842 lines
30 KiB
TypeScript
842 lines
30 KiB
TypeScript
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
|
|
// Antigravity and Windsurf public defaults come from
|
|
// open-sse/utils/publicCreds.ts — no env override needed in this suite.
|
|
const originalEnv = { ...process.env };
|
|
Object.assign(process.env, {
|
|
CLAUDE_OAUTH_CLIENT_ID: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
|
|
CODEX_OAUTH_CLIENT_ID: "app_EMoamEEZ73f0CkXaXp7hrann",
|
|
GITLAB_DUO_OAUTH_CLIENT_ID: "gitlab-duo-client-id",
|
|
QWEN_OAUTH_CLIENT_ID: "f0304373b74a44d2b584a3fb70ca9e56",
|
|
KIMI_CODING_OAUTH_CLIENT_ID: "17e5f671-d194-4dfb-9706-5516cb48c098",
|
|
KIMI_CODING_DEVICE_ID: "test-kimi-device-id",
|
|
GITHUB_OAUTH_CLIENT_ID: "Iv1.b507a08c87ecfe98",
|
|
});
|
|
|
|
const providersModule = await import("../../src/lib/oauth/providers/index.ts");
|
|
const oauthModule = await import("../../src/lib/oauth/constants/oauth.ts");
|
|
const antigravityHeadersModule = await import("../../open-sse/services/antigravityHeaders.ts");
|
|
const oauthHelpersModule = await import("../../src/lib/oauth/providers.ts");
|
|
|
|
const PROVIDERS = providersModule.default;
|
|
const { resolveBrowserOAuthRedirectUri } = oauthHelpersModule;
|
|
const {
|
|
ANTIGRAVITY_CONFIG,
|
|
AGY_CONFIG,
|
|
CLAUDE_CONFIG,
|
|
CLINE_CONFIG,
|
|
CODEX_CONFIG,
|
|
CODEBUDDY_CN_CONFIG,
|
|
ZED_CONFIG,
|
|
CURSOR_CONFIG,
|
|
GITHUB_CONFIG,
|
|
GITLAB_DUO_CONFIG,
|
|
GROK_CLI_CONFIG,
|
|
KILOCODE_CONFIG,
|
|
KIMI_CODING_CONFIG,
|
|
KIRO_CONFIG,
|
|
OAUTH_TIMEOUT,
|
|
PROVIDERS: OAUTH_PROVIDER_IDS,
|
|
QODER_CONFIG,
|
|
QWEN_CONFIG,
|
|
TRAE_CONFIG,
|
|
WINDSURF_CONFIG,
|
|
ZED_HOSTED_CONFIG,
|
|
} = oauthModule;
|
|
const { getAntigravityLoadCodeAssistMetadata } = antigravityHeadersModule;
|
|
|
|
const originalFetch = globalThis.fetch;
|
|
|
|
const EXPECTED_PROVIDER_KEYS = [
|
|
"claude",
|
|
"codex",
|
|
"antigravity",
|
|
"agy",
|
|
"qoder",
|
|
"qwen",
|
|
"kimi-coding",
|
|
"github",
|
|
"gitlab-duo",
|
|
"kiro",
|
|
"amazon-q",
|
|
"cursor",
|
|
"trae",
|
|
"kilocode",
|
|
"cline",
|
|
"windsurf",
|
|
"devin-cli",
|
|
"grok-cli",
|
|
"codebuddy-cn",
|
|
"zed",
|
|
"zed-hosted",
|
|
];
|
|
|
|
const EXPECTED_CONFIG_BY_PROVIDER = {
|
|
claude: CLAUDE_CONFIG,
|
|
codex: CODEX_CONFIG,
|
|
antigravity: ANTIGRAVITY_CONFIG,
|
|
agy: AGY_CONFIG,
|
|
qoder: QODER_CONFIG,
|
|
qwen: QWEN_CONFIG,
|
|
"kimi-coding": KIMI_CODING_CONFIG,
|
|
github: GITHUB_CONFIG,
|
|
"gitlab-duo": GITLAB_DUO_CONFIG,
|
|
kiro: KIRO_CONFIG,
|
|
"amazon-q": KIRO_CONFIG,
|
|
cursor: CURSOR_CONFIG,
|
|
kilocode: KILOCODE_CONFIG,
|
|
cline: CLINE_CONFIG,
|
|
windsurf: WINDSURF_CONFIG,
|
|
"devin-cli": WINDSURF_CONFIG,
|
|
trae: TRAE_CONFIG,
|
|
"grok-cli": GROK_CLI_CONFIG,
|
|
"codebuddy-cn": CODEBUDDY_CN_CONFIG,
|
|
zed: ZED_CONFIG,
|
|
"zed-hosted": ZED_HOSTED_CONFIG,
|
|
};
|
|
|
|
const REQUIRED_FIELDS_BY_PROVIDER = {
|
|
claude: ["authorizeUrl", "tokenUrl", "redirectUri", "scopes", "clientId"],
|
|
codex: ["authorizeUrl", "tokenUrl", "scope", "clientId"],
|
|
antigravity: ["authorizeUrl", "tokenUrl", "userInfoUrl", "scopes", "clientId"],
|
|
agy: ["authorizeUrl", "tokenUrl", "userInfoUrl", "scopes", "clientId"],
|
|
qoder: ["extraParams"],
|
|
qwen: ["deviceCodeUrl", "tokenUrl", "scope", "clientId"],
|
|
"kimi-coding": ["deviceCodeUrl", "tokenUrl", "clientId"],
|
|
github: ["deviceCodeUrl", "tokenUrl", "userInfoUrl", "copilotTokenUrl", "clientId"],
|
|
"gitlab-duo": [
|
|
"baseUrl",
|
|
"authorizeUrl",
|
|
"tokenUrl",
|
|
"userInfoUrl",
|
|
"directAccessUrl",
|
|
"scope",
|
|
"codeChallengeMethod",
|
|
"clientId",
|
|
],
|
|
kiro: [
|
|
"registerClientUrl",
|
|
"deviceAuthUrl",
|
|
"tokenUrl",
|
|
"socialAuthEndpoint",
|
|
"socialLoginUrl",
|
|
"socialTokenUrl",
|
|
"socialRefreshUrl",
|
|
"authMethods",
|
|
],
|
|
"amazon-q": [
|
|
"registerClientUrl",
|
|
"deviceAuthUrl",
|
|
"tokenUrl",
|
|
