@stonyx/oauth 0.1.1-beta.4 → 0.1.1-beta.40

package/README.md

@@ -1,3 +1,7 @@
+[![CI](https://github.com/abofs/stonyx-oauth/actions/workflows/ci.yml/badge.svg)](https://github.com/abofs/stonyx-oauth/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/@stonyx/oauth.svg)](https://www.npmjs.com/package/@stonyx/oauth)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
 # @stonyx/oauth
 
 OAuth2 authentication module for the Stonyx framework. Provides a generic OAuth2 Authorization Code flow with a provider pattern — ship with Discord support, extensible to any OAuth2 provider.

package/package.json

@@ -4,7 +4,7 @@
     "stonyx-async",
     "stonyx-module"
   ],
-  "version": "0.1.1-beta.4",
+  "version": "0.1.1-beta.40",
   "description": "OAuth2 authentication module for the Stonyx framework",
   "repository": {
     "type": "git",
@@ -20,19 +20,25 @@
   "contributors": [
     "Stone Costa <stone.costa@synamicd.com>"
   ],
+  "files": [
+    "src",
+    "config",
+    "README.md"
+  ],
   "publishConfig": {
     "access": "public",
     "provenance": true
   },
   "dependencies": {
-    "stonyx": "0.2.3-beta.4"
+    "stonyx": "0.2.3-beta.11",
+    "@stonyx/events": "0.1.1-beta.9"
   },
   "peerDependencies": {
     "@stonyx/rest-server": ">=0.2.1-beta.11"
   },
   "devDependencies": {
-    "@stonyx/rest-server": "0.2.1-beta.12",
-    "@stonyx/utils": "0.2.3-beta.4",
+    "@stonyx/rest-server": "0.2.1-beta.30",
+    "@stonyx/utils": "0.2.3-beta.7",
     "qunit": "^2.24.1",
     "sinon": "^21.0.0"
   },

package/src/main.js

@@ -1,11 +1,14 @@
 import config from 'stonyx/config';
 import log from 'stonyx/log';
 import { waitForModule } from 'stonyx';
+import { setup, emit } from '@stonyx/events';
 import RestServer from '@stonyx/rest-server';
 import TokenManager from './token-manager.js';
 import SessionManager from './session-manager.js';
 import AuthRequest from './auth-request.js';
 
+setup(['authenticate']);
+
 export default class OAuth {
   providers = new Map();
   pendingStates = new Map();
@@ -66,6 +69,7 @@ export default class OAuth {
     const tokens = await tokenManager.getTokens(code);
     const rawUser = await flow.fetchUserInfo(tokens.accessToken);
     const user = flow.normalizeUser(rawUser);
+    await emit('authenticate', user);
     return this.sessionManager.create(user, tokens);
   }
 

package/.github/workflows/ci.yml

@@ -1,16 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: [dev, main]
-
-concurrency:
-  group: ci-${{ github.head_ref || github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    uses: abofs/stonyx-workflows/.github/workflows/ci.yml@main

package/.github/workflows/publish.yml

@@ -1,51 +0,0 @@
-name: Publish to NPM
-
-on:
-  repository_dispatch:
-    types: [cascade-publish]
-  workflow_dispatch:
-    inputs:
-      version-type:
-        description: 'Version type'
-        required: true
-        type: choice
-        options:
-          - patch
-          - minor
-          - major
-      custom-version:
-        description: 'Custom version (optional, overrides version-type)'
-        required: false
-        type: string
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches: [main]
-  push:
-    branches: [main]
-
-concurrency:
-  group: ${{ github.event_name == 'repository_dispatch' && 'cascade-update' || format('publish-{0}', github.ref) }}
-  cancel-in-progress: false
-
-permissions:
-  contents: write
-  id-token: write
-  pull-requests: write
-
-jobs:
-  publish:
-    if: "!contains(github.event.head_commit.message, '[skip ci]')"
-    uses: abofs/stonyx-workflows/.github/workflows/npm-publish.yml@main
-    with:
-      version-type: ${{ github.event.inputs.version-type }}
-      custom-version: ${{ github.event.inputs.custom-version }}
-      cascade-source: ${{ github.event.client_payload.source_package || '' }}
-    secrets: inherit
-
-  cascade:
-    needs: publish
-    uses: abofs/stonyx-workflows/.github/workflows/cascade.yml@main
-    with:
-      package-name: ${{ needs.publish.outputs.package-name }}
-      published-version: ${{ needs.publish.outputs.published-version }}
-    secrets: inherit

