@telicent-oss/fe-auth-lib 1.0.0 → 1.0.2-TELFE-1477.0

package/src/__tests__/request-helpers.failures.test.ts

@@ -0,0 +1,143 @@
+import AuthServerOAuth2Client, {
+  AuthServerOAuth2ClientConfig,
+} from "../AuthServerOAuth2Client";
+import { installTestEnv, resetTestEnv } from "./test-utils";
+
+const createConfig = (
+  overrides: Partial<AuthServerOAuth2ClientConfig> = {}
+): AuthServerOAuth2ClientConfig => ({
+  clientId: "client-1",
+  authServerUrl: "http://auth.telicent.localhost",
+  redirectUri: "http://app.telicent.localhost/callback",
+  popupRedirectUri: "http://app.telicent.localhost/popup",
+  scope: "openid profile",
+  onLogout: jest.fn(),
+  ...overrides,
+});
+
+const createFetchResponse = (options: {
+  status?: number;
+  ok?: boolean;
+}): Response =>
+  ({
+    status: options.status ?? 401,
+    ok: options.ok ?? false,
+  } as unknown as Response);
+
+describe("failure path - request helpers on 401", () => {
+  beforeEach(() => {
+    installTestEnv();
+    Object.defineProperty(window, "location", {
+      value: {
+        href: "http://app.telicent.localhost/home",
+        origin: "http://app.telicent.localhost",
+        search: "",
+      },
+      writable: true,
+    });
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+  });
+
+  it("logs out and throws on 401 for makeAuthenticatedRequest", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    const fetchMock = jest.fn().mockResolvedValue(createFetchResponse({}));
+    globalThis.fetch = fetchMock;
+    jest.spyOn(client, "login").mockResolvedValue();
+    const clearSpy = jest.spyOn(client, "clearLocalStorage");
+
+    let error: Error | null = null;
+    try {
+      await client.makeAuthenticatedRequest("http://app.telicent.localhost/data");
+    } catch (caught) {
+      error = caught as Error;
+    }
+
+    expect({
+      error: error?.message,
+      clearCalls: clearSpy.mock.calls.length,
+      loginCalls: (client.login as jest.Mock).mock.calls.length,
+    }).toMatchInlineSnapshot(`
+      {
+        "clearCalls": 1,
+        "error": "Session expired",
+        "loginCalls": 1,
+      }
+    `);
+  });
+
+  it("warns and does not logout when skipAutoLogout is true", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    const fetchMock = jest.fn().mockResolvedValue(createFetchResponse({}));
+    globalThis.fetch = fetchMock;
+
+    const response = await client.makeAuthenticatedRequest(
+      "http://app.telicent.localhost/data",
+      { skipAutoLogout: true }
+    );
+
+    expect({
+      status: response.status,
+      warnings: (console.warn as jest.Mock).mock.calls.map((call) => call[0]),
+    }).toMatchInlineSnapshot(`
+      {
+        "status": 401,
+        "warnings": [
+          "401 response during protected operation, not auto-logging out to prevent loops",
+        ],
+      }
+    `);
+  });
+
+  it("throws on 401 for afterRequest and triggers login", () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    jest.spyOn(client, "login").mockResolvedValue();
+    const clearSpy = jest.spyOn(client, "clearLocalStorage");
+    const response = createFetchResponse({});
+
+    let error: Error | null = null;
+    try {
+      client.afterRequest(
+        response,
+        "http://app.telicent.localhost/data"
+      );
+    } catch (caught) {
+      error = caught as Error;
+    }
+
+    expect({
+      error: error?.message,
+      clearCalls: clearSpy.mock.calls.length,
+      loginCalls: (client.login as jest.Mock).mock.calls.length,
+    }).toMatchInlineSnapshot(`
+      {
+        "clearCalls": 1,
+        "error": "Session expired",
+        "loginCalls": 1,
+      }
+    `);
+  });
+
+  it("warns and does not logout when afterRequest skipAutoLogout is true", () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    const response = createFetchResponse({});
+
+    const result = client.afterRequest(response, "http://app/data", {
+      skipAutoLogout: true,
+    });
+
+    expect({
+      status: result.status,
+      warnings: (console.warn as jest.Mock).mock.calls.map((call) => call[0]),
+    }).toMatchInlineSnapshot(`
+      {
+        "status": 401,
+        "warnings": [
+          "401 response during protected operation, not auto-logging out to prevent loops",
+        ],
+      }
+    `);
+  });
+});

