diff --git a/packages/backend/test/e2e/oauth.ts b/packages/backend/test/e2e/oauth.ts index d52853aa6b..66c3a970bc 100644 --- a/packages/backend/test/e2e/oauth.ts +++ b/packages/backend/test/e2e/oauth.ts @@ -95,7 +95,6 @@ describe('OAuth', () => { const location = new URL(decisionResponse.headers.get('location')!); assert.strictEqual(location.origin + location.pathname, redirect_uri); - assert.ok(location.searchParams.has('code')); assert.strictEqual(location.searchParams.get('state'), 'state'); @@ -366,11 +365,54 @@ describe('OAuth', () => { // TODO: error code (invalid_token) }); + describe('Redirection', () => { + test('Invalid redirect_uri at authorization endpoint', async () => { + const client = getClient(); + + const response = await fetch(client.authorizeURL({ + redirect_uri: 'http://127.0.0.2/', + scope: 'write:notes', + state: 'state', + code_challenge: 'code', + code_challenge_method: 'S256', + })); + // TODO: status code + assert.strictEqual(response.status, 500); + }); + + test('Invalid redirect_uri at token endpoint', async () => { + const { code_challenge, code_verifier } = pkceChallenge.default(128); + + const client = getClient(); + + const response = await fetch(client.authorizeURL({ + redirect_uri, + scope: 'write:notes', + state: 'state', + code_challenge, + code_challenge_method: 'S256', + })); + assert.strictEqual(response.status, 200); + + const decisionResponse = await fetchDecisionFromResponse(response, alice); + assert.strictEqual(decisionResponse.status, 302); + + const location = new URL(decisionResponse.headers.get('location')!); + assert.ok(location.searchParams.has('code')); + + await assert.rejects(client.getToken({ + code: location.searchParams.get('code')!, + redirect_uri: 'http://127.0.0.2/', + code_verifier, + })); + }); + + // TODO: disallow random same-origin URLs with strict redirect_uris with client information discovery + }); + // TODO: .well-known/oauth-authorization-server // TODO: authorizing two users concurrently - // TODO: invalid redirect_uri (at authorize / at token) - // TODO: Error format required by OAuth spec });