palaryn 0.1.0 → 0.3.2

package/dist/tests/unit/auth-routes-extended.test.js

@@ -0,0 +1,993 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const cookie_parser_1 = __importDefault(require("cookie-parser"));
+const supertest_1 = __importDefault(require("supertest"));
+const routes_1 = require("../../src/auth/routes");
+const memory_1 = require("../../src/storage/memory");
+const session_1 = require("../../src/auth/session");
+// ---------------------------------------------------------------------------
+// Mock OAuth providers
+// ---------------------------------------------------------------------------
+jest.mock('../../src/auth/providers', () => ({
+    buildGoogleAuthUrl: jest.fn().mockReturnValue({
+        url: 'https://accounts.google.com/o/oauth2/v2/auth?mock=true',
+        code_verifier: 'mock-verifier',
+        code_challenge: 'mock-challenge',
+    }),
+    buildGitHubAuthUrl: jest.fn().mockReturnValue('https://github.com/login/oauth/authorize?mock=true'),
+    exchangeGoogleCode: jest.fn(),
+    getGoogleUserInfo: jest.fn(),
+    exchangeGitHubCode: jest.fn(),
+    getGitHubUserInfo: jest.fn(),
+}));
+const { exchangeGoogleCode, getGoogleUserInfo, exchangeGitHubCode, getGitHubUserInfo, } = require('../../src/auth/providers');
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SESSION_SECRET = 'test-session-secret-32-chars-long!!';
+function makeConfig(overrides) {
+    return {
+        enabled: true,
+        session_secret: SESSION_SECRET,
+        session_ttl_seconds: 3600,
+        ...overrides,
+    };
+}
+function createDeps(configOverrides) {
+    return {
+        config: makeConfig(configOverrides),
+        userStore: new memory_1.InMemoryUserStore(),
+        oauthAccountStore: new memory_1.InMemoryOAuthAccountStore(),
+        sessionStore: new memory_1.InMemorySessionStore(),
+        workspaceStore: new memory_1.InMemoryWorkspaceStore(),
+        workspaceMemberStore: new memory_1.InMemoryWorkspaceMemberStore(),
+        userApiKeyStore: new memory_1.InMemoryUserApiKeyStore(),
+    };
+}
+function createApp(deps) {
+    const app = (0, express_1.default)();
+    app.use(express_1.default.json());
+    app.use((0, cookie_parser_1.default)());
+    app.use('/auth', (0, routes_1.createAuthRouter)(deps));
+    return app;
+}
+/** Build an app that injects sessionUser/sessionData via middleware (for DELETE routes). */
+function createAuthenticatedApp(deps, user, sessionData) {
+    const app = (0, express_1.default)();
+    app.use(express_1.default.json());
+    app.use((0, cookie_parser_1.default)());
+    app.use((req, _res, next) => {
+        req.sessionUser = user;
+        req.sessionData = sessionData || {
+            id: 'sess-test',
+            workspace_id: 'ws-1',
+            expires_at: new Date(Date.now() + 3600000).toISOString(),
+        };
+        next();
+    });
+    app.use('/auth', (0, routes_1.createAuthRouter)(deps));
+    return app;
+}
+/**
+ * Create a valid encrypted state cookie for the callback tests.