"socialAuthEndpoint",
|
|
"socialLoginUrl",
|
|
"socialTokenUrl",
|
|
"socialRefreshUrl",
|
|
"authMethods",
|
|
],
|
|
cursor: ["apiEndpoint", "api3Endpoint", "agentEndpoint", "agentNonPrivacyEndpoint", "dbKeys"],
|
|
kilocode: ["apiBaseUrl", "initiateUrl", "pollUrlBase"],
|
|
cline: ["appBaseUrl", "apiBaseUrl", "authorizeUrl", "tokenExchangeUrl", "refreshUrl"],
|
|
windsurf: ["authorizeUrl", "apiServerUrl", "exchangePath", "inferenceUrl"],
|
|
"devin-cli": ["authorizeUrl", "apiServerUrl", "exchangePath", "inferenceUrl"],
|
|
trae: ["apiEndpoint", "chatEndpoint", "webUrl"],
|
|
"zed-hosted": ["webBaseUrl", "cloudBaseUrl", "llmBaseUrl", "userInfoUrl", "llmTokenUrl", "modelsUrl"],
|
|
};
|
|
|
|
function getByPath(object, path) {
|
|
return path.split(".").reduce((value, segment) => value?.[segment], object);
|
|
}
|
|
|
|
function collectHttpsUrls(value, path = "config") {
|
|
const results = [];
|
|
|
|
if (typeof value === "string") {
|
|
if (/^https?:\/\//.test(value)) {
|
|
results.push({ path, value });
|
|
}
|
|
return results;
|
|
}
|
|
|
|
if (!value || typeof value !== "object" || Array.isArray(value)) {
|
|
return results;
|
|
}
|
|
|
|
for (const [key, nestedValue] of Object.entries(value)) {
|
|
results.push(...collectHttpsUrls(nestedValue, `${path}.${key}`));
|
|
}
|
|
|
|
return results;
|
|
}
|
|
|
|
function jsonResponse(body, status = 200) {
|
|
return new Response(JSON.stringify(body), {
|
|
status,
|
|
headers: { "Content-Type": "application/json" },
|
|
});
|
|
}
|
|
|
|
function textResponse(body, status = 200) {
|
|
return new Response(body, {
|
|
status,
|
|
headers: { "Content-Type": "text/plain" },
|
|
});
|
|
}
|
|
|
|
function createJwt(payload) {
|
|
const encode = (value) =>
|
|
Buffer.from(JSON.stringify(value)).toString("base64url").replace(/=/g, "");
|
|
|
|
return `${encode({ alg: "none", typ: "JWT" })}.${encode(payload)}.signature`;
|
|
}
|
|
|
|
function useFetchSequence(sequence) {
|
|
let index = 0;
|
|
globalThis.fetch = async (...args) => {
|
|
const next = sequence[index++];
|
|
if (!next) {
|
|
throw new Error(`Unexpected fetch call #${index}`);
|
|
}
|
|
return typeof next === "function" ? next(...args) : next;
|
|
};
|
|
}
|
|
|
|
test.afterEach(() => {
|
|
globalThis.fetch = originalFetch;
|
|
});
|
|
|
|
test.after(() => {
|
|
globalThis.fetch = originalFetch;
|
|
for (const key of Object.keys(process.env)) {
|
|
if (!(key in originalEnv)) {
|
|
delete process.env[key];
|
|
}
|
|
}
|
|
Object.assign(process.env, originalEnv);
|
|
});
|
|
|
|
test("OAuth provider registry exposes every expected provider exactly once", () => {
|
|
assert.deepEqual(Object.keys(PROVIDERS), EXPECTED_PROVIDER_KEYS);
|
|
assert.equal(new Set(Object.keys(PROVIDERS)).size, EXPECTED_PROVIDER_KEYS.length);
|
|
});
|
|
|
|
test("OAuth constants include all provider ids and use a sane timeout", () => {
|
|
const constantIds = Object.values(OAUTH_PROVIDER_IDS);
|
|
const registryIds = Object.keys(PROVIDERS);
|
|
|
|
assert.ok(Number.isInteger(OAUTH_TIMEOUT));
|
|
assert.ok(OAUTH_TIMEOUT > 0);
|
|
assert.equal(new Set(constantIds).size, constantIds.length);
|
|
|
|
for (const providerId of registryIds) {
|
|
assert.ok(
|
|
constantIds.includes(providerId),
|
|
`Expected oauth constants to include provider id ${providerId}`
|
|
);
|
|
}
|
|
});
|
|
|
|
test("every registered OAuth provider has a valid config object, flow type and token mapper", () => {
|
|
const allowedFlowTypes = new Set([
|
|
"authorization_code",
|
|
"authorization_code_pkce",
|
|
"device_code",
|
|
"import_token",
|
|
]);
|
|
|
|
for (const [providerId, provider] of Object.entries(PROVIDERS)) {
|
|
assert.equal(provider.config, EXPECTED_CONFIG_BY_PROVIDER[providerId]);
|
|
assert.ok(allowedFlowTypes.has(provider.flowType), `${providerId} has unsupported flowType`);
|
|
assert.equal(typeof provider.mapTokens, "function", `${providerId} must expose mapTokens`);
