2025-02-03 16:57:49 +01:00
|
|
|
|
const fetch = require('node-fetch');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
const jwtDecode = require('jsonwebtoken/decode');
|
2025-08-11 18:49:34 -04:00
|
|
|
|
const { ErrorTypes } = require('librechat-data-provider');
|
2025-05-30 22:18:13 -04:00
|
|
|
|
const { findUser, createUser, updateUser } = require('~/models');
|
2025-08-11 18:49:34 -04:00
|
|
|
|
const { setupOpenId } = require('./openidStrategy');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// --- Mocks ---
|
|
|
|
|
|
jest.mock('node-fetch');
|
|
|
|
|
|
jest.mock('jsonwebtoken/decode');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
jest.mock('~/server/services/Files/strategies', () => ({
|
|
|
|
|
|
getStrategyFunctions: jest.fn(() => ({
|
2025-02-03 16:57:49 +01:00
|
|
|
|
saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
|
2024-10-27 11:41:48 -04:00
|
|
|
|
})),
|
|
|
|
|
|
}));
|
2025-05-30 22:18:13 -04:00
|
|
|
|
jest.mock('~/server/services/Config', () => ({
|
2025-08-26 12:10:18 -04:00
|
|
|
|
getAppConfig: jest.fn().mockResolvedValue({}),
|
|
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('@librechat/api', () => ({
|
|
|
|
|
|
...jest.requireActual('@librechat/api'),
|
|
|
|
|
|
isEnabled: jest.fn(() => false),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
getBalanceConfig: jest.fn(() => ({
|
|
|
|
|
|
enabled: false,
|
|
|
|
|
|
})),
|
|
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('~/models', () => ({
|
2025-02-03 16:57:49 +01:00
|
|
|
|
findUser: jest.fn(),
|
|
|
|
|
|
createUser: jest.fn(),
|
|
|
|
|
|
updateUser: jest.fn(),
|
|
|
|
|
|
}));
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
|
jest.mock('@librechat/data-schemas', () => ({
|
|
|
|
|
|
...jest.requireActual('@librechat/api'),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
logger: {
|
|
|
|
|
|
info: jest.fn(),
|
2025-08-27 12:59:40 -04:00
|
|
|
|
warn: jest.fn(),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
debug: jest.fn(),
|
|
|
|
|
|
error: jest.fn(),
|
2025-05-22 14:19:24 +02:00
|
|
|
|
},
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
|
hashToken: jest.fn().mockResolvedValue('hashed-token'),
|
2025-05-22 14:19:24 +02:00
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('~/cache/getLogStores', () =>
|
|
|
|
|
|
jest.fn(() => ({
|
|
|
|
|
|
get: jest.fn(),
|
|
|
|
|
|
set: jest.fn(),
|
|
|
|
|
|
})),
|
|
|
|
|
|
);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Mock the openid-client module and all its dependencies
|
|
|
|
|
|
jest.mock('openid-client', () => {
|
|
|
|
|
|
return {
|
|
|
|
|
|
discovery: jest.fn().mockResolvedValue({
|
|
|
|
|
|
clientId: 'fake_client_id',
|
|
|
|
|
|
clientSecret: 'fake_client_secret',
|
|
|
|
|
|
issuer: 'https://fake-issuer.com',
|
|
|
|
|
|
// Add any other properties needed by the implementation
|
|
|
|
|
|
}),
|
2025-08-11 18:49:34 -04:00
|
|
|
|
fetchUserInfo: jest.fn().mockImplementation(() => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Only return additional properties, but don't override any claims
|
2025-07-30 14:43:42 -04:00
|
|
|
|
return Promise.resolve({});
|
2025-05-22 14:19:24 +02:00
|
|
|
|
}),
|
|
|
|
|
|
customFetch: Symbol('customFetch'),
