173 lines
6.4 KiB
JavaScript
173 lines
6.4 KiB
JavaScript
/**
|
|
* Unit tests for Codex (OpenAI) refresh token mechanism
|
|
*
|
|
* Verifies that:
|
|
* - Early refresh lead times are configured per provider (synced with CLIProxyAPI)
|
|
* - New refresh_token from response is persisted (token rotation)
|
|
* - Falls back to old refresh_token when server doesn't return new one
|
|
*/
|
|
|
|
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
|
|
|
|
const originalFetch = global.fetch;
|
|
|
|
describe("Codex Refresh Token", () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks();
|
|
vi.resetModules();
|
|
global.fetch = originalFetch;
|
|
});
|
|
|
|
afterEach(() => {
|
|
global.fetch = originalFetch;
|
|
});
|
|
|
|
function mockFetchWithJson(payload) {
|
|
const fetchMock = vi.fn().mockResolvedValue({
|
|
ok: true,
|
|
json: () => Promise.resolve(payload),
|
|
});
|
|
global.fetch = fetchMock;
|
|
return fetchMock;
|
|
}
|
|
|
|
describe("refreshCodexToken", () => {
|
|
it("should return new refresh_token when server provides one (token rotation)", async () => {
|
|
const fetchMock = mockFetchWithJson({
|
|
access_token: "new-access",
|
|
refresh_token: "rotated-refresh-token",
|
|
id_token: "new-id-token",
|
|
expires_in: 3600,
|
|
});
|
|
|
|
const { refreshCodexToken } = await import("../../open-sse/services/tokenRefresh.js");
|
|
const result = await refreshCodexToken("old-refresh-token", null);
|
|
|
|
expect(result.refreshToken).toBe("rotated-refresh-token");
|
|
expect(result.accessToken).toBe("new-access");
|
|
expect(result.idToken).toBe("new-id-token");
|
|
expect(fetchMock).toHaveBeenCalledWith(
|
|
"https://auth.openai.com/oauth/token",
|
|
expect.objectContaining({
|
|
method: "POST",
|
|
headers: expect.objectContaining({
|
|
"Content-Type": "application/json",
|
|
Accept: "application/json",
|
|
}),
|
|
body: JSON.stringify({
|
|
client_id: "app_EMoamEEZ73f0CkXaXp7hrann",
|
|
grant_type: "refresh_token",
|
|
refresh_token: "old-refresh-token",
|
|
}),
|
|
})
|
|
);
|
|
});
|
|
|
|
it("should keep old refresh_token when server does not return new one", async () => {
|
|
mockFetchWithJson({
|
|
access_token: "new-access",
|
|
expires_in: 3600,
|
|
});
|
|
|
|
const { refreshCodexToken } = await import("../../open-sse/services/tokenRefresh.js");
|
|
const result = await refreshCodexToken("old-refresh-token-without-rotation", null);
|
|
|
|
expect(result.refreshToken).toBe("old-refresh-token-without-rotation");
|
|
});
|
|
});
|
|
|
|
describe("CodexExecutor credential lifecycle", () => {
|
|
it("should refresh Codex credentials and preserve omitted id_token", async () => {
|
|
mockFetchWithJson({
|
|
access_token: "new-access",
|
|
refresh_token: "rotated-refresh-token",
|
|
expires_in: 3600,
|
|
});
|
|
|
|
const { CodexExecutor } = await import("../../open-sse/executors/codex.js");
|
|
const executor = new CodexExecutor();
|
|
const result = await executor.refreshCredentials({
|
|
connectionId: "codex-1",
|
|
refreshToken: "old-refresh-token",
|
|
idToken: "old-id-token",
|
|
}, null);
|
|
|
|
expect(result.accessToken).toBe("new-access");
|
|
expect(result.refreshToken).toBe("rotated-refresh-token");
|
|
