versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2025-12-06 00:18:19 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(api): Fix all failing tests

Browse source
This commit is contained in:
Jesse Wierzbinski 2025-08-21 01:15:38 +02:00
parent 1bfc5fb013
commit 6f97903f3b
No known key found for this signature in database
11 changed files with 111 additions and 179 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
config/config.example.toml
View file

@ -466,10 +466,8 @@ forced_openid = false
# If signups.registration is false, it will only be possible to register with OpenID # If signups.registration is false, it will only be possible to register with OpenID
openid_registration = true openid_registration = true
# [authentication.keys] # Run Versia Server with this value missing to generate a new key
# Run Versia Server with those values missing to generate a new key # key = ""
# public = ""
# private = ""
# The provider MUST support OpenID Connect with .well-known discovery # The provider MUST support OpenID Connect with .well-known discovery
# Most notably, GitHub does not support this # Most notably, GitHub does not support this

2
packages/api/routes/api/auth/login/index.ts
View file

@ -153,7 +153,7 @@ export default apiRoute((app) =>
iat: Math.floor(Date.now() / 1000), iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000), nbf: Math.floor(Date.now() / 1000),
}, },
config.authentication.keys.private, config.authentication.key,
); );
const application = await Application.fromClientId(client_id); const application = await Application.fromClientId(client_id);

92
packages/api/routes/oauth.test.ts
View file

@ -1,17 +1,11 @@
import { afterAll, describe, expect, test } from "bun:test"; import { afterAll, describe, expect, test } from "bun:test";
import type { Token } from "@versia/client/schemas";
import { import {
fakeRequest, fakeRequest,
generateClient, generateClient,
getTestUsers, getTestUsers,
} from "@versia-server/tests"; } from "@versia-server/tests";
import type { z } from "zod/v4";
let clientId: string; let clientId: string;
let clientSecret: string;
let code: string;
let jwt: string;
let token: z.infer<typeof Token>;
const { users, passwords, deleteUsers } = await getTestUsers(1); const { users, passwords, deleteUsers } = await getTestUsers(1);
afterAll(async () => { afterAll(async () => {
@ -41,7 +35,6 @@ describe("Login flow", () => {
}); });
clientId = data.client_id; clientId = data.client_id;
clientSecret = data.client_secret;
}); });
test("should get a JWT", async () => { test("should get a JWT", async () => {
@ -60,89 +53,8 @@ describe("Login flow", () => {
expect(response.status).toBe(302); expect(response.status).toBe(302);
jwt = //jwt = response.headers.get("Set-Cookie")?.match(/jwt=([^;]+);/)?.[1] ?? "";
response.headers.get("Set-Cookie")?.match(/jwt=([^;]+);/)?.[1] ??
"";
}); });
test("should get a code", async () => { // TODO: Test full flow including OpenID part
const response = await fakeRequest("/oauth/authorize", {
method: "POST",
headers: {
Cookie: `jwt=${jwt}`,
},
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
redirect_uri: "https://example.com",
response_type: "code",
scope: "read write",
max_age: "604800",
}),
});
expect(response.status).toBe(302);
expect(response.headers.get("location")).toBeDefined();
const locationHeader = new URL(
response.headers.get("Location") ?? "",
"",
);
expect(locationHeader.origin).toBe("https://example.com");
code = locationHeader.searchParams.get("code") ?? "";
});
test("should get an access token", async () => {
const response = await fakeRequest("/oauth/token", {
method: "POST",
headers: {
Authorization: `Bearer ${jwt}`,
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams({
grant_type: "authorization_code",
code,
redirect_uri: "https://example.com",
client_id: clientId,
client_secret: clientSecret,
scope: "read write",
}),
});
const json = await response.json();
expect(response.status).toBe(200);
expect(response.headers.get("content-type")).toContain(
"application/json",
);
expect(json).toEqual({
access_token: expect.any(String),
token_type: "Bearer",
scope: "read write",
created_at: expect.any(Number),
expires_in: expect.any(Number),
id_token: null,
refresh_token: null,
});
token = json;
});
test("should return the authenticated application's credentials", async () => {
const client = await generateClient(users[0]);
const { ok, data } = await client.verifyAppCredentials({
headers: {
Authorization: `Bearer ${token.access_token}`,
},
});
expect(ok).toBe(true);
const credentials = data;
expect(credentials.name).toBe("Test Application");
expect(credentials.website).toBe("https://example.com");
});
}); });