|
|
|
|
const mapped = provider.mapTokens({});
|
|
assert.ok(
|
|
mapped && typeof mapped === "object",
|
|
`${providerId} mapTokens must return an object`
|
|
);
|
|
}
|
|
});
|
|
|
|
test("every required provider config field is present when the provider is enabled for that flow", () => {
|
|
for (const [providerId, fields] of Object.entries(REQUIRED_FIELDS_BY_PROVIDER)) {
|
|
const provider = PROVIDERS[providerId];
|
|
const config = provider.config;
|
|
|
|
for (const field of fields) {
|
|
const value = getByPath(config, field);
|
|
|
|
if (
|
|
providerId === "qoder" &&
|
|
!config.enabled &&
|
|
["authorizeUrl", "tokenUrl", "userInfoUrl", "clientId"].includes(field)
|
|
) {
|
|
continue;
|
|
}
|
|
|
|
assert.notEqual(value, undefined, `${providerId} missing config field ${field}`);
|
|
|
|
if (Array.isArray(value)) {
|
|
assert.ok(value.length > 0, `${providerId}.${field} must not be empty`);
|
|
} else if (typeof value === "string") {
|
|
assert.ok(value.length > 0, `${providerId}.${field} must not be empty`);
|
|
} else if (typeof value === "object") {
|
|
assert.ok(
|
|
value && Object.keys(value).length > 0,
|
|
`${providerId}.${field} must not be empty`
|
|
);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
test("all provider endpoint URLs use HTTPS when a URL is configured", () => {
|
|
for (const [providerId, provider] of Object.entries(PROVIDERS)) {
|
|
const httpsUrls = collectHttpsUrls(provider.config);
|
|
|
|
for (const entry of httpsUrls) {
|
|
const parsed = new URL(entry.value);
|
|
assert.equal(parsed.protocol, "https:", `${providerId} ${entry.path} must use HTTPS`);
|
|
}
|
|
}
|
|
});
|
|
|
|
test("Qwen OAuth uses qwen.ai (not chat.qwen.ai) for device/token URLs — upstream PR #683 / decolua issue #572", () => {
|
|
// The legacy host `chat.qwen.ai` started returning errors; the correct authoritative
|
|
// host for Qwen's device-code OAuth endpoints is `qwen.ai`. Regression guard for the
|
|
// port of decolua/9router#683 (closes decolua issue #572).
|
|
const deviceUrl = new URL(QWEN_CONFIG.deviceCodeUrl);
|
|
const tokenUrl = new URL(QWEN_CONFIG.tokenUrl);
|
|
assert.equal(deviceUrl.hostname, "qwen.ai", "deviceCodeUrl must use qwen.ai");
|
|
assert.equal(tokenUrl.hostname, "qwen.ai", "tokenUrl must use qwen.ai");
|
|
assert.equal(deviceUrl.pathname, "/api/v1/oauth2/device/code");
|
|
assert.equal(tokenUrl.pathname, "/api/v1/oauth2/token");
|
|
});
|
|
|
|
test("browser-based providers expose buildAuthUrl and return provider-specific auth URLs", () => {
|
|
const redirectUri = "http://localhost:43121/callback";
|
|
const state = "state-123";
|
|
const codeChallenge = "challenge-456";
|
|
|
|
const claudeUrl = new URL(
|
|
PROVIDERS.claude.buildAuthUrl(CLAUDE_CONFIG, redirectUri, state, codeChallenge)
|
|
);
|
|
const codexUrl = new URL(
|
|
PROVIDERS.codex.buildAuthUrl(CODEX_CONFIG, redirectUri, state, codeChallenge)
|
|
);
|
|
const antigravityUrl = new URL(
|
|
PROVIDERS.antigravity.buildAuthUrl(ANTIGRAVITY_CONFIG, redirectUri, state)
|
|
);
|
|
const clineUrl = new URL(PROVIDERS.cline.buildAuthUrl(CLINE_CONFIG, redirectUri));
|
|
|
|
assert.equal(claudeUrl.origin, "https://claude.ai");
|
|
assert.equal(claudeUrl.searchParams.get("client_id"), CLAUDE_CONFIG.clientId);
|
|
assert.equal(codexUrl.origin, "https://auth.openai.com");
|
|
assert.equal(codexUrl.searchParams.get("code_challenge"), codeChallenge);
|
|
assert.equal(antigravityUrl.origin, "https://accounts.google.com");
|
|
assert.equal(clineUrl.origin, "https://api.cline.bot");
|
|
});
|
|
|
|
// zed-hosted's buildAuthUrl deliberately returns an object (authUrl + codeVerifier +
|
|
// redirectUri) instead of a bare string — generateAuthData() in providers.ts special-
|
|
// cases this shape to thread an RSA private-key verifier through the existing PKCE
|
|
// codeVerifier slot (see src/lib/oauth/providers/zed-hosted.ts header comment).
