@unifiedmemory/cli 1.3.12 → 1.3.14

package/tests/unit/token-validation.test.js

@@ -1,15 +1,15 @@
 /**
  * Unit tests for lib/token-validation.js
  *
- * Tests token loading, expiration checking, and org claims recovery.
+ * Tests token loading and expiration checking.
+ * The implementation is simple: load token, refresh if expired.
  */
 
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
-// Mock dependencies - using factory functions to avoid hoisting issues
+// Mock dependencies
 vi.mock('../../lib/token-storage.js', () => ({
   getToken: vi.fn(),
-  saveToken: vi.fn(),
 }));
 
 vi.mock('../../lib/token-refresh.js', () => ({
@@ -17,28 +17,10 @@ vi.mock('../../lib/token-refresh.js', () => ({
   refreshAccessToken: vi.fn(),
 }));
 
-vi.mock('../../lib/clerk-api.js', () => ({
-  getOrgScopedToken: vi.fn(),
-}));
-
-vi.mock('../../lib/jwt-utils.js', () => ({
-  parseJWT: vi.fn(),
-}));
-
-vi.mock('../../lib/config.js', () => ({
-  config: {
-    clerkDomain: 'clerk.test.com',
-    clerkClientId: 'test_client_id',
-    clerkClientSecret: 'test_client_secret',
-  },
-}));
-
 // Import after mocking
 import { loadAndRefreshToken } from '../../lib/token-validation.js';
-import { getToken, saveToken } from '../../lib/token-storage.js';
+import { getToken } from '../../lib/token-storage.js';
 import { isTokenExpired, refreshAccessToken } from '../../lib/token-refresh.js';
-import { getOrgScopedToken } from '../../lib/clerk-api.js';
-import { parseJWT } from '../../lib/jwt-utils.js';
 
 describe('loadAndRefreshToken', () => {
   const futureExp = Math.floor(Date.now() / 1000) + 3600;
@@ -130,238 +112,39 @@ describe('loadAndRefreshToken', () => {
     });
   });
 
-  describe('org claims recovery', () => {
-    it('recovers using decoded.sid when org claims missing', async () => {
-      const tokenMissingOrgClaims = {
-        idToken: 'token_no_org',
-        decoded: { exp: futureExp, sid: 'sess_123' },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-      };
-
-      vi.mocked(getToken).mockReturnValue(tokenMissingOrgClaims);
-      vi.mocked(getOrgScopedToken).mockResolvedValue({
-        jwt: 'org_scoped_jwt',
-      });
-      vi.mocked(parseJWT).mockReturnValue({
-        exp: futureExp,
-        o: { o_id: 'org_456' },
-      });
-
-      await loadAndRefreshToken();
-
-      expect(getOrgScopedToken).toHaveBeenCalledWith(
-        'sess_123',
-        'org_456',
-        'token_no_org'
-      );
-      expect(saveToken).toHaveBeenCalled();
-    });
-
-    it('recovers using originalSid when decoded.sid is missing', async () => {
-      const tokenWithOriginalSid = {
-        idToken: 'token_org_scoped',
-        decoded: { exp: futureExp }, // No sid - org-scoped token
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-        originalSid: 'sess_original',
-      };
-
-      vi.mocked(getToken).mockReturnValue(tokenWithOriginalSid);
-      vi.mocked(getOrgScopedToken).mockResolvedValue({
-        jwt: 'new_org_scoped_jwt',
-      });
-      vi.mocked(parseJWT).mockReturnValue({
-        exp: futureExp,
-        o: { o_id: 'org_456' },
-      });
-
-      await loadAndRefreshToken();
-
-      expect(getOrgScopedToken).toHaveBeenCalledWith(
-        'sess_original',
-        'org_456',
-        'token_org_scoped'
-      );
-    });
-
-    it('skips recovery when token already has org claims', async () => {
-      const tokenWithOrgClaims = {
-        idToken: 'complete_token',
-        decoded: { exp: futureExp, o: { o_id: 'org_456' } },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-      };
-
-      vi.mocked(getToken).mockReturnValue(tokenWithOrgClaims);
-
-      const result = await loadAndRefreshToken();
-
-      expect(getOrgScopedToken).not.toHaveBeenCalled();
-      expect(result.decoded.o).toBeDefined();
-    });
-
-    it('skips recovery when no selectedOrg (personal account)', async () => {
-      const personalToken = {
-        idToken: 'personal_token',
-        decoded: { exp: futureExp, sid: 'sess_123' },
-        // No selectedOrg - personal account
-      };
-
-      vi.mocked(getToken).mockReturnValue(personalToken);
-
-      await loadAndRefreshToken();
-
-      expect(getOrgScopedToken).not.toHaveBeenCalled();
-    });
-
-    it('skips recovery when selectedOrg has no id', async () => {
-      const tokenWithEmptyOrg = {
-        idToken: 'token_empty_org',
-        decoded: { exp: futureExp, sid: 'sess_123' },
-        selectedOrg: {}, // Empty org object
-      };
-
-      vi.mocked(getToken).mockReturnValue(tokenWithEmptyOrg);
-
-      await loadAndRefreshToken();
-
-      expect(getOrgScopedToken).not.toHaveBeenCalled();
-    });
-
-    it('continues gracefully when recovery fails', async () => {
-      const brokenToken = {
-        idToken: 'broken_token',
-        decoded: { exp: futureExp, sid: 'sess_123' },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-      };
-
-      vi.mocked(getToken).mockReturnValue(brokenToken);
-      vi.mocked(getOrgScopedToken).mockRejectedValue(new Error('API error'));
-
-      // Should not throw, just log warning and return token
-      const result = await loadAndRefreshToken();
-
-      expect(result).toBeDefined();
-      expect(result.idToken).toBe('broken_token');
-    });
-
-    it('saves updated token after successful recovery', async () => {
-      const tokenMissingOrgClaims = {
-        idToken: 'token_no_org',
-        decoded: { exp: futureExp, sid: 'sess_123' },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-        refresh_token: 'rt_123',
-      };
-
-      vi.mocked(getToken).mockReturnValue(tokenMissingOrgClaims);
-      vi.mocked(getOrgScopedToken).mockResolvedValue({
-        jwt: 'org_scoped_jwt',
-      });
-      vi.mocked(parseJWT).mockReturnValue({
-        exp: futureExp,
-        o: { o_id: 'org_456' },
-      });
-
-      await loadAndRefreshToken();
-
-      expect(saveToken).toHaveBeenCalledWith(
-        expect.objectContaining({
-          idToken: 'org_scoped_jwt',
-        })
-      );
-    });
-  });
-
-  describe('OAuth refresh fallback for missing sid', () => {
-    const originalFetch = global.fetch;
-
-    afterEach(() => {
-      global.fetch = originalFetch;
-    });
-
-    it('attempts OAuth refresh when no sid/originalSid but has refresh_token', async () => {
-      const tokenNoSid = {
-        idToken: 'token_no_sid',
-        decoded: { exp: futureExp }, // No sid
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
+  describe('valid token handling', () => {
+    it('returns token data when not expired', async () => {
+      const validToken = {
+        idToken: 'valid_token',
+        decoded: { exp: futureExp, sub: 'user_123' },
         refresh_token: 'rt_123',
-        // No originalSid either
       };
 
