server/plugins/openid/routes/authorize.test.ts

import { afterAll, describe, expect, test } from "bun:test";
import { randomString } from "@/math";
import { RolePermissions } from "@versia/kit/tables";
import { SignJWT } from "jose";
import { Application } from "~/classes/database/application";
import { config } from "~/packages/config-manager";
import { fakeRequest, getTestUsers } from "~/tests/utils";

const { deleteUsers, tokens, users } = await getTestUsers(1);
const privateKey = await crypto.subtle.importKey(
    "pkcs8",
    Buffer.from(
        config.plugins?.config?.["@versia/openid"].keys.private,
        "base64",
    ),
    "Ed25519",
    false,
    ["sign"],
);

const application = await Application.insert({
    clientId: "test-client-id",
    redirectUri: "https://example.com/callback",
    scopes: "openid profile email",
    name: "Test Application",
    secret: "test-secret",
});

afterAll(async () => {
    await deleteUsers();
    await application.delete();
});

describe("/oauth/authorize", () => {
    test("should authorize and redirect with valid inputs", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: new URL(config.http.base_url).origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(location.origin + location.pathname).toBe(
            application.data.redirectUri,
        );
        expect(params.get("code")).toBeTruthy();
        expect(params.get("state")).toBe("test-state");
    });

    test("should return error for invalid JWT", async () => {
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: "jwt=invalid-jwt",
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT, could not verify",
        );
    });

    test("should return error for missing required fields in JWT", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: new URL(config.http.base_url).origin,
            aud: application.data.clientId,
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT, missing required fields (aud, sub, exp)",
        );
    });

    test("should return error for user not found", async () => {
        const jwt = await new SignJWT({
            sub: "non-existent-user",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: new URL(config.http.base_url).origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT, sub is not a valid user ID",
        );

        const jwt2 = await new SignJWT({
            sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: new URL(config.http.base_url).origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response2 = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt2}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response2.status).toBe(302);
        const location2 = new URL(
            response2.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params2 = new URLSearchParams(location2.search);
        expect(params2.get("error")).toBe("invalid_request");
        expect(params2.get("error_description")).toBe(
            "Invalid JWT, could not find associated user",
        );
    });

    test("should return error for user missing required permissions", async () => {
        const oldPermissions = config.permissions.default;
        config.permissions.default = [];

        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: new URL(config.http.base_url).origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            `User is missing the required permission ${RolePermissions.OAuth}`,
        );

        config.permissions.default = oldPermissions;
    });

    test("should return error for invalid client_id", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            aud: "invalid-client-id",
            iss: new URL(config.http.base_url).origin,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: "invalid-client-id",
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid client_id: no associated application found",
        );
    });

    test("should return error for invalid redirect_uri", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: new URL(config.http.base_url).origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: "https://invalid.com/callback",
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid redirect_uri: does not match application's redirect_uri",
        );
    });

    test("should return error for invalid scope", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: new URL(config.http.base_url).origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(privateKey);

        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0]?.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: "invalid-scope",
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });

        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_scope");
        expect(params.get("error_description")).toBe(
            "Invalid scope: not a subset of the application's scopes",
        );
    });
});
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`import { afterAll, describe, expect, test } from "bun:test";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import { randomString } from "@/math";`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`import { RolePermissions } from "@versia/kit/tables";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import { SignJWT } from "jose";`
refactor(database): :truck: Move database ORM code to classes/database The old directory, packages/database-interface, was confusingly named so it was better to move it here 2024-10-24 16:28:38 +02:00			`import { Application } from "~/classes/database/application";`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`import { config } from "~/packages/config-manager";`
			`import { fakeRequest, getTestUsers } from "~/tests/utils";`

			`const { deleteUsers, tokens, users } = await getTestUsers(1);`
			`const privateKey = await crypto.subtle.importKey(`
			`"pkcs8",`
feat(plugin): :sparkles: Add override settings to plugin loading 2024-10-06 15:55:15 +02:00			`Buffer.from(`
			`config.plugins?.config?.["@versia/openid"].keys.private,`
			`"base64",`
			`),`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`"Ed25519",`
			`false,`
			`["sign"],`
			`);`

refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`const application = await Application.insert({`
			`clientId: "test-client-id",`
			`redirectUri: "https://example.com/callback",`
			`scopes: "openid profile email",`
			`name: "Test Application",`
			`secret: "test-secret",`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`});`