+ */
+function makeStateCookie(overrides) {
+    const payload = {
+        provider: 'google',
+        code_verifier: 'test-verifier',
+        nonce: 'test-nonce',
+        redirect_uri: 'http://127.0.0.1/auth/google/callback',
+        created_at: Date.now(),
+        ...overrides,
+    };
+    return (0, session_1.encryptState)(payload, SESSION_SECRET);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('auth routes — extended coverage', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    // =========================================================================
+    // GET /auth/:provider/authorize
+    // =========================================================================
+    describe('GET /auth/:provider/authorize', () => {
+        it('redirects to Google with state cookie when google is configured', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app).get('/auth/google/authorize');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('https://accounts.google.com/o/oauth2/v2/auth?mock=true');
+            // State cookie should be set
+            const cookies = res.headers['set-cookie'];
+            expect(cookies).toBeDefined();
+            expect(cookies.some((c) => c.startsWith(`${session_1.STATE_COOKIE_NAME}=`))).toBe(true);
+        });
+        it('redirects to GitHub with state cookie when github is configured', async () => {
+            const deps = createDeps({
+                github: { client_id: 'ghid', client_secret: 'ghsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app).get('/auth/github/authorize');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('https://github.com/login/oauth/authorize?mock=true');
+            const cookies = res.headers['set-cookie'];
+            expect(cookies).toBeDefined();
+            expect(cookies.some((c) => c.startsWith(`${session_1.STATE_COOKIE_NAME}=`))).toBe(true);
+        });
+        it('returns 400 for unsupported provider', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app).get('/auth/twitter/authorize');
+            expect(res.status).toBe(400);
+            expect(res.body.error).toContain('Unsupported or unconfigured provider');
+            expect(res.body.error).toContain('twitter');
+        });
+        it('returns 400 when google is requested but not configured', async () => {
+            // No google or github in config
+            const deps = createDeps();
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app).get('/auth/google/authorize');
+            expect(res.status).toBe(400);
+            expect(res.body.error).toContain('Unsupported or unconfigured provider');
+        });
+        it('returns 400 when github is requested but not configured', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+                // github intentionally omitted
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app).get('/auth/github/authorize');
+            expect(res.status).toBe(400);
+            expect(res.body.error).toContain('Unsupported or unconfigured provider');
+        });
+        it('uses default redirect_uri when not specified in google config', async () => {
+            const { buildGoogleAuthUrl } = require('../../src/auth/providers');
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            await (0, supertest_1.default)(app).get('/auth/google/authorize');
+            // buildGoogleAuthUrl should have been called with a redirect_uri derived from the request host
+            expect(buildGoogleAuthUrl).toHaveBeenCalledWith(expect.objectContaining({ client_id: 'gid' }), expect.stringContaining('/auth/google/callback'), expect.any(String), expect.any(String));
+        });
+        it('uses configured redirect_uri for google when provided', async () => {
+            const { buildGoogleAuthUrl } = require('../../src/auth/providers');
+            const deps = createDeps({
+                google: {
+                    client_id: 'gid',
+                    client_secret: 'gsecret',
+                    redirect_uri: 'https://custom.example.com/auth/google/callback',
+                },
+            });
+            const app = createApp(deps);
+            await (0, supertest_1.default)(app).get('/auth/google/authorize');
+            expect(buildGoogleAuthUrl).toHaveBeenCalledWith(expect.anything(), 'https://custom.example.com/auth/google/callback', expect.any(String), expect.any(String));
+        });
+        it('uses configured redirect_uri for github when provided', async () => {
+            const { buildGitHubAuthUrl } = require('../../src/auth/providers');
+            const deps = createDeps({
+                github: {
+                    client_id: 'ghid',
+                    client_secret: 'ghsecret',
+                    redirect_uri: 'https://custom.example.com/auth/github/callback',
+                },
+            });
+            const app = createApp(deps);
+            await (0, supertest_1.default)(app).get('/auth/github/authorize');
+            expect(buildGitHubAuthUrl).toHaveBeenCalledWith(expect.anything(), 'https://custom.example.com/auth/github/callback', expect.any(String));
+        });
+    });
+    // =========================================================================
+    // GET /auth/:provider/callback
+    // =========================================================================
+    describe('GET /auth/:provider/callback', () => {
+        it('redirects to /login?error=... when error param is present', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?error=access_denied');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=access_denied');
+        });
+        it('redirects to /login?error=missing_params when code is missing', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?state=somestate');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=missing_params');
+        });
+        it('redirects to /login?error=missing_params when state is missing', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?code=somecode');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=missing_params');
+        });
+        it('redirects to /login?error=invalid_state when state cookie is missing', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?code=abc&state=somestate');