package/test/config/environment.js

@@ -1,18 +0,0 @@
-export default {
-  restServer: {
-    dir: './test/sample/requests',
-  },
-  oauth: {
-    providers: {
-      mock: {
-        clientId: 'test-client-id',
-        clientSecret: 'test-client-secret',
-        redirectUri: 'http://localhost:2666/auth/callback/mock',
-        scopes: ['identify'],
-        module: './test/sample/providers/mock.js',
-      }
-    },
-    sessionDuration: 3600,
-    frontendCallbackUrl: 'http://localhost:4200/auth/callback',
-  }
-};

package/test/integration/oauth-test.js

@@ -1,149 +0,0 @@
-import QUnit from 'qunit';
-import RestServer from '@stonyx/rest-server';
-import config from 'stonyx/config';
-import { setupIntegrationTests } from 'stonyx/test-helpers';
-import OAuth from '../../src/main.js';
-
-const { module, test } = QUnit;
-let endpoint;
-
-async function getValidState(endpoint) {
-  const loginResponse = await fetch(`${endpoint}/auth/login/mock`, { redirect: 'manual' });
-  const location = loginResponse.headers.get('location');
-  const url = new URL(location);
-  return url.searchParams.get('state');
-}
-
-module('[Integration] OAuth', function(hooks) {
-  setupIntegrationTests(hooks);
-
-  hooks.before(function() {
-    endpoint = `http://localhost:${config.restServer.port}`;
-  });
-
-  hooks.after(function() {
-    RestServer.close();
-  });
-
-  test('GET /auth/login/mock redirects to provider auth URL', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/login/mock`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-
-    const location = response.headers.get('location');
-    assert.ok(location.startsWith('https://mock.provider/oauth/authorize?'));
-    assert.ok(location.includes('client_id=test-client-id'));
-    assert.ok(location.includes('response_type=code'));
-  });
-
-  test('GET /auth/login/nonexistent returns 404', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/login/nonexistent`, { redirect: 'manual' });
-
-    assert.equal(response.status, 404);
-  });
-
-  test('GET /auth/callback/mock with valid state redirects to frontend with session', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=${stateToken}`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
-    assert.ok(redirectUrl.searchParams.get('sessionId'), 'redirect includes sessionId');
-    assert.ok(redirectUrl.searchParams.get('expiresAt'), 'redirect includes expiresAt');
-  });
-
-  test('GET /auth with valid session returns user', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    const location = callbackResponse.headers.get('location');
-    const sessionId = new URL(location).searchParams.get('sessionId');
-
-    const response = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': sessionId },
-    });
-    const data = await response.json();
-
-    assert.equal(response.status, 200);
-    assert.equal(data.id, 'mock-user-123');
-  });
-
-  test('GET /auth without session returns 401', async function(assert) {
-    const response = await fetch(`${endpoint}/auth`);
-
-    assert.equal(response.status, 401);
-  });
-
-  test('GET /auth with invalid session returns 401', async function(assert) {
-    const response = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': 'invalid-session' },
-    });
-
-    assert.equal(response.status, 401);
-  });
-
-  test('GET /auth/logout invalidates session', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    const location = callbackResponse.headers.get('location');
-    const sessionId = new URL(location).searchParams.get('sessionId');
-
-    // Logout
-    const logoutResponse = await fetch(`${endpoint}/auth/logout`, {
-      headers: { 'session-id': sessionId },
-    });
-    assert.equal(logoutResponse.status, 200);
-
-    // Verify session is invalid
-    const authResponse = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': sessionId },
-    });
-    assert.equal(authResponse.status, 401);
-  });
-
-  test('GET /auth/callback/mock rejects missing state token', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
-  });
-
-  test('GET /auth/callback/mock rejects invalid state token', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=bogus-state`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
-  });
-
-  test('GET /auth/callback/mock with error param redirects with error', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?error=access_denied`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
-    assert.equal(redirectUrl.searchParams.get('error'), 'access_denied');
-  });
-
-  test('GET /auth/callback/mock state token cannot be reused', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-
-    // First use succeeds
-    const first = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    assert.equal(first.status, 302);
-    const firstLocation = new URL(first.headers.get('location'));
-    assert.ok(firstLocation.searchParams.get('sessionId'), 'first use succeeds');
-
-    // Second use fails
-    const second = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    assert.equal(second.status, 302);
-    const secondLocation = new URL(second.headers.get('location'));
-    assert.equal(secondLocation.searchParams.get('error'), 'auth_failed', 'reuse is rejected');
-  });
-});

