cleanup

whoiskatrin · whoiskatrin · commit 3671c99e3e7e · 2025-08-07T14:01:20.000+01:00
diff --git a/__tests__/oauth-provider.test.ts b/__tests__/oauth-provider.test.ts
@@ -365,6 +365,23 @@ describe('OAuthProvider', () => {
       expect(grants.keys.length).toBe(1);
     });
 
+    it('should reject authorization request with invalid redirect URI', async () => {
+      // Create an authorization request with an invalid redirect URI
+      const invalidRedirectUri = 'https://attacker.example.com/callback';
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+          `&redirect_uri=${encodeURIComponent(invalidRedirectUri)}` +
+          `&scope=read%20write&state=xyz123`
+      );
+
+      // Expect the request to be rejected
+      await expect(oauthProvider.fetch(authRequest, mockEnv, mockCtx)).rejects.toThrow('Invalid redirect URI');
+
+      // Verify no grant was created
+      const grants = await mockEnv.OAUTH_KV.list({ prefix: 'grant:' });
+      expect(grants.keys.length).toBe(0);
+    });
+
     // Add more tests for auth code flow...
   });
 
@@ -694,6 +711,44 @@ describe('OAuthProvider', () => {
       expect(tokens.expires_in).toBe(3600);
     });
 
+    it('should reject token exchange with code_verifier when PKCE was not used in authorization', async () => {
+      // First get an auth code WITHOUT using PKCE
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+          `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+          `&scope=read%20write&state=xyz123`
+      );
+
+      const authResponse = await oauthProvider.fetch(authRequest, mockEnv, mockCtx);
+      const location = authResponse.headers.get('Location')!;
+      const url = new URL(location);
+      const code = url.searchParams.get('code')!;
+
+      // Now exchange the code and incorrectly provide a code_verifier
+      const params = new URLSearchParams();
+      params.append('grant_type', 'authorization_code');
+      params.append('code', code);
+      params.append('redirect_uri', redirectUri);
+      params.append('client_id', clientId);
+      params.append('client_secret', clientSecret);
+      params.append('code_verifier', 'some_random_verifier_that_wasnt_used_in_auth');
+
+      const tokenRequest = createMockRequest(
+        'https://example.com/oauth/token',
+        'POST',
+        { 'Content-Type': 'application/x-www-form-urlencoded' },
+        params.toString()
+      );
+
+      const tokenResponse = await oauthProvider.fetch(tokenRequest, mockEnv, mockCtx);
+
+      // Should fail because code_verifier is provided but PKCE wasn't used in authorization
+      expect(tokenResponse.status).toBe(400);
+      const error = await tokenResponse.json();
+      expect(error.error).toBe('invalid_request');
+      expect(error.error_description).toBe('code_verifier provided for a flow that did not use PKCE');
+    });
+
     it('should accept the access token for API requests', async () => {
       // Get an auth code
       const authRequest = createMockRequest(
@@ -2047,6 +2102,135 @@ describe('OAuthProvider', () => {
     });
   });
 