|
|
test("zed-hosted buildAuthUrl returns {authUrl, codeVerifier, redirectUri} carrying a fresh RSA keypair", () => {
|
|
const built = PROVIDERS["zed-hosted"].buildAuthUrl(ZED_HOSTED_CONFIG);
|
|
assert.equal(typeof built, "object");
|
|
assert.ok(built.authUrl.startsWith("https://zed.dev/native_app_signin?"));
|
|
const url = new URL(built.authUrl);
|
|
assert.ok(url.searchParams.get("native_app_public_key"));
|
|
assert.ok(built.codeVerifier.startsWith("zed-rsa-pkcs1:"));
|
|
assert.ok(built.redirectUri.startsWith("http://127.0.0.1:"));
|
|
});
|
|
|
|
test("generateAuthData honors an object-returning buildAuthUrl (zed-hosted) without breaking string-returning providers", async () => {
|
|
const oauthHelpers = await import("../../src/lib/oauth/providers.ts");
|
|
const zedAuthData = oauthHelpers.generateAuthData("zed-hosted", "http://localhost:20128/callback");
|
|
assert.equal(zedAuthData.flowType, "authorization_code");
|
|
assert.ok(zedAuthData.authUrl.startsWith("https://zed.dev/native_app_signin?"));
|
|
assert.ok(zedAuthData.codeVerifier.startsWith("zed-rsa-pkcs1:"));
|
|
assert.ok(zedAuthData.redirectUri.startsWith("http://127.0.0.1:"));
|
|
|
|
// A string-returning provider (cline) must still get the plain PKCE codeVerifier,
|
|
// not be affected by the object-return branch added for zed-hosted.
|
|
const clineAuthData = oauthHelpers.generateAuthData("cline", "http://localhost:20128/callback");
|
|
assert.equal(typeof clineAuthData.authUrl, "string");
|
|
assert.equal(clineAuthData.redirectUri, "http://localhost:20128/callback");
|
|
assert.ok(clineAuthData.codeVerifier);
|
|
assert.ok(!clineAuthData.codeVerifier.startsWith("zed-rsa-pkcs1:"));
|
|
});
|
|
|
|
// Regression for #3861: GitLab Duo needs an operator-registered OAuth client_id.
|
|
// When it's missing, buildAuthUrl must return null (like Qoder) so the authorize route
|
|
// can surface a clear "configure it" message — it previously THREW, which the route
|
|
// swallowed into an opaque "Internal server error" 500 at the Add Connection step.
|
|
test("gitlab-duo buildAuthUrl returns null (not throw) when client_id is unconfigured (#3861)", () => {
|
|
const redirectUri = "http://localhost:20128/callback";
|
|
const unconfigured = PROVIDERS["gitlab-duo"].buildAuthUrl(
|
|
{ ...GITLAB_DUO_CONFIG, clientId: "" },
|
|
redirectUri,
|
|
"state-x",
|
|
"challenge-y"
|
|
);
|
|
assert.equal(unconfigured, null);
|
|
|
|
// Configured: returns a real authorize URL carrying the client_id + PKCE challenge.