package/src/__tests__/request-helpers.success.test.ts

@@ -0,0 +1,137 @@
+import AuthServerOAuth2Client, {
+  AuthServerOAuth2ClientConfig,
+} from "../AuthServerOAuth2Client";
+import { installTestEnv, resetTestEnv, setCookies } from "./test-utils";
+
+const createConfig = (
+  overrides: Partial<AuthServerOAuth2ClientConfig> = {}
+): AuthServerOAuth2ClientConfig => ({
+  clientId: "client-1",
+  authServerUrl: "http://auth.telicent.localhost",
+  redirectUri: "http://app.telicent.localhost/callback",
+  popupRedirectUri: "http://app.telicent.localhost/popup",
+  scope: "openid profile",
+  onLogout: jest.fn(),
+  ...overrides,
+});
+
+const createFetchResponse = (options: {
+  status?: number;
+  ok?: boolean;
+}): Response =>
+  ({
+    status: options.status ?? 200,
+    ok: options.ok ?? true,
+  } as unknown as Response);
+
+describe("happy path - request helpers add auth headers", () => {
+  beforeEach(() => {
+    installTestEnv();
+    Object.defineProperty(window, "location", {
+      value: {
+        href: "http://app.telicent.localhost/home",
+        origin: "http://app.telicent.localhost",
+        search: "",
+      },
+      writable: true,
+    });
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+  });
+
+  it("adds Authorization header for cross-domain requests", async () => {
+    const client = new AuthServerOAuth2Client(
+      createConfig({ authServerUrl: "https://auth.telicent.io" })
+    );
+    sessionStorage.setItem("auth_session_id", "SESSION_123");
+    const fetchMock = jest.fn().mockResolvedValue(createFetchResponse({}));
+    globalThis.fetch = fetchMock;
+
+    await client.makeAuthenticatedRequest("https://api.telicent.io/data");
+
+    expect({
+      headers: fetchMock.mock.calls[0][1]?.headers,
+    }).toMatchInlineSnapshot(`
+      {
+        "headers": {
+          "Accept": "application/json",
+          "Authorization": "Bearer SESSION_123",
+        },
+      }
+    `);
+  });
+
+  it("adds CSRF token for same-domain state-changing requests", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    setCookies("XSRF-TOKEN=csrf-123");
+    const fetchMock = jest.fn().mockResolvedValue(createFetchResponse({}));
+    globalThis.fetch = fetchMock;
+
+    await client.makeAuthenticatedRequest(
+      "http://auth.telicent.localhost/data",
+      { method: "POST" }
+    );
+
+    expect({
+      headers: fetchMock.mock.calls[0][1]?.headers,
+    }).toMatchInlineSnapshot(`
+      {
+        "headers": {
+          "Accept": "application/json",
+          "X-XSRF-TOKEN": "csrf-123",
+        },
+      }
+    `);
+  });
+
+  it("prepares request headers for cross-domain and same-domain", () => {
+    const crossDomainClient = new AuthServerOAuth2Client(
+      createConfig({ authServerUrl: "https://auth.telicent.io" })
+    );
+    const sameDomainClient = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("auth_session_id", "SESSION_ABC");
+    setCookies("XSRF-TOKEN=csrf-456");
+
+    const crossHeaders = crossDomainClient.beforeRequest().headers;
+    const sameHeaders = sameDomainClient.beforeRequest({
+      method: "DELETE",
+    }).headers;
+
+    expect({
+      crossHeaders,
+      sameHeaders,
+    }).toMatchInlineSnapshot(`
+      {
+        "crossHeaders": {
+          "Accept": "application/json",
+          "Authorization": "Bearer SESSION_ABC",
+        },
+        "sameHeaders": {
+          "Accept": "application/json",
+          "X-XSRF-TOKEN": "csrf-456",
+        },
+      }
+    `);
+  });
+
+  it("returns response from afterRequest on allowed 401", () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    const response = createFetchResponse({ status: 401, ok: false });
+
+    const result = client.afterRequest(
+      response,
+      "http://auth.telicent.localhost/session/check"
+    );
+
+    expect({ result }).toMatchInlineSnapshot(`
+      {
+        "result": {
+          "ok": false,
+          "status": 401,
+        },
+      }
+    `);
+  });
+});