0
packages/api/routes/api/oauth/revoke.test.ts → packages/api/routes/oauth/revoke.test.ts
View file

0
packages/api/routes/api/oauth/revoke.ts → packages/api/routes/oauth/revoke.ts
View file

2
packages/api/routes/api/oauth/sso/[issuer]/callback.ts → packages/api/routes/oauth/sso/[issuer]/callback.ts
View file

@ -286,7 +286,7 @@ export default apiRoute((app) => {
iat: Math.floor(Date.now() / 1000), iat: Math.floor(Date.now() / 1000),
nbf: Math.floor(Date.now() / 1000), nbf: Math.floor(Date.now() / 1000),
}, },
config.authentication.keys.private, config.authentication.key,
); );
// Redirect back to application // Redirect back to application

0
packages/api/routes/api/oauth/sso/[issuer]/index.ts → packages/api/routes/oauth/sso/[issuer]/index.ts
View file

64
packages/api/routes/api/oauth/token.test.ts → packages/api/routes/oauth/token.test.ts
View file

@ -1,7 +1,10 @@
import { afterAll, describe, expect, test } from "bun:test"; import { afterAll, describe, expect, test } from "bun:test";
import { Application, Token } from "@versia-server/kit/db"; import { Application, db } from "@versia-server/kit/db";
import { fakeRequest, getTestUsers } from "@versia-server/tests"; import { fakeRequest, getTestUsers } from "@versia-server/tests";
import { randomUUIDv7 } from "bun"; import { randomUUIDv7 } from "bun";
import { eq } from "drizzle-orm";
import { randomString } from "@/math";
import { AuthorizationCodes } from "~/packages/kit/tables/schema";
const { deleteUsers, users } = await getTestUsers(1); const { deleteUsers, users } = await getTestUsers(1);
@ -13,19 +16,25 @@ const application = await Application.insert({
name: "Test Application", name: "Test Application",
}); });
const token = await Token.insert({ const authorizationCode = (
id: randomUUIDv7(), await db
clientId: application.data.id, .insert(AuthorizationCodes)
accessToken: "test-access-token", .values({
expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(), clientId: application.id,
createdAt: new Date().toISOString(), code: randomString(10),
userId: users[0].id, redirectUri: application.data.redirectUris[0],
}); userId: users[0].id,
expiresAt: new Date(Date.now() + 300 * 1000).toISOString(),
})
.returning()
)[0];
afterAll(async () => { afterAll(async () => {
await deleteUsers(); await deleteUsers();
await application.delete(); await application.delete();
await token.delete(); await db
.delete(AuthorizationCodes)
.where(eq(AuthorizationCodes.code, authorizationCode.code));
}); });
describe("/oauth/token", () => { describe("/oauth/token", () => {
@ -37,7 +46,7 @@ describe("/oauth/token", () => {
}, },
body: JSON.stringify({ body: JSON.stringify({
grant_type: "authorization_code", grant_type: "authorization_code",
code: "test-code", code: authorizationCode.code,
redirect_uri: application.data.redirectUris[0], redirect_uri: application.data.redirectUris[0],
client_id: application.data.id, client_id: application.data.id,
client_secret: application.data.secret, client_secret: application.data.secret,
@ -46,9 +55,9 @@ describe("/oauth/token", () => {
expect(response.status).toBe(200); expect(response.status).toBe(200);
const body = await response.json(); const body = await response.json();
expect(body.access_token).toBe("test-access-token"); expect(body.access_token).toBeString();
expect(body.token_type).toBe("Bearer"); expect(body.token_type).toBe("Bearer");
expect(body.expires_in).toBeGreaterThan(0); expect(body.expires_in).toBeNull();
}); });
test("should return error for missing code", async () => { test("should return error for missing code", async () => {
@ -65,10 +74,9 @@ describe("/oauth/token", () => {
}), }),