+            // No state cookie set
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=invalid_state');
+        });
+        it('redirects to /login?error=invalid_state when state cookie does not match query param', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const stateCookie = makeStateCookie();
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?code=abc&state=different-state-value')
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=invalid_state');
+        });
+        it('redirects to /login?error=invalid_state when state decryption fails', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            // Use a garbled state that cannot be decrypted
+            const garbledState = 'this-is-not-valid-encrypted-state';
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=abc&state=${garbledState}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${garbledState}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=invalid_state');
+        });
+        it('redirects to /login?error=state_expired when state is older than 10 minutes', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            // Created 11 minutes ago
+            const stateCookie = makeStateCookie({
+                created_at: Date.now() - 11 * 60 * 1000,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=abc&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=state_expired');
+        });
+        it('redirects to /login?error=unsupported_provider for unsupported provider in callback', async () => {
+            // Config has no twitter provider
+            const deps = createDeps();
+            const app = createApp(deps);
+            const stateCookie = makeStateCookie({ provider: 'twitter' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/twitter/callback?code=abc&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=unsupported_provider');
+        });
+        it('redirects to /login?error=auth_failed when token exchange throws', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGoogleCode.mockRejectedValue(new Error('Token exchange failed'));
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=abc&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=auth_failed');
+        });
+        it('redirects to /onboarding for a new user (Google)', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGoogleCode.mockResolvedValue({
+                access_token: 'google-access-token',
+                refresh_token: 'google-refresh-token',
+            });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-123',
+                email: 'newuser@gmail.com',
+                display_name: 'New User',
+                avatar_url: 'https://example.com/avatar.jpg',
+            });
+            const stateCookie = makeStateCookie({
+                provider: 'google',
+                code_verifier: 'test-verifier',
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/onboarding');
+            // Session cookie should be set
+            const cookies = res.headers['set-cookie'];
+            expect(cookies.some((c) => c.startsWith(`${session_1.SESSION_COOKIE_NAME}=`))).toBe(true);
+            // User should have been created
+            const user = deps.userStore.getByEmail('newuser@gmail.com');
+            expect(user).toBeDefined();
+            expect(user.display_name).toBe('New User');
+            expect(user.onboarding_completed).toBe(false);
+        });
+        it('redirects to /onboarding for a new user (GitHub)', async () => {
+            const deps = createDeps({
+                github: { client_id: 'ghid', client_secret: 'ghsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGitHubCode.mockResolvedValue({
+                access_token: 'gh-access-token',
+            });
+            getGitHubUserInfo.mockResolvedValue({
+                provider: 'github',
+                provider_user_id: 'gh-456',
+                email: 'dev@github.com',
+                display_name: 'GH Dev',
+            });
+            const stateCookie = makeStateCookie({
+                provider: 'github',
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/github/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/onboarding');
+            // User should have been created
+            const user = deps.userStore.getByEmail('dev@github.com');
+            expect(user).toBeDefined();
+        });
+        it('redirects to /dashboard for returning user with onboarding completed', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const now = new Date().toISOString();
+            const existingUserId = 'u-existing';
+            // Seed existing user
+            deps.userStore.create({
+                id: existingUserId,
+                email: 'existing@gmail.com',
+                display_name: 'Existing User',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            // Seed existing OAuth link
+            deps.oauthAccountStore.create({
+                id: 'oa-1',
+                user_id: existingUserId,
+                provider: 'google',
+                provider_user_id: 'g-existing',
+                provider_email: 'existing@gmail.com',
+                created_at: now,
+                updated_at: now,
+            });
+            exchangeGoogleCode.mockResolvedValue({
+                access_token: 'new-access-token',
+                refresh_token: 'new-refresh-token',
+            });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-existing',
+                email: 'existing@gmail.com',
+                display_name: 'Existing User',
+            });
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/dashboard');
+        });
+        it('redirects to /onboarding for returning user without onboarding completed', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const now = new Date().toISOString();
+            const existingUserId = 'u-noonboard';
+            // Seed existing user with onboarding NOT completed
+            deps.userStore.create({
+                id: existingUserId,
+                email: 'noonboard@gmail.com',
+                display_name: 'Noonboard User',
+                status: 'active',