package/src/__tests__/schema-loading.failures.test.ts

@@ -0,0 +1,44 @@
+import { installTestEnv, resetTestEnv } from "./test-utils";
+
+describe("failure path - schema loading fails", () => {
+  beforeEach(() => {
+    installTestEnv();
+    jest.resetModules();
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+    jest.resetModules();
+    jest.dontMock("../schemas.js");
+  });
+
+  it("warns when schemas cannot be required", () => {
+    jest.doMock("../schemas.js", () => {
+      throw new Error("missing schemas");
+    });
+
+    let AuthServerOAuth2Client:
+      | typeof import("../AuthServerOAuth2Client").default
+      | undefined;
+    jest.isolateModules(() => {
+      AuthServerOAuth2Client = require("../AuthServerOAuth2Client").default;
+    });
+    if (!AuthServerOAuth2Client) {
+      throw new Error("AuthServerOAuth2Client not loaded");
+    }
+
+    const warnCalls = (console.warn as jest.Mock).mock.calls;
+
+    expect({
+      hasClient: typeof AuthServerOAuth2Client === "function",
+      warnings: warnCalls.map((call) => call[0]),
+    }).toMatchInlineSnapshot(`
+      {
+        "hasClient": true,
+        "warnings": [
+          "Zod schema not available, validation will be skipped:",
+        ],
+      }
+    `);
+  });
+});

package/src/__tests__/schema-loading.success.test.ts

@@ -0,0 +1,106 @@
+import { installTestEnv, resetTestEnv } from "./test-utils";
+
+describe("happy path - schema loading succeeds", () => {
+  beforeEach(() => {
+    installTestEnv();
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+    jest.resetModules();
+  });
+
+  it("parses config when schema is available", () => {
+    let AuthServerOAuth2Client:
+      | typeof import("../AuthServerOAuth2Client").default
+      | undefined;
+    jest.isolateModules(() => {
+      AuthServerOAuth2Client = require("../AuthServerOAuth2Client").default;
+    });
+    if (!AuthServerOAuth2Client) {
+      throw new Error("AuthServerOAuth2Client not loaded");
+    }
+
+    const client = new AuthServerOAuth2Client({
+      clientId: "client-1",
+      authServerUrl: "http://auth.telicent.localhost",
+      redirectUri: "http://app.telicent.localhost/callback",
+      popupRedirectUri: "http://app.telicent.localhost/popup",
+      scope: "openid profile",
+      onLogout: jest.fn(),
+    });
+
+    expect({
+      clientId: client.config.clientId,
+    }).toMatchInlineSnapshot(`
+      {
+        "clientId": "client-1",
+      }
+    `);
+  });
+
+  it("validates user info via schema when available", () => {
+    let AuthServerOAuth2Client:
+      | typeof import("../AuthServerOAuth2Client").default
+      | undefined;
+    jest.isolateModules(() => {
+      AuthServerOAuth2Client = require("../AuthServerOAuth2Client").default;
+    });
+    if (!AuthServerOAuth2Client) {
+      throw new Error("AuthServerOAuth2Client not loaded");
+    }
+
+    const client = new AuthServerOAuth2Client({
+      clientId: "client-1",
+      authServerUrl: "http://auth.telicent.localhost",
+      redirectUri: "http://app.telicent.localhost/callback",
+      popupRedirectUri: "http://app.telicent.localhost/popup",
+      scope: "openid profile",
+      onLogout: jest.fn(),
+    });
+
+    const now = 1_700_000_000_000;
+    jest.spyOn(Date, "now").mockReturnValue(now);
+    const token =
+      "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyLTEiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJwcmVmZXJyZWRfbmFtZSI6IlVzZXIgT25lIiwiaXNzIjoiaHR0cDovL2F1dGgudGVsaWNlbnQubG9jYWxob3N0IiwiYXVkIjoiY2xpZW50LTEiLCJleHAiOjE3MDAwMDAzMDAsImlhdCI6MTcwMDAwMDAwMCwianRpIjoiaWQtMSJ9.";
+
+    sessionStorage.setItem("auth_id_token", token);
+    const info = client.getUserInfo();
+
+    expect({ info }).toMatchInlineSnapshot(`
+      {
+        "info": {
+          "aud": "client-1",
+          "auth_time": undefined,
+          "azp": undefined,
+          "email": "user@example.com",
+          "exp": 1700000300,
+          "externalProvider": {
+            "aud": "client-1",
+            "email": "user@example.com",
+            "exp": 1700000300,
+            "iat": 1700000000,
+            "iss": "http://auth.telicent.localhost",
+            "jti": "id-1",
+            "preferred_name": "User One",
+            "sub": "user-1",
+          },
+          "iat": 1700000000,
+          "isActive": undefined,
+          "iss": "http://auth.telicent.localhost",
+          "jti": "id-1",
+          "name": "User One",
+          "nonce": undefined,
+          "preferred_name": "User One",
+          "sid": undefined,
+          "source": "id_token",
+          "sub": "user-1",
+          "token_expired": false,
+          "token_expires_at": "2023-11-14T22:18:20.000Z",
+        },
+      }
+    `);
+
+    (Date.now as jest.Mock).mockRestore();
+  });
+});