|
|
|
|
|
|
};
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
jest.mock('openid-client/passport', () => {
|
|
|
|
|
|
let verifyCallback;
|
|
|
|
|
|
const mockStrategy = jest.fn((options, verify) => {
|
|
|
|
|
|
verifyCallback = verify;
|
|
|
|
|
|
return { name: 'openid', options, verify };
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
|
Strategy: mockStrategy,
|
|
|
|
|
|
__getVerifyCallback: () => verifyCallback,
|
|
|
|
|
|
};
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Mock passport
|
|
|
|
|
|
jest.mock('passport', () => ({
|
|
|
|
|
|
use: jest.fn(),
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
2024-10-27 11:41:48 -04:00
|
|
|
|
describe('setupOpenId', () => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Store a reference to the verify callback once it's set up
|
|
|
|
|
|
let verifyCallback;
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Helper to wrap the verify callback in a promise
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const validate = (tokenset) =>
|
2025-02-03 16:57:49 +01:00
|
|
|
|
new Promise((resolve, reject) => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
verifyCallback(tokenset, (err, user, details) => {
|
2025-02-03 16:57:49 +01:00
|
|
|
|
if (err) {
|
|
|
|
|
|
reject(err);
|
|
|
|
|
|
} else {
|
|
|
|
|
|
resolve({ user, details });
|
|
|
|
|
|
}
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const tokenset = {
|
|
|
|
|
|
id_token: 'fake_id_token',
|
|
|
|
|
|
access_token: 'fake_access_token',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
claims: () => ({
|
|
|
|
|
|
sub: '1234',
|
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
|
email_verified: true,
|
|
|
|
|
|
given_name: 'First',
|
|
|
|
|
|
family_name: 'Last',
|
|
|
|
|
|
name: 'My Full',
|
2025-07-30 14:43:42 -04:00
|
|
|
|
preferred_username: 'testusername',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
username: 'flast',
|
|
|
|
|
|
picture: 'https://example.com/avatar.png',
|
|
|
|
|
|
}),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
beforeEach(async () => {
|
|
|
|
|
|
// Clear previous mock calls and reset implementations
|
|
|
|
|
|
jest.clearAllMocks();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Reset environment variables needed by the strategy
|
|
|
|
|
|
process.env.OPENID_ISSUER = 'https://fake-issuer.com';
|
|
|
|
|
|
process.env.OPENID_CLIENT_ID = 'fake_client_id';
|
|
|
|
|
|
process.env.OPENID_CLIENT_SECRET = 'fake_client_secret';
|
|
|
|
|
|
process.env.DOMAIN_SERVER = 'https://example.com';
|
|
|
|
|
|
process.env.OPENID_CALLBACK_URL = '/callback';
|
|
|
|
|
|
process.env.OPENID_SCOPE = 'openid profile email';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'requiredRole';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'roles';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id';
|
|
|
|
|
|
delete process.env.OPENID_USERNAME_CLAIM;
|
|
|
|
|
|
delete process.env.OPENID_NAME_CLAIM;
|
|
|
|
|
|
delete process.env.PROXY;
|
2025-05-22 14:19:24 +02:00
|
|
|
|
delete process.env.OPENID_USE_PKCE;
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Default jwtDecode mock returns a token that includes the required role.
