Files
2026-07-13 13:39:12 +08:00

184 lines
7.9 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
const { grokCli } = await import("../../src/lib/oauth/providers/grok-cli.ts");
const { resolvePublicCred } = await import("@omniroute/open-sse/utils/publicCreds");
test("Grok Build OAuth Provider - config", () => {
assert.ok(grokCli.config.clientId, "clientId should be defined");
// The public client_id must come from the embedded default (Hard Rule #11),
// not a string literal — assert it matches resolvePublicCred("grok_id").
assert.equal(
grokCli.config.clientId,
resolvePublicCred("grok_id", "GROK_OAUTH_CLIENT_ID"),
"clientId must resolve from the embedded grok_id default"
);
assert.equal(grokCli.config.tokenUrl, "https://auth.x.ai/oauth2/token");
});
test("publicCreds: grok_id embedded default is present and decodes", () => {
const decoded = resolvePublicCred("grok_id");
assert.ok(decoded.length > 0, "grok_id must decode to a non-empty client id");
});
test("Grok Build OAuth Provider - flowType is import_token", () => {
assert.equal(grokCli.flowType, "import_token");
});
test("Grok Build OAuth Provider - mapTokens from raw JWT", () => {
// Create a valid JWT with base64url-encoded payload
const payload = { sub: "12345", email: "test@example.com", team_id: "team-67890", tier: 1 };
const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
const mockJwt = `eyJhbGciOiJFUzI1NiJ9.${payloadBase64}.signature`;
const result = grokCli.mapTokens(mockJwt, null);
assert.equal(result.accessToken, mockJwt);
assert.equal(result.refreshToken, null);
assert.equal(result.email, "test@example.com");
assert.equal(result.expiresIn, 21600);
assert.equal(result.providerSpecificData?.userId, "12345");
assert.equal(result.providerSpecificData?.teamId, "team-67890");
assert.equal(result.providerSpecificData?.tier, 1);
});
test("Grok Build OAuth Provider - mapTokens from auth.json", () => {
const authJson = {
"https://auth.x.ai::clientId": {
key: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.signature",
refresh_token: "test-refresh-token",
},
};
const result = grokCli.mapTokens(authJson, null);
assert.ok(result.accessToken.includes("eyJ"), "accessToken should be JWT");
assert.equal(result.refreshToken, "test-refresh-token");
assert.equal(result.email, "test@example.com");
});
test("Grok Build OAuth Provider - mapTokens from empty string", () => {
const result = grokCli.mapTokens("", null);
assert.equal(result.accessToken, "");
});
test("Grok Build OAuth Provider - mapTokens from object with accessToken", () => {
const input = { accessToken: "direct-token" };
const result = grokCli.mapTokens(input, null);
assert.equal(result.accessToken, "direct-token");
});
test("Grok Build OAuth Provider - mapTokens from route-wrapped auth.json", () => {
// The route handler wraps the token: { accessToken: <token> }.
// This simulates what the import-token endpoint passes to mapTokens.