package/src/__tests__/state.success.test.ts

@@ -0,0 +1,217 @@
+import AuthServerOAuth2Client, {
+  AuthServerOAuth2ClientConfig,
+} from "../AuthServerOAuth2Client";
+import { buildJwt, installTestEnv, resetTestEnv } from "./test-utils";
+
+const createConfig = (
+  overrides: Partial<AuthServerOAuth2ClientConfig> = {}
+): AuthServerOAuth2ClientConfig => ({
+  clientId: "client-1",
+  authServerUrl: "http://auth.telicent.localhost",
+  redirectUri: "http://app.telicent.localhost/callback",
+  popupRedirectUri: "http://app.telicent.localhost/popup",
+  scope: "openid profile",
+  onLogout: jest.fn(),
+  ...overrides,
+});
+
+describe("happy path - jwt decode, validation, and user info", () => {
+  beforeEach(() => {
+    installTestEnv();
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+  });
+
+  it("decodes jwt payload", () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    const token = buildJwt({ sub: "user-1", aud: "client-1" });
+    const payload = client.decodeJWT(token);
+
+    expect({ payload }).toMatchInlineSnapshot(`
+      {
+        "payload": {
+          "aud": "client-1",
+          "sub": "user-1",
+        },
+      }
+    `);
+  });
+
+  it("validates id token and removes nonce", () => {
+    const now = 1_700_000_000_000;
+    jest.spyOn(Date, "now").mockReturnValue(now);
+
+    const client = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("oauth_nonce", "ABC_nonce_ABC");
+    const token = buildJwt({
+      sub: "user-1",
+      aud: "client-1",
+      exp: Math.floor(now / 1000) + 300,
+      iat: Math.floor(now / 1000),
+      nonce: "ABC_nonce_ABC",
+    });
+
+    const result = client.validateIdToken(token);
+
+    expect({
+      result,
+      nonceAfter: sessionStorage.getItem("oauth_nonce"),
+    }).toMatchInlineSnapshot(`
+      {
+        "nonceAfter": null,
+        "result": true,
+      }
+    `);
+
+    (Date.now as jest.Mock).mockRestore();
+  });
+
+  it("validates id token for recovery", () => {
+    const now = 1_700_000_000_000;
+    jest.spyOn(Date, "now").mockReturnValue(now);
+
+    const client = new AuthServerOAuth2Client(createConfig());
+    const token = buildJwt({
+      sub: "user-1",
+      aud: "client-1",
+      exp: Math.floor(now / 1000) + 300,
+      iat: Math.floor(now / 1000),
+    });
+
+    const result = client.validateIdTokenForRecovery(token);
+
+    expect({ result }).toMatchInlineSnapshot(`
+      {
+        "result": true,
+      }
+    `);
+
+    (Date.now as jest.Mock).mockRestore();
+  });
+
+  it("returns user info from id token", () => {
+    const now = 1_700_000_000_000;
+    jest.spyOn(Date, "now").mockReturnValue(now);
+
+    const client = new AuthServerOAuth2Client(createConfig());
+    const token = buildJwt({
+      sub: "user-1",
+      aud: "client-1",
+      exp: Math.floor(now / 1000) + 300,
+      iat: Math.floor(now / 1000),
+      email: "user@example.com",
+      preferred_name: "User One",
+      iss: "http://auth.telicent.localhost",
+      jti: "id-1",
+      sid: "session-1",
+      azp: "azp-1",
+      auth_time: Math.floor(now / 1000) - 100,
+      nonce: "ABC_nonce_ABC",
+      isActive: true,
+      name: "User One",
+    });
+    sessionStorage.setItem("auth_id_token", token);
+
+    const info = client.getUserInfo();
+
+    expect({ info }).toMatchInlineSnapshot(`
+      {
+        "info": {
+          "aud": "client-1",
