server/packages/api/routes/oauth/token.test.ts

import { afterAll, describe, expect, test } from "bun:test";
import { Client, db } from "@versia-server/kit/db";
import { fakeRequest, getTestUsers } from "@versia-server/tests";
import { randomUUIDv7 } from "bun";
import { eq } from "drizzle-orm";
import { randomString } from "@/math";
import { AuthorizationCodes } from "~/packages/kit/tables/schema";

const { deleteUsers, users } = await getTestUsers(1);

const application = await Client.insert({
    id: randomUUIDv7(),
    redirectUris: ["https://example.com/callback"],
    scopes: ["openid", "profile", "email"],
    secret: "test-secret",
    name: "Test Application",
});

const authorizationCode = (
    await db
        .insert(AuthorizationCodes)
        .values({
            clientId: application.id,
            code: randomString(10),
            redirectUri: application.data.redirectUris[0],
            userId: users[0].id,
            expiresAt: new Date(Date.now() + 300 * 1000).toISOString(),
        })
        .returning()
)[0];

afterAll(async () => {
    await deleteUsers();
    await application.delete();
    await db
        .delete(AuthorizationCodes)
        .where(eq(AuthorizationCodes.code, authorizationCode.code));
});

describe("/oauth/token", () => {
    test("should return token with valid inputs", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: authorizationCode.code,
                redirect_uri: application.data.redirectUris[0],
                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(200);
        const body = await response.json();
        expect(body.access_token).toBeString();
        expect(body.token_type).toBe("Bearer");
        expect(body.expires_in).toBeNull();
    });

    test("should return error for missing code", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                redirect_uri: application.data.redirectUris[0],
                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(422);
        const body = await response.json();
        expect(body.error).toInclude(
            `expected string, received undefined at "code"`,
        );
    });

    test("should return error for missing redirect_uri", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: authorizationCode.code,
                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(422);
        const body = await response.json();
        expect(body.error).toInclude(
            `expected string, received undefined at "redirect_uri"`,
        );
    });

    test("should return error for missing client_id", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: authorizationCode.code,
                redirect_uri: application.data.redirectUris[0],
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(422);
        const body = await response.json();
        expect(body.error).toInclude(
            `expected string, received undefined at "client_id"`,
        );
    });

    test("should return error for invalid client credentials", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: authorizationCode.code,
                redirect_uri: application.data.redirectUris[0],
                client_id: application.data.id,
                client_secret: "invalid-secret",
            }),
        });

        expect(response.status).toBe(401);
        const body = await response.json();
        expect(body.error).toBe("invalid_client");
        expect(body.error_description).toBe("Invalid client credentials");
    });

    test("should return error for code not found", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "invalid-code",
                redirect_uri: application.data.redirectUris[0],
                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(404);
        const body = await response.json();
        expect(body.error).toBe("invalid_grant");
        expect(body.error_description).toBe(
            "Authorization code not found or expired",
        );
    });

    test("should return error for unsupported grant type", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                grant_type: "refresh_token",
                code: authorizationCode.code,
                redirect_uri: application.data.redirectUris[0],
                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });

        expect(response.status).toBe(401);
        const body = await response.json();
        expect(body.error).toBe("unsupported_grant_type");
        expect(body.error_description).toBe("Unsupported grant type");
    });
});
refactor(database): :recycle: Move Token to its own ORM abstraction, optimize familiar_followers route 2024-11-03 17:45:21 +01:00			`import { afterAll, describe, expect, test } from "bun:test";`
refactor(database): :truck: Rename Application to Client everywhere 2025-08-21 01:21:32 +02:00			`import { Client, db } from "@versia-server/kit/db";`
refactor: :truck: Move testing to its own sub-package 2025-06-15 22:17:33 +02:00			`import { fakeRequest, getTestUsers } from "@versia-server/tests";`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00			`import { randomUUIDv7 } from "bun";`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`import { eq } from "drizzle-orm";`
			`import { randomString } from "@/math";`
			`import { AuthorizationCodes } from "~/packages/kit/tables/schema";`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00
			`const { deleteUsers, users } = await getTestUsers(1);`

