@telicent-oss/fe-auth-lib 1.0.1 → 1.0.2-TELFE-1477.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@telicent-oss/fe-auth-lib",
-  "version": "1.0.1",
+  "version": "1.0.2-TELFE-1477.0",
   "private": false,
   "license": "Apache-2.0",
   "description": "OAuth2 client library for Telicent Authentication Server",
@@ -32,7 +32,7 @@
     "INSTRUCTIONS.md"
   ],
   "scripts": {
-    "test": "jest",
+    "test": "jest --config ./jest.config.js",
     "build": "echo \"No-op: Nothing to build\"",
     "local-publish": "npm publish --registry http://localhost:4873"
   },
@@ -50,5 +50,5 @@
   "engines": {
     "node": ">=20.19.0"
   },
-  "gitHead": "4868d793fefb4b0a564b028a85189e608d9ca927"
+  "gitHead": "4222468eba6c8be751a0de016110d35cd53322cd"
 }

package/src/AuthServerOAuth2Client.d.ts

@@ -10,19 +10,17 @@
  */
 export interface AuthServerOAuth2ClientConfig {
   /** OAuth2 client identifier registered with the auth server */
-  clientId?: string;
+  clientId: string;
   /** Base URL of the authentication server (e.g. "http://auth.telicent.localhost") */
-  authServerUrl?: string;
+  authServerUrl: string;
   /** URI to redirect to after OAuth authorization (must be registered with auth server) */
-  redirectUri?: string;
+  redirectUri: string;
   /** Alternative redirect URI for popup-based authentication flows */
-  popupRedirectUri?: string;
+  popupRedirectUri: string;
   /** OAuth2 scopes to request (e.g. "openid profile message.read") */
-  scope?: string;
-  /** Base URL for API requests (used for cross-domain detection) */
-  apiUrl?: string;
+  scope: string;
   /** Callback function executed after successful logout */
-  onLogout?: () => void;
+  onLogout: () => void;
 }
 
 /**
@@ -144,7 +142,7 @@ declare class AuthServerOAuth2Client {
   static readonly OAUTH_ERROR: string;
 
   /** Client configuration with defaults applied */
-  config: Required<AuthServerOAuth2ClientConfig>;
+  config: AuthServerOAuth2ClientConfig;
   /** Whether this client operates in cross-domain mode */
   isCrossDomain: boolean;
 
@@ -184,6 +182,8 @@ declare class AuthServerOAuth2Client {
    */
   base64URLEncode(array: Uint8Array): string;
 
+  base64URLEncodeString(str: string): string;
+
   /**
    * Generate random state
    */
@@ -255,7 +255,9 @@ declare class AuthServerOAuth2Client {
    *   });
    * ```
    */
-  handleCallback(callbackParams?: string | null): Promise<SessionData>;
+  handleCallback(
+    callbackParams?: string | Record<string, string> | URLSearchParams | null
+  ): Promise<SessionData>;
 
   /**
    * Check if user has valid session
@@ -425,11 +427,6 @@ declare class AuthServerOAuth2Client {
    */
   logout(): Promise<void>;
 
-  /**
-   * Track popup window and listen for OAuth callback messages
-   */
-  trackPopup(popup: Window): void;
-
   /**
    * Complete popup OAuth flow
    *

package/src/AuthServerOAuth2Client.js

@@ -44,6 +44,9 @@ class AuthServerOAuth2Client {
     this.config = {
       ...config,
     };
+    this.derived = {
+      accountInactive: `${this.config.authServerUrl}/account-inactive`,
+    }
 
     // Auto-detect if this is a cross-domain client
     this.isCrossDomain = this.detectCrossDomain();
@@ -278,6 +281,8 @@ class AuthServerOAuth2Client {
     );
 
     if (!tokenResponse.ok) {
+      let errorMessage = "Unknown error";
+      const authUrl = `${this.config.authServerUrl}/oauth2/authorize`;
       let errorDetails;
       try {
         // Try to parse JSON error response first
@@ -288,6 +293,9 @@ class AuthServerOAuth2Client {
         errorDetails = { error: "unknown", error_description: errorText };
       }
 
+      errorMessage =
+        errorDetails.error_description || errorDetails.error || "Unknown error";
+
       // Handle specific consent_required error
       if (errorDetails.error === "consent_required") {
         console.log("Consent required - redirecting to proper OAuth2 flow");
@@ -295,15 +303,24 @@ class AuthServerOAuth2Client {
         // The SPA should not directly call /oauth2/session without consent
         // Instead, redirect to start the proper OAuth2 authorization flow
         // which will handle consent properly through OAuth2AuthenticationSuccessHandler
-        const authUrl = this.buildAuthorizationUrl();
         console.log("Redirecting to OAuth2 authorization flow:", authUrl);
-        window.location.href = authUrl;
+        this.clearLocalStorage();
+        window.location.href = `${authUrl}/access-denied`;
+        
         return; // Don't throw error, we're redirecting
       }
 