expect(result.idToken).toBe("old-id-token");
|
|
expect(result.lastRefreshAt).toBeTruthy();
|
|
expect(result.expiresAt).toBeTruthy();
|
|
});
|
|
|
|
it("should refresh Codex when lastRefreshAt is older than the upstream stale window", async () => {
|
|
const { CodexExecutor } = await import("../../open-sse/executors/codex.js");
|
|
const executor = new CodexExecutor();
|
|
const farFuture = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString();
|
|
const staleRefresh = new Date(Date.now() - 9 * 24 * 60 * 60 * 1000).toISOString();
|
|
const recentRefresh = new Date(Date.now() - 1 * 24 * 60 * 60 * 1000).toISOString();
|
|
|
|
expect(executor.needsRefresh({
|
|
refreshToken: "refresh-token",
|
|
expiresAt: farFuture,
|
|
lastRefreshAt: staleRefresh,
|
|
})).toBe(true);
|
|
|
|
expect(executor.needsRefresh({
|
|
refreshToken: "refresh-token",
|
|
expiresAt: farFuture,
|
|
lastRefreshAt: recentRefresh,
|
|
})).toBe(false);
|
|
});
|
|
|
|
it("should de-duplicate concurrent refreshes for the same Codex connection", async () => {
|
|
const fetchMock = mockFetchWithJson({
|
|
access_token: "new-access",
|
|
refresh_token: "rotated-refresh-token",
|
|
expires_in: 3600,
|
|
});
|
|
|
|
const { refreshProviderCredentials } = await import("../../open-sse/services/oauthCredentialManager.js");
|
|
const credentials = {
|
|
connectionId: "codex-single-flight",
|
|
refreshToken: "old-refresh-token",
|
|
};
|
|
|
|
const [first, second] = await Promise.all([
|
|
refreshProviderCredentials("codex", credentials, null),
|
|
refreshProviderCredentials("codex", credentials, null),
|
|
]);
|
|
|
|
expect(first.accessToken).toBe("new-access");
|
|
expect(second.accessToken).toBe("new-access");
|
|
expect(fetchMock).toHaveBeenCalledTimes(1);
|
|
});
|
|
});
|
|
|
|
describe("getRefreshLeadMs (early refresh config)", () => {
|
|
it("should return provider-specific lead time for OAuth providers", async () => {
|
|
const { getRefreshLeadMs } = await import("../../open-sse/services/tokenRefresh.js");
|
|
|
|
// Synced with CLIProxyAPI refresh_registry
|
|
expect(getRefreshLeadMs("codex")).toBe(5 * 24 * 60 * 60 * 1000); // 5 days
|
|
expect(getRefreshLeadMs("claude")).toBe(4 * 60 * 60 * 1000); // 4 hours
|
|
expect(getRefreshLeadMs("iflow")).toBe(24 * 60 * 60 * 1000); // 24 hours
|
|
expect(getRefreshLeadMs("qwen")).toBe(20 * 60 * 1000); // 20 minutes
|
|
expect(getRefreshLeadMs("kimi-coding")).toBe(5 * 60 * 1000); // 5 minutes
|
|
expect(getRefreshLeadMs("antigravity")).toBe(5 * 60 * 1000); // 5 minutes
|
|
});
|
|
|
|
it("should fallback to default buffer for unknown providers", async () => {
|
|
const { getRefreshLeadMs, TOKEN_EXPIRY_BUFFER_MS } = await import("../../open-sse/services/tokenRefresh.js");
|
|
|
|
expect(getRefreshLeadMs("unknown-provider")).toBe(TOKEN_EXPIRY_BUFFER_MS);
|
|
expect(getRefreshLeadMs("openai")).toBe(TOKEN_EXPIRY_BUFFER_MS);
|
|
});
|
|
|
|
it("codex lead should be greater than default buffer", async () => {
|
|
const { getRefreshLeadMs, TOKEN_EXPIRY_BUFFER_MS } = await import("../../open-sse/services/tokenRefresh.js");
|
|
|
|
expect(getRefreshLeadMs("codex")).toBeGreaterThan(TOKEN_EXPIRY_BUFFER_MS);
|
|
});
|
|
});
|
|
});
|