gameglue 4.0.0 → 4.0.2

package/src/auth.spec.js

@@ -1,481 +1,481 @@
-const { GameGlueAuth } = require('./auth');
-const { storage } = require('./utils');
-const {
-  mockConfig,
-  validAccessToken,
-  expiredAccessToken,
-  validRefreshToken,
-  createMockJwt
-} = require('./test/fixtures');
-
-// Mock the oidc-client-ts module
-jest.mock('oidc-client-ts', () => ({
-  OidcClient: jest.fn().mockImplementation(() => ({
-    createSigninRequest: jest.fn().mockResolvedValue({ url: 'https://auth.example.com/login' }),
-    processSigninResponse: jest.fn().mockResolvedValue({
-      access_token: 'new-access-token',
-      refresh_token: 'new-refresh-token'
-    })
-  }))
-}));
-
-// Mock fetch for token refresh
-global.fetch = jest.fn();
-
-// Suppress console output during tests
-const originalConsoleLog = console.log;
-const originalConsoleError = console.error;
-
-describe('GameGlueAuth', () => {
-  let auth;
-
-  beforeEach(() => {
-    auth = new GameGlueAuth(mockConfig);
-    jest.clearAllMocks();
-    jest.useFakeTimers();
-    // Suppress console output
-    console.log = jest.fn();
-    console.error = jest.fn();
-  });
-
-  afterEach(() => {
-    // Restore console
-    console.log = originalConsoleLog;
-    console.error = originalConsoleError;
-    jest.useRealTimers();
-    // Clear storage
-    storage.remove('gg-auth-token');
-    storage.remove('gg-refresh-token');
-  });
-
-  describe('constructor', () => {
-    it('should initialize with correct OIDC settings', () => {
-      expect(auth._oidcSettings).toMatchObject({
-        authority: 'https://auth.gameglue.gg/realms/GameGlue',
-        client_id: 'test-client-id',
-        redirect_uri: 'http://localhost:3000/callback',
-        response_type: 'code',
-        scope: 'openid msfs:read gg:broadcast',
-        response_mode: 'fragment',
-        filterProtocolClaims: true
-      });
-      // post_logout_redirect_uri is based on window.location.href which varies by environment
-      expect(auth._oidcSettings.post_logout_redirect_uri).toBeDefined();
-    });
-
-    it('should use window.location.href as default redirect_uri', () => {
-      const configNoRedirect = { clientId: 'test', scopes: [] };
-      const authNoRedirect = new GameGlueAuth(configNoRedirect);
-
-      // The redirect_uri should be based on window.location.href (varies by environment)
-      expect(authNoRedirect._oidcSettings.redirect_uri).toMatch(/^http:\/\/localhost/);
-    });
-
-    it('should handle empty scopes array', () => {
-      const configEmptyScopes = { clientId: 'test', scopes: [] };
-      const authEmptyScopes = new GameGlueAuth(configEmptyScopes);
-
-      expect(authEmptyScopes._oidcSettings.scope).toBe('openid ');
-    });
-
-    it('should handle undefined scopes', () => {
-      const configNoScopes = { clientId: 'test' };
-      const authNoScopes = new GameGlueAuth(configNoScopes);
-
-      expect(authNoScopes._oidcSettings.scope).toBe('openid ');
-    });
-
-    it('should remove trailing slashes from redirect_uri', () => {
-      const configWithSlash = {
-        clientId: 'test',
-        redirect_uri: 'http://localhost:3000/callback/'
-      };
-      const authWithSlash = new GameGlueAuth(configWithSlash);
-
-      expect(authWithSlash._oidcSettings.redirect_uri).toBe('http://localhost:3000/callback');
-    });
-  });
-
-  describe('_setAccessToken / getAccessToken', () => {
-    it('should store and retrieve access token', () => {
-      auth._setAccessToken(validAccessToken);
-      const retrieved = auth.getAccessToken();
-
-      expect(retrieved).toBe(validAccessToken);
-    });
-
-    it('should set up token refresh timeout when setting token', () => {
-      auth._setAccessToken(validAccessToken);
-
-      // Check that a timeout was scheduled
-      expect(jest.getTimerCount()).toBeGreaterThan(0);
-    });
-
-    it('should not set timeout for null token', () => {
-      auth._setAccessToken(null);
-
-      expect(jest.getTimerCount()).toBe(0);
-    });
-  });
-
-  describe('_setRefreshToken / _getRefreshToken', () => {
-    it('should store and retrieve refresh token', () => {
-      auth._setRefreshToken(validRefreshToken);
-      const retrieved = auth._getRefreshToken();
-
-      expect(retrieved).toBe(validRefreshToken);
-    });
-  });
-
-  describe('getUser', () => {
-    it('should extract user ID from JWT', () => {