+      if (errorDetails.error === "access_denied" && tokenResponse.status === 400) {
+        console.log(`${errorMessage}`);
+        this.clearLocalStorage();
+
+        window.location.href = this.derived.accountInactive;
+        
+        throw new Error(`${errorMessage} redirecting to ${this.derived.accountInactive}`);
+      }
+
       // For other errors, throw as before
-      const errorMessage =
-        errorDetails.error_description || errorDetails.error || "Unknown error";
+      this.clearLocalStorage();
       throw new Error(
         `Token exchange and session creation failed: ${errorMessage}`
       );
@@ -963,4 +980,4 @@ if (typeof module !== "undefined" && module.exports) {
   // ES modules
   exports.default = AuthServerOAuth2Client;
   exports.AuthServerOAuth2Client = AuthServerOAuth2Client;
-}
+}

package/src/__tests__/callback.failures.test.ts

@@ -0,0 +1,285 @@
+import AuthServerOAuth2Client, {
+  AuthServerOAuth2ClientConfig,
+} from "../AuthServerOAuth2Client";
+import { installTestEnv, resetTestEnv } from "./test-utils";
+
+const createConfig = (
+  overrides: Partial<AuthServerOAuth2ClientConfig> = {}
+): AuthServerOAuth2ClientConfig => ({
+  clientId: "client-1",
+  authServerUrl: "http://auth.telicent.localhost",
+  redirectUri: "http://app.telicent.localhost/callback",
+  popupRedirectUri: "http://app.telicent.localhost/popup",
+  scope: "openid profile",
+  onLogout: jest.fn(),
+  ...overrides,
+});
+
+const createFetchResponse = (options: {
+  ok?: boolean;
+  status?: number;
+  jsonData?: unknown;
+  textData?: string;
+  jsonThrows?: boolean;
+}): Response =>
+  ({
+    ok: options.ok ?? false,
+    status: options.status ?? 400,
+    json: options.jsonThrows
+      ? jest.fn().mockRejectedValue(new Error("json error"))
+      : jest.fn().mockResolvedValue(options.jsonData ?? {}),
+    text: jest.fn().mockResolvedValue(options.textData ?? ""),
+  } as unknown as Response);
+
+describe("failure path - handleCallback failure modes", () => {
+  beforeEach(() => {
+    installTestEnv();
+    Object.defineProperty(window, "location", {
+      value: {
+        href: "http://app.telicent.localhost/callback",
+        origin: "http://app.telicent.localhost",
+        search: "",
+      },
+      writable: true,
+    });
+  });
+
+  afterEach(() => {
+    resetTestEnv();
+    jest.useRealTimers();
+  });
+
+  it("throws on missing code or state", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+
+    const cases = [
+      { params: {}, error: "Missing code or state parameter" },
+      { params: { code: "CODE_1" }, error: "Missing code or state parameter" },
+      {
+        params: { state: "STATE_1" },
+        error: "Missing code or state parameter",
+      },
+    ];
+
+    const results = [];
+    for (const item of cases) {
+      try {
+        await client.handleCallback(item.params as Record<string, string>);
+        results.push({ error: null });
+      } catch (error) {
+        results.push({ error: (error as Error).message });
+      }
+    }
+
+    expect(results).toMatchInlineSnapshot(`
+      [
+        {
+          "error": "Missing code or state parameter",
+        },
+        {
+          "error": "Missing code or state parameter",
+        },
+        {
+          "error": "Missing code or state parameter",
+        },
+      ]
+    `);
+  });
+
+  it("throws on state mismatch or missing verifier/redirect uri", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("oauth_state", "STATE_1");
+    sessionStorage.setItem("oauth_code_verifier", "VERIFIER_1");
+    sessionStorage.setItem("oauth_redirect_uri", "http://app/callback");
+
+    const cases = [
+      {
+        params: { code: "CODE_1", state: "STATE_2" },
+        error: "Invalid state parameter",
+      },
+      {
+        params: { code: "CODE_1", state: "STATE_1" },
+        clear: "oauth_code_verifier",
+        error: "Missing code verifier",
+      },
+      {
+        params: { code: "CODE_1", state: "STATE_1" },
+        clear: "oauth_redirect_uri",
+        error: "Missing redirect URI",
+      },
+    ];
+
+    const results = [];
+    for (const item of cases) {
+      sessionStorage.setItem("oauth_state", "STATE_1");
+      sessionStorage.setItem("oauth_code_verifier", "VERIFIER_1");
+      sessionStorage.setItem("oauth_redirect_uri", "http://app/callback");
+      if (item.clear) sessionStorage.removeItem(item.clear);
+      try {
+        await client.handleCallback(item.params as Record<string, string>);
+        results.push({ error: null });
+      } catch (error) {
+        results.push({ error: (error as Error).message });
+      }
+    }
+
+    expect(results).toMatchInlineSnapshot(`