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// By default, assume that no user is found, so createUser will be called
|
|
|
|
|
|
findUser.mockResolvedValue(null);
|
|
|
|
|
|
createUser.mockImplementation(async (userData) => {
|
|
|
|
|
|
// simulate created user with an _id property
|
|
|
|
|
|
return { _id: 'newUserId', ...userData };
|
|
|
|
|
|
});
|
|
|
|
|
|
updateUser.mockImplementation(async (id, userData) => {
|
|
|
|
|
|
return { _id: id, ...userData };
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// For image download, simulate a successful response
|
|
|
|
|
|
const fakeBuffer = Buffer.from('fake image');
|
|
|
|
|
|
const fakeResponse = {
|
|
|
|
|
|
ok: true,
|
|
|
|
|
|
buffer: jest.fn().mockResolvedValue(fakeBuffer),
|
2024-10-27 11:41:48 -04:00
|
|
|
|
};
|
2025-02-03 16:57:49 +01:00
|
|
|
|
fetch.mockResolvedValue(fakeResponse);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Call the setup function and capture the verify callback
|
2025-02-03 16:57:49 +01:00
|
|
|
|
await setupOpenId();
|
2025-05-22 14:19:24 +02:00
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should create a new user with correct username when preferred_username claim exists', async () => {
|
|
|
|
|
|
// Arrange – our userinfo already has preferred_username 'testusername'
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
2025-07-30 14:43:42 -04:00
|
|
|
|
expect(user.username).toBe(userinfo.preferred_username);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
provider: 'openid',
|
|
|
|
|
|
openidId: userinfo.sub,
|
2025-07-30 14:43:42 -04:00
|
|
|
|
username: userinfo.preferred_username,
|
2025-02-03 16:57:49 +01:00
|
|
|
|
email: userinfo.email,
|
|
|
|
|
|
name: `${userinfo.given_name} ${userinfo.family_name}`,
|
|
|
|
|
|
}),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should use username as username when preferred_username claim is missing', async () => {
|
|
|
|
|
|
// Arrange – remove preferred_username from userinfo
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-07-30 14:43:42 -04:00
|
|
|
|
delete userinfo.preferred_username;
|
|
|
|
|
|
// Expect the username to be the "username"
|
|
|
|
|
|
const expectUsername = userinfo.username;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.username).toBe(expectUsername);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: expectUsername }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should use email as username when username and preferred_username are missing', async () => {
|
|
|
|
|
|
// Arrange – remove username and preferred_username
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
delete userinfo.username;
|
2025-07-30 14:43:42 -04:00
|
|
|
|
delete userinfo.preferred_username;
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const expectUsername = userinfo.email;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.username).toBe(expectUsername);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: expectUsername }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should override username with OPENID_USERNAME_CLAIM when set', async () => {
|
|
|
|
|
|
// Arrange – set OPENID_USERNAME_CLAIM so that the sub claim is used
|
|
|
|
|
|
process.env.OPENID_USERNAME_CLAIM = 'sub';
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – username should equal the sub (converted as-is)
|
|
|
|
|
|
expect(user.username).toBe(userinfo.sub);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: userinfo.sub }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should set the full name correctly when given_name and family_name exist', async () => {
|
|
|
|
|
|
// Arrange
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const expectedFullName = `${userinfo.given_name} ${userinfo.family_name}`;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.name).toBe(expectedFullName);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should override full name with OPENID_NAME_CLAIM when set', async () => {
|
|
|
|
|
|
// Arrange – use the name claim as the full name
|
|
|
|
|
|
process.env.OPENID_NAME_CLAIM = 'name';
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims(), name: 'Custom Name' };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.name).toBe('Custom Name');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should update an existing user on login', async () => {
|
2025-08-11 18:49:34 -04:00
|
|
|
|
// Arrange – simulate that a user already exists with openid provider
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const existingUser = {
|
|
|
|
|
|