-      auth._setAccessToken(validAccessToken);
-
-      const userId = auth.getUser();
-
-      expect(userId).toBe('user-123');
-    });
-
-    it('should throw error when not authenticated', () => {
-      expect(() => auth.getUser()).toThrow('Not authenticated');
-    });
-  });
-
-  describe('_hasValidTokens', () => {
-    it('should return false when no token exists', () => {
-      const result = auth._hasValidTokens();
-
-      expect(result).toBe(false);
-    });
-
-    it('should return true for valid non-expired token', () => {
-      auth._setAccessToken(validAccessToken);
-
-      const result = auth._hasValidTokens();
-
-      expect(result).toBe(true);
-    });
-
-    it('should return false for expired token', () => {
-      auth._setAccessToken(expiredAccessToken);
-
-      const result = auth._hasValidTokens();
-
-      expect(result).toBe(false);
-    });
-  });
-
-  describe('isAuthenticated', () => {
-    it('should return false when no token exists', async () => {
-      const result = await auth.isAuthenticated();
-
-      expect(result).toBe(false);
-    });
-
-    it('should return true for valid non-expired token', async () => {
-      auth._setAccessToken(validAccessToken);
-
-      const result = await auth.isAuthenticated();
-
-      expect(result).toBe(true);
-    });
-
-    it('should return false for expired token', async () => {
-      auth._setAccessToken(expiredAccessToken);
-
-      const result = await auth.isAuthenticated();
-
-      expect(result).toBe(false);
-    });
-
-    it('should process callback params if present in URL', async () => {
-      window.location.hash = '#state=abc123&code=xyz789';
-
-      const { OidcClient } = require('oidc-client-ts');
-      OidcClient.mockImplementation(() => ({
-        createSigninRequest: jest.fn(),
-        processSigninResponse: jest.fn().mockResolvedValue({
-          access_token: validAccessToken,
-          refresh_token: validRefreshToken
-        })
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-      const result = await authNew.isAuthenticated();
-
-      expect(result).toBe(true);
-      // URL should be cleared
-      expect(window.history.replaceState).toHaveBeenCalled();
-    });
-  });
-
-  describe('login', () => {
-    it('should call createSigninRequest', async () => {
-      const createSigninRequest = jest.fn().mockResolvedValue({ url: 'https://auth.example.com/login' });
-      const { OidcClient } = require('oidc-client-ts');
-      OidcClient.mockImplementation(() => ({
-        createSigninRequest,
-        processSigninResponse: jest.fn()
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-      authNew.login();
-
-      // Wait for promise to resolve
-      await Promise.resolve();
-
-      expect(createSigninRequest).toHaveBeenCalledWith({ state: { bar: 15 } });
-    });
-  });
-
-  describe('logout', () => {
-    it('should clear tokens from storage', () => {
-      auth._setAccessToken(validAccessToken);
-      auth._setRefreshToken(validRefreshToken);
-
-      auth.logout({ redirect: false });
-
-      // After remove, storage.get returns undefined in Node environment (in-memory map)
-      expect(auth.getAccessToken()).toBeUndefined();
-      expect(auth._getRefreshToken()).toBeUndefined();
-    });
-
-    it('should not clear tokens when redirect: false not passed', () => {
-      // We can't easily test the redirect behavior in jsdom, but we can verify
-      // the method accepts options and clears tokens regardless
-      auth._setAccessToken(validAccessToken);
-      auth._setRefreshToken(validRefreshToken);
-
-      // logout() clears tokens first, then redirects
-      auth.logout({ redirect: false });
-
-      expect(auth.getAccessToken()).toBeUndefined();
-    });
-
-    it('should accept options object', () => {
-      auth._setAccessToken(validAccessToken);
-
-      // Should not throw when called with different options
-      expect(() => auth.logout({ redirect: false })).not.toThrow();
-    });
-  });
-
-  describe('_attemptRefresh', () => {
-    it('should call token endpoint with correct parameters', async () => {
-      auth._setRefreshToken(validRefreshToken);
-
-      global.fetch.mockResolvedValueOnce({
-        status: 200,
-        json: () =>
-          Promise.resolve({
-            access_token: validAccessToken,
-            refresh_token: validRefreshToken
