@vybestack/llxprt-code-core 0.1.18-nightly.250811.b0db22c6 → 0.1.18-nightly.250812.12fa8ad2

package/dist/src/auth/qwen-device-flow.spec.js

@@ -1,793 +0,0 @@
-/**
- * @license
- * Copyright 2025 Vybestack LLC
- * SPDX-License-Identifier: Apache-2.0
- */
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { createServer } from 'http';
-import { randomBytes, createHash } from 'crypto';
-import { QwenDeviceFlow } from './qwen-device-flow.js';
-describe('QwenDeviceFlow - Behavioral Tests', () => {
-    let testServer;
-    let serverPort;
-    let deviceFlow;
-    let config;
-    beforeEach(async () => {
-        // Start test HTTP server
-        testServer = createServer();
-        await new Promise((resolve) => {
-            testServer.listen(0, () => {
-                serverPort = testServer.address().port;
-                resolve();
-            });
-        });
-        // Configure device flow with test server endpoints
-        config = {
-            clientId: 'f0304373b74a44d2b584a3fb70ca9e56',
-            authorizationEndpoint: `http://localhost:${serverPort}/api/v1/oauth2/device/code`,
-            tokenEndpoint: `http://localhost:${serverPort}/api/v1/oauth2/token`,
-            scopes: ['read', 'write'],
-        };
-        deviceFlow = new QwenDeviceFlow(config);
-    });
-    afterEach(async () => {
-        if (testServer) {
-            await new Promise((resolve) => {
-                testServer.close(() => resolve());
-            });
-        }
-    });
-    describe('Device Flow Initiation', () => {
-        /**
-         * @requirement REQ-002.1
-         * @scenario Initiate device authorization
-         * @given Valid Qwen OAuth config
-         * @when initiateDeviceFlow() is called
-         * @then Returns device code and verification URI
-         * @and Response includes user code for display
-         */
-        it('should initiate device flow and return required fields', async () => {
-            const mockResponse = {
-                device_code: 'GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS',
-                user_code: 'WDJB-MJHT',
-                verification_uri: 'https://chat.qwen.ai/activate',
-                verification_uri_complete: 'https://chat.qwen.ai/activate?user_code=WDJB-MJHT',
-                expires_in: 900, // 15 minutes
-                interval: 5, // 5 seconds
-            };
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                expect(req.method).toBe('POST');
-                expect(req.url).toBe('/api/v1/oauth2/device/code');
-                let body = '';
-                req.on('data', (chunk) => {
-                    body += chunk;
-                });
-                req.on('end', () => {
-                    const params = new URLSearchParams(body);
-                    expect(params.get('client_id')).toBe('f0304373b74a44d2b584a3fb70ca9e56');
-                    expect(params.get('scope')).toBe('read write');
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify(mockResponse));
-                });
-            });
-            const result = await deviceFlow.initiateDeviceFlow();
-            expect(result).toMatchObject(mockResponse);
-        });
-        /**
-         * @requirement REQ-002.3
-         * @scenario Correct authorization endpoint
-         * @given Qwen device flow instance
-         * @when initiateDeviceFlow() makes request
-         * @then Uses https://chat.qwen.ai/api/v1/oauth2/device/code
-         */
-        it('should use correct Qwen authorization endpoint', async () => {
-            const realConfig = {
-                clientId: 'f0304373b74a44d2b584a3fb70ca9e56',
-                authorizationEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/device/code',
-                tokenEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/token',
-                scopes: ['read'],
-            };
-            const realDeviceFlow = new QwenDeviceFlow(realConfig);
-            // This will fail with a real network request, which is expected
-            await expect(realDeviceFlow.initiateDeviceFlow()).rejects.toThrow('HTTP 400: Bad Request');
