@youversion/platform-core 0.6.0 → 0.7.0

package/src/__tests__/SignInWithYouVersionPKCE.test.ts

@@ -0,0 +1,418 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { SignInWithYouVersionPKCEAuthorizationRequestBuilder } from '../SignInWithYouVersionPKCE';
+import { YouVersionPlatformConfiguration } from '../YouVersionPlatformConfiguration';
+import { SignInWithYouVersionPermission } from '../SignInWithYouVersionResult';
+import type { SignInWithYouVersionPermissionValues } from '../types/auth';
+import { setupBrowserMocks, cleanupBrowserMocks } from './mocks/browser';
+
+describe('SignInWithYouVersionPKCEAuthorizationRequestBuilder', () => {
+  let mocks: ReturnType<typeof setupBrowserMocks>;
+
+  beforeEach(() => {
+    mocks = setupBrowserMocks();
+
+    // Reset YouVersionPlatformConfiguration
+    YouVersionPlatformConfiguration.appKey = 'test-app-key';
+    YouVersionPlatformConfiguration.apiHost = 'api-test.youversion.com';
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    cleanupBrowserMocks();
+  });
+
+  describe('make', () => {
+    it('should generate authorization request with all required parameters', async () => {
+      // Mock crypto.getRandomValues to return predictable values
+      mocks.crypto.getRandomValues
+        .mockImplementationOnce((array: Uint8Array) => {
+          // Mock code verifier generation (32 bytes)
+          for (let i = 0; i < 32; i++) {
+            array[i] = i + 1;
+          }
+          return array;
+        })
+        .mockImplementationOnce((array: Uint8Array) => {
+          // Mock state generation (24 bytes)
+          for (let i = 0; i < 24; i++) {
+            array[i] = i + 100;
+          }
+          return array;
+        })
+        .mockImplementationOnce((array: Uint8Array) => {
+          // Mock nonce generation (24 bytes)
+          for (let i = 0; i < 24; i++) {
+            array[i] = i + 200;
+          }
+          return array;
+        });
+
+      // Mock crypto.subtle.digest for code challenge
+      const mockDigest = new Uint8Array(32);
+      for (let i = 0; i < 32; i++) {
+        mockDigest[i] = i + 50;
+      }
+      mocks.crypto.subtle.digest.mockResolvedValue(mockDigest.buffer);
+
+      // Mock btoa for base64 encoding
+      mocks.btoa
+        .mockReturnValueOnce('codeVerifierBase64==') // Code verifier
+        .mockReturnValueOnce('codeChallengeBase64==') // Code challenge
+        .mockReturnValueOnce('stateBase64==') // State
+        .mockReturnValueOnce('nonceBase64=='); // Nonce
+
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        SignInWithYouVersionPermission.bibles,
+        SignInWithYouVersionPermission.highlights,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      // Verify parameters structure
+      expect(result).toHaveProperty('url');
+      expect(result).toHaveProperty('parameters');
+      expect(result.parameters).toHaveProperty('codeVerifier');
+      expect(result.parameters).toHaveProperty('codeChallenge');
+      expect(result.parameters).toHaveProperty('state');
+      expect(result.parameters).toHaveProperty('nonce');
+
+      // Verify URL structure
+      expect(result.url).toBeInstanceOf(URL);
+      expect(result.url.hostname).toBe('api-test.youversion.com');
+      expect(result.url.pathname).toBe('/auth/authorize');
+    });
+
+    it('should generate unique parameters on each call', async () => {
+      // Mock crypto to return different values for each call
+      let callCount = 0;
+      mocks.crypto.getRandomValues.mockImplementation((array: Uint8Array) => {
+        for (let i = 0; i < array.length; i++) {
+          array[i] = callCount + i;
+        }
+        callCount += 10;
+        return array;
+      });
+
+      mocks.crypto.subtle.digest.mockResolvedValue(new Uint8Array(32).buffer);
+      mocks.btoa.mockImplementation((str: string) => `base64_${callCount}_${str.length}`);
+
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result1 = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'app-key',
+        permissions,
+        redirectURL,
+      );
+      const result2 = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'app-key',
+        permissions,
+        redirectURL,
+      );
+
+      // Parameters should be different between calls