refactor(database): :truck: Rename Application to Client everywhere 2025-08-21 01:21:32 +02:00			`const application = await Client.insert({`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00			`id: randomUUIDv7(),`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirectUris: ["https://example.com/callback"],`
			`scopes: ["openid", "profile", "email"],`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`secret: "test-secret",`
			`name: "Test Application",`
			`});`
refactor(database): :heavy_minus_sign: Remove dependency on pg_uuidv7 extension 2025-03-30 22:10:33 +02:00
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`const authorizationCode = (`
			`await db`
			`.insert(AuthorizationCodes)`
			`.values({`
			`clientId: application.id,`
			`code: randomString(10),`
			`redirectUri: application.data.redirectUris[0],`
			`userId: users[0].id,`
			`expiresAt: new Date(Date.now() + 300 * 1000).toISOString(),`
			`})`
			`.returning()`
			`)[0];`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00
			`afterAll(async () => {`
			`await deleteUsers();`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`await application.delete();`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`await db`
			`.delete(AuthorizationCodes)`
			`.where(eq(AuthorizationCodes.code, authorizationCode.code));`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`describe("/oauth/token", () => {`
			`test("should return token with valid inputs", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`code: authorizationCode.code,`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
			`client_id: application.data.id,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

			`expect(response.status).toBe(200);`
			`const body = await response.json();`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(body.access_token).toBeString();`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`expect(body.token_type).toBe("Bearer");`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(body.expires_in).toBeNull();`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`test("should return error for missing code", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
			`client_id: application.data.id,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(response.status).toBe(422);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`const body = await response.json();`
chore: :arrow_up: Upgrade dependencies 2025-11-21 08:31:02 +01:00			`expect(body.error).toInclude(`
			`expected string, received undefined at "code"`,
			`);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`test("should return error for missing redirect_uri", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`code: authorizationCode.code,`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`client_id: application.data.id,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(response.status).toBe(422);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`const body = await response.json();`
chore: :arrow_up: Upgrade dependencies 2025-11-21 08:31:02 +01:00			`expect(body.error).toInclude(`
			`expected string, received undefined at "redirect_uri"`,
			`);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`test("should return error for missing client_id", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`code: authorizationCode.code,`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(response.status).toBe(422);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`const body = await response.json();`
chore: :arrow_up: Upgrade dependencies 2025-11-21 08:31:02 +01:00			`expect(body.error).toInclude(`
			`expected string, received undefined at "client_id"`,
			`);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`test("should return error for invalid client credentials", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`code: authorizationCode.code,`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
			`client_id: application.data.id,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`client_secret: "invalid-secret",`
			`}),`
			`});`

			`expect(response.status).toBe(401);`
			`const body = await response.json();`
			`expect(body.error).toBe("invalid_client");`
			`expect(body.error_description).toBe("Invalid client credentials");`
			`});`

			`test("should return error for code not found", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "authorization_code",`
			`code: "invalid-code",`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
			`client_id: application.data.id,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(response.status).toBe(404);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`const body = await response.json();`
			`expect(body.error).toBe("invalid_grant");`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`expect(body.error_description).toBe(`
			`"Authorization code not found or expired",`
			`);`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`});`

			`test("should return error for unsupported grant type", async () => {`
			`const response = await fakeRequest("/oauth/token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
			`grant_type: "refresh_token",`
fix(api): :white_check_mark: Fix all failing tests 2025-08-21 01:15:38 +02:00			`code: authorizationCode.code,`
refactor(api): :recycle: Rewrite full authentication code to go OpenID-only 2025-08-21 00:45:58 +02:00			`redirect_uri: application.data.redirectUris[0],`
			`client_id: application.data.id,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_secret: application.data.secret,`
refactor(api): :recycle: Move token endpoint to OpenID plugin, add revoke endpoint 2024-09-30 13:42:12 +02:00			`}),`
			`});`

			`expect(response.status).toBe(401);`
			`const body = await response.json();`
			`expect(body.error).toBe("unsupported_grant_type");`
			`expect(body.error_description).toBe("Unsupported grant type");`
			`});`
			`});`