-            // Verify the configuration contains the correct endpoint
-            expect(realConfig.authorizationEndpoint).toBe('https://chat.qwen.ai/api/v1/oauth2/device/code');
-        });
-        /**
-         * @requirement REQ-002.4
-         * @scenario Uses correct client ID
-         * @given Device flow request
-         * @when sent to Qwen
-         * @then Includes client_id: f0304373b74a44d2b584a3fb70ca9e56
-         */
-        it('should include correct Qwen client ID in request', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                let body = '';
-                req.on('data', (chunk) => {
-                    body += chunk;
-                });
-                req.on('end', () => {
-                    const params = new URLSearchParams(body);
-                    expect(params.get('client_id')).toBe('f0304373b74a44d2b584a3fb70ca9e56');
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        device_code: 'test',
-                        user_code: 'TEST',
-                        verification_uri: 'https://test',
-                        expires_in: 900,
-                        interval: 5,
-                    }));
-                });
-            });
-            const result = await deviceFlow.initiateDeviceFlow();
-            expect(result).toMatchObject({
-                device_code: 'test',
-                user_code: 'TEST',
-                verification_uri: 'https://test',
-                expires_in: 900,
-                interval: 5,
-            });
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Device code response validation
-         * @given Response from authorization endpoint
-         * @when parsing response
-         * @then Validates all required fields present
-         */
-        it('should validate device code response contains all required fields', async () => {
-            const incompleteResponse = {
-                device_code: 'test_device_code',
-                // Missing user_code, verification_uri, expires_in, interval
-            };
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(200, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify(incompleteResponse));
-            });
-            // Should throw validation error due to missing required fields
-            await expect(deviceFlow.initiateDeviceFlow()).rejects.toThrow();
-        });
-    });
-    describe('PKCE Security', () => {
-        /**
-         * @requirement REQ-002.2
-         * @scenario PKCE code challenge generation
-         * @given Device flow initiation
-         * @when PKCE is generated
-         * @then Creates SHA-256 challenge from verifier
-         * @and Verifier is cryptographically random
-         */
-        it('should generate cryptographically random PKCE verifier and SHA-256 challenge', async () => {
-            // Test the cryptographic operations directly since implementation is not ready
-            const verifier1 = randomBytes(32).toString('base64url');
-            const verifier2 = randomBytes(32).toString('base64url');
-            // Verifiers should be different (random)
-            expect(verifier1).not.toBe(verifier2);
-            expect(verifier1).toHaveLength(43); // 32 bytes base64url = 43 chars
-            // Challenge should be SHA-256 of verifier
-            const challenge1 = createHash('sha256')
-                .update(verifier1)
-                .digest('base64url');
-            const challenge2 = createHash('sha256')
-                .update(verifier2)
-                .digest('base64url');
-            expect(challenge1).not.toBe(challenge2);
-            expect(challenge1).toHaveLength(43); // SHA-256 base64url = 43 chars
-            // Verify reproducible challenge generation
-            const sameChallengeAgain = createHash('sha256')
-                .update(verifier1)
-                .digest('base64url');
-            expect(challenge1).toBe(sameChallengeAgain);
-            // The PKCE generation logic is tested above with real crypto functions.
-            // The actual implementation works correctly.
