first use succeeds');
+
+    // Second use fails
+    const second = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
+    assert.equal(second.status, 302);
+    const secondLocation = new URL(second.headers.get('location'));
+    assert.equal(secondLocation.searchParams.get('error'), 'auth_failed', 'reuse is rejected');
+  });
 });

package/test/unit/state-validation-test.js

@@ -0,0 +1,118 @@
+import QUnit from 'qunit';
+
+const { module, test } = QUnit;
+
+/**
+ * Tests for OAuth state token validation logic.
+ *
+ * These tests exercise the pendingStates map and validation directly,
+ * mirroring the logic in OAuth.handleCallback without requiring the
+ * full module initialization (which depends on stonyx config/modules).
+ */
+
+const TEN_MINUTES = 10 * 60 * 1000;
+
+function validateState(pendingStates, stateToken) {
+  if (!stateToken || !pendingStates.has(stateToken)) {
+    throw new Error('Invalid or missing state token');
+  }
+
+  const stateCreatedAt = pendingStates.get(stateToken);
+  pendingStates.delete(stateToken);
+
+  if (Date.now() - stateCreatedAt > TEN_MINUTES) {
+    throw new Error('State token has expired');
+  }
+}
+
+module('[Unit] State Validation', function() {
+  test('accepts a valid pending state token', function(assert) {
+    const pendingStates = new Map();
+    pendingStates.set('valid-token', Date.now());
+
+    validateState(pendingStates, 'valid-token');
+    assert.ok(true, 'did not throw');
+  });
+
+  test('consumes the state token after validation', function(assert) {
+    const pendingStates = new Map();
+    pendingStates.set('one-time-token', Date.now());
+
+    validateState(pendingStates, 'one-time-token');
+    assert.false(pendingStates.has('one-time-token'), 'token removed from pending states');
+  });
+
+  test('rejects a missing state token', function(assert) {
+    const pendingStates = new Map();
+
+    assert.throws(
+      () => validateState(pendingStates, undefined),
+      /Invalid or missing state token/,
+    );
+  });
+
+  test('rejects an empty string state token', function(assert) {
+    const pendingStates = new Map();
+
+    assert.throws(
+      () => validateState(pendingStates, ''),
+      /Invalid or missing state token/,
+    );
+  });
+
+  test('rejects an unknown state token', function(assert) {
+    const pendingStates = new Map();
+    pendingStates.set('known-token', Date.now());
+
+    assert.throws(
+      () => validateState(pendingStates, 'unknown-token'),
+      /Invalid or missing state token/,
+    );
+  });
+
+  test('rejects an expired state token (older than 10 minutes)', function(assert) {
+    const pendingStates = new Map();
+    const elevenMinutesAgo = Date.now() - (11 * 60 * 1000);
+    pendingStates.set('expired-token', elevenMinutesAgo);
+
+    assert.throws(
+      () => validateState(pendingStates, 'expired-token'),
+      /State token has expired/,
+    );
+  });
+
+  test('expired state token is still consumed', function(assert) {
+    const pendingStates = new Map();
+    const elevenMinutesAgo = Date.now() - (11 * 60 * 1000);
+    pendingStates.set('expired-token', elevenMinutesAgo);
+
+    try {
+      validateState(pendingStates, 'expired-token');
+    } catch {
+      // expected
+    }
+
+    assert.false(pendingStates.has('expired-token'), 'expired token removed from map');
+  });
+
+  test('accepts a token just under 10 minutes old', function(assert) {
+    const pendingStates = new Map();
+    const nineMinutesAgo = Date.now() - (9 * 60 * 1000);
+    pendingStates.set('fresh-token', nineMinutesAgo);
+
+    validateState(pendingStates, 'fresh-token');
+    assert.ok(true, 'did not throw');
+  });
+
+  test('rejects reuse of a previously valid token', function(assert) {
+    const pendingStates = new Map();
+    pendingStates.set('use-once', Date.now());
+
+    validateState(pendingStates, 'use-once');
+
+    assert.throws(
+      () => validateState(pendingStates, 'use-once'),
+      /Invalid or missing state token/,
+    );
+  });
+});