+          "auth_time": 1699999900,
+          "azp": "azp-1",
+          "email": "user@example.com",
+          "exp": 1700000300,
+          "externalProvider": {
+            "aud": "client-1",
+            "auth_time": 1699999900,
+            "azp": "azp-1",
+            "email": "user@example.com",
+            "exp": 1700000300,
+            "iat": 1700000000,
+            "isActive": true,
+            "iss": "http://auth.telicent.localhost",
+            "jti": "id-1",
+            "name": "User One",
+            "nonce": "ABC_nonce_ABC",
+            "preferred_name": "User One",
+            "sid": "session-1",
+            "sub": "user-1",
+          },
+          "iat": 1700000000,
+          "isActive": true,
+          "iss": "http://auth.telicent.localhost",
+          "jti": "id-1",
+          "name": "User One",
+          "nonce": "ABC_nonce_ABC",
+          "preferred_name": "User One",
+          "sid": "session-1",
+          "source": "id_token",
+          "sub": "user-1",
+          "token_expired": false,
+          "token_expires_at": "2023-11-14T22:18:20.000Z",
+        },
+      }
+    `);
+
+    (Date.now as jest.Mock).mockRestore();
+  });
+
+  it("returns user info from API as token claims", async () => {
+    const now = 1_700_000_000_000;
+    jest.spyOn(Date, "now").mockReturnValue(now);
+
+    const client = new AuthServerOAuth2Client(createConfig());
+    const token = buildJwt({
+      sub: "user-1",
+      aud: "client-1",
+      exp: Math.floor(now / 1000) + 300,
+      iat: Math.floor(now / 1000),
+      email: "user@example.com",
+      preferred_name: "User One",
+      iss: "http://auth.telicent.localhost",
+      jti: "id-1",
+    });
+    sessionStorage.setItem("auth_id_token", token);
+
+    const info = await client.getUserInfoFromAPI();
+
+    expect({ info }).toMatchInlineSnapshot(`
+      {
+        "info": {
+          "aud": "client-1",
+          "auth_time": undefined,
+          "azp": undefined,
+          "email": "user@example.com",
+          "exp": 1700000300,
+          "externalProvider": {
+            "aud": "client-1",
+            "email": "user@example.com",
+            "exp": 1700000300,
+            "iat": 1700000000,
+            "iss": "http://auth.telicent.localhost",
+            "jti": "id-1",
+            "preferred_name": "User One",
+            "sub": "user-1",
+          },
+          "iat": 1700000000,
+          "isActive": undefined,
+          "iss": "http://auth.telicent.localhost",
+          "jti": "id-1",
+          "name": "User One",
+          "nonce": undefined,
+          "preferred_name": "User One",
+          "sid": undefined,
+          "source": "id_token",
+          "sub": "user-1",
+          "token_expired": false,
+          "token_expires_at": "2023-11-14T22:18:20.000Z",
+        },
+      }
+    `);
+
+    (Date.now as jest.Mock).mockRestore();
+  });
+});

package/src/__tests__/test-utils.node.success.test.ts

@@ -0,0 +1,16 @@
+/** @jest-environment node */
+import { resetCookies, resetSessionStorage, setCookies } from "./test-utils";
+
+describe("happy path - test utils in node", () => {
+  it("handles missing document and sessionStorage safely", () => {
+    resetSessionStorage();
+    resetCookies();
+    setCookies("XSRF-TOKEN=abc123");
+
+    expect({ ok: true }).toMatchInlineSnapshot(`
+      {
+        "ok": true,
+      }
+    `);
+  });
+});