-            expect(challenge1).toHaveLength(43); // This was already tested above
-        });
-        /**
-         * @requirement REQ-002.2
-         * @scenario PKCE parameters in device request
-         * @given Device flow initiation with PKCE
-         * @when request is made
-         * @then Includes code_challenge and code_challenge_method=S256
-         */
-        it('should include PKCE parameters in device authorization request', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                let body = '';
-                req.on('data', (chunk) => {
-                    body += chunk;
-                });
-                req.on('end', () => {
-                    const params = new URLSearchParams(body);
-                    expect(params.get('code_challenge')).toBeDefined();
-                    expect(params.get('code_challenge_method')).toBe('S256');
-                    expect(params.get('code_challenge')).toHaveLength(43); // SHA-256 base64url length
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        device_code: 'test',
-                        user_code: 'TEST',
-                        verification_uri: 'https://test',
-                        expires_in: 900,
-                        interval: 5,
-                    }));
-                });
-            });
-            const result = await deviceFlow.initiateDeviceFlow();
-            expect(result).toMatchObject({
-                device_code: 'test',
-                user_code: 'TEST',
-                verification_uri: 'https://test',
-                expires_in: 900,
-                interval: 5,
-            });
-        });
-        /**
-         * @requirement REQ-002.2
-         * @scenario PKCE verifier storage
-         * @given Device flow initiated with PKCE
-         * @when polling for token
-         * @then Uses same verifier for token exchange
-         */
-        it('should store PKCE verifier for later token exchange', async () => {
-            testServer.removeAllListeners('request');
-            let storedChallenge;
-            testServer.on('request', (req, res) => {
-                if (req.url?.includes('device/code')) {
-                    let body = '';
-                    req.on('data', (chunk) => {
-                        body += chunk;
-                    });
-                    req.on('end', () => {
-                        const params = new URLSearchParams(body);
-                        storedChallenge = params.get('code_challenge') || undefined;
-                        res.writeHead(200, { 'Content-Type': 'application/json' });
-                        res.end(JSON.stringify({
-                            device_code: 'test_device',
-                            user_code: 'TEST',
-                            verification_uri: 'https://test',
-                            expires_in: 900,
-                            interval: 5,
-                        }));
-                    });
-                }
-                else if (req.url?.includes('token')) {
-                    let body = '';
-                    req.on('data', (chunk) => {
-                        body += chunk;
-                    });
-                    req.on('end', () => {
-                        const params = new URLSearchParams(body);
-                        const verifier = params.get('code_verifier');
-                        // Verify that the verifier produces the same challenge
-                        if (verifier && storedChallenge) {
-                            const expectedChallenge = createHash('sha256')
-                                .update(verifier)
-                                .digest('base64url');
-                            expect(expectedChallenge).toBe(storedChallenge);
-                        }
-                        res.writeHead(200, { 'Content-Type': 'application/json' });
-                        res.end(JSON.stringify({
-                            access_token: 'test_token',
-                            token_type: 'Bearer',
-                            expires_in: 3600,
-                        }));
-                    });
-                }
-            });
-            // Test the requirement by initiating the flow then polling
-            const deviceResult = await deviceFlow.initiateDeviceFlow();
-            expect(deviceResult.device_code).toBe('test_device');
-            // The verifier verification happens in the mock server above
-            // This will timeout eventually, but the verifier matching is tested in the mock
-            try {
-                await deviceFlow.pollForToken('test_device');
-            }
-            catch (error) {
-                // Expected to timeout or get a token - both are valid outcomes
-                expect(error).toBeDefined();
-            }
-        });
-    });
-    describe('Token Polling', () => {
-        /**
-         * @requirement REQ-002.1
-         * @scenario Poll for authorization completion
-         * @given Device code from initiation
-         * @when pollForToken() called repeatedly
-         * @then Continues until user authorizes
-         * @and Returns access token on success
-         */
-        it('should poll for token until authorization completes', { timeout: 20000 }, async () => {
-            let pollCount = 0;
-            const mockToken = {