package/test/sample/providers/mock.js

@@ -1,40 +0,0 @@
-import OAuthFlow from '../../../src/oauth-flow.js';
-
-export default class MockProvider extends OAuthFlow {
-  constructor(config) {
-    super({
-      ...config,
-      authorizationUrl: 'https://mock.provider/oauth/authorize',
-      tokenUrl: 'https://mock.provider/oauth/token',
-      userInfoUrl: 'https://mock.provider/api/me',
-    });
-  }
-
-  async exchangeCode(_code) {
-    return {
-      accessToken: 'mock-access-token',
-      refreshToken: 'mock-refresh-token',
-      expiresIn: 3600,
-    };
-  }
-
-  async fetchUserInfo(_accessToken) {
-    return {
-      id: 'mock-user-123',
-      username: 'mockuser',
-      displayName: 'Mock User',
-      email: 'mock@test.com',
-    };
-  }
-
-  normalizeUser(rawUser) {
-    return {
-      id: rawUser.id,
-      username: rawUser.username,
-      displayName: rawUser.displayName,
-      avatar: null,
-      email: rawUser.email,
-      raw: rawUser,
-    };
-  }
-}

package/test/unit/oauth-flow-test.js

@@ -1,137 +0,0 @@
-import QUnit from 'qunit';
-import OAuthFlow from '../../src/oauth-flow.js';
-
-const { module, test } = QUnit;
-
-const defaultConfig = {
-  clientId: 'test-client',
-  clientSecret: 'test-secret',
-  redirectUri: 'http://localhost/callback',
-  scopes: ['read', 'write'],
-  authorizationUrl: 'https://provider.com/oauth/authorize',
-  tokenUrl: 'https://provider.com/oauth/token',
-  userInfoUrl: 'https://provider.com/api/me',
-};
-
-module('[Unit] OAuthFlow', function() {
-  module('buildAuthorizationUrl', function() {
-    test('generates a valid authorization URL with all params', function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const url = flow.buildAuthorizationUrl('test-state-123');
-
-      assert.ok(url.startsWith('https://provider.com/oauth/authorize?'));
-      assert.ok(url.includes('client_id=test-client'));
-      assert.ok(url.includes('redirect_uri='));
-      assert.ok(url.includes('response_type=code'));
-      assert.ok(url.includes('scope=read+write'));
-      assert.ok(url.includes('state=test-state-123'));
-    });
-
-    test('handles empty scopes', function(assert) {
-      const flow = new OAuthFlow({ ...defaultConfig, scopes: [] });
-      const url = flow.buildAuthorizationUrl('state');
-
-      assert.ok(url.includes('scope='));
-    });
-  });
-
-  module('exchangeCode', function() {
-    test('makes a POST request to the token URL', async function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const originalFetch = globalThis.fetch;
-
-      globalThis.fetch = async (url, options) => {
-        assert.equal(url, 'https://provider.com/oauth/token');
-        assert.equal(options.method, 'POST');
-        assert.equal(options.headers['Content-Type'], 'application/json');
-
-        const body = JSON.parse(options.body);
-        assert.equal(body.grant_type, 'authorization_code');
-        assert.equal(body.code, 'test-code');
-        assert.equal(body.client_id, 'test-client');
-
-        return {
-          ok: true,
-          json: async () => ({ access_token: 'abc', refresh_token: 'def', expires_in: 3600 }),
-        };
-      };
-
-      const result = await flow.exchangeCode('test-code');
-
-      assert.equal(result.accessToken, 'abc');
-      assert.equal(result.refreshToken, 'def');
-      assert.equal(result.expiresIn, 3600);
-
-      globalThis.fetch = originalFetch;
-    });
-
-    test('throws on failed token exchange', async function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const originalFetch = globalThis.fetch;
-
-      globalThis.fetch = async () => ({ ok: false, status: 400 });
-
-      await assert.rejects(flow.exchangeCode('bad-code'), /Token exchange failed: 400/);
-
-      globalThis.fetch = originalFetch;
-    });
-  });
-
-  module('refreshAccessToken', function() {
-    test('makes a refresh grant request', async function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const originalFetch = globalThis.fetch;
-
-      globalThis.fetch = async (_url, options) => {
-        const body = JSON.parse(options.body);
-        assert.equal(body.grant_type, 'refresh_token');
-        assert.equal(body.refresh_token, 'old-refresh');
-
-        return {
-          ok: true,
-          json: async () => ({ access_token: 'new-access', expires_in: 7200 }),
-        };
-      };
-
-      const result = await flow.refreshAccessToken('old-refresh');
-
-      assert.equal(result.accessToken, 'new-access');
-      assert.equal(result.refreshToken, 'old-refresh', 'falls back to original refresh token');
-      assert.equal(result.expiresIn, 7200);
-
-      globalThis.fetch = originalFetch;
-    });
-  });
-
-  module('fetchUserInfo', function() {
-    test('sends a Bearer token in the Authorization header', async function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const originalFetch = globalThis.fetch;
-
-      globalThis.fetch = async (url, options) => {
-        assert.equal(url, 'https://provider.com/api/me');
-        assert.equal(options.headers.Authorization, 'Bearer my-token');
-
-        return {
-          ok: true,
-          json: async () => ({ id: '1', name: 'Test' }),
-        };
-      };
-
-      const result = await flow.fetchUserInfo('my-token');
-      assert.deepEqual(result, { id: '1', name: 'Test' });
-
-      globalThis.fetch = originalFetch;
-    });
-  });
-
-  module('normalizeUser', function() {
-    test('returns raw user by default', function(assert) {
-      const flow = new OAuthFlow(defaultConfig);
-      const raw = { id: '1', name: 'Test' };
-      const result = flow.normalizeUser(raw);
-
-      assert.deepEqual(result, { raw });
-    });
-  });
-});