}); });
expect(response.status).toBe(401); expect(response.status).toBe(422);
const body = await response.json(); const body = await response.json();
expect(body.error).toBe("invalid_request"); expect(body.error).toInclude(`Expected string at "code"`);
expect(body.error_description).toBe("Code is required");
}); });
test("should return error for missing redirect_uri", async () => { test("should return error for missing redirect_uri", async () => {
@ -79,16 +87,15 @@ describe("/oauth/token", () => {
}, },
body: JSON.stringify({ body: JSON.stringify({
grant_type: "authorization_code", grant_type: "authorization_code",
code: "test-code", code: authorizationCode.code,
client_id: application.data.id, client_id: application.data.id,
client_secret: application.data.secret, client_secret: application.data.secret,
}), }),
}); });
expect(response.status).toBe(401); expect(response.status).toBe(422);
const body = await response.json(); const body = await response.json();
expect(body.error).toBe("invalid_request"); expect(body.error).toInclude(`Expected string at "redirect_uri"`);
expect(body.error_description).toBe("Redirect URI is required");
}); });
test("should return error for missing client_id", async () => { test("should return error for missing client_id", async () => {
@ -99,16 +106,15 @@ describe("/oauth/token", () => {
}, },
body: JSON.stringify({ body: JSON.stringify({
grant_type: "authorization_code", grant_type: "authorization_code",
code: "test-code", code: authorizationCode.code,
redirect_uri: application.data.redirectUris[0], redirect_uri: application.data.redirectUris[0],
client_secret: application.data.secret, client_secret: application.data.secret,
}), }),
}); });
expect(response.status).toBe(401); expect(response.status).toBe(422);
const body = await response.json(); const body = await response.json();
expect(body.error).toBe("invalid_request"); expect(body.error).toInclude(`Expected string at "client_id"`);
expect(body.error_description).toBe("Client ID is required");
}); });
test("should return error for invalid client credentials", async () => { test("should return error for invalid client credentials", async () => {
@ -119,7 +125,7 @@ describe("/oauth/token", () => {
}, },
body: JSON.stringify({ body: JSON.stringify({
grant_type: "authorization_code", grant_type: "authorization_code",
code: "test-code", code: authorizationCode.code,
redirect_uri: application.data.redirectUris[0], redirect_uri: application.data.redirectUris[0],
client_id: application.data.id, client_id: application.data.id,
client_secret: "invalid-secret", client_secret: "invalid-secret",
@ -147,10 +153,12 @@ describe("/oauth/token", () => {
}), }),
}); });
expect(response.status).toBe(401); expect(response.status).toBe(404);
const body = await response.json(); const body = await response.json();
expect(body.error).toBe("invalid_grant"); expect(body.error).toBe("invalid_grant");
expect(body.error_description).toBe("Code not found"); expect(body.error_description).toBe(
"Authorization code not found or expired",
);
}); });
test("should return error for unsupported grant type", async () => { test("should return error for unsupported grant type", async () => {
@ -161,7 +169,7 @@ describe("/oauth/token", () => {
}, },
body: JSON.stringify({ body: JSON.stringify({
grant_type: "refresh_token", grant_type: "refresh_token",
code: "test-code", code: authorizationCode.code,
redirect_uri: application.data.redirectUris[0], redirect_uri: application.data.redirectUris[0],
client_id: application.data.id, client_id: application.data.id,
client_secret: application.data.secret, client_secret: application.data.secret,