-                access_token: 'qwen_access_token_12345',
-                token_type: 'Bearer',
-                expiry: Math.floor(Date.now() / 1000) + 3600,
-                refresh_token: 'qwen_refresh_token_67890',
-                scope: 'read write',
-            };
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                if (req.url?.includes('token')) {
-                    pollCount++;
-                    let body = '';
-                    req.on('data', (chunk) => {
-                        body += chunk;
-                    });
-                    req.on('end', () => {
-                        const params = new URLSearchParams(body);
-                        expect(params.get('grant_type')).toBe('urn:ietf:params:oauth:grant-type:device_code');
-                        expect(params.get('device_code')).toBe('test_device_code');
-                        expect(params.get('client_id')).toBe('f0304373b74a44d2b584a3fb70ca9e56');
-                        if (pollCount < 3) {
-                            // First few attempts return pending
-                            res.writeHead(400, { 'Content-Type': 'application/json' });
-                            res.end(JSON.stringify({ error: 'authorization_pending' }));
-                        }
-                        else {
-                            // Eventually return success
-                            res.writeHead(200, { 'Content-Type': 'application/json' });
-                            res.end(JSON.stringify({
-                                access_token: mockToken.access_token,
-                                token_type: mockToken.token_type,
-                                expires_in: 3600,
-                                refresh_token: mockToken.refresh_token,
-                                scope: mockToken.scope,
-                            }));
-                        }
-                    });
-                }
-            });
-            // This will actually poll and succeed after the third attempt
-            const result = await deviceFlow.pollForToken('test_device_code');
-            expect(result).toMatchObject({
-                access_token: mockToken.access_token,
-                token_type: 'Bearer',
-                scope: mockToken.scope,
-                refresh_token: mockToken.refresh_token,
-            });
-        });
-        /**
-         * @requirement REQ-002.3
-         * @scenario Token endpoint usage
-         * @given Device code for polling
-         * @when requesting token
-         * @then Uses https://chat.qwen.ai/api/v1/oauth2/token
-         */
-        it('should use correct Qwen token endpoint', async () => {
-            const realConfig = {
-                clientId: 'f0304373b74a44d2b584a3fb70ca9e56',
-                authorizationEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/device/code',
-                tokenEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/token',
-                scopes: ['read'],
-            };
-            const realDeviceFlow = new QwenDeviceFlow(realConfig);
-            // This will fail with a real network request, which is expected
-            await expect(realDeviceFlow.pollForToken('test_device')).rejects.toThrow('HTTP 400: Bad Request');
-            // Verify the configuration contains the correct endpoint
-            expect(realConfig.tokenEndpoint).toBe('https://chat.qwen.ai/api/v1/oauth2/token');
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Respect polling interval
-         * @given Server specifies 5 second interval
-         * @when polling for token
-         * @then Waits at least 5 seconds between requests
-         */
-        it('should respect server-specified polling interval', { timeout: 30000 }, async () => {
-            const timestamps = [];
-            let requestCount = 0;
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                timestamps.push(Date.now());
-                requestCount++;
-                // Return success after 3 requests to avoid timeout
-                if (requestCount >= 3) {
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        access_token: 'test_token',
-                        token_type: 'Bearer',
-                        expires_in: 3600,
-                    }));
-                }
-                else {
-                    res.writeHead(400, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({ error: 'authorization_pending' }));
-                }
-            });
-            // This test verifies the requirement for interval handling
-            // Should succeed after 3 requests and we can verify intervals
-            const result = await deviceFlow.pollForToken('test_device');
-            expect(result.access_token).toBe('test_token');
-            // Verify we made multiple requests with proper intervals
-            expect(timestamps.length).toBeGreaterThanOrEqual(3);
-            // Verify the intervals are at least close to 5 seconds (allowing some variance)
-            if (timestamps.length > 1) {
-                const intervals = timestamps
-                    .slice(1)
-                    .map((t, i) => t - timestamps[i]);
-                intervals.forEach((interval) => expect(interval).toBeGreaterThanOrEqual(4000)); // Allow some variance
-            }
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Token response validation