package/test/unit/providers/discord-test.js

@@ -1,115 +0,0 @@
-import QUnit from 'qunit';
-import DiscordProvider from '../../../src/providers/discord.js';
-
-const { module, test } = QUnit;
-
-const defaultConfig = {
-  clientId: 'discord-client-id',
-  clientSecret: 'discord-client-secret',
-  redirectUri: 'http://localhost/auth/callback/discord',
-  scopes: ['identify', 'email'],
-};
-
-module('[Unit] DiscordProvider', function() {
-  module('constructor', function() {
-    test('sets correct Discord OAuth2 URLs', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      assert.equal(provider.authorizationUrl, 'https://discord.com/oauth2/authorize');
-      assert.equal(provider.tokenUrl, 'https://discord.com/api/oauth2/token');
-      assert.equal(provider.userInfoUrl, 'https://discord.com/api/users/@me');
-    });
-
-    test('preserves client config', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      assert.equal(provider.clientId, 'discord-client-id');
-      assert.equal(provider.clientSecret, 'discord-client-secret');
-      assert.deepEqual(provider.scopes, ['identify', 'email']);
-    });
-  });
-
-  module('exchangeCode', function() {
-    test('uses form-encoded body for Discord token exchange', async function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-      const originalFetch = globalThis.fetch;
-
-      globalThis.fetch = async (url, options) => {
-        assert.equal(url, 'https://discord.com/api/oauth2/token');
-        assert.equal(options.headers['Content-Type'], 'application/x-www-form-urlencoded');
-        assert.ok(options.body instanceof URLSearchParams);
-
-        const params = Object.fromEntries(options.body);
-        assert.equal(params.grant_type, 'authorization_code');
-        assert.equal(params.code, 'discord-auth-code');
-        assert.equal(params.client_id, 'discord-client-id');
-
-        return {
-          ok: true,
-          json: async () => ({ access_token: 'discord-token', refresh_token: 'refresh', expires_in: 604800 }),
-        };
-      };
-
-      const result = await provider.exchangeCode('discord-auth-code');
-
-      assert.equal(result.accessToken, 'discord-token');
-      assert.equal(result.refreshToken, 'refresh');
-      assert.equal(result.expiresIn, 604800);
-
-      globalThis.fetch = originalFetch;
-    });
-  });
-
-  module('normalizeUser', function() {
-    test('maps Discord user fields correctly', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      const discordUser = {
-        id: '123456789',
-        username: 'testuser',
-        global_name: 'Test User',
-        avatar: 'abc123',
-        email: 'test@example.com',
-      };
-
-      const result = provider.normalizeUser(discordUser);
-
-      assert.equal(result.id, '123456789');
-      assert.equal(result.username, 'testuser');
-      assert.equal(result.displayName, 'Test User');
-      assert.equal(result.avatar, 'https://cdn.discordapp.com/avatars/123456789/abc123.png');
-      assert.equal(result.email, 'test@example.com');
-      assert.deepEqual(result.raw, discordUser);
-    });
-
-    test('handles missing avatar', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      const result = provider.normalizeUser({
-        id: '1', username: 'user', global_name: 'User', avatar: null, email: null,
-      });
-
-      assert.equal(result.avatar, null);
-    });
-
-    test('falls back to username when global_name is missing', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      const result = provider.normalizeUser({
-        id: '1', username: 'myuser', avatar: null, email: null,
-      });
-
-      assert.equal(result.displayName, 'myuser');
-    });
-
-    test('handles missing email', function(assert) {
-      const provider = new DiscordProvider(defaultConfig);
-
-      const result = provider.normalizeUser({
-        id: '1', username: 'user', global_name: 'User', avatar: null,
-      });
-
-      assert.equal(result.email, null);
-    });
-  });
-});