13
packages/api/routes/api/oauth/token.ts → packages/api/routes/oauth/token.ts
View file

@ -63,9 +63,19 @@ export default apiRoute((app) => {
handleZodError, handleZodError,
), ),
async (context) => { async (context) => {
const { code, client_id, client_secret, redirect_uri } = const { code, client_id, client_secret, redirect_uri, grant_type } =
context.req.valid("json"); context.req.valid("json");
if (grant_type !== "authorization_code") {
return context.json(
{
error: "unsupported_grant_type",
error_description: "Unsupported grant type",
},
401,
);
}
// Verify the client_secret // Verify the client_secret
const client = await Application.fromClientId(client_id); const client = await Application.fromClientId(client_id);
@ -108,6 +118,7 @@ export default apiRoute((app) => {
clientId: client.id, clientId: client.id,
id: randomUUIDv7(), id: randomUUIDv7(),
userId: authorizationCode.userId, userId: authorizationCode.userId,
expiresAt: null,
}); });
// Invalidate the code // Invalidate the code

106
packages/config/index.ts
View file

@ -6,7 +6,6 @@ import ISO6391 from "iso-639-1";
import { types as mimeTypes } from "mime-types"; import { types as mimeTypes } from "mime-types";
import { generateVAPIDKeys } from "web-push"; import { generateVAPIDKeys } from "web-push";
import { z } from "zod/v4"; import { z } from "zod/v4";
import { fromZodError } from "zod-validation-error";
export class ProxiableUrl extends URL { export class ProxiableUrl extends URL {
private isAllowedOrigin(): boolean { private isAllowedOrigin(): boolean {
@ -174,9 +173,10 @@ export const keyPair = z
await crypto.subtle.exportKey("spki", keys.publicKey), await crypto.subtle.exportKey("spki", keys.publicKey),
).toString("base64"); ).toString("base64");
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: `Public and private keys are not set. Here are generated keys for you to copy.\n\nPublic: ${publicKey}\nPrivate: ${privateKey}`, message: `Public and private keys are not set. Here are generated keys for you to copy.\n\nPublic: ${publicKey}\nPrivate: ${privateKey}`,
input: k,
}); });
return z.NEVER; return z.NEVER;
@ -194,9 +194,10 @@ export const keyPair = z
["verify"], ["verify"],
); );
} catch { } catch {
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: "Public key is invalid", message: "Public key is invalid",
input: k,
}); });
return z.NEVER; return z.NEVER;
@ -211,9 +212,10 @@ export const keyPair = z
["sign"], ["sign"],
); );
} catch { } catch {
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: "Private key is invalid", message: "Private key is invalid",
input: k,
}); });
return z.NEVER; return z.NEVER;
@ -235,9 +237,10 @@ export const vapidKeyPair = z
if (!(k?.public && k?.private)) { if (!(k?.public && k?.private)) {
const keys = generateVAPIDKeys(); const keys = generateVAPIDKeys();
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: `VAPID keys are not set. Here are generated keys for you to copy.\n\nPublic: ${keys.publicKey}\nPrivate: ${keys.privateKey}`, message: `VAPID keys are not set. Here are generated keys for you to copy.\n\nPublic: ${keys.publicKey}\nPrivate: ${keys.privateKey}`,
input: k,
}); });
return z.NEVER; return z.NEVER;
@ -246,51 +249,55 @@ export const vapidKeyPair = z
return k; return k;
}); });
export const hmacKey = sensitiveString.transform(async (text, ctx) => { export const hmacKey = sensitiveString
if (!text) { .optional()
const key = await crypto.subtle.generateKey( .transform(async (text, ctx) => {
{ if (!text) {
name: "HMAC", const key = await crypto.subtle.generateKey(
hash: "SHA-256", {
}, name: "HMAC",
true, hash: "SHA-256",
["sign"], },
); true,
["sign"],
);
const exported = await crypto.subtle.exportKey("raw", key); const exported = await crypto.subtle.exportKey("raw", key);
const base64 = Buffer.from(exported).toString("base64"); const base64 = Buffer.from(exported).toString("base64");
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: `HMAC key is not set. Here is a generated key for you to copy: ${base64}`, message: `HMAC key is not set. Here is a generated key for you to copy: ${base64}`,
}); input: text,
});
return z.NEVER; return z.NEVER;
} }
try { try {
await crypto.subtle.importKey( await crypto.subtle.importKey(
"raw", "raw",
Buffer.from(text, "base64"), Buffer.from(text, "base64"),
{ {
name: "HMAC", name: "HMAC",
hash: "SHA-256", hash: "SHA-256",
}, },
true, true,
["sign"], ["sign"],
); );
} catch { } catch {
ctx.addIssue({ ctx.issues.push({
code: "custom", code: "custom",
error: "HMAC key is invalid", message: "HMAC key is invalid",
}); input: text,
});
return z.NEVER; return z.NEVER;
} }
return text; return text;
}); });
export const ConfigSchema = z export const ConfigSchema = z
.strictObject({ .strictObject({
@ -807,7 +814,7 @@ export const ConfigSchema = z
) )
.default([]), .default([]),
openid_registration: z.boolean().default(true), openid_registration: z.boolean().default(true),
keys: keyPair, key: hmacKey,
}), }),
}) })
.refine( .refine(
@ -840,9 +847,8 @@ if (!parsed.success) {
console.error( console.error(
"⚠ Here is the error message, please fix the configuration file accordingly:", "⚠ Here is the error message, please fix the configuration file accordingly:",
); );
const errorMessage = fromZodError(parsed.error).message;
console.info(errorMessage); console.info(z.prettifyError(parsed.error));
throw new Error("Configuration file is invalid."); throw new Error("Configuration file is invalid.");
} }

5
utils/bull-board.ts
View file

@ -57,10 +57,7 @@ export const applyToHono = (app: Hono<HonoEnv>): void => {
throw new ApiError(401, "Missing JWT cookie"); throw new ApiError(401, "Missing JWT cookie");
} }
const result = await verify( const result = await verify(jwtCookie, config.authentication.key);
jwtCookie,
config.authentication.keys.public,
);
const { sub } = result; const { sub } = result;