-      vi.mocked(getToken).mockReturnValue(tokenNoSid);
-
-      // Mock fetch for OAuth refresh
-      global.fetch = vi.fn().mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve({
-          access_token: 'new_at',
-          id_token: 'new_idt_with_sid',
-          refresh_token: 'new_rt',
-        }),
-      });
-
-      // parseJWT returns token with sid after refresh
-      vi.mocked(parseJWT)
-        .mockReturnValueOnce({ exp: futureExp, sid: 'sess_new' }) // First call: parse refreshed token
-        .mockReturnValueOnce({ exp: futureExp, o: { o_id: 'org_456' } }); // Second call: parse org-scoped token
-
-      vi.mocked(getOrgScopedToken).mockResolvedValue({
-        jwt: 'org_scoped_jwt_after_refresh',
-      });
-
-      await loadAndRefreshToken();
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.stringContaining('/oauth/token'),
-        expect.any(Object)
-      );
-    });
-
-    it('continues without org token when OAuth refresh fails', async () => {
-      const tokenNoSid = {
-        idToken: 'token_no_sid',
-        decoded: { exp: futureExp },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-        refresh_token: 'rt_123',
-      };
+      vi.mocked(getToken).mockReturnValue(validToken);
+      vi.mocked(isTokenExpired).mockReturnValue(false);
 
-      vi.mocked(getToken).mockReturnValue(tokenNoSid);
-
-      // Mock fetch to fail
-      global.fetch = vi.fn().mockResolvedValue({
-        ok: false,
-        status: 400,
-      });
-
-      // Should not throw, just return token as-is
       const result = await loadAndRefreshToken();
 
-      expect(result).toBeDefined();
-      expect(result.idToken).toBe('token_no_sid');
+      expect(refreshAccessToken).not.toHaveBeenCalled();
+      expect(result).toEqual(validToken);
     });
 
-    it('logs warning when no recovery path available', async () => {
-      const fullyBrokenToken = {
-        idToken: 'broken_token',
-        decoded: { exp: futureExp },
-        selectedOrg: { id: 'org_456', name: 'Test Org' },
-        // No sid, no originalSid, no refresh_token
+    it('returns token with org context when present', async () => {
+      const orgToken = {
+        idToken: 'org_token',
+        decoded: { exp: futureExp, sub: 'user_123', org_id: 'org_456' },
+        selectedOrgId: 'org_456',
+        selectedOrgName: 'Test Org',
+        refresh_token: 'rt_123',
       };
 
-      vi.mocked(getToken).mockReturnValue(fullyBrokenToken);
-
-      // Spy on console.error
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      vi.mocked(getToken).mockReturnValue(orgToken);
+      vi.mocked(isTokenExpired).mockReturnValue(false);
 
       const result = await loadAndRefreshToken();
 
-      // Should still return token (API calls may fail later)
-      expect(result).toBeDefined();
-
-      // Should have logged warning about missing session ID
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining('Could not obtain session ID')
-      );
-
-      consoleSpy.mockRestore();
+      expect(result.selectedOrgId).toBe('org_456');
+      expect(result.selectedOrgName).toBe('Test Org');
     });
   });
 });