-          })
-      });
-
-      await auth._attemptRefresh();
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        'https://auth.gameglue.gg/realms/GameGlue/protocol/openid-connect/token',
-        expect.objectContaining({
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/x-www-form-urlencoded'
-          }
-        })
-      );
-    });
-
-    it('should update tokens on successful refresh', async () => {
-      auth._setRefreshToken(validRefreshToken);
-
-      const newAccessToken = createMockJwt({ sub: 'user-456' }, 3600);
-      const newRefreshToken = createMockJwt({ sub: 'user-456', type: 'refresh' }, 86400);
-
-      global.fetch.mockResolvedValueOnce({
-        status: 200,
-        json: () =>
-          Promise.resolve({
-            access_token: newAccessToken,
-            refresh_token: newRefreshToken
-          })
-      });
-
-      await auth._attemptRefresh();
-
-      expect(auth.getAccessToken()).toBe(newAccessToken);
-      expect(auth._getRefreshToken()).toBe(newRefreshToken);
-    });
-
-    it('should call refresh callback with access token on successful refresh', async () => {
-      const callback = jest.fn();
-      auth.onTokenRefreshed(callback);
-      auth._setRefreshToken(validRefreshToken);
-
-      const responseData = {
-        access_token: validAccessToken,
-        refresh_token: validRefreshToken
-      };
-
-      global.fetch.mockResolvedValueOnce({
-        status: 200,
-        json: () => Promise.resolve(responseData)
-      });
-
-      await auth._attemptRefresh();
-
-      expect(callback).toHaveBeenCalledWith(validAccessToken);
-    });
-
-    it('should handle network errors gracefully', async () => {
-      auth._setRefreshToken(validRefreshToken);
-      global.fetch.mockRejectedValueOnce(new Error('Network error'));
-
-      // Should not throw
-      await expect(auth._attemptRefresh()).resolves.toBeUndefined();
-    });
-
-    it('should not update tokens on non-200 response', async () => {
-      auth._setRefreshToken(validRefreshToken);
-      const originalAccessToken = auth.getAccessToken();
-
-      global.fetch.mockResolvedValueOnce({
-        status: 400,
-        json: () => Promise.resolve({ error: 'invalid_grant' })
-      });
-
-      await auth._attemptRefresh();
-
-      // Access token should remain unchanged (null in this case)
-      expect(auth.getAccessToken()).toBe(originalAccessToken);
-    });
-  });
-
-  describe('onTokenRefreshed', () => {
-    it('should register callback for token refresh', () => {
-      const callback = jest.fn();
-      auth.onTokenRefreshed(callback);
-
-      expect(auth._refreshCallback).toBe(callback);
-    });
-  });
-
-  describe('_setTokenRefreshTimeout', () => {
-    it('should schedule refresh before token expiration', () => {
-      // Token expires in 1 hour (3600 seconds)
-      auth._setTokenRefreshTimeout(validAccessToken);
-
-      // Should have scheduled a timeout
-      expect(jest.getTimerCount()).toBe(1);
-    });
-
-    it('should clear previous timeout when setting new one', () => {
-      auth._setTokenRefreshTimeout(validAccessToken);
-      auth._setTokenRefreshTimeout(validAccessToken);
-
-      // Should only have one active timeout
-      expect(jest.getTimerCount()).toBe(1);
-    });
-
-    it('should not schedule timeout for expired token', () => {
-      auth._setTokenRefreshTimeout(expiredAccessToken);
-
-      // Timer count may be 0 since the timeUntilExp is negative
-      // The important thing is it doesn't throw
-    });
-  });
-
-  describe('_hasCallbackParams', () => {
-    it('should return true when hash contains state and code', () => {
-      window.location.hash = '#state=abc123&code=xyz789';
-
-      expect(auth._hasCallbackParams()).toBe(true);
-    });
-
-    it('should return true when hash contains state and error', () => {
-      window.location.hash = '#state=abc123&error=access_denied';
-
-      expect(auth._hasCallbackParams()).toBe(true);
-    });
-
-    it('should return false when hash does not contain state', () => {
-      window.location.hash = '#code=xyz789';
-
-      expect(auth._hasCallbackParams()).toBe(false);
-    });
-
-    it('should return false when hash is empty', () => {
-      window.location.hash = '';
-
-      expect(auth._hasCallbackParams()).toBe(false);
-    });
-  });
-
-  describe('_processCallback', () => {