|
|
const configured = new URL(
|
|
PROVIDERS["gitlab-duo"].buildAuthUrl(GITLAB_DUO_CONFIG, redirectUri, "state-x", "challenge-y")
|
|
);
|
|
assert.equal(configured.searchParams.get("client_id"), GITLAB_DUO_CONFIG.clientId);
|
|
assert.equal(configured.searchParams.get("code_challenge"), "challenge-y");
|
|
});
|
|
|
|
test("custom Google OAuth credentials switch Antigravity remote callbacks to NEXT_PUBLIC_BASE_URL", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri(
|
|
"antigravity",
|
|
"http://localhost:20128/callback",
|
|
{
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com/",
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID: "custom-antigravity.apps.googleusercontent.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_SECRET: "custom-antigravity-secret",
|
|
}
|
|
);
|
|
|
|
assert.equal(redirectUri, "https://omniroute.example.com/callback");
|
|
});
|
|
|
|
test("custom Google OAuth callbacks preserve the requested callback path and query", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri(
|
|
"antigravity",
|
|
"http://127.0.0.1:20128/auth/callback?source=popup",
|
|
{
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com/base",
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID: "custom-antigravity.apps.googleusercontent.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_SECRET: "custom-antigravity-secret",
|
|
}
|
|
);
|
|
|
|
assert.equal(redirectUri, "https://omniroute.example.com/base/auth/callback?source=popup");
|
|
});
|
|
|
|
test("custom Google OAuth credentials switch IPv6 loopback callbacks to public base URL", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri("antigravity", "http://[::1]:20128/callback", {
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID: "custom-antigravity.apps.googleusercontent.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_SECRET: "custom-antigravity-secret",
|
|
});
|
|
|
|
assert.equal(redirectUri, "https://omniroute.example.com/callback");
|
|
});
|
|
|
|
test("custom Google OAuth callbacks default root loopback paths to callback path", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri("antigravity", "http://127.0.0.1:20128", {
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID: "custom-antigravity.apps.googleusercontent.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_SECRET: "custom-antigravity-secret",
|
|
});
|
|
|
|
assert.equal(redirectUri, "https://omniroute.example.com/callback");
|
|
});
|
|
|
|
test("Google OAuth callbacks stay on loopback when custom credentials are incomplete", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri(
|
|
"antigravity",
|
|
"http://127.0.0.1:20128/callback",
|
|
{
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com",
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID: "custom-antigravity.apps.googleusercontent.com",
|
|
}
|
|
);
|
|
|
|
assert.equal(redirectUri, "http://127.0.0.1:20128/callback");
|
|
});
|
|
|
|
test("Google OAuth callbacks stay on localhost when no custom credentials are configured", () => {
|
|
const redirectUri = resolveBrowserOAuthRedirectUri(
|
|
"antigravity",
|
|
"http://localhost:20128/callback",
|
|
{
|
|
NEXT_PUBLIC_BASE_URL: "https://omniroute.example.com",
|
|
}
|
|
);
|
|
|
|
assert.equal(redirectUri, "http://localhost:20128/callback");
|
|
});
|
|
|
|
test("device and import-token providers expose the flow-specific fields expected by their configs", () => {
|
|
const deviceProviders = ["qwen", "kimi-coding", "github", "kiro", "amazon-q", "kilocode"];
|
|
|
|
for (const providerId of deviceProviders) {
|
|
const provider = PROVIDERS[providerId];
|
|
assert.equal(provider.flowType, "device_code");
|
|
assert.equal(typeof provider.requestDeviceCode, "function");
|
|
assert.equal(typeof provider.pollToken, "function");
|
|
}
|
|
|
|
assert.equal(PROVIDERS.cursor.flowType, "import_token");
|
|
assert.equal(CURSOR_CONFIG.dbKeys.accessToken, "cursorAuth/accessToken");
|
|
assert.equal(CURSOR_CONFIG.dbKeys.machineId, "storage.serviceMachineId");
|
|
assert.equal(PROVIDERS.trae.flowType, "import_token");
|
|
assert.equal(typeof TRAE_CONFIG.apiEndpoint, "string");
|
|
assert.ok(Array.isArray(KIRO_CONFIG.authMethods));
|
|
assert.ok(KIRO_CONFIG.authMethods.includes("builder-id"));
|
|
});
|
|
|
|
test("provider-specific config shapes remain valid for special cases", () => {
|
|
assert.ok(Array.isArray(CLAUDE_CONFIG.scopes) && CLAUDE_CONFIG.scopes.length > 0);
|
|
assert.ok(Array.isArray(ANTIGRAVITY_CONFIG.scopes) && ANTIGRAVITY_CONFIG.scopes.length > 0);
|
|
assert.equal(typeof CODEX_CONFIG.extraParams.originator, "string");
|
|
assert.equal(typeof QODER_CONFIG.extraParams.loginMethod, "string");
|
|
assert.ok(Array.isArray(KIRO_CONFIG.grantTypes) && KIRO_CONFIG.grantTypes.length > 0);
|
|
assert.equal(typeof KILOCODE_CONFIG.pollUrlBase, "string");
|
|
});
|
|
|
|
