2024-10-23 17:56:47 +02:00
|
|
|
import { afterAll, describe, expect, test } from "bun:test";
|
2025-03-22 18:04:47 +01:00
|
|
|
import { RolePermission } from "@versia/client/schemas";
|
2024-11-01 20:57:16 +01:00
|
|
|
import { Application } from "@versia/kit/db";
|
2025-06-15 04:38:20 +02:00
|
|
|
import { config } from "@versia-server/config";
|
2025-06-15 22:17:33 +02:00
|
|
|
import { fakeRequest, getTestUsers } from "@versia-server/tests";
|
2025-03-30 22:10:33 +02:00
|
|
|
import { randomUUIDv7 } from "bun";
|
2024-09-24 14:42:39 +02:00
|
|
|
import { SignJWT } from "jose";
|
2025-04-10 19:15:31 +02:00
|
|
|
import { randomString } from "@/math";
|
2024-09-24 14:42:39 +02:00
|
|
|
|
|
|
|
|
const { deleteUsers, tokens, users } = await getTestUsers(1);
|
|
|
|
|
const privateKey = await crypto.subtle.importKey(
|
|
|
|
|
"pkcs8",
|
2024-10-06 15:55:15 +02:00
|
|
|
Buffer.from(
|
|
|
|
|
config.plugins?.config?.["@versia/openid"].keys.private,
|
|
|
|
|
"base64",
|
|
|
|
|
),
|
2024-09-24 14:42:39 +02:00
|
|
|
"Ed25519",
|
|
|
|
|
false,
|
|
|
|
|
["sign"],
|
|
|
|
|
);
|
|
|
|
|
|
2024-10-23 17:56:47 +02:00
|
|
|
const application = await Application.insert({
|
2025-03-30 22:10:33 +02:00
|
|
|
id: randomUUIDv7(),
|
2024-10-23 17:56:47 +02:00
|
|
|
clientId: "test-client-id",
|
|
|
|
|
redirectUri: "https://example.com/callback",
|
|
|
|
|
scopes: "openid profile email",
|
|
|
|
|
name: "Test Application",
|
|
|
|
|
secret: "test-secret",
|
2024-09-24 14:42:39 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterAll(async () => {
|
|
|
|
|
await deleteUsers();
|
2024-10-23 17:56:47 +02:00
|
|
|
await application.delete();
|
2024-09-24 14:42:39 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe("/oauth/authorize", () => {
|
|
|
|
|
test("should authorize and redirect with valid inputs", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
2024-10-23 17:56:47 +02:00
|
|
|
expect(location.origin + location.pathname).toBe(
|
|
|
|
|
application.data.redirectUri,
|
|
|
|
|
);
|
2024-09-24 14:42:39 +02:00
|
|
|
expect(params.get("code")).toBeTruthy();
|
|
|
|
|
expect(params.get("state")).toBe("test-state");
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for invalid JWT", async () => {
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: "jwt=invalid-jwt",
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
|
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params.get("error_description")).toBe(
|
2024-12-30 18:00:23 +01:00
|
|
|
"Invalid JWT: could not verify",
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for missing required fields in JWT", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
|
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params.get("error_description")).toBe(
|
2024-12-30 18:00:23 +01:00
|
|
|
"Invalid JWT: missing required fields (aud, sub, exp, iss)",
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for user not found", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: "non-existent-user",
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-09-24 14:42:39 +02:00
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
|
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params.get("error_description")).toBe(
|
2024-12-30 18:00:23 +01:00
|
|
|
"Invalid JWT: sub is not a valid user ID",
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const jwt2 = await new SignJWT({
|
|
|
|
|
sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-09-24 14:42:39 +02:00
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response2 = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt2}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response2.status).toBe(302);
|
|
|
|
|
const location2 = new URL(
|
|
|
|
|
response2.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params2 = new URLSearchParams(location2.search);