-    it('should process signin response and store tokens', async () => {
-      const { OidcClient } = require('oidc-client-ts');
-      OidcClient.mockImplementation(() => ({
-        processSigninResponse: jest.fn().mockResolvedValue({
-          access_token: validAccessToken,
-          refresh_token: validRefreshToken
-        })
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-      await authNew._processCallback();
-
-      expect(authNew.getAccessToken()).toBe(validAccessToken);
-      expect(authNew._getRefreshToken()).toBe(validRefreshToken);
-      expect(window.history.replaceState).toHaveBeenCalled();
-    });
-
-    it('should throw on error response', async () => {
-      const { OidcClient } = require('oidc-client-ts');
-      OidcClient.mockImplementation(() => ({
-        processSigninResponse: jest.fn().mockResolvedValue({
-          error: 'access_denied',
-          access_token: null
-        })
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-
-      await expect(authNew._processCallback()).rejects.toThrow('access_denied');
-    });
-
-    it('should throw when no access token received', async () => {
-      const { OidcClient } = require('oidc-client-ts');
-      OidcClient.mockImplementation(() => ({
-        processSigninResponse: jest.fn().mockResolvedValue({
-          access_token: null
-        })
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-
-      await expect(authNew._processCallback()).rejects.toThrow('No access token received');
-    });
-
-    it('should handle concurrent calls (only process once)', async () => {
-      const { OidcClient } = require('oidc-client-ts');
-      const processSigninResponse = jest.fn().mockResolvedValue({
-        access_token: validAccessToken,
-        refresh_token: validRefreshToken
-      });
-      OidcClient.mockImplementation(() => ({
-        processSigninResponse
-      }));
-
-      const authNew = new GameGlueAuth(mockConfig);
-
-      // Call twice concurrently
-      await Promise.all([
-        authNew._processCallback(),
-        authNew._processCallback()
-      ]);
-
-      // Should only have been called once due to locking
-      expect(processSigninResponse).toHaveBeenCalledTimes(1);
-    });
-  });
-});
+const { GameGlueAuth } = require('./auth');
+const { storage } = require('./utils');
+const {
+  mockConfig,
+  validAccessToken,
+  expiredAccessToken,
+  validRefreshToken,
+  createMockJwt
+} = require('./test/fixtures');
+
+// Mock the oidc-client-ts module
+jest.mock('oidc-client-ts', () => ({
+  OidcClient: jest.fn().mockImplementation(() => ({
+    createSigninRequest: jest.fn().mockResolvedValue({ url: 'https://auth.example.com/login' }),
+    processSigninResponse: jest.fn().mockResolvedValue({
+      access_token: 'new-access-token',
+      refresh_token: 'new-refresh-token'
+    })
+  }))
+}));
+
+// Mock fetch for token refresh
+global.fetch = jest.fn();
+
+// Suppress console output during tests
+const originalConsoleLog = console.log;
+const originalConsoleError = console.error;
+
+describe('GameGlueAuth', () => {
+  let auth;
+
+  beforeEach(() => {
+    auth = new GameGlueAuth(mockConfig);
+    jest.clearAllMocks();
+    jest.useFakeTimers();
+    // Suppress console output
+    console.log = jest.fn();
+    console.error = jest.fn();
+  });
+
+  afterEach(() => {
+    // Restore console
+    console.log = originalConsoleLog;
+    console.error = originalConsoleError;
+    jest.useRealTimers();
+    // Clear storage
+    storage.remove('gg-auth-token');
+    storage.remove('gg-refresh-token');
+  });
+
+  describe('constructor', () => {
+    it('should initialize with correct OIDC settings', () => {
+      expect(auth._oidcSettings).toMatchObject({
+        authority: 'https://auth.gameglue.gg/realms/GameGlue',
+        client_id: 'test-client-id',
+        redirect_uri: 'http://localhost:3000/callback',
+        response_type: 'code',
+        scope: 'openid msfs:read gg:broadcast',
+        response_mode: 'fragment',
+        filterProtocolClaims: true
+      });
+      // post_logout_redirect_uri is based on window.location.href which varies by environment
+      expect(auth._oidcSettings.post_logout_redirect_uri).toBeDefined();
+    });
+
+    it('should use window.location.href as default redirect_uri', () => {
+      const configNoRedirect = { clientId: 'test', scopes: [] };