+      expect(result1.parameters.codeVerifier).not.toBe(result2.parameters.codeVerifier);
+      expect(result1.parameters.state).not.toBe(result2.parameters.state);
+      expect(result1.parameters.nonce).not.toBe(result2.parameters.nonce);
+    });
+  });
+
+  describe('authorizeURL', () => {
+    beforeEach(() => {
+      // Setup mocks for btoa which are needed for these tests
+      mocks.crypto.getRandomValues.mockImplementation((array: Uint8Array) => {
+        for (let i = 0; i < array.length; i++) {
+          array[i] = i;
+        }
+        return array;
+      });
+      mocks.crypto.subtle.digest.mockResolvedValue(new Uint8Array(32).buffer);
+      mocks.btoa.mockImplementation((str: string) => Buffer.from(str).toString('base64'));
+    });
+
+    it('should build authorization URL with all required OAuth2 parameters', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        SignInWithYouVersionPermission.bibles,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const url = result.url;
+      const params = new URLSearchParams(url.search);
+
+      // Required OAuth2 parameters
+      expect(params.get('response_type')).toBe('code');
+      expect(params.get('client_id')).toBe('test-app-key');
+      expect(params.get('redirect_uri')).toBe('https://example.com/callback');
+      expect(params.get('code_challenge_method')).toBe('S256');
+
+      // PKCE parameters
+      expect(params.get('code_challenge')).toBeTruthy();
+      expect(params.get('state')).toBeTruthy();
+      expect(params.get('nonce')).toBeTruthy();
+    });
+
+    it('should handle redirect URL with trailing slash', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback/');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      expect(params.get('redirect_uri')).toBe('https://example.com/callback');
+    });
+
+    it('should include x-yvp-installation-id param', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      expect(params.get('x-yvp-installation-id')).not.toBeFalsy();
+    });
+
+    it('should create scope string with permissions and openid', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        SignInWithYouVersionPermission.bibles,
+        SignInWithYouVersionPermission.highlights,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      const scope = params.get('scope');
+
+      expect(scope).toContain('bibles');
+      expect(scope).toContain('highlights');
+      expect(scope).toContain('openid');
+    });
+
+    it('should sort permissions alphabetically', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        SignInWithYouVersionPermission.votd,
+        SignInWithYouVersionPermission.bibles,
+        SignInWithYouVersionPermission.demographics,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      const scope = params.get('scope');
+
+      // Should be sorted: bibles demographics votd openid
+      expect(scope).toBe('bibles demographics votd openid');
+    });
+
+    it('should add openid when not present', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        SignInWithYouVersionPermission.bibles,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      const scope = params.get('scope');
+
+      expect(scope).toBe('bibles openid');
+    });
+
+    it('should handle empty permissions set', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      const scope = params.get('scope');
+
+      expect(scope).toBe('openid');
+    });
+
+    it('should not duplicate openid if already present', async () => {
+      // This test simulates if openid was somehow in the permissions set
+      const permissions = new Set<SignInWithYouVersionPermissionValues>([
+        'openid' as SignInWithYouVersionPermissionValues,
+        SignInWithYouVersionPermission.bibles,
+      ]);
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      const params = new URLSearchParams(result.url.search);
+      const scope = params.get('scope');
+
+      // Should not have duplicate openid
+      const openidCount = (scope?.match(/openid/g) || []).length;
+      expect(openidCount).toBe(1);
+    });
+  });
+
+  describe('tokenURLRequest', () => {
+    it('should create POST request with correct parameters', async () => {
+      const code = 'auth-code-123';
+      const codeVerifier = 'code-verifier-456';