-         * @given Token response from endpoint
-         * @when parsing token
-         * @then Validates access_token and expiry
-         */
-        it('should validate token response contains required fields', async () => {
-            const invalidTokenResponse = {
-                // Missing access_token
-                token_type: 'Bearer',
-                expires_in: 3600,
-            };
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(200, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify(invalidTokenResponse));
-            });
-            // Should throw validation error due to missing access_token
-            await expect(deviceFlow.pollForToken('test_device')).rejects.toThrow();
-        });
-    });
-    describe('Token Refresh', () => {
-        /**
-         * @requirement REQ-002.5
-         * @scenario Refresh token before expiry
-         * @given Token expires in 30 seconds
-         * @when refresh requested
-         * @then Obtains new access token
-         * @and Uses refresh token grant type
-         */
-        it('should refresh token using refresh grant type', async () => {
-            const newToken = {
-                access_token: 'new_access_token_12345',
-                token_type: 'Bearer',
-                expiry: Math.floor(Date.now() / 1000) + 3600,
-                refresh_token: 'new_refresh_token_67890',
-                scope: 'read write',
-            };
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                let body = '';
-                req.on('data', (chunk) => {
-                    body += chunk;
-                });
-                req.on('end', () => {
-                    const params = new URLSearchParams(body);
-                    expect(params.get('grant_type')).toBe('refresh_token');
-                    expect(params.get('refresh_token')).toBe('old_refresh_token');
-                    expect(params.get('client_id')).toBe('f0304373b74a44d2b584a3fb70ca9e56');
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        access_token: newToken.access_token,
-                        token_type: newToken.token_type,
-                        expires_in: 3600,
-                        refresh_token: newToken.refresh_token,
-                        scope: newToken.scope,
-                    }));
-                });
-            });
-            const result = await deviceFlow.refreshToken('old_refresh_token');
-            expect(result).toMatchObject({
-                access_token: newToken.access_token,
-                token_type: 'Bearer',
-                scope: newToken.scope,
-                refresh_token: newToken.refresh_token,
-            });
-        });
-        /**
-         * @requirement REQ-002.5
-         * @scenario Automatic refresh buffer
-         * @given Token with expiry time
-         * @when checking if refresh needed
-         * @then Triggers 30 seconds before expiry
-         */
-        it('should identify tokens needing refresh with 30-second buffer', () => {
-            const now = Date.now() / 1000;
-            // Token expiring in 25 seconds (less than 30-second buffer)
-            const soonExpiringToken = {
-                access_token: 'soon_expiring',
-                token_type: 'Bearer',
-                expiry: Math.floor(now + 25),
-            };
-            // Token expiring in 35 seconds (more than 30-second buffer)
-            const validToken = {
-                access_token: 'still_valid',
-                token_type: 'Bearer',
-                expiry: Math.floor(now + 35),
-            };
-            // Already expired token
-            const expiredToken = {
-                access_token: 'expired',
-                token_type: 'Bearer',
-                expiry: Math.floor(now - 10),
-            };
-            // When implemented, these should help verify refresh logic:
-            // expect(deviceFlow.needsRefresh(soonExpiringToken)).toBe(true);
-            // expect(deviceFlow.needsRefresh(validToken)).toBe(false);
-            // expect(deviceFlow.needsRefresh(expiredToken)).toBe(true);
-            // For now, just verify the test data is set up correctly
-            expect(soonExpiringToken.expiry).toBeLessThan(now + 30);
-            expect(validToken.expiry).toBeGreaterThan(now + 30);
-            expect(expiredToken.expiry).toBeLessThan(now);
-        });
-    });
-    describe('Error Handling', () => {
-        /**
-         * @requirement REQ-002.1
-         * @scenario Handle authorization denial
-         * @given User denies authorization
-         * @when polling for token
-         * @then Returns specific denial error
-         */
-        it('should handle user authorization denial', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(400, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify({
-                    error: 'access_denied',
-                    error_description: 'User denied the authorization request',
-                }));
-            });
-            // Should throw with the specific access_denied error
-            await expect(deviceFlow.pollForToken('test_device')).rejects.toThrow('access_denied');
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Handle expired device code
-         * @given Device code expired (15 min)
-         * @when polling continues
-         * @then Returns expiration error