+      const authNoRedirect = new GameGlueAuth(configNoRedirect);
+
+      // The redirect_uri should be based on window.location.href (varies by environment)
+      expect(authNoRedirect._oidcSettings.redirect_uri).toMatch(/^http:\/\/localhost/);
+    });
+
+    it('should handle empty scopes array', () => {
+      const configEmptyScopes = { clientId: 'test', scopes: [] };
+      const authEmptyScopes = new GameGlueAuth(configEmptyScopes);
+
+      expect(authEmptyScopes._oidcSettings.scope).toBe('openid ');
+    });
+
+    it('should handle undefined scopes', () => {
+      const configNoScopes = { clientId: 'test' };
+      const authNoScopes = new GameGlueAuth(configNoScopes);
+
+      expect(authNoScopes._oidcSettings.scope).toBe('openid ');
+    });
+
+    it('should remove trailing slashes from redirect_uri', () => {
+      const configWithSlash = {
+        clientId: 'test',
+        redirect_uri: 'http://localhost:3000/callback/'
+      };
+      const authWithSlash = new GameGlueAuth(configWithSlash);
+
+      expect(authWithSlash._oidcSettings.redirect_uri).toBe('http://localhost:3000/callback');
+    });
+  });
+
+  describe('_setAccessToken / getAccessToken', () => {
+    it('should store and retrieve access token', () => {
+      auth._setAccessToken(validAccessToken);
+      const retrieved = auth.getAccessToken();
+
+      expect(retrieved).toBe(validAccessToken);
+    });
+
+    it('should set up token refresh timeout when setting token', () => {
+      auth._setAccessToken(validAccessToken);
+
+      // Check that a timeout was scheduled
+      expect(jest.getTimerCount()).toBeGreaterThan(0);
+    });
+
+    it('should not set timeout for null token', () => {
+      auth._setAccessToken(null);
+
+      expect(jest.getTimerCount()).toBe(0);
+    });
+  });
+
+  describe('_setRefreshToken / _getRefreshToken', () => {
+    it('should store and retrieve refresh token', () => {
+      auth._setRefreshToken(validRefreshToken);
+      const retrieved = auth._getRefreshToken();
+
+      expect(retrieved).toBe(validRefreshToken);
+    });
+  });
+
+  describe('getUser', () => {
+    it('should extract user ID from JWT', () => {
+      auth._setAccessToken(validAccessToken);
+
+      const userId = auth.getUser();
+
+      expect(userId).toBe('user-123');
+    });
+
+    it('should throw error when not authenticated', () => {
+      expect(() => auth.getUser()).toThrow('Not authenticated');
+    });
+  });
+
+  describe('_hasValidTokens', () => {
+    it('should return false when no token exists', () => {
+      const result = auth._hasValidTokens();
+
+      expect(result).toBe(false);
+    });
+
+    it('should return true for valid non-expired token', () => {
+      auth._setAccessToken(validAccessToken);
+
+      const result = auth._hasValidTokens();
+
+      expect(result).toBe(true);
+    });
+
+    it('should return false for expired token', () => {
+      auth._setAccessToken(expiredAccessToken);
+
+      const result = auth._hasValidTokens();
+
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('isAuthenticated', () => {
+    it('should return false when no token exists', async () => {
+      const result = await auth.isAuthenticated();
+
+      expect(result).toBe(false);
+    });
+
+    it('should return true for valid non-expired token', async () => {
+      auth._setAccessToken(validAccessToken);
+
+      const result = await auth.isAuthenticated();
+
+      expect(result).toBe(true);
+    });
+
+    it('should return false for expired token', async () => {
+      auth._setAccessToken(expiredAccessToken);
+
+      const result = await auth.isAuthenticated();
+
+      expect(result).toBe(false);
+    });
+
+    it('should process callback params if present in URL', async () => {
+      window.location.hash = '#state=abc123&code=xyz789';
+
+      const { OidcClient } = require('oidc-client-ts');
+      OidcClient.mockImplementation(() => ({
+        createSigninRequest: jest.fn(),
+        processSigninResponse: jest.fn().mockResolvedValue({
+          access_token: validAccessToken,
+          refresh_token: validRefreshToken
+        })
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+      const result = await authNew.isAuthenticated();
+
+      expect(result).toBe(true);
+      // URL should be cleared
+      expect(window.history.replaceState).toHaveBeenCalled();
+    });
+  });
