165 lines
5.7 KiB
TypeScript
165 lines
5.7 KiB
TypeScript
/*
|
|
Copyright 2024 New Vector Ltd.
|
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
|
|
Please see LICENSE files in the repository root for full details.
|
|
*/
|
|
|
|
import fetchMock from "fetch-mock-jest";
|
|
import { completeAuthorizationCodeGrant } from "matrix-js-sdk/src/oidc/authorize";
|
|
import * as randomStringUtils from "matrix-js-sdk/src/randomstring";
|
|
import { BearerTokenResponse } from "matrix-js-sdk/src/oidc/validate";
|
|
import { mocked } from "jest-mock";
|
|
import { Crypto } from "@peculiar/webcrypto";
|
|
import { getRandomValues } from "node:crypto";
|
|
|
|
import { completeOidcLogin, startOidcLogin } from "../../../src/utils/oidc/authorize";
|
|
import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
|
|
import { OidcClientError } from "../../../src/utils/oidc/error";
|
|
import { mockPlatformPeg } from "../../test-utils";
|
|
|
|
jest.unmock("matrix-js-sdk/src/randomstring");
|
|
|
|
jest.mock("matrix-js-sdk/src/oidc/authorize", () => ({
|
|
...jest.requireActual("matrix-js-sdk/src/oidc/authorize"),
|
|
completeAuthorizationCodeGrant: jest.fn(),
|
|
}));
|
|
|
|
const webCrypto = new Crypto();
|
|
|
|
describe("OIDC authorization", () => {
|
|
const issuer = "https://auth.com/";
|
|
const homeserverUrl = "https://matrix.org";
|
|
const identityServerUrl = "https://is.org";
|
|
const clientId = "xyz789";
|
|
const baseUrl = "https://test.com";
|
|
|
|
const delegatedAuthConfig = makeDelegatedAuthConfig(issuer);
|
|
|
|
// to restore later
|
|
const realWindowLocation = window.location;
|
|
|
|
beforeEach(() => {
|
|
// @ts-ignore allow delete of non-optional prop
|
|
delete window.location;
|
|
// @ts-ignore ugly mocking
|
|
window.location = {
|
|
href: baseUrl,
|
|
origin: baseUrl,
|
|
};
|
|
|
|
jest.spyOn(randomStringUtils, "randomString").mockRestore();
|
|
mockPlatformPeg();
|
|
Object.defineProperty(window, "crypto", {
|
|
value: {
|
|
getRandomValues,
|
|
randomUUID: jest.fn().mockReturnValue("not-random-uuid"),
|
|
subtle: webCrypto.subtle,
|
|
},
|
|
});
|
|
});
|
|
|
|
beforeAll(() => {
|
|
fetchMock.get(
|
|
`${delegatedAuthConfig.metadata.issuer}.well-known/openid-configuration`,
|
|
delegatedAuthConfig.metadata,
|
|
);
|
|
});
|
|
|
|
afterAll(() => {
|
|
window.location = realWindowLocation;
|
|
});
|
|
|
|
describe("startOidcLogin()", () => {
|
|
it("navigates to authorization endpoint with correct parameters", async () => {
|
|
await startOidcLogin(delegatedAuthConfig, clientId, homeserverUrl);
|
|
|
|
const expectedScopeWithoutDeviceId = `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:`;
|
|
|
|
const authUrl = new URL(window.location.href);
|
|
|
|
expect(authUrl.searchParams.get("response_mode")).toEqual("query");
|
|
expect(authUrl.searchParams.get("response_type")).toEqual("code");
|
|
expect(authUrl.searchParams.get("client_id")).toEqual(clientId);
|
|
expect(authUrl.searchParams.get("code_challenge_method")).toEqual("S256");
|
|
|
|
// scope ends with a 10char randomstring deviceId
|
|
const scope = authUrl.searchParams.get("scope")!;
|
|
expect(scope.substring(0, scope.length - 10)).toEqual(expectedScopeWithoutDeviceId);
|
|
expect(scope.substring(scope.length - 10)).toBeTruthy();
|
|
|
|
// random string, just check they are set
|
|
expect(authUrl.searchParams.has("state")).toBeTruthy();
|
|
expect(authUrl.searchParams.has("nonce")).toBeTruthy();
|
|
expect(authUrl.searchParams.has("code_challenge")).toBeTruthy();
|
|
});
|
|
});
|
|
|
|
describe("completeOidcLogin()", () => {
|
|
const state = "test-state-444";
|
|
const code = "test-code-777";
|
|
const queryDict = {
|
|
code,
|
|
state: state,
|
|
};
|
|
|
|
const tokenResponse: BearerTokenResponse = {
|
|
access_token: "abc123",
|
|
refresh_token: "def456",
|
|
id_token: "ghi789",
|
|
scope: "test",
|
|
token_type: "Bearer",
|
|
expires_at: 12345,
|
|
};
|
|
|
|
beforeEach(() => {
|
|
mocked(completeAuthorizationCodeGrant)
|
|
.mockClear()
|
|
.mockResolvedValue({
|
|
oidcClientSettings: {
|
|
clientId,
|
|
issuer,
|
|
},
|
|
tokenResponse,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
idTokenClaims: {
|
|
aud: "123",
|
|
iss: issuer,
|
|
sub: "123",
|
|
exp: 123,
|
|
iat: 456,
|
|
},
|
|
});
|
|
});
|
|
|
|
it("should throw when query params do not include state and code", async () => {
|
|
await expect(async () => await completeOidcLogin({})).rejects.toThrow(
|
|
OidcClientError.InvalidQueryParameters,
|
|
);
|
|
});
|
|
|
|
it("should make request complete authorization code grant", async () => {
|
|
await completeOidcLogin(queryDict);
|
|
|
|
expect(completeAuthorizationCodeGrant).toHaveBeenCalledWith(code, state);
|
|
});
|
|
|
|
it("should return accessToken, configured homeserver and identityServer", async () => {
|
|
const result = await completeOidcLogin(queryDict);
|
|
|
|
expect(result).toEqual({
|
|
accessToken: tokenResponse.access_token,
|
|
refreshToken: tokenResponse.refresh_token,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
issuer,
|
|
clientId,
|
|
idToken: "ghi789",
|
|
idTokenClaims: result.idTokenClaims,
|
|
});
|
|
});
|
|
});
|
|
});
|