package/test/unit/session-manager-test.js

@@ -1,85 +0,0 @@
-import QUnit from 'qunit';
-import SessionManager from '../../src/session-manager.js';
-
-const { module, test } = QUnit;
-
-const mockUser = { id: '1', username: 'testuser' };
-const mockTokens = { accessToken: 'abc', expiresAt: Date.now() + 60000 };
-
-module('[Unit] SessionManager', function() {
-  module('create', function() {
-    test('generates a unique session ID and stores session', function(assert) {
-      const manager = new SessionManager(3600);
-      const session1 = manager.create(mockUser, mockTokens);
-      const session2 = manager.create(mockUser, mockTokens);
-
-      assert.ok(session1.sessionId);
-      assert.ok(session2.sessionId);
-      assert.notEqual(session1.sessionId, session2.sessionId);
-      assert.deepEqual(session1.user, mockUser);
-    });
-
-    test('sets expiresAt based on duration', function(assert) {
-      const manager = new SessionManager(3600);
-      const before = Date.now();
-      const session = manager.create(mockUser, mockTokens);
-
-      assert.ok(session.expiresAt >= before + 3600 * 1000);
-    });
-  });
-
-  module('get', function() {
-    test('returns session data for a valid session ID', function(assert) {
-      const manager = new SessionManager(3600);
-      const { sessionId } = manager.create(mockUser, mockTokens);
-      const session = manager.get(sessionId);
-
-      assert.ok(session);
-      assert.deepEqual(session.user, mockUser);
-    });
-
-    test('returns null for unknown session ID', function(assert) {
-      const manager = new SessionManager(3600);
-      const session = manager.get('nonexistent');
-
-      assert.equal(session, null);
-    });
-  });
-
-  module('validate', function() {
-    test('returns user for a valid, non-expired session', function(assert) {
-      const manager = new SessionManager(3600);
-      const { sessionId } = manager.create(mockUser, mockTokens);
-      const user = manager.validate(sessionId);
-
-      assert.deepEqual(user, mockUser);
-    });
-
-    test('returns null for an expired session and cleans it up', function(assert) {
-      const manager = new SessionManager(0);
-      const { sessionId } = manager.create(mockUser, mockTokens);
-      const user = manager.validate(sessionId);
-
-      assert.equal(user, null);
-      assert.equal(manager.get(sessionId), null);
-    });
-
-    test('returns null for nonexistent session', function(assert) {
-      const manager = new SessionManager(3600);
-      const user = manager.validate('missing');
-
-      assert.equal(user, null);
-    });
-  });
-
-  module('destroy', function() {
-    test('removes the session', function(assert) {
-      const manager = new SessionManager(3600);
-      const { sessionId } = manager.create(mockUser, mockTokens);
-
-      manager.destroy(sessionId);
-
-      assert.equal(manager.get(sessionId), null);
-    });
-  });
-});

package/test/unit/state-validation-test.js

@@ -1,118 +0,0 @@
-import QUnit from 'qunit';
-
-const { module, test } = QUnit;
-
-/**
- * Tests for OAuth state token validation logic.
- *
- * These tests exercise the pendingStates map and validation directly,
- * mirroring the logic in OAuth.handleCallback without requiring the
- * full module initialization (which depends on stonyx config/modules).