+
+  describe('login', () => {
+    it('should call createSigninRequest', async () => {
+      const createSigninRequest = jest.fn().mockResolvedValue({ url: 'https://auth.example.com/login' });
+      const { OidcClient } = require('oidc-client-ts');
+      OidcClient.mockImplementation(() => ({
+        createSigninRequest,
+        processSigninResponse: jest.fn()
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+      authNew.login();
+
+      // Wait for promise to resolve
+      await Promise.resolve();
+
+      expect(createSigninRequest).toHaveBeenCalledWith({ state: { bar: 15 } });
+    });
+  });
+
+  describe('logout', () => {
+    it('should clear tokens from storage', () => {
+      auth._setAccessToken(validAccessToken);
+      auth._setRefreshToken(validRefreshToken);
+
+      auth.logout({ redirect: false });
+
+      // After remove, storage.get returns undefined in Node environment (in-memory map)
+      expect(auth.getAccessToken()).toBeUndefined();
+      expect(auth._getRefreshToken()).toBeUndefined();
+    });
+
+    it('should not clear tokens when redirect: false not passed', () => {
+      // We can't easily test the redirect behavior in jsdom, but we can verify
+      // the method accepts options and clears tokens regardless
+      auth._setAccessToken(validAccessToken);
+      auth._setRefreshToken(validRefreshToken);
+
+      // logout() clears tokens first, then redirects
+      auth.logout({ redirect: false });
+
+      expect(auth.getAccessToken()).toBeUndefined();
+    });
+
+    it('should accept options object', () => {
+      auth._setAccessToken(validAccessToken);
+
+      // Should not throw when called with different options
+      expect(() => auth.logout({ redirect: false })).not.toThrow();
+    });
+  });
+
+  describe('_attemptRefresh', () => {
+    it('should call token endpoint with correct parameters', async () => {
+      auth._setRefreshToken(validRefreshToken);
+
+      global.fetch.mockResolvedValueOnce({
+        status: 200,
+        json: () =>
+          Promise.resolve({
+            access_token: validAccessToken,
+            refresh_token: validRefreshToken
+          })
+      });
+
+      await auth._attemptRefresh();
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        'https://auth.gameglue.gg/realms/GameGlue/protocol/openid-connect/token',
+        expect.objectContaining({
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded'
+          }
+        })
+      );
+    });
+
+    it('should update tokens on successful refresh', async () => {
+      auth._setRefreshToken(validRefreshToken);
+
+      const newAccessToken = createMockJwt({ sub: 'user-456' }, 3600);
+      const newRefreshToken = createMockJwt({ sub: 'user-456', type: 'refresh' }, 86400);
+
+      global.fetch.mockResolvedValueOnce({
+        status: 200,
+        json: () =>
+          Promise.resolve({
+            access_token: newAccessToken,
+            refresh_token: newRefreshToken
+          })
+      });
+
+      await auth._attemptRefresh();
+
+      expect(auth.getAccessToken()).toBe(newAccessToken);
+      expect(auth._getRefreshToken()).toBe(newRefreshToken);
+    });
+
+    it('should call refresh callback with access token on successful refresh', async () => {
+      const callback = jest.fn();
+      auth.onTokenRefreshed(callback);
+      auth._setRefreshToken(validRefreshToken);
+
+      const responseData = {
+        access_token: validAccessToken,
+        refresh_token: validRefreshToken
+      };
+
+      global.fetch.mockResolvedValueOnce({
+        status: 200,
+        json: () => Promise.resolve(responseData)
+      });
+
+      await auth._attemptRefresh();
+
+      expect(callback).toHaveBeenCalledWith(validAccessToken);
+    });
+
+    it('should handle network errors gracefully', async () => {
+      auth._setRefreshToken(validRefreshToken);
+      global.fetch.mockRejectedValueOnce(new Error('Network error'));
+
+      // Should not throw
+      await expect(auth._attemptRefresh()).resolves.toBeUndefined();
+    });
+
+    it('should not update tokens on non-200 response', async () => {
+      auth._setRefreshToken(validRefreshToken);
+      const originalAccessToken = auth.getAccessToken();
+
+      global.fetch.mockResolvedValueOnce({
+        status: 400,
+        json: () => Promise.resolve({ error: 'invalid_grant' })
+      });
