mirror of
https://github.com/Monadical-SAS/reflector.git
synced 2026-03-21 22:56:47 +00:00
89 lines
2.7 KiB
TypeScript
89 lines
2.7 KiB
TypeScript
// env vars must be set before any module imports
|
|
process.env.AUTHENTIK_REFRESH_TOKEN_URL =
|
|
"https://authentik.example.com/application/o/token/";
|
|
process.env.AUTHENTIK_ISSUER =
|
|
"https://authentik.example.com/application/o/reflector/";
|
|
process.env.AUTHENTIK_CLIENT_ID = "test-client-id";
|
|
process.env.AUTHENTIK_CLIENT_SECRET = "test-client-secret";
|
|
process.env.SERVER_API_URL = "http://localhost:1250";
|
|
process.env.FEATURE_REQUIRE_LOGIN = "true";
|
|
// must NOT be "credentials" so authOptions() returns the Authentik path
|
|
delete process.env.AUTH_PROVIDER;
|
|
|
|
jest.mock("../next", () => ({ isBuildPhase: false }));
|
|
|
|
jest.mock("../features", () => ({
|
|
featureEnabled: (name: string) => name === "requireLogin",
|
|
}));
|
|
|
|
jest.mock("../redisClient", () => ({
|
|
tokenCacheRedis: {},
|
|
redlock: {
|
|
using: jest.fn((_keys: string[], _ttl: number, fn: () => unknown) => fn()),
|
|
},
|
|
}));
|
|
|
|
jest.mock("../redisTokenCache", () => ({
|
|
getTokenCache: jest.fn().mockResolvedValue(null),
|
|
setTokenCache: jest.fn().mockResolvedValue(undefined),
|
|
deleteTokenCache: jest.fn().mockResolvedValue(undefined),
|
|
}));
|
|
|
|
const mockFetch = jest.fn();
|
|
global.fetch = mockFetch;
|
|
|
|
import { authOptions } from "../authBackend";
|
|
|
|
describe("Authentik token refresh", () => {
|
|
beforeEach(() => {
|
|
mockFetch.mockReset();
|
|
});
|
|
|
|
test("refresh request preserves trailing slash in token URL", async () => {
|
|
mockFetch.mockResolvedValue({
|
|
ok: true,
|
|
json: async () => ({
|
|
access_token: "new-access-token",
|
|
expires_in: 300,
|
|
refresh_token: "new-refresh-token",
|
|
}),
|
|
});
|
|
|
|
const options = authOptions();
|
|
const jwtCallback = options.callbacks!.jwt!;
|
|
|
|
// Simulate a returning user whose access token has expired (no account/user = not initial login)
|
|
const expiredToken = {
|
|
sub: "test-user-123",
|
|
accessToken: "expired-access-token",
|
|
accessTokenExpires: Date.now() - 60_000,
|
|
refreshToken: "old-refresh-token",
|
|
};
|
|
|
|
await jwtCallback({
|
|
token: expiredToken,
|
|
user: undefined as any,
|
|
account: null,
|
|
profile: undefined,
|
|
trigger: "update",
|
|
isNewUser: false,
|
|
session: undefined,
|
|
});
|
|
|
|
// The refresh POST must go to the exact URL from the env var (trailing slash included)
|
|
expect(mockFetch).toHaveBeenCalledWith(
|
|
"https://authentik.example.com/application/o/token/",
|
|
expect.objectContaining({
|
|
method: "POST",
|
|
body: expect.any(String),
|
|
}),
|
|
);
|
|
|
|
const body = new URLSearchParams(mockFetch.mock.calls[0][1].body);
|
|
expect(body.get("grant_type")).toBe("refresh_token");
|
|
expect(body.get("refresh_token")).toBe("old-refresh-token");
|
|
expect(body.get("client_id")).toBe("test-client-id");
|
|
expect(body.get("client_secret")).toBe("test-client-secret");
|
|
});
|
|
});
|