test("Qoder remains a safe special case when browser OAuth is disabled", () => {
|
|
if (!QODER_CONFIG.enabled) {
|
|
assert.equal(
|
|
PROVIDERS.qoder.buildAuthUrl(QODER_CONFIG, "http://localhost/callback", "state"),
|
|
null
|
|
);
|
|
return;
|
|
}
|
|
|
|
const authUrl = PROVIDERS.qoder.buildAuthUrl(
|
|
QODER_CONFIG,
|
|
"http://localhost/callback",
|
|
"state-123"
|
|
);
|
|
assert.equal(typeof authUrl, "string");
|
|
assert.ok(authUrl.startsWith("https://"));
|
|
});
|
|
|
|
test("Codex parses id_token metadata and prefers a team workspace when the JWT only marks the personal plan", async () => {
|
|
const idToken = createJwt({
|
|
email: "dev@example.com",
|
|
"https://api.openai.com/auth": {
|
|
chatgpt_account_id: "personal-workspace",
|
|
chatgpt_plan_type: "free",
|
|
chatgpt_user_id: "user-123",
|
|
organizations: [
|
|
{
|
|
id: "team-workspace",
|
|
is_default: false,
|
|
role: "member",
|
|
title: "Platform Team",
|
|
},
|
|
],
|
|
},
|
|
});
|
|
|
|
const extra = await PROVIDERS.codex.postExchange({ id_token: idToken });
|
|
const mapped = PROVIDERS.codex.mapTokens(
|
|
{
|
|
access_token: "access-token",
|
|
refresh_token: "refresh-token",
|
|
id_token: idToken,
|
|
expires_in: 3600,
|
|
},
|
|
extra
|
|
);
|
|
|
|
assert.equal(extra.authInfo.chatgpt_account_id, "personal-workspace");
|
|
assert.equal(mapped.email, "dev@example.com");
|
|
assert.equal(mapped.providerSpecificData.workspaceId, "team-workspace");
|
|
assert.equal(mapped.providerSpecificData.workspacePlanType, "team");
|
|
});
|
|
|
|
test("Cline decodes embedded callback payloads without using the network", async () => {
|
|
const encodedCode = Buffer.from(
|
|
JSON.stringify({
|
|
accessToken: "cline-access",
|
|
refreshToken: "cline-refresh",
|
|
email: "cline@example.com",
|
|
firstName: "Cline",
|
|
lastName: "Bot",
|
|
expiresAt: "2030-01-01T00:00:00.000Z",
|
|
})
|
|
).toString("base64");
|
|
|
|
const tokens = await PROVIDERS.cline.exchangeToken(CLINE_CONFIG, encodedCode, "http://localhost");
|
|
const mapped = PROVIDERS.cline.mapTokens(tokens);
|
|
|
|
assert.equal(tokens.access_token, "cline-access");
|
|
assert.equal(mapped.accessToken, "cline-access");
|
|
assert.equal(mapped.email, "cline@example.com");
|
|
assert.equal(mapped.name, "Cline Bot");
|
|
});
|
|
|
|
test("Antigravity runs mocked browser OAuth exchanges and post-exchange enrichment", async () => {
|
|
useFetchSequence([
|
|
jsonResponse({ access_token: "anti-access", refresh_token: "anti-refresh", expires_in: 7200 }),
|
|
jsonResponse({ email: "anti@example.com" }),
|
|
(_url, init: any = {}) => {
|
|
assert.equal(init.method, "POST");
|
|
assert.equal(init.headers.Authorization, "Bearer anti-access");
|
|
assert.match(init.headers["User-Agent"], /^vscode\/1\.X\.X \(Antigravity\//);
|
|
assert.equal(init.headers["X-Goog-Api-Client"], undefined);
|
|
assert.deepEqual(
|
|
JSON.parse(String(init.body)).metadata,
|
|
getAntigravityLoadCodeAssistMetadata()
|
|
);
|
|
assert.equal(JSON.parse(String(init.body)).cloudaicompanionProject, undefined);
|
|
return jsonResponse({
|
|
cloudaicompanionProject: { id: "anti-project" },
|
|
allowedTiers: [{ id: "tier-default", isDefault: true }],
|
|
});
|
|
},
|
|
(_url, init: any = {}) => {
|
|
assert.equal(init.method, "POST");
|
|
assert.equal(init.headers.Authorization, "Bearer anti-access");
|
|
assert.match(init.headers["User-Agent"], /^vscode\/1\.X\.X \(Antigravity\//);
|
|
assert.equal(init.headers["X-Goog-Api-Client"], undefined);
|
|
assert.deepEqual(
|
|
JSON.parse(String(init.body)).metadata,
|
|
getAntigravityLoadCodeAssistMetadata()
|
|
);
|
|
assert.equal(JSON.parse(String(init.body)).tier_id, "tier-default");
|
|
assert.equal(JSON.parse(String(init.body)).cloudaicompanionProject, undefined);
|
|
return jsonResponse({
|
|
done: true,
|
|
response: { cloudaicompanionProject: { id: "anti-project-final" } },
|
|
});
|
|
},
|
|
]);
|
|
|
|
const antigravityTokens = await PROVIDERS.antigravity.exchangeToken(
|
|
ANTIGRAVITY_CONFIG,
|
|
"code-2",
|
|
"http://localhost/callback"
|
|
);
|
|
const antigravityExtra = await PROVIDERS.antigravity.postExchange(antigravityTokens);
|
|
const antigravityMapped = PROVIDERS.antigravity.mapTokens(antigravityTokens, antigravityExtra);
|
|
// postExchange runs onboarding fire-and-forget now (it must never block the OAuth
|
|
// login response); give the background onboard call a tick to consume its mocked
|
|
// fetch so the sequence drains deterministically.
|
|
await new Promise((r) => setTimeout(r, 50));
|
|
|
|
assert.equal(antigravityMapped.email, "anti@example.com");
|
|
// projectId comes from loadCodeAssist ("anti-project"), NOT the backgrounded
|
|
// onboardUser response ("anti-project-final"). Onboarding is fire-and-forget, so it
|
|
// no longer updates the returned projectId synchronously — matching the 9router web
|
|
// flow, which also returns the loadCodeAssist project id.