_id: 'existingUserId',
|
2025-08-11 18:49:34 -04:00
|
|
|
|
provider: 'openid',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
email: tokenset.claims().email,
|
2025-02-03 16:57:49 +01:00
|
|
|
|
openidId: '',
|
|
|
|
|
|
username: '',
|
|
|
|
|
|
name: '',
|
|
|
|
|
|
};
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
2025-08-11 18:49:34 -04:00
|
|
|
|
if (
|
|
|
|
|
|
query.openidId === tokenset.claims().sub ||
|
|
|
|
|
|
(query.email === tokenset.claims().email && query.provider === 'openid')
|
|
|
|
|
|
) {
|
2025-02-03 16:57:49 +01:00
|
|
|
|
return existingUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – updateUser should be called and the user object updated
|
2025-02-03 16:08:34 -05:00
|
|
|
|
expect(updateUser).toHaveBeenCalledWith(
|
|
|
|
|
|
existingUser._id,
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
provider: 'openid',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
openidId: userinfo.sub,
|
2025-07-30 14:43:42 -04:00
|
|
|
|
username: userinfo.preferred_username,
|
2025-05-22 14:19:24 +02:00
|
|
|
|
name: `${userinfo.given_name} ${userinfo.family_name}`,
|
2025-02-03 16:08:34 -05:00
|
|
|
|
}),
|
|
|
|
|
|
);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-08-11 18:49:34 -04:00
|
|
|
|
it('should block login when email exists with different provider', async () => {
|
|
|
|
|
|
// Arrange – simulate that a user exists with same email but different provider
|
|
|
|
|
|
const existingUser = {
|
|
|
|
|
|
_id: 'existingUserId',
|
|
|
|
|
|
provider: 'google',
|
|
|
|
|
|
email: tokenset.claims().email,
|
|
|
|
|
|
googleId: 'some-google-id',
|
|
|
|
|
|
username: 'existinguser',
|
|
|
|
|
|
name: 'Existing User',
|
|
|
|
|
|
};
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
|
|
|
|
|
if (query.email === tokenset.claims().email && !query.provider) {
|
|
|
|
|
|
return existingUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const result = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the strategy rejects login
|
|
|
|
|
|
expect(result.user).toBe(false);
|
|
|
|
|
|
expect(result.details.message).toBe(ErrorTypes.AUTH_FAILED);
|
|
|
|
|
|
expect(createUser).not.toHaveBeenCalled();
|
|
|
|
|
|
expect(updateUser).not.toHaveBeenCalled();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should enforce the required role and reject login if missing', async () => {
|
|
|
|
|
|
// Arrange – simulate a token without the required role.
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['SomeOtherRole'],
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user, details } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the strategy rejects login
|
|
|
|
|
|
expect(user).toBe(false);
|
2025-02-03 16:08:34 -05:00
|
|
|
|
expect(details.message).toBe('You must have the "requiredRole" role to log in.');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
it('should attempt to download and save the avatar if picture is provided', async () => {
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – verify that download was attempted and the avatar field was set via updateUser
|
|
|
|
|
|
expect(fetch).toHaveBeenCalled();
|
|
|
|
|
|
// Our mock getStrategyFunctions.saveBuffer returns '/fake/path/to/avatar.png'
|
|
|
|
|
|
expect(user.avatar).toBe('/fake/path/to/avatar.png');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should not attempt to download avatar if picture is not provided', async () => {
|
|
|
|
|
|
// Arrange – remove picture
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
delete userinfo.picture;
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
await validate({ ...tokenset, claims: () => userinfo });
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – fetch should not be called and avatar should remain undefined or empty
|
|
|
|
|
|
expect(fetch).not.toHaveBeenCalled();
|
|
|
|
|
|
// Depending on your implementation, user.avatar may be undefined or an empty string.
|
|
|
|
|
|
});
|
2025-05-22 14:19:24 +02:00
|
|
|
|
|
|
|
|
|
|
it('should default to usePKCE false when OPENID_USE_PKCE is not defined', async () => {
|
|
|
|
|
|
const OpenIDStrategy = require('openid-client/passport').Strategy;
|
|
|
|
|
|
|
|
|
|
|
|
delete process.env.OPENID_USE_PKCE;
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
|
|
|
|
|
|
const callOptions = OpenIDStrategy.mock.calls[OpenIDStrategy.mock.calls.length - 1][0];
|
|
|
|
|
|
expect(callOptions.usePKCE).toBe(false);
|
|
|
|
|
|
expect(callOptions.params?.code_challenge_method).toBeUndefined();
|
|
|
|
|
|
});
|
2025-02-03 16:08:34 -05:00
|
|
|
|
});
|