			`afterAll(async () => {`
			`await deleteUsers();`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`await application.delete();`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`});`

			`describe("/oauth/authorize", () => {`
			`test("should authorize and redirect with valid inputs", async () => {`
			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`iss: new URL(config.http.base_url).origin,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`expect(location.origin + location.pathname).toBe(`
			`application.data.redirectUri,`
			`);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`expect(params.get("code")).toBeTruthy();`
			`expect(params.get("state")).toBe("test-state");`
			`});`

			`test("should return error for invalid JWT", async () => {`
			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			`Cookie: "jwt=invalid-jwt",`
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid JWT, could not verify",`
			`);`
			`});`

			`test("should return error for missing required fields in JWT", async () => {`
			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`iss: new URL(config.http.base_url).origin,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid JWT, missing required fields (aud, sub, exp)",`
			`);`
			`});`

			`test("should return error for user not found", async () => {`
			`const jwt = await new SignJWT({`
			`sub: "non-existent-user",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iss: new URL(config.http.base_url).origin,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid JWT, sub is not a valid user ID",`
			`);`

			`const jwt2 = await new SignJWT({`
			`sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iss: new URL(config.http.base_url).origin,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response2 = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt2}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response2.status).toBe(302);`
			`const location2 = new URL(`
			`response2.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params2 = new URLSearchParams(location2.search);`
			`expect(params2.get("error")).toBe("invalid_request");`
			`expect(params2.get("error_description")).toBe(`
			`"Invalid JWT, could not find associated user",`
			`);`
			`});`

			`test("should return error for user missing required permissions", async () => {`
			`const oldPermissions = config.permissions.default;`
			`config.permissions.default = [];`

			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`iss: new URL(config.http.base_url).origin,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`User is missing the required permission ${RolePermissions.OAuth}`,
			`);`

			`config.permissions.default = oldPermissions;`
			`});`

			`test("should return error for invalid client_id", async () => {`
			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`aud: "invalid-client-id",`
			`iss: new URL(config.http.base_url).origin,`
			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
			`client_id: "invalid-client-id",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid client_id: no associated application found",`
			`);`
			`});`

			`test("should return error for invalid redirect_uri", async () => {`
			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`iss: new URL(config.http.base_url).origin,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`redirect_uri: "https://invalid.com/callback",`
			`response_type: "code",`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`scope: application.data.scopes,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_request");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid redirect_uri: does not match application's redirect_uri",`
			`);`
			`});`

			`test("should return error for invalid scope", async () => {`
			`const jwt = await new SignJWT({`
			`sub: users[0].id,`
			`iss: new URL(config.http.base_url).origin,`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`aud: application.data.clientId,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`exp: Math.floor(Date.now() / 1000) + 60 * 60,`
			`iat: Math.floor(Date.now() / 1000),`
			`nbf: Math.floor(Date.now() / 1000),`
			`})`
			`.setProtectedHeader({ alg: "EdDSA" })`
			`.sign(privateKey);`

			`const response = await fakeRequest("/oauth/authorize", {`
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${tokens[0]?.accessToken}`,
			`"Content-Type": "application/json",`
			Cookie: `jwt=${jwt}`,
			`},`
			`body: JSON.stringify({`
refactor(database): :recycle: Move Applications to our custom ORM 2024-10-23 17:56:47 +02:00			`client_id: application.data.clientId,`
			`redirect_uri: application.data.redirectUri,`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`response_type: "code",`
			`scope: "invalid-scope",`
			`state: "test-state",`
			`code_challenge: randomString(43),`
			`code_challenge_method: "S256",`
			`}),`
			`});`

			`expect(response.status).toBe(302);`
			`const location = new URL(`
			`response.headers.get("Location") ?? "",`
			`config.http.base_url,`
			`);`
			`const params = new URLSearchParams(location.search);`
			`expect(params.get("error")).toBe("invalid_scope");`
			`expect(params.get("error_description")).toBe(`
			`"Invalid scope: not a subset of the application's scopes",`
			`);`
			`});`
			`});`