+      const redirectUri = 'https://example.com/callback';
+
+      const request = SignInWithYouVersionPKCEAuthorizationRequestBuilder.tokenURLRequest(
+        code,
+        codeVerifier,
+        redirectUri,
+      );
+
+      expect(request.method).toBe('POST');
+      expect(request.url).toBe('https://api-test.youversion.com/auth/token');
+      expect(request.headers.get('Content-Type')).toBe('application/x-www-form-urlencoded');
+
+      const body = await request.text();
+      const params = new URLSearchParams(body);
+
+      expect(params.get('grant_type')).toBe('authorization_code');
+      expect(params.get('code')).toBe(code);
+      expect(params.get('redirect_uri')).toBe(redirectUri);
+      expect(params.get('client_id')).toBe('test-app-key');
+      expect(params.get('code_verifier')).toBe(codeVerifier);
+    });
+
+    it('should handle empty app key gracefully', async () => {
+      YouVersionPlatformConfiguration.appKey = null;
+
+      const request = SignInWithYouVersionPKCEAuthorizationRequestBuilder.tokenURLRequest(
+        'code',
+        'verifier',
+        'https://example.com/callback',
+      );
+
+      expect(request).toBeInstanceOf(Request);
+
+      const body = await request.text();
+      const params = new URLSearchParams(body);
+
+      expect(params.get('client_id')).toBe('');
+    });
+  });
+
+  describe('randomness and security', () => {
+    beforeEach(() => {
+      // Setup mocks for btoa which are needed for these tests
+      mocks.crypto.getRandomValues.mockImplementation((array: Uint8Array) => {
+        for (let i = 0; i < array.length; i++) {
+          array[i] = i;
+        }
+        return array;
+      });
+      mocks.crypto.subtle.digest.mockResolvedValue(new Uint8Array(32).buffer);
+      mocks.btoa.mockImplementation((str: string) => Buffer.from(str).toString('base64'));
+    });
+
+    it('should use crypto.getRandomValues for secure random generation', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      // Should call crypto.getRandomValues for code verifier, state, and nonce
+      expect(mocks.crypto.getRandomValues).toHaveBeenCalledTimes(3);
+
+      // Verify correct byte lengths
+      const calls = mocks.crypto.getRandomValues.mock.calls;
+      expect(calls[0]?.[0]).toHaveLength(32); // Code verifier
+      expect(calls[1]?.[0]).toHaveLength(24); // State
+      expect(calls[2]?.[0]).toHaveLength(24); // Nonce
+    });
+
+    it('should use SHA-256 for code challenge', async () => {
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      expect(mocks.crypto.subtle.digest).toHaveBeenCalledWith('SHA-256', expect.any(Uint8Array));
+    });
+
+    it('should generate parameters with sufficient entropy', async () => {
+      // Use real crypto for this test to verify actual randomness
+      cleanupBrowserMocks();
+
+      const permissions = new Set<SignInWithYouVersionPermissionValues>();
+      const redirectURL = new URL('https://example.com/callback');
+
+      const result1 = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+      const result2 = await SignInWithYouVersionPKCEAuthorizationRequestBuilder.make(
+        'test-app-key',
+        permissions,
+        redirectURL,
+      );
+
+      // All parameters should be different between calls
+      expect(result1.parameters.codeVerifier).not.toBe(result2.parameters.codeVerifier);
+      expect(result1.parameters.codeChallenge).not.toBe(result2.parameters.codeChallenge);
+      expect(result1.parameters.state).not.toBe(result2.parameters.state);
+      expect(result1.parameters.nonce).not.toBe(result2.parameters.nonce);
+
+      // Parameters should have reasonable length (base64url encoded)
+      expect(result1.parameters.codeVerifier.length).toBeGreaterThan(40);
+      expect(result1.parameters.state.length).toBeGreaterThan(30);
+      expect(result1.parameters.nonce.length).toBeGreaterThan(30);
+
+      // Parameters should be URL-safe (no +, /, or =)
+      expect(result1.parameters.codeVerifier).not.toMatch(/[+/=]/);
+      expect(result1.parameters.codeChallenge).not.toMatch(/[+/=]/);
+      expect(result1.parameters.state).not.toMatch(/[+/=]/);
+      expect(result1.parameters.nonce).not.toMatch(/[+/=]/);
+    });
+  });
+});