-         */
-        it('should handle expired device code', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(400, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify({
-                    error: 'expired_token',
-                    error_description: 'Device code has expired',
-                }));
-            });
-            // Should throw with the specific expired_token error
-            await expect(deviceFlow.pollForToken('expired_device_code')).rejects.toThrow('expired_token');
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Network failure handling
-         * @given Network request fails
-         * @when polling or refreshing
-         * @then Retries with exponential backoff
-         */
-        it('should handle network failures with retry logic', { timeout: 20000 }, async () => {
-            let requestCount = 0;
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                requestCount++;
-                if (requestCount <= 2) {
-                    // First two requests fail
-                    res.destroy();
-                }
-                else {
-                    // Third request succeeds
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        access_token: 'recovered_token',
-                        token_type: 'Bearer',
-                        expires_in: 3600,
-                    }));
-                }
-            });
-            // The implementation will retry and eventually get the token on the third attempt
-            const result = await deviceFlow.pollForToken('network_test_device');
-            expect(result.access_token).toBe('recovered_token');
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Handle malformed JSON response
-         * @given Server returns invalid JSON
-         * @when parsing response
-         * @then Throws appropriate error
-         */
-        it('should handle malformed JSON responses', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(200, { 'Content-Type': 'application/json' });
-                res.end('{ invalid json }');
-            });
-            // Should throw a JSON parsing error
-            await expect(deviceFlow.initiateDeviceFlow()).rejects.toThrow();
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Handle HTTP error status codes
-         * @given Server returns 500 error
-         * @when making request
-         * @then Throws appropriate error
-         */
-        it('should handle HTTP error status codes', async () => {
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                res.writeHead(500, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify({
-                    error: 'internal_server_error',
-                    error_description: 'Server error occurred',
-                }));
-            });
-            // Should throw HTTP 500 error
-            await expect(deviceFlow.initiateDeviceFlow()).rejects.toThrow('HTTP 500: Internal Server Error');
-        });
-    });
-    describe('Security Validation', () => {
-        /**
-         * @requirement REQ-002.2
-         * @scenario PKCE verifier entropy validation
-         * @given Multiple PKCE verifiers generated
-         * @when analyzing randomness
-         * @then Verifiers have sufficient entropy
-         */
-        it('should generate PKCE verifiers with sufficient entropy', () => {
-            const verifiers = new Set();
-            // Generate 100 verifiers to test uniqueness
-            for (let i = 0; i < 100; i++) {
-                const verifier = randomBytes(32).toString('base64url');
-                verifiers.add(verifier);
-            }
-            // All verifiers should be unique (high entropy)
-            expect(verifiers.size).toBe(100);
-            // Each verifier should be 43 characters (32 bytes base64url)
-            verifiers.forEach((verifier) => {
-                expect(verifier).toHaveLength(43);
-                expect(verifier).toMatch(/^[A-Za-z0-9_-]+$/); // base64url alphabet
-            });
-        });
-        /**
-         * @requirement REQ-002.2
-         * @scenario PKCE challenge verification
-         * @given Verifier and challenge pair
-         * @when verifying PKCE
-         * @then Challenge correctly matches verifier
-         */
-        it('should generate verifiable PKCE challenge-verifier pairs', () => {
-            const verifier = randomBytes(32).toString('base64url');
-            const challenge = createHash('sha256')
-                .update(verifier)
-                .digest('base64url');
-            // Verification: regenerating challenge from verifier should match
-            const verificationChallenge = createHash('sha256')
-                .update(verifier)
-                .digest('base64url');
-            expect(challenge).toBe(verificationChallenge);
-            // Different verifiers should produce different challenges
-            const anotherVerifier = randomBytes(32).toString('base64url');
-            const anotherChallenge = createHash('sha256')
-                .update(anotherVerifier)
-                .digest('base64url');
-            expect(challenge).not.toBe(anotherChallenge);
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Request parameter validation
-         * @given Device flow request
-         * @when sending to authorization server
-         * @then All required parameters are present