- */
-
-const TEN_MINUTES = 10 * 60 * 1000;
-
-function validateState(pendingStates, stateToken) {
-  if (!stateToken || !pendingStates.has(stateToken)) {
-    throw new Error('Invalid or missing state token');
-  }
-
-  const stateCreatedAt = pendingStates.get(stateToken);
-  pendingStates.delete(stateToken);
-
-  if (Date.now() - stateCreatedAt > TEN_MINUTES) {
-    throw new Error('State token has expired');
-  }
-}
-
-module('[Unit] State Validation', function() {
-  test('accepts a valid pending state token', function(assert) {
-    const pendingStates = new Map();
-    pendingStates.set('valid-token', Date.now());
-
-    validateState(pendingStates, 'valid-token');
-    assert.ok(true, 'did not throw');
-  });
-
-  test('consumes the state token after validation', function(assert) {
-    const pendingStates = new Map();
-    pendingStates.set('one-time-token', Date.now());
-
-    validateState(pendingStates, 'one-time-token');
-    assert.false(pendingStates.has('one-time-token'), 'token removed from pending states');
-  });
-
-  test('rejects a missing state token', function(assert) {
-    const pendingStates = new Map();
-
-    assert.throws(
-      () => validateState(pendingStates, undefined),
-      /Invalid or missing state token/,
-    );
-  });
-
-  test('rejects an empty string state token', function(assert) {
-    const pendingStates = new Map();
-
-    assert.throws(
-      () => validateState(pendingStates, ''),
-      /Invalid or missing state token/,
-    );
-  });
-
-  test('rejects an unknown state token', function(assert) {
-    const pendingStates = new Map();
-    pendingStates.set('known-token', Date.now());
-
-    assert.throws(
-      () => validateState(pendingStates, 'unknown-token'),
-      /Invalid or missing state token/,
-    );
-  });
-
-  test('rejects an expired state token (older than 10 minutes)', function(assert) {
-    const pendingStates = new Map();
-    const elevenMinutesAgo = Date.now() - (11 * 60 * 1000);
-    pendingStates.set('expired-token', elevenMinutesAgo);
-
-    assert.throws(
-      () => validateState(pendingStates, 'expired-token'),
-      /State token has expired/,
-    );
-  });
-
-  test('expired state token is still consumed', function(assert) {
-    const pendingStates = new Map();
-    const elevenMinutesAgo = Date.now() - (11 * 60 * 1000);
-    pendingStates.set('expired-token', elevenMinutesAgo);
-
-    try {
-      validateState(pendingStates, 'expired-token');
-    } catch {
-      // expected
-    }
-
-    assert.false(pendingStates.has('expired-token'), 'expired token removed from map');
-  });
-
-  test('accepts a token just under 10 minutes old', function(assert) {
-    const pendingStates = new Map();
-    const nineMinutesAgo = Date.now() - (9 * 60 * 1000);
-    pendingStates.set('fresh-token', nineMinutesAgo);
-
-    validateState(pendingStates, 'fresh-token');
-    assert.ok(true, 'did not throw');
-  });
-
-  test('rejects reuse of a previously valid token', function(assert) {
-    const pendingStates = new Map();
-    pendingStates.set('use-once', Date.now());
-
-    validateState(pendingStates, 'use-once');
-
-    assert.throws(
-      () => validateState(pendingStates, 'use-once'),
-      /Invalid or missing state token/,
-    );
-  });
-});