package/src/__tests__/SignInWithYouVersionResult.test.ts

@@ -0,0 +1,28 @@
+import { describe, it, expect, vi } from 'vitest';
+import { SignInWithYouVersionResult } from '../SignInWithYouVersionResult';
+
+describe('SignInWithYouVersionResult', () => {
+  it('sets all properties properly', () => {
+    const fixedDate = new Date(2025, 2, 11, 12, 0, 0);
+    vi.setSystemTime(fixedDate);
+    const result = new SignInWithYouVersionResult({
+      accessToken: 'test-access-token',
+      expiresIn: 3600,
+      refreshToken: 'test-refresh-token',
+      permissions: ['votd', 'bibles'],
+      yvpUserId: 'test-user-id',
+      name: 'test user',
+      profilePicture: 'https://this-is-a-test-picture.com',
+      email: 'test@example.com',
+    });
+
+    expect(result.accessToken).toBe('test-access-token');
+    expect(result.expiryDate).toStrictEqual(new Date(fixedDate.getTime() + 60 * 60 * 1000));
+    expect(result.refreshToken).toBe('test-refresh-token');
+    expect(result.permissions).toStrictEqual(['votd', 'bibles']);
+    expect(result.yvpUserId).toBe('test-user-id');
+    expect(result.name).toBe('test user');
+    expect(result.profilePicture).toBe('https://this-is-a-test-picture.com');
+    expect(result.email).toBe('test@example.com');
+  });
+});

package/src/__tests__/StorageStrategy.test.ts

@@ -3,7 +3,6 @@
  */
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import { SessionStorageStrategy, MemoryStorageStrategy } from '../StorageStrategy';
-import { WebAuthenticationStrategy } from '../WebAuthenticationStrategy';
 
 describe('SessionStorageStrategy', () => {
   let strategy: SessionStorageStrategy;
@@ -291,77 +290,6 @@ describe('MemoryStorageStrategy', () => {
   });
 });
 
-describe('WebAuthenticationStrategy - Custom Storage', () => {
-  beforeEach(() => {
-    sessionStorage.clear();
-  });
-
-  afterEach(() => {
-    sessionStorage.clear();
-  });
-
-  it('should use SessionStorageStrategy by default', () => {
-    const strategy = new WebAuthenticationStrategy();
-
-    // The strategy should use sessionStorage internally (we can't access private field directly)
-    // But we can verify it works by checking that data persists in sessionStorage
-    // This is an indirect test
-    expect(strategy).toBeInstanceOf(WebAuthenticationStrategy);
-  });
-
-  it('should accept custom storage strategy in constructor', () => {
-    const customStorage = new MemoryStorageStrategy();
-
-    const strategy = new WebAuthenticationStrategy({
-      storage: customStorage,
-    });
-
-    expect(strategy).toBeInstanceOf(WebAuthenticationStrategy);
-    // The strategy should use the custom storage
-  });
-
-  it('should use custom MemoryStorageStrategy when provided', () => {
-    const memoryStorage = new MemoryStorageStrategy();
-
-    const strategy = new WebAuthenticationStrategy({
-      storage: memoryStorage,
-    });
-
-    expect(strategy).toBeInstanceOf(WebAuthenticationStrategy);
-  });
-
-  it('should support custom storage implementations', () => {
-    // Create a custom storage implementation
-    class CustomStorageStrategy {
-      private data = new Map<string, string>();
-
-      setItem(key: string, value: string): void {
-        this.data.set(key, value);
-      }
-
-      getItem(key: string): string | null {
-        return this.data.get(key) ?? null;
-      }
-
-      removeItem(key: string): void {
-        this.data.delete(key);
-      }
-
-      clear(): void {
-        this.data.clear();
-      }
-    }
-
-    const customStorage = new CustomStorageStrategy();
-
-    const strategy = new WebAuthenticationStrategy({
-      storage: customStorage,
-    });
-
-    expect(strategy).toBeInstanceOf(WebAuthenticationStrategy);
-  });
-});
-
 describe('StorageStrategy Interface Compliance', () => {
   const testCases = [
     { name: 'SessionStorageStrategy', factory: () => new SessionStorageStrategy() },

package/src/__tests__/URLBuilder.test.ts

@@ -154,79 +154,6 @@ describe('URLBuilder - Input Validation', () => {
     });
   });
 