+      [
+        {
+          "error": "Invalid state parameter",
+        },
+        {
+          "error": "Missing code verifier",
+        },
+        {
+          "error": "Missing redirect URI",
+        },
+      ]
+    `);
+  });
+
+  it("throws on error param from callback params", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+
+    let error: Error | null = null;
+    try {
+      await client.handleCallback({ error: "access_denied" });
+    } catch (caught) {
+      error = caught as Error;
+    }
+
+    expect({ error: error?.message }).toMatchInlineSnapshot(`
+      {
+        "error": "OAuth error: access_denied",
+      }
+    `);
+  });
+
+  it("reads callback params from window.location.search", async () => {
+    const client = new AuthServerOAuth2Client(createConfig());
+    Object.defineProperty(window, "location", {
+      value: {
+        href: "http://app.telicent.localhost/callback?error=access_denied",
+        origin: "http://app.telicent.localhost",
+        search: "?error=access_denied",
+      },
+      writable: true,
+    });
+
+    let error: Error | null = null;
+    try {
+      await client.handleCallback();
+    } catch (caught) {
+      error = caught as Error;
+    }
+
+    expect({ error: error?.message }).toMatchInlineSnapshot(`
+      {
+        "error": "OAuth error: access_denied",
+      }
+    `);
+  });
+
+  it("redirects on consent_required without throwing", async () => {
+    jest.useFakeTimers();
+    const client = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("oauth_state", "STATE_1");
+    sessionStorage.setItem("oauth_code_verifier", "VERIFIER_1");
+    sessionStorage.setItem("oauth_redirect_uri", "http://app/callback");
+
+    const fetchMock = jest.fn().mockResolvedValue(
+      createFetchResponse({
+        ok: false,
+        status: 400,
+        jsonData: { error: "consent_required" },
+      })
+    );
+    globalThis.fetch = fetchMock;
+
+    await client.handleCallback({ code: "CODE_1", state: "STATE_1" });
+
+    expect({
+      href: window.location.href,
+      oauthState: sessionStorage.getItem("oauth_state"),
+      oauthVerifier: sessionStorage.getItem("oauth_code_verifier"),
+    }).toMatchInlineSnapshot(`
+      {
+        "href": "http://auth.telicent.localhost/oauth2/authorize/access-denied",
+        "oauthState": null,
+        "oauthVerifier": null,
+      }
+    `);
+  });
+
+  it("redirects on access_denied", async () => {
+    jest.useFakeTimers();
+    const client = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("oauth_state", "STATE_1");
+    sessionStorage.setItem("oauth_code_verifier", "VERIFIER_1");
+    sessionStorage.setItem("oauth_redirect_uri", "http://app/callback");
+
+    const fetchMock = jest.fn().mockResolvedValue(
+      createFetchResponse({
+        ok: false,
+        status: 400,
+        jsonData: { error: "access_denied" },
+      })
+    );
+    globalThis.fetch = fetchMock;
+
+    await expect(
+      client.handleCallback({ code: "CODE_1", state: "STATE_1" })
+    ).rejects.toThrow(
+      "access_denied redirecting to http://auth.telicent.localhost/account-inactive"
+    );
+
+    expect({
+      href: window.location.href,
+      oauthState: sessionStorage.getItem("oauth_state"),
+      oauthVerifier: sessionStorage.getItem("oauth_code_verifier"),
+    }).toMatchInlineSnapshot(`
+      {
+        "href": "http://auth.telicent.localhost/account-inactive",
+        "oauthState": null,
+        "oauthVerifier": null,
+      }
+    `);
+  });
+
+  it("throws when token exchange fails with text response", async () => {
+    jest.useFakeTimers();
+    const client = new AuthServerOAuth2Client(createConfig());
+    sessionStorage.setItem("oauth_state", "STATE_1");
+    sessionStorage.setItem("oauth_code_verifier", "VERIFIER_1");
+    sessionStorage.setItem("oauth_redirect_uri", "http://app/callback");
+
+    const fetchMock = jest.fn().mockResolvedValue(
+      createFetchResponse({
+        ok: false,
+        status: 500,
+        jsonThrows: true,
+        textData: "server down",
+      })
+    );
+    globalThis.fetch = fetchMock;
+
+    let error: Error | null = null;
+    try {
+      await client.handleCallback({ code: "CODE_1", state: "STATE_1" });
+    } catch (caught) {
+      error = caught as Error;
+    }
+
+    expect({
+      error: error?.message,
+      oauthState: sessionStorage.getItem("oauth_state"),
+      oauthVerifier: sessionStorage.getItem("oauth_code_verifier"),
+    }).toMatchInlineSnapshot(`
+      {
+        "error": "Token exchange and session creation failed: server down",
+        "oauthState": null,
+        "oauthVerifier": null,
+      }
+    `);
+  });
+});