yaak-mountain-loop/plugins/auth-oauth2/tests/util.test.ts

import { describe, expect, test } from "vite-plus/test";
import { extractCode } from "../src/util";

describe("extractCode", () => {
  test("extracts code from query when same origin + path", () => {
    const url = "https://app.example.com/cb?code=abc123&state=xyz";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("abc123");
  });

  test("extracts code from query with weird path", () => {
    const url = "https://app.example.com/cbwithextra?code=abc123&state=xyz";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBeNull();
  });

  test("allows trailing slash differences", () => {
    expect(extractCode("https://app.example.com/cb/?code=abc", "https://app.example.com/cb")).toBe(
      "abc",
    );
    expect(extractCode("https://app.example.com/cb?code=abc", "https://app.example.com/cb/")).toBe(
      "abc",
    );
  });

  test("treats default ports as equal (https:443, http:80)", () => {
    expect(
      extractCode("https://app.example.com/cb?code=abc", "https://app.example.com:443/cb"),
    ).toBe("abc");
    expect(extractCode("http://app.example.com/cb?code=abc", "http://app.example.com:80/cb")).toBe(
      "abc",
    );
  });

  test("rejects different port", () => {
    expect(
      extractCode("https://app.example.com/cb?code=abc", "https://app.example.com:8443/cb"),
    ).toBeNull();
  });

  test("rejects different hostname (including subdomain changes)", () => {
    expect(
      extractCode("https://evil.example.com/cb?code=abc", "https://app.example.com/cb"),
    ).toBeNull();
  });

  test("requires path to start with redirect path (ignoring query/hash)", () => {
    // same origin but wrong path -> null
    expect(
      extractCode("https://app.example.com/other?code=abc", "https://app.example.com/cb"),
    ).toBeNull();

    // deeper subpath under the redirect path -> allowed (prefix match)
    expect(
      extractCode("https://app.example.com/cb/deep?code=abc", "https://app.example.com/cb"),
    ).toBe("abc");
  });

  test("works with custom schemes", () => {
    expect(extractCode("myapp://cb?code=abc", "myapp://cb")).toBe("abc");
  });

  test("prefers query over fragment when both present", () => {
    const url = "https://app.example.com/cb?code=queryCode#code=hashCode";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("queryCode");
  });

  test("extracts code from fragment when query lacks code", () => {
    const url = "https://app.example.com/cb#code=fromHash&state=xyz";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("fromHash");
  });

  test("returns null if no code present (query or fragment)", () => {
    const url = "https://app.example.com/cb?state=only";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBeNull();
  });

  test("returns null when provider reports an error", () => {
    const url = "https://app.example.com/cb?error=access_denied&error_description=oopsy";
    const redirect = "https://app.example.com/cb";
    expect(() => extractCode(url, redirect)).toThrow("Failed to authorize: access_denied");
  });

  test("when redirectUri is null, extracts code from any URL", () => {
    expect(extractCode("https://random.example.com/whatever?code=abc", null)).toBe("abc");
  });

  test("handles extra params gracefully", () => {
    const url = "https://app.example.com/cb?foo=1&bar=2&code=abc&baz=3";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("abc");
  });

  test("ignores fragment noise when code is in query", () => {
    const url = "https://app.example.com/cb?code=abc#some=thing";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("abc");
  });

  // If you decide NOT to support fragment-based codes, flip these to expect null or mark as .skip
  test("supports fragment-only code for response_mode=fragment providers", () => {
    const url = "https://app.example.com/cb#state=xyz&code=abc";
    const redirect = "https://app.example.com/cb";
    expect(extractCode(url, redirect)).toBe("abc");
  });
});