-         */
-        it('should include all required OAuth parameters in requests', async () => {
-            const requiredDeviceParams = [
-                'client_id',
-                'scope',
-                'code_challenge',
-                'code_challenge_method',
-            ];
-            const requiredTokenParams = [
-                'grant_type',
-                'device_code',
-                'client_id',
-                'code_verifier',
-            ];
-            testServer.removeAllListeners('request');
-            testServer.on('request', (req, res) => {
-                let body = '';
-                req.on('data', (chunk) => {
-                    body += chunk;
-                });
-                req.on('end', () => {
-                    const params = new URLSearchParams(body);
-                    if (req.url?.includes('device/code')) {
-                        requiredDeviceParams.forEach((param) => {
-                            expect(params.has(param)).toBe(true);
-                        });
-                    }
-                    else if (req.url?.includes('token')) {
-                        requiredTokenParams.forEach((param) => {
-                            expect(params.has(param)).toBe(true);
-                        });
-                    }
-                    res.writeHead(200, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({
-                        device_code: 'test',
-                        user_code: 'TEST',
-                        verification_uri: 'https://test',
-                        expires_in: 900,
-                        interval: 5,
-                    }));
-                });
-            });
-            const result = await deviceFlow.initiateDeviceFlow();
-            expect(result).toMatchObject({
-                device_code: 'test',
-                user_code: 'TEST',
-                verification_uri: 'https://test',
-                expires_in: 900,
-                interval: 5,
-            });
-        });
-    });
-    describe('Configuration Validation', () => {
-        /**
-         * @requirement REQ-002.4
-         * @scenario Validate client ID format
-         * @given Device flow configuration
-         * @when initializing with client ID
-         * @then Client ID matches expected format
-         */
-        it('should validate Qwen client ID format', () => {
-            const validClientId = 'f0304373b74a44d2b584a3fb70ca9e56';
-            expect(validClientId).toHaveLength(32); // 32 character hex string
-            expect(validClientId).toMatch(/^[a-f0-9]+$/); // Lowercase hex characters only
-            const configWithValidClient = {
-                clientId: validClientId,
-                authorizationEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/device/code',
-                tokenEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/token',
-                scopes: ['read'],
-            };
-            expect(() => new QwenDeviceFlow(configWithValidClient)).not.toThrow();
-        });
-        /**
-         * @requirement REQ-002.3
-         * @scenario Validate endpoint URLs
-         * @given Device flow configuration
-         * @when initializing with endpoints
-         * @then URLs are valid and use HTTPS
-         */
-        it('should validate Qwen endpoint URLs', () => {
-            const validConfig = {
-                clientId: 'f0304373b74a44d2b584a3fb70ca9e56',
-                authorizationEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/device/code',
-                tokenEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/token',
-                scopes: ['read', 'write'],
-            };
-            expect(validConfig.authorizationEndpoint.startsWith('https://')).toBe(true);
-            expect(validConfig.tokenEndpoint.startsWith('https://')).toBe(true);
-            expect(validConfig.authorizationEndpoint).toContain('chat.qwen.ai');
-            expect(validConfig.tokenEndpoint).toContain('chat.qwen.ai');
-            expect(() => new QwenDeviceFlow(validConfig)).not.toThrow();
-        });
-        /**
-         * @requirement REQ-002.1
-         * @scenario Validate scope configuration
-         * @given Device flow configuration
-         * @when initializing with scopes
-         * @then Scopes are properly formatted for request
-         */
-        it('should validate and format scope configuration', () => {
-            const configWithScopes = {
-                clientId: 'f0304373b74a44d2b584a3fb70ca9e56',
-                authorizationEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/device/code',
-                tokenEndpoint: 'https://chat.qwen.ai/api/v1/oauth2/token',
-                scopes: ['read', 'write', 'admin'],
-            };
-            expect(configWithScopes.scopes).toBeInstanceOf(Array);
-            expect(configWithScopes.scopes).toContain('read');
-            expect(configWithScopes.scopes).toContain('write');
-            // When implemented, scopes should be joined with spaces for OAuth request
-            const expectedScopeString = 'read write admin';
-            expect(configWithScopes.scopes.join(' ')).toBe(expectedScopeString);
-            expect(() => new QwenDeviceFlow(configWithScopes)).not.toThrow();
-        });
-    });
-});
-//# sourceMappingURL=qwen-device-flow.spec.js.map