|
|
assert.equal(antigravityMapped.projectId, "anti-project");
|
|
});
|
|
|
|
test("Qoder enabled mode exchanges tokens and loads profile metadata through mocked endpoints", async () => {
|
|
const originalQoderConfig = structuredClone(QODER_CONFIG);
|
|
const qoderConfig = Object.assign(QODER_CONFIG, {
|
|
enabled: true,
|
|
clientId: "qoder-client",
|
|
clientSecret: "qoder-secret",
|
|
authorizeUrl: "https://auth.qoder.dev/authorize",
|
|
tokenUrl: "https://auth.qoder.dev/token",
|
|
userInfoUrl: "https://auth.qoder.dev/user",
|
|
extraParams: {
|
|
loginMethod: "phone",
|
|
type: "phone",
|
|
},
|
|
});
|
|
|
|
try {
|
|
useFetchSequence([
|
|
jsonResponse({
|
|
access_token: "qoder-access",
|
|
refresh_token: "qoder-refresh",
|
|
expires_in: 1800,
|
|
}),
|
|
jsonResponse({
|
|
success: true,
|
|
data: {
|
|
apiKey: "qoder-api-key",
|
|
email: "qoder@example.com",
|
|
nickname: "Qoder User",
|
|
},
|
|
}),
|
|
]);
|
|
|
|
const authUrl = PROVIDERS.qoder.buildAuthUrl(
|
|
qoderConfig,
|
|
"http://localhost/callback",
|
|
"state-123"
|
|
);
|
|
const tokens = await PROVIDERS.qoder.exchangeToken(
|
|
qoderConfig,
|
|
"browser-code",
|
|
"http://localhost/callback"
|
|
);
|
|
const extra = await PROVIDERS.qoder.postExchange(tokens);
|
|
const mapped = PROVIDERS.qoder.mapTokens(tokens, extra);
|
|
|
|
assert.ok(authUrl.startsWith("https://auth.qoder.dev/authorize?"));
|
|
assert.equal(mapped.apiKey, "qoder-api-key");
|
|
assert.equal(mapped.email, "qoder@example.com");
|
|
assert.equal(mapped.displayName, "Qoder User");
|
|
} finally {
|
|
Object.assign(QODER_CONFIG, originalQoderConfig);
|
|
}
|
|
});
|
|
|
|
test("Qwen and Kimi Coding execute mocked device-code flows and token mapping", async () => {
|
|
const qwenIdToken = createJwt({
|
|
email: "qwen@example.com",
|
|
name: "Qwen User",
|
|
});
|
|
|
|
useFetchSequence([
|
|
jsonResponse({
|
|
device_code: "qwen-device",
|
|
user_code: "QWEN123",
|
|
verification_uri: "https://chat.qwen.ai/activate",
|
|
expires_in: 300,
|
|
interval: 5,
|
|
}),
|
|
jsonResponse({
|
|
access_token: createJwt({ sub: "qwen-subject" }),
|
|
refresh_token: "qwen-refresh",
|
|
expires_in: 3600,
|
|
id_token: qwenIdToken,
|
|
resource_url: "https://chat.qwen.ai/resource",
|
|
}),
|
|
(url, init) => {
|
|
const params = init.body;
|
|
assert.equal(String(url), KIMI_CODING_CONFIG.deviceCodeUrl);
|
|
assert.equal(params.get("client_id"), KIMI_CODING_CONFIG.clientId);
|
|
assert.equal(init.headers["X-Msh-Platform"], "kimi_cli");
|
|
assert.equal(init.headers["X-Msh-Device-Id"], "test-kimi-device-id");
|
|
assert.ok(init.headers["X-Msh-Os-Version"]);
|
|
|
|
return jsonResponse({
|
|
device_code: "kimi-device",
|
|
user_code: "KIMI123",
|
|
verification_uri: "https://www.kimi.com/code/authorize_device",
|
|
verification_uri_complete: "https://www.kimi.com/code/authorize_device?user_code=KIMI123",
|
|
expires_in: 600,
|
|
interval: 4,
|
|
});
|
|
},
|
|
(url, init) => {
|
|
const params = init.body;
|
|
assert.equal(String(url), KIMI_CODING_CONFIG.tokenUrl);
|
|
assert.equal(params.get("client_id"), KIMI_CODING_CONFIG.clientId);
|
|
assert.equal(params.get("device_code"), "kimi-device");
|
|
assert.equal(params.get("grant_type"), "urn:ietf:params:oauth:grant-type:device_code");
|
|
assert.equal(init.headers["X-Msh-Platform"], "kimi_cli");
|
|
assert.equal(init.headers["X-Msh-Device-Id"], "test-kimi-device-id");
|
|
|
|
return jsonResponse({
|
|
access_token: "kimi-access",
|
|
refresh_token: "kimi-refresh",
|
|
expires_in: 7200,
|
|
token_type: "Bearer",
|
|
scope: "profile",
|
|
});
|
|
},
|
|
]);
|
|
|
|
const qwenDevice = await PROVIDERS.qwen.requestDeviceCode(QWEN_CONFIG, "challenge-123");
|
|