const authJson = {
"https://auth.x.ai::b1a00492-073a-47ea-816f-4c329264a828": {
key: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.signature",
refresh_token: "test-refresh-token-wrapped",
expires_at: "2026-12-31T00:00:00Z",
},
};
const wrapped = { accessToken: authJson };
const result = grokCli.mapTokens(wrapped, null);
assert.ok(
result.accessToken.startsWith("eyJ"),
"accessToken should be JWT from wrapped auth.json"
);
assert.equal(result.refreshToken, "test-refresh-token-wrapped");
assert.equal(result.email, "test@example.com");
assert.ok(result.providerSpecificData?.rawAuthJson, "rawAuthJson should be populated");
assert.deepEqual(
result.providerSpecificData?.rawAuthJson,
authJson,
"rawAuthJson should equal the original auth.json"
);
});
test("Grok Build OAuth Provider - mapTokens from direct auth.json has rawAuthJson", () => {
const authJson = {
"https://auth.x.ai::clientId": {
key: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.signature",
refresh_token: "direct-refresh",
},
};
const result = grokCli.mapTokens(authJson, null);
assert.ok(result.accessToken.startsWith("eyJ"));
assert.equal(result.refreshToken, "direct-refresh");
assert.deepEqual(result.providerSpecificData?.rawAuthJson, authJson);
});
test("Grok Build OAuth Provider - mapTokens from raw JWT has no rawAuthJson", () => {
const payload = { sub: "12345", email: "test@example.com" };
const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
const mockJwt = `eyJhbGciOiJFUzI1NiJ9.${payloadBase64}.signature`;
const result = grokCli.mapTokens(mockJwt, null);
assert.equal(result.accessToken, mockJwt);
assert.equal(result.refreshToken, null);
assert.equal(result.providerSpecificData?.rawAuthJson, undefined);
});
test("Grok Build OAuth Provider - mapTokens extracts expiresIn from JWT exp (dynamic)", () => {
const futureSec = Math.floor(Date.now() / 1000) + 1200; // 20 minutes from now
const payload = { sub: "12345", email: "test@example.com", exp: futureSec };
const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
const mockJwt = `eyJhbGciOiJFUzI1NiJ9.${payloadBase64}.signature`;
const result = grokCli.mapTokens(mockJwt, null);
assert.ok(result.expiresIn > 0);
assert.ok(Math.abs(result.expiresIn - 1200) <= 2);
});
test("Grok Build OAuth Provider - mapTokens extracts expiresIn from JSON expires_at (dynamic)", () => {
const futureDateStr = new Date(Date.now() + 1800 * 1000).toISOString(); // 30 minutes from now
const authJson = {
"https://auth.x.ai::clientId": {
key: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.signature",
refresh_token: "test-refresh-token",
expires_at: futureDateStr,
},
};
const result = grokCli.mapTokens(authJson, null);
assert.ok(result.expiresIn > 0);
assert.ok(Math.abs(result.expiresIn - 1800) <= 2);
});
test("Grok Build OAuth Provider - mapTokens falls back to 21600 if no exp or expires_at", () => {
const payload = { sub: "12345", email: "test@example.com" };
const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
const mockJwt = `eyJhbGciOiJFUzI1NiJ9.${payloadBase64}.signature`;
const result = grokCli.mapTokens(mockJwt, null);
assert.equal(result.expiresIn, 21600);
});
// #5775 follow-up: an already-expired token must NOT produce a negative expiresIn.
// A negative value is truthy in the import-token route (route.ts), yielding a PAST
// expiresAt that AutoCombo (virtualFactory.ts) reads as "already expired" and excludes
// the connection immediately — instead of clamping to a tiny positive TTL so the token
// is treated as due-for-refresh. Clamp with Math.max(1, …).
test("Grok Build OAuth Provider - mapTokens clamps expired JWT exp to a positive expiresIn", () => {
const pastSec = Math.floor(Date.now() / 1000) - 3600; // expired 1h ago
const payload = { sub: "12345", email: "test@example.com", exp: pastSec };
const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
const mockJwt = `eyJhbGciOiJFUzI1NiJ9.${payloadBase64}.signature`;
const result = grokCli.mapTokens(mockJwt, null);
assert.ok(result.expiresIn >= 1, `expected expiresIn >= 1, got ${result.expiresIn}`);
});
test("Grok Build OAuth Provider - mapTokens clamps expired JSON expires_at to a positive expiresIn", () => {
const pastDateStr = new Date(Date.now() - 3600 * 1000).toISOString(); // expired 1h ago
const authJson = {
"https://auth.x.ai::clientId": {
key: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.signature",
refresh_token: "test-refresh-token",
expires_at: pastDateStr,
},
};
const result = grokCli.mapTokens(authJson, null);
assert.ok(result.expiresIn >= 1, `expected expiresIn >= 1, got ${result.expiresIn}`);
});