+
+      await auth._attemptRefresh();
+
+      // Access token should remain unchanged (null in this case)
+      expect(auth.getAccessToken()).toBe(originalAccessToken);
+    });
+  });
+
+  describe('onTokenRefreshed', () => {
+    it('should register callback for token refresh', () => {
+      const callback = jest.fn();
+      auth.onTokenRefreshed(callback);
+
+      expect(auth._refreshCallback).toBe(callback);
+    });
+  });
+
+  describe('_setTokenRefreshTimeout', () => {
+    it('should schedule refresh before token expiration', () => {
+      // Token expires in 1 hour (3600 seconds)
+      auth._setTokenRefreshTimeout(validAccessToken);
+
+      // Should have scheduled a timeout
+      expect(jest.getTimerCount()).toBe(1);
+    });
+
+    it('should clear previous timeout when setting new one', () => {
+      auth._setTokenRefreshTimeout(validAccessToken);
+      auth._setTokenRefreshTimeout(validAccessToken);
+
+      // Should only have one active timeout
+      expect(jest.getTimerCount()).toBe(1);
+    });
+
+    it('should not schedule timeout for expired token', () => {
+      auth._setTokenRefreshTimeout(expiredAccessToken);
+
+      // Timer count may be 0 since the timeUntilExp is negative
+      // The important thing is it doesn't throw
+    });
+  });
+
+  describe('_hasCallbackParams', () => {
+    it('should return true when hash contains state and code', () => {
+      window.location.hash = '#state=abc123&code=xyz789';
+
+      expect(auth._hasCallbackParams()).toBe(true);
+    });
+
+    it('should return true when hash contains state and error', () => {
+      window.location.hash = '#state=abc123&error=access_denied';
+
+      expect(auth._hasCallbackParams()).toBe(true);
+    });
+
+    it('should return false when hash does not contain state', () => {
+      window.location.hash = '#code=xyz789';
+
+      expect(auth._hasCallbackParams()).toBe(false);
+    });
+
+    it('should return false when hash is empty', () => {
+      window.location.hash = '';
+
+      expect(auth._hasCallbackParams()).toBe(false);
+    });
+  });
+
+  describe('_processCallback', () => {
+    it('should process signin response and store tokens', async () => {
+      const { OidcClient } = require('oidc-client-ts');
+      OidcClient.mockImplementation(() => ({
+        processSigninResponse: jest.fn().mockResolvedValue({
+          access_token: validAccessToken,
+          refresh_token: validRefreshToken
+        })
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+      await authNew._processCallback();
+
+      expect(authNew.getAccessToken()).toBe(validAccessToken);
+      expect(authNew._getRefreshToken()).toBe(validRefreshToken);
+      expect(window.history.replaceState).toHaveBeenCalled();
+    });
+
+    it('should throw on error response', async () => {
+      const { OidcClient } = require('oidc-client-ts');
+      OidcClient.mockImplementation(() => ({
+        processSigninResponse: jest.fn().mockResolvedValue({
+          error: 'access_denied',
+          access_token: null
+        })
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+
+      await expect(authNew._processCallback()).rejects.toThrow('access_denied');
+    });
+
+    it('should throw when no access token received', async () => {
+      const { OidcClient } = require('oidc-client-ts');
+      OidcClient.mockImplementation(() => ({
+        processSigninResponse: jest.fn().mockResolvedValue({
+          access_token: null
+        })
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+
+      await expect(authNew._processCallback()).rejects.toThrow('No access token received');
+    });
+
+    it('should handle concurrent calls (only process once)', async () => {
+      const { OidcClient } = require('oidc-client-ts');
+      const processSigninResponse = jest.fn().mockResolvedValue({
+        access_token: validAccessToken,
+        refresh_token: validRefreshToken
+      });
+      OidcClient.mockImplementation(() => ({
+        processSigninResponse
+      }));
+
+      const authNew = new GameGlueAuth(mockConfig);
+
+      // Call twice concurrently
+      await Promise.all([
+        authNew._processCallback(),
+        authNew._processCallback()
+      ]);
+
+      // Should only have been called once due to locking
+      expect(processSigninResponse).toHaveBeenCalledTimes(1);
+    });
+  });
+});