|
|
|
|
|
expect(params2.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params2.get("error_description")).toBe(
|
|
|
|
|
"Invalid JWT, could not find associated user",
|
|
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for user missing required permissions", async () => {
|
|
|
|
|
const oldPermissions = config.permissions.default;
|
|
|
|
|
config.permissions.default = [];
|
|
|
|
|
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
2024-12-30 18:00:23 +01:00
|
|
|
expect(params.get("error")).toBe("unauthorized");
|
2024-09-24 14:42:39 +02:00
|
|
|
expect(params.get("error_description")).toBe(
|
2025-03-22 18:04:47 +01:00
|
|
|
`User missing required '${RolePermission.OAuth}' permission`,
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
config.permissions.default = oldPermissions;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for invalid client_id", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
|
|
|
|
aud: "invalid-client-id",
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
|
|
|
|
client_id: "invalid-client-id",
|
2024-10-23 17:56:47 +02:00
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
|
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params.get("error_description")).toBe(
|
2024-12-30 18:00:23 +01:00
|
|
|
"Invalid client_id: no associated API application found",
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for invalid redirect_uri", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
redirect_uri: "https://invalid.com/callback",
|
|
|
|
|
response_type: "code",
|
2024-10-23 17:56:47 +02:00
|
|
|
scope: application.data.scopes,
|
2024-09-24 14:42:39 +02:00
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
|
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
|
|
|
|
expect(params.get("error_description")).toBe(
|
2024-12-30 18:00:23 +01:00
|
|
|
"Invalid redirect_uri: does not match API application's redirect_uri",
|
2024-09-24 14:42:39 +02:00
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
test("should return error for invalid scope", async () => {
|
|
|
|
|
const jwt = await new SignJWT({
|
|
|
|
|
sub: users[0].id,
|
2025-02-13 01:31:15 +01:00
|
|
|
iss: config.http.base_url.origin,
|
2024-10-23 17:56:47 +02:00
|
|
|
aud: application.data.clientId,
|
2024-09-24 14:42:39 +02:00
|
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60,
|
|
|
|
|
iat: Math.floor(Date.now() / 1000),
|
|
|
|
|
nbf: Math.floor(Date.now() / 1000),
|
|
|
|
|
})
|
|
|
|
|
.setProtectedHeader({ alg: "EdDSA" })
|
|
|
|
|
.sign(privateKey);
|
|
|
|
|
|
|
|
|
|
const response = await fakeRequest("/oauth/authorize", {
|
|
|
|
|
method: "POST",
|
|
|
|
|
headers: {
|
2024-11-03 17:45:21 +01:00
|
|
|
Authorization: `Bearer ${tokens[0].data.accessToken}`,
|
2024-09-24 14:42:39 +02:00
|
|
|
"Content-Type": "application/json",
|
|
|
|
|
Cookie: `jwt=${jwt}`,
|
|
|
|
|
},
|
|
|
|
|
body: JSON.stringify({
|
2024-10-23 17:56:47 +02:00
|
|
|
client_id: application.data.clientId,
|
|
|
|
|
redirect_uri: application.data.redirectUri,
|
2024-09-24 14:42:39 +02:00
|
|
|
response_type: "code",
|
|
|
|
|
scope: "invalid-scope",
|
|
|
|
|
state: "test-state",
|
|
|
|
|
code_challenge: randomString(43),
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
}),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(response.status).toBe(302);
|
|
|
|
|
const location = new URL(
|
|
|
|
|
response.headers.get("Location") ?? "",
|
|
|
|
|
config.http.base_url,
|
|
|
|
|
);
|
|
|
|
|
const params = new URLSearchParams(location.search);
|
2024-12-30 18:00:23 +01:00
|
|
|
expect(params.get("error")).toBe("invalid_request");
|
2024-09-24 14:42:39 +02:00
|
|
|
expect(params.get("error_description")).toBe(
|
|
|
|
|
"Invalid scope: not a subset of the application's scopes",
|
|
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
});
|