+                onboarding_completed: false,
+                created_at: now,
+                updated_at: now,
+            });
+            // Seed existing OAuth link
+            deps.oauthAccountStore.create({
+                id: 'oa-noonboard',
+                user_id: existingUserId,
+                provider: 'google',
+                provider_user_id: 'g-noonboard',
+                provider_email: 'noonboard@gmail.com',
+                created_at: now,
+                updated_at: now,
+            });
+            exchangeGoogleCode.mockResolvedValue({
+                access_token: 'at',
+                refresh_token: 'rt',
+            });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-noonboard',
+                email: 'noonboard@gmail.com',
+                display_name: 'Noonboard User',
+            });
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/onboarding');
+        });
+        it('redirects to /login?error=account_exists when email exists but OAuth is not linked', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const now = new Date().toISOString();
+            // Seed a password-based user (no OAuth link)
+            deps.userStore.create({
+                id: 'u-pw-only',
+                email: 'pwonly@gmail.com',
+                display_name: 'PW Only',
+                password_hash: 'hashed-pw',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            exchangeGoogleCode.mockResolvedValue({
+                access_token: 'at',
+                refresh_token: 'rt',
+            });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-new-id',
+                email: 'pwonly@gmail.com',
+                display_name: 'PW Only',
+            });
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toContain('/login?error=account_exists');
+        });
+        it('creates a session with workspace_id when user has memberships', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const now = new Date().toISOString();
+            const userId = 'u-withmember';
+            // Seed user and OAuth link
+            deps.userStore.create({
+                id: userId,
+                email: 'member@gmail.com',
+                display_name: 'Member User',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            deps.oauthAccountStore.create({
+                id: 'oa-member',
+                user_id: userId,
+                provider: 'google',
+                provider_user_id: 'g-member',
+                provider_email: 'member@gmail.com',
+                created_at: now,
+                updated_at: now,
+            });
+            // Create workspace and membership
+            deps.workspaceStore.create({
+                id: 'ws-member',
+                name: 'Test Workspace',
+                slug: 'test-ws',
+                owner_user_id: userId,
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-1',
+                workspace_id: 'ws-member',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            exchangeGoogleCode.mockResolvedValue({ access_token: 'at' });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-member',
+                email: 'member@gmail.com',
+                display_name: 'Member User',
+            });
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/dashboard');
+            // Verify session was created with workspace_id
+            // Extract session id from cookie
+            const cookies = res.headers['set-cookie'];
+            const sessionCookie = cookies.find((c) => c.startsWith(`${session_1.SESSION_COOKIE_NAME}=`));
+            const sessionId = sessionCookie.split('=')[1].split(';')[0];
+            const session = deps.sessionStore.getById(sessionId);
+            expect(session).toBeDefined();
+            expect(session.workspace_id).toBe('ws-member');
+        });
+        it('redirects to /login?error=auth_failed when getGoogleUserInfo throws', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGoogleCode.mockResolvedValue({
+                access_token: 'at',
+            });
+            getGoogleUserInfo.mockRejectedValue(new Error('Google API error'));
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=auth_failed');
+        });
+        it('redirects to /login?error=auth_failed when exchangeGitHubCode throws', async () => {
+            const deps = createDeps({
+                github: { client_id: 'ghid', client_secret: 'ghsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGitHubCode.mockRejectedValue(new Error('GitHub exchange error'));
+            const stateCookie = makeStateCookie({ provider: 'github' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/github/callback?code=bad-code&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=auth_failed');
+        });
+        it('clears the state cookie after successful validation', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            exchangeGoogleCode.mockResolvedValue({ access_token: 'at' });
+            getGoogleUserInfo.mockResolvedValue({
+                provider: 'google',
+                provider_user_id: 'g-clear',
+                email: 'clearcookie@gmail.com',
+                display_name: 'Clear Cookie',
+            });
+            const stateCookie = makeStateCookie({ provider: 'google' });
+            const res = await (0, supertest_1.default)(app)
+                .get(`/auth/google/callback?code=valid&state=${encodeURIComponent(stateCookie)}`)
+                .set('Cookie', `${session_1.STATE_COOKIE_NAME}=${stateCookie}`);
+            expect(res.status).toBe(302);
+            // The state cookie should be cleared (expired)
+            const cookies = res.headers['set-cookie'];
+            const stateCookieCleared = cookies.find((c) => c.startsWith(`${session_1.STATE_COOKIE_NAME}=`));
+            if (stateCookieCleared) {
+                // Express clearCookie sets expires to the past
+                expect(stateCookieCleared).toMatch(/Expires=Thu, 01 Jan 1970/i);
+            }
+        });
+        it('URL-encodes error messages in redirect', async () => {
+            const deps = createDeps({
+                google: { client_id: 'gid', client_secret: 'gsecret' },