package/test/unit/token-manager-test.js

@@ -1,76 +0,0 @@
-import QUnit from 'qunit';
-import TokenManager from '../../src/token-manager.js';
-
-const { module, test } = QUnit;
-
-function createMockFlow() {
-  return {
-    exchangeCode: async (code) => ({
-      accessToken: `token-for-${code}`,
-      refreshToken: 'refresh-123',
-      expiresIn: 3600,
-    }),
-    refreshAccessToken: async (refreshToken) => ({
-      accessToken: 'new-access',
-      refreshToken,
-      expiresIn: 7200,
-    }),
-    revokeToken: async () => {},
-  };
-}
-
-module('[Unit] TokenManager', function() {
-  module('getTokens', function() {
-    test('delegates to flow.exchangeCode and sets expiresAt', async function(assert) {
-      const manager = new TokenManager(createMockFlow());
-      const before = Date.now();
-      const result = await manager.getTokens('my-code');
-
-      assert.equal(result.accessToken, 'token-for-my-code');
-      assert.equal(result.refreshToken, 'refresh-123');
-      assert.ok(result.expiresAt >= before + 3600 * 1000);
-    });
-  });
-
-  module('refresh', function() {
-    test('delegates to flow.refreshAccessToken and sets expiresAt', async function(assert) {
-      const manager = new TokenManager(createMockFlow());
-      const result = await manager.refresh('refresh-123');
-
-      assert.equal(result.accessToken, 'new-access');
-      assert.ok(result.expiresAt > Date.now());
-    });
-  });
-
-  module('revoke', function() {
-    test('delegates to flow.revokeToken', async function(assert) {
-      let revoked = false;
-      const flow = { ...createMockFlow(), revokeToken: async () => { revoked = true; } };
-      const manager = new TokenManager(flow);
-
-      await manager.revoke('some-token');
-      assert.ok(revoked);
-    });
-  });
-
-  module('isExpired', function() {
-    test('returns true if expiresAt is in the past', function(assert) {
-      const manager = new TokenManager(createMockFlow());
-
-      assert.true(manager.isExpired({ expiresAt: Date.now() - 1000 }));
-    });
-
-    test('returns false if expiresAt is in the future', function(assert) {
-      const manager = new TokenManager(createMockFlow());
-
-      assert.false(manager.isExpired({ expiresAt: Date.now() + 60000 }));
-    });
-
-    test('returns true if tokenData is null or missing expiresAt', function(assert) {
-      const manager = new TokenManager(createMockFlow());
-
-      assert.true(manager.isExpired(null));
-      assert.true(manager.isExpired({}));
-    });
-  });
-});