+  describe('API Route Configuration', () => {
+    it('should support multi-handler configuration with apiHandlers', async () => {
+      // Create handler classes for different API routes
+      class UsersApiHandler extends WorkerEntrypoint {
+        fetch(request: Request) {
+          return new Response('Users API response', { status: 200 });
+        }
+      }
+
+      class DocumentsApiHandler extends WorkerEntrypoint {
+        fetch(request: Request) {
+          return new Response('Documents API response', { status: 200 });
+        }
+      }
+
+      // Create provider with multi-handler configuration
+      const providerWithMultiHandler = new OAuthProvider({
+        apiHandlers: {
+          '/api/users/': UsersApiHandler,
+          '/api/documents/': DocumentsApiHandler,
+        },
+        defaultHandler: testDefaultHandler,
+        authorizeEndpoint: '/authorize',
+        tokenEndpoint: '/oauth/token',
+        clientRegistrationEndpoint: '/oauth/register', // Important for registering clients in the test
+        scopesSupported: ['read', 'write'],
+      });
+
+      // Create a client and get an access token
+      const clientData = {
+        redirect_uris: ['https://client.example.com/callback'],
+        client_name: 'Test Client',
+        token_endpoint_auth_method: 'client_secret_basic',
+      };
+
+      const registerRequest = createMockRequest(
+        'https://example.com/oauth/register',
+        'POST',
+        { 'Content-Type': 'application/json' },
+        JSON.stringify(clientData)
+      );
+
+      const registerResponse = await providerWithMultiHandler.fetch(registerRequest, mockEnv, mockCtx);
+      const client = await registerResponse.json();
+      const clientId = client.client_id;
+      const clientSecret = client.client_secret;
+      const redirectUri = 'https://client.example.com/callback';
+
+      // Get an auth code
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+          `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+          `&scope=read%20write&state=xyz123`
+      );
+
+      const authResponse = await providerWithMultiHandler.fetch(authRequest, mockEnv, mockCtx);
+      const location = authResponse.headers.get('Location')!;
+      const code = new URL(location).searchParams.get('code')!;
+
+      // Exchange for tokens
+      const params = new URLSearchParams();
+      params.append('grant_type', 'authorization_code');
+      params.append('code', code);
+      params.append('redirect_uri', redirectUri);
+      params.append('client_id', clientId);
+      params.append('client_secret', clientSecret);
+
+      const tokenRequest = createMockRequest(
+        'https://example.com/oauth/token',
+        'POST',
+        { 'Content-Type': 'application/x-www-form-urlencoded' },
+        params.toString()
+      );
+
+      const tokenResponse = await providerWithMultiHandler.fetch(tokenRequest, mockEnv, mockCtx);
+      const tokens = await tokenResponse.json();
+      const accessToken = tokens.access_token;
+
+      // Make requests to different API routes
+      const usersApiRequest = createMockRequest('https://example.com/api/users/profile', 'GET', {
+        Authorization: `Bearer ${accessToken}`,
+      });
+
+      const documentsApiRequest = createMockRequest('https://example.com/api/documents/list', 'GET', {
+        Authorization: `Bearer ${accessToken}`,
+      });
+
+      // Request to Users API should be handled by UsersApiHandler
+      const usersResponse = await providerWithMultiHandler.fetch(usersApiRequest, mockEnv, mockCtx);
+      expect(usersResponse.status).toBe(200);
+      expect(await usersResponse.text()).toBe('Users API response');
+
+      // Request to Documents API should be handled by DocumentsApiHandler
+      const documentsResponse = await providerWithMultiHandler.fetch(documentsApiRequest, mockEnv, mockCtx);
+      expect(documentsResponse.status).toBe(200);
+      expect(await documentsResponse.text()).toBe('Documents API response');
+    });
+
+    it('should throw an error when both single-handler and multi-handler configs are provided', () => {
+      expect(() => {
+        new OAuthProvider({
+          apiRoute: '/api/',
+          apiHandler: {
+            fetch: () => Promise.resolve(new Response()),
+          },
+          apiHandlers: {
+            '/api/users/': {
+              fetch: () => Promise.resolve(new Response()),
+            },
+          },
+          defaultHandler: testDefaultHandler,
+          authorizeEndpoint: '/authorize',
+          tokenEndpoint: '/oauth/token',
+        });
+      }).toThrow('Cannot use both apiRoute/apiHandler and apiHandlers');
+    });
+
+    it('should throw an error when neither single-handler nor multi-handler config is provided', () => {
+      expect(() => {
+        new OAuthProvider({
+          // Intentionally omitting apiRoute and apiHandler and apiHandlers
+          defaultHandler: testDefaultHandler,
+          authorizeEndpoint: '/authorize',
+          tokenEndpoint: '/oauth/token',
+        });
+      }).toThrow('Must provide either apiRoute + apiHandler OR apiHandlers');
+    });
+  });
+
   describe('Token Revocation', () => {
     let clientId: string;
     let clientSecret: string;