+            });
+            const app = createApp(deps);
+            const res = await (0, supertest_1.default)(app)
+                .get('/auth/google/callback?error=some%20error%20with%20spaces');
+            expect(res.status).toBe(302);
+            expect(res.headers.location).toBe('/login?error=some%20error%20with%20spaces');
+        });
+    });
+    // =========================================================================
+    // DELETE /auth/users/:id
+    // =========================================================================
+    describe('DELETE /auth/users/:id', () => {
+        it('returns 401 when not authenticated', async () => {
+            const deps = createDeps();
+            const app = createApp(deps); // No session middleware
+            const res = await (0, supertest_1.default)(app).delete('/auth/users/u-123');
+            expect(res.status).toBe(401);
+            expect(res.body.error).toContain('Not authenticated');
+        });
+        it('returns 403 when trying to delete someone else\'s account', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const user = {
+                id: 'u-self',
+                email: 'self@example.com',
+                display_name: 'Self',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app).delete('/auth/users/u-other');
+            expect(res.status).toBe(403);
+            expect(res.body.error).toContain('Can only delete your own account');
+        });
+        it('deletes own account, workspace, members, api keys, and OAuth accounts when sole owner', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-sole-owner';
+            // Create user
+            const user = {
+                id: userId,
+                email: 'sole@example.com',
+                display_name: 'Sole Owner',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            // Create workspace
+            deps.workspaceStore.create({
+                id: 'ws-owned',
+                name: 'Owned Workspace',
+                slug: 'owned-ws',
+                owner_user_id: userId,
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            // Create memberships — user is sole owner
+            deps.workspaceMemberStore.create({
+                id: 'wm-owner',
+                workspace_id: 'ws-owned',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            // Add another member (non-owner) to the workspace
+            deps.workspaceMemberStore.create({
+                id: 'wm-member',
+                workspace_id: 'ws-owned',
+                user_id: 'u-other-member',
+                role: 'member',
+                joined_at: now,
+            });
+            // Create API keys in the workspace
+            deps.userApiKeyStore.create({
+                id: 'ak-1',
+                key_hash: 'hash1',
+                key_prefix: 'pk_1234',
+                user_id: userId,
+                workspace_id: 'ws-owned',
+                name: 'Key 1',
+                roles: ['admin'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            // Create user-level API key
+            deps.userApiKeyStore.create({
+                id: 'ak-user',
+                key_hash: 'hash2',
+                key_prefix: 'pk_5678',
+                user_id: userId,
+                workspace_id: 'ws-other',
+                name: 'User Key',
+                roles: ['member'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            // Create OAuth account
+            deps.oauthAccountStore.create({
+                id: 'oa-del',
+                user_id: userId,
+                provider: 'google',
+                provider_user_id: 'g-del',
+                provider_email: 'sole@example.com',
+                created_at: now,
+                updated_at: now,
+            });
+            // Create session
+            deps.sessionStore.create({
+                id: 'sess-del',
+                user_id: userId,
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: now,
+                created_at: now,
+            });
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/auth/users/${userId}`)
+                .set('Cookie', `${session_1.SESSION_COOKIE_NAME}=sess-del`);
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.deleted_user_id).toBe(userId);
+            // Verify: user deleted
+            expect(deps.userStore.getById(userId)).toBeUndefined();
+            // Verify: workspace deleted
+            expect(deps.workspaceStore.getById('ws-owned')).toBeUndefined();
+            // Verify: all workspace members deleted (including the non-owner)
+            expect(deps.workspaceMemberStore.getById('wm-owner')).toBeUndefined();
+            expect(deps.workspaceMemberStore.getById('wm-member')).toBeUndefined();
+            // Verify: workspace API keys deleted
+            expect(deps.userApiKeyStore.getById('ak-1')).toBeUndefined();
+            // Verify: user-level API keys deleted
+            expect(deps.userApiKeyStore.getById('ak-user')).toBeUndefined();
+            // Verify: OAuth accounts deleted
+            expect(deps.oauthAccountStore.getById('oa-del')).toBeUndefined();
+            // Verify: session deleted
+            expect(deps.sessionStore.getById('sess-del')).toBeUndefined();
+        });
+        it('removes membership only when other owners exist, keeps workspace', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-co-owner';
+            // Create user
+            const user = {
+                id: userId,
+                email: 'coowner@example.com',
+                display_name: 'Co Owner',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            // Create workspace
+            deps.workspaceStore.create({
+                id: 'ws-shared',
+                name: 'Shared Workspace',
+                slug: 'shared-ws',
+                owner_user_id: userId,
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            // Two owners — the user being deleted and another owner
+            deps.workspaceMemberStore.create({
+                id: 'wm-deleting',
+                workspace_id: 'ws-shared',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-other-owner',