-  describe('userURL - accessToken validation', () => {
-    it('should throw error for empty string accessToken', () => {
-      expect(() => {
-        URLBuilder.userURL('');
-      }).toThrow('accessToken must be a non-empty string');
-    });
-
-    it('should throw error for whitespace-only accessToken', () => {
-      expect(() => {
-        URLBuilder.userURL('   ');
-      }).toThrow('accessToken must be a non-empty string');
-    });
-
-    it('should throw error for tab/newline-only accessToken', () => {
-      expect(() => {
-        URLBuilder.userURL('\t\n  ');
-      }).toThrow('accessToken must be a non-empty string');
-    });
-
-    it('should throw descriptive error message', () => {
-      try {
-        URLBuilder.userURL('');
-        expect.fail('Should have thrown an error');
-      } catch (error) {
-        expect(error).toBeInstanceOf(Error);
-        expect((error as Error).message).toContain('accessToken');
-        expect((error as Error).message).toContain('non-empty string');
-      }
-    });
-
-    it('should accept valid non-empty accessToken', () => {
-      const url = URLBuilder.userURL('valid-access-token-123');
-
-      expect(url).toBeInstanceOf(URL);
-      expect(url.hostname.endsWith('.youversion.com')).toBe(true);
-      expect(url.pathname).toBe('/auth/me');
-      expect(url.searchParams.get('lat')).toBe('valid-access-token-123');
-    });
-
-    it('should accept accessToken with special characters', () => {
-      const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.test.signature';
-      const url = URLBuilder.userURL(token);
-
-      expect(url.searchParams.get('lat')).toBe(token);
-    });
-  });
-
-  describe('userURL - URL construction', () => {
-    it('should construct correct base URL and pathname', () => {
-      const url = URLBuilder.userURL('test-token');
-
-      expect(url.protocol).toBe('https:');
-      expect(url.hostname.endsWith('.youversion.com')).toBe(true);
-      expect(url.pathname).toBe('/auth/me');
-    });
-
-    it('should include access token in lat query parameter', () => {
-      const token = 'my-access-token-abc123';
-      const url = URLBuilder.userURL(token);
-
-      expect(url.searchParams.get('lat')).toBe(token);
-    });
-
-    it('should properly encode special characters in token', () => {
-      const tokenWithSpecialChars = 'token+with/special=chars';
-      const url = URLBuilder.userURL(tokenWithSpecialChars);
-
-      // URLSearchParams automatically encodes special characters
-      expect(url.searchParams.get('lat')).toBe(tokenWithSpecialChars);
-      expect(url.toString()).toContain('token%2Bwith%2Fspecial%3Dchars');
-    });
-  });
-
   describe('Error handling', () => {
     it('should throw errors instead of returning null for invalid appKey', () => {
       // Verify that the method throws, not returns null
@@ -243,20 +170,6 @@ describe('URLBuilder - Input Validation', () => {
       expect(returnValue).toBeUndefined();
     });
 
-    it('should throw errors instead of returning null for invalid accessToken', () => {
-      let threwError = false;
-      let returnValue: any;
-
-      try {
-        returnValue = URLBuilder.userURL('');
-      } catch {
-        threwError = true;
-      }
-
-      expect(threwError).toBe(true);
-      expect(returnValue).toBeUndefined();
-    });
-
     it('should wrap URL construction errors with descriptive message for authURL', () => {
       // This is hard to trigger, but we can at least verify the pattern exists
       // by checking that valid inputs don't trigger the catch block
@@ -264,12 +177,6 @@ describe('URLBuilder - Input Validation', () => {
         URLBuilder.authURL('valid-app-key');
       }).not.toThrow(/Failed to construct auth URL/);
     });
-
-    it('should wrap URL construction errors with descriptive message for userURL', () => {
-      expect(() => {
-        URLBuilder.userURL('valid-token');
-      }).not.toThrow(/Failed to construct user URL/);
-    });
   });
 
   describe('Return type validation', () => {
@@ -279,12 +186,5 @@ describe('URLBuilder - Input Validation', () => {
       expect(result).toBeInstanceOf(URL);
       expect(result).not.toBeNull();
     });
-
-    it('userURL should return URL object (not null)', () => {
-      const result = URLBuilder.userURL('test-token');
-
-      expect(result).toBeInstanceOf(URL);
-      expect(result).not.toBeNull();
-    });
   });
 });