tests for device auth

nkottary · nkottary · commit 192157a569b7 · 2025-05-08T13:32:21.000Z
diff --git a/src/PkgAuthentication.jl b/src/PkgAuthentication.jl
@@ -504,6 +504,7 @@ function step(state::ClaimToken)::Union{ClaimToken, HasNewToken, Failure}
         body = JSON.parse(String(take!(output)))
         body["client"] = "device"
         body["expires"] = body["expires_in"] + Int(floor(time()))
+        body["expires_at"] = body["expires"]
         body["refresh_url"] = joinpath(state.server, "auth/renew/token.toml/device/") # Need to be careful with auth suffix, if set
         return HasNewToken(state.server, body)
     elseif response isa Downloads.Response && response.status in [401, 400] && is_device
diff --git a/test/authserver.jl b/test/authserver.jl
@@ -59,7 +59,7 @@ function claimtoken_handler(req)
     @show payload
     @show challenge_response_map
     if haskey(challenge_response_map, payload["challenge"]) &&
-       challenge_response_map[payload["challenge"]] == payload["response"]
+        challenge_response_map[payload["challenge"]] == payload["response"]
 
         delete!(challenge_response_map, payload["challenge"])
         delete!(response_challenge_map, payload["response"])
@@ -99,12 +99,81 @@ function check_validity(req)
     return HTTP.Response(200, payload == TOKEN[])
 end
 
+
+
+# --------- Device auth methods -----------------
+
+function openid_configuration(req)
+    return HTTP.Response(
+        200,
+        """ {
+            "device_authorization_endpoint": "http://localhost:8888/auth/device/code",
+            "token_endpoint": "http://localhost:8888/auth/token"
+        } """,
+    )
+end
+
+device_code_user_code_map = Dict{String, Any}()
+user_code_device_code_map = Dict{String, Any}()
+authenticated = Dict{String, Any}()
+function auth_device_code(req)
+    device_code = randstring(64)
+    user_code = randstring(8)
+    device_code_user_code_map[device_code] = user_code
+    user_code_device_code_map[user_code] = device_code
+    return HTTP.Response(
+        200,
+        """ {
+            "device_code": "$device_code",
+            "user_code": "$user_code",
+            "verification_uri_complete": "http://localhost:8888/auth/device?user_code=$user_code",
+            "expires_in": $CHALLENGE_EXPIRY
+        } """,
+    )
+end
+
+function auth_device(req)
+    params = HTTP.queryparams(req)
+    user_code = get(params, "user_code", "")
+    device_code = get(user_code_device_code_map, user_code, nothing)
+    if device_code === nothing
+        return HTTP.Response(400)
+    end
+    authenticated[device_code] = true
+    refresh_token = Random.randstring(10)
+    TOKEN[]["access_token"] = "full-$ID_TOKEN"
+    TOKEN[]["token_type"] = "bearer"
+    TOKEN[]["expires_in"] = EXPIRY
+    TOKEN[]["refresh_token"] = refresh_token
+    TOKEN[]["id_token"] = "full-$ID_TOKEN"
+    return HTTP.Response(200)
+end
+
+function auth_token(req)
+    p = split(String(req.body), "&")
+    d = Dict{String, Any}()
+    for l in p
+        kv = split(String(l), "=")
+        d[String(kv[1])] = String(kv[2])
+    end
+    device_code = get(d, "device_code", nothing)
+    if device_code === nothing || !get(authenticated, device_code, false)
+        return HTTP.Response(401)
+    end
+    return HTTP.Response(200, JSON.json(TOKEN[]))
+end
+
 router = HTTP.Router()
 HTTP.register!(router, "POST", "/auth/challenge", challenge_handler)
 HTTP.register!(router, "GET", "/auth/response", response_handler)
 HTTP.register!(router, "POST", "/auth/claimtoken", claimtoken_handler)
 HTTP.register!(router, "GET", "/auth/renew/token.toml/v2", renew_handler)
 HTTP.register!(router, "POST", "/auth/isvalid", check_validity)
+HTTP.register!(router, "GET", "/.well-known/openid-configuration", openid_configuration)
+HTTP.register!(router, "POST", "/auth/device/code", auth_device_code)
+HTTP.register!(router, "GET", "/auth/device", auth_device)
+HTTP.register!(router, "POST", "/auth/token", auth_token)
+HTTP.register!(router, "GET", "/auth/renew/token.toml/device", renew_handler)
 
 function run()
     println("starting server")
diff --git a/test/tests.jl b/test/tests.jl
@@ -61,6 +61,34 @@ PkgAuthentication.register_open_browser_hook(url -> HTTP.get(url))
     @test startswith(success2.token["id_token"], "refresh-")
 end
 
+ENV["JULIA_PKG_AUTHENTICATION_DEVICE_CLIENT_ID"] = "device"
+
+@testset "auth with running server (device flow)" begin
+    delete_token()
+
+    @info "testing inital auth"
+    success = PkgAuthentication.authenticate(test_pkg_server)
+
+    @test success isa PkgAuthentication.Success
+    @test success.token["expires_at"] > time()
+    @test startswith(success.token["id_token"], "full-")
+    @test !occursin("id_token", sprint(show, success))
+
+    sleeptimer = ceil(Int, success.token["expires_at"]  - time() + 1)
+    @info "sleep for $(sleeptimer)s (until refresh necessary)"
+    sleep(sleeptimer)
+
+    @info "testing auth refresh"
+    success2 = PkgAuthentication.authenticate(test_pkg_server)
+    @test success2 isa PkgAuthentication.Success
+    @test !occursin("id_token", sprint(show, success2))
+    @test success2.token["expires_at"] > time()
+    @test success2.token["refresh_token"] !== success.token["refresh_token"]
+    @test startswith(success2.token["id_token"], "refresh-")
+end
+
+ENV["JULIA_PKG_AUTHENTICATION_DEVICE_CLIENT_ID"] = ""
+
 @testset "PkgAuthentication.install" begin
     delete_token()
 