+                workspace_id: 'ws-shared',
+                user_id: 'u-other-owner',
+                role: 'owner',
+                joined_at: now,
+            });
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            // Workspace should still exist
+            expect(deps.workspaceStore.getById('ws-shared')).toBeDefined();
+            // The deleting user's membership should be gone
+            expect(deps.workspaceMemberStore.getById('wm-deleting')).toBeUndefined();
+            // The other owner's membership should still exist
+            expect(deps.workspaceMemberStore.getById('wm-other-owner')).toBeDefined();
+            // User should be deleted
+            expect(deps.userStore.getById(userId)).toBeUndefined();
+        });
+        it('handles user with no workspaces', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-no-ws';
+            const user = {
+                id: userId,
+                email: 'nows@example.com',
+                display_name: 'No WS',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(deps.userStore.getById(userId)).toBeUndefined();
+        });
+        it('handles user with no OAuth accounts', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-no-oauth';
+            const user = {
+                id: userId,
+                email: 'nooauth@example.com',
+                display_name: 'No OAuth',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(deps.userStore.getById(userId)).toBeUndefined();
+        });
+        it('clears session cookie on deletion', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-cookie';
+            const user = {
+                id: userId,
+                email: 'cookie@example.com',
+                display_name: 'Cookie',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            // Session cookie should be cleared
+            const cookies = res.headers['set-cookie'];
+            if (cookies) {
+                const sessionCookie = cookies.find((c) => c.startsWith(`${session_1.SESSION_COOKIE_NAME}=`));
+                if (sessionCookie) {
+                    expect(sessionCookie).toMatch(/Expires=Thu, 01 Jan 1970/i);
+                }
+            }
+        });
+        it('works without userApiKeyStore configured (optional dep)', async () => {
+            const now = new Date().toISOString();
+            const userId = 'u-no-keystore';
+            // Create deps without userApiKeyStore
+            const deps = {
+                config: makeConfig(),
+                userStore: new memory_1.InMemoryUserStore(),
+                oauthAccountStore: new memory_1.InMemoryOAuthAccountStore(),
+                sessionStore: new memory_1.InMemorySessionStore(),
+                workspaceStore: new memory_1.InMemoryWorkspaceStore(),
+                workspaceMemberStore: new memory_1.InMemoryWorkspaceMemberStore(),
+                // userApiKeyStore intentionally omitted
+            };
+            const user = {
+                id: userId,
+                email: 'nokeys@example.com',
+                display_name: 'No Keys',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            // Workspace where user is sole owner
+            deps.workspaceStore.create({
+                id: 'ws-nokeys',
+                name: 'WS No Keys',
+                slug: 'ws-nokeys',
+                owner_user_id: userId,
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-nokeys',
+                workspace_id: 'ws-nokeys',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app).delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            // Workspace should be deleted since sole owner
+            expect(deps.workspaceStore.getById('ws-nokeys')).toBeUndefined();
+            expect(deps.userStore.getById(userId)).toBeUndefined();
+        });
+        it('handles multiple workspaces — sole owner of one, co-owner of another', async () => {
+            const deps = createDeps();
+            const now = new Date().toISOString();
+            const userId = 'u-multi-ws';
+            const user = {
+                id: userId,
+                email: 'multi@example.com',
+                display_name: 'Multi WS',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            };
+            deps.userStore.create(user);
+            // Workspace 1: sole owner → should be deleted
+            deps.workspaceStore.create({
+                id: 'ws-sole',
+                name: 'Sole WS',
+                slug: 'sole-ws',
+                owner_user_id: userId,
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-sole',
+                workspace_id: 'ws-sole',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            // Workspace 2: co-owner → should only remove membership
+            deps.workspaceStore.create({
+                id: 'ws-co',
+                name: 'Co WS',
+                slug: 'co-ws',
+                owner_user_id: 'u-other',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-co-self',
+                workspace_id: 'ws-co',
+                user_id: userId,
+                role: 'owner',
+                joined_at: now,
+            });
+            deps.workspaceMemberStore.create({
+                id: 'wm-co-other',
+                workspace_id: 'ws-co',
+                user_id: 'u-other',
+                role: 'owner',
+                joined_at: now,
+            });
+            const app = createAuthenticatedApp(deps, user);
+            const res = await (0, supertest_1.default)(app).delete(`/auth/users/${userId}`);
+            expect(res.status).toBe(200);
+            // Workspace 1 (sole owner) should be deleted
+            expect(deps.workspaceStore.getById('ws-sole')).toBeUndefined();
+            expect(deps.workspaceMemberStore.getById('wm-sole')).toBeUndefined();
+            // Workspace 2 (co-owner) should still exist
+            expect(deps.workspaceStore.getById('ws-co')).toBeDefined();
+            expect(deps.workspaceMemberStore.getById('wm-co-self')).toBeUndefined();
+            expect(deps.workspaceMemberStore.getById('wm-co-other')).toBeDefined();
+        });
+    });
+});
+//# sourceMappingURL=auth-routes-extended.test.js.map