const qwenPoll = await PROVIDERS.qwen.pollToken(QWEN_CONFIG, qwenDevice.device_code, "verifier");
|
|
const qwenMapped = PROVIDERS.qwen.mapTokens(qwenPoll.data);
|
|
|
|
const kimiDevice = await PROVIDERS["kimi-coding"].requestDeviceCode(KIMI_CODING_CONFIG);
|
|
const kimiPoll = await PROVIDERS["kimi-coding"].pollToken(
|
|
KIMI_CODING_CONFIG,
|
|
kimiDevice.device_code
|
|
);
|
|
const kimiMapped = PROVIDERS["kimi-coding"].mapTokens(kimiPoll.data);
|
|
|
|
assert.equal(qwenMapped.email, "qwen@example.com");
|
|
assert.equal(qwenMapped.displayName, "Qwen User");
|
|
assert.equal(qwenMapped.providerSpecificData.resourceUrl, "https://chat.qwen.ai/resource");
|
|
assert.equal(kimiMapped.accessToken, "kimi-access");
|
|
assert.equal(kimiMapped.tokenType, "Bearer");
|
|
assert.equal(
|
|
kimiDevice.verification_uri_complete,
|
|
"https://www.kimi.com/code/authorize_device?user_code=KIMI123"
|
|
);
|
|
});
|
|
|
|
test("GitHub executes mocked device-code and profile enrichment flows", async () => {
|
|
useFetchSequence([
|
|
jsonResponse({
|
|
device_code: "github-device",
|
|
user_code: "GH123",
|
|
verification_uri: "https://github.com/login/device",
|
|
expires_in: 900,
|
|
interval: 5,
|
|
}),
|
|
jsonResponse({
|
|
access_token: "github-access",
|
|
refresh_token: "github-refresh",
|
|
expires_in: 3600,
|
|
}),
|
|
jsonResponse({ token: "copilot-token", expires_at: "2030-01-01T00:00:00.000Z" }),
|
|
jsonResponse({
|
|
id: 42,
|
|
login: "octocat",
|
|
name: "Octo Cat",
|
|
email: "octo@example.com",
|
|
}),
|
|
]);
|
|
|
|
const device = await PROVIDERS.github.requestDeviceCode(GITHUB_CONFIG);
|
|
const poll = await PROVIDERS.github.pollToken(GITHUB_CONFIG, device.device_code);
|
|
const extra = await PROVIDERS.github.postExchange(poll.data);
|
|
const mapped = PROVIDERS.github.mapTokens(poll.data, extra);
|
|
|
|
assert.equal(poll.ok, true);
|
|
assert.equal(mapped.providerSpecificData.copilotToken, "copilot-token");
|
|
assert.equal(mapped.providerSpecificData.githubLogin, "octocat");
|
|
assert.equal(mapped.providerSpecificData.githubEmail, "octo@example.com");
|
|
});
|
|
|
|
test("Kiro and KiloCode execute mocked device-code flows across their custom endpoints", async () => {
|
|
useFetchSequence([
|
|
jsonResponse({ clientId: "kiro-client", clientSecret: "kiro-secret" }),
|
|
jsonResponse({
|
|
deviceCode: "kiro-device",
|
|
userCode: "KIRO123",
|
|
verificationUri: "https://device.kiro.dev/verify",
|
|
verificationUriComplete: "https://device.kiro.dev/verify?code=KIRO123",
|
|
expiresIn: 600,
|
|
interval: 5,
|
|
}),
|
|
jsonResponse({
|
|
accessToken: "kiro-access",
|
|
refreshToken: "kiro-refresh",
|
|
expiresIn: 3600,
|
|
}),
|
|
jsonResponse({
|
|
code: "kilo-code",
|
|
verificationUrl: "https://api.kilo.ai/device-auth/kilo-code",
|
|
expiresIn: 300,
|
|
}),
|
|
jsonResponse({ status: "approved", token: "kilo-access", userEmail: "kilo@example.com" }),
|
|
textResponse("", 202),
|
|
textResponse("", 403),
|
|
textResponse("", 410),
|
|
]);
|
|
|
|
const kiroDevice = await PROVIDERS.kiro.requestDeviceCode(KIRO_CONFIG);
|
|
const kiroPoll = await PROVIDERS.kiro.pollToken(
|
|
KIRO_CONFIG,
|
|
kiroDevice.device_code,
|
|
undefined,
|
|
kiroDevice
|
|
);
|
|
const kiroMapped = PROVIDERS.kiro.mapTokens(kiroPoll.data);
|
|
|
|
const kiloDevice = await PROVIDERS.kilocode.requestDeviceCode(KILOCODE_CONFIG);
|
|
const kiloApproved = await PROVIDERS.kilocode.pollToken(KILOCODE_CONFIG, kiloDevice.device_code);
|
|
const kiloPending = await PROVIDERS.kilocode.pollToken(KILOCODE_CONFIG, kiloDevice.device_code);
|
|
const kiloDenied = await PROVIDERS.kilocode.pollToken(KILOCODE_CONFIG, kiloDevice.device_code);
|
|
const kiloExpired = await PROVIDERS.kilocode.pollToken(KILOCODE_CONFIG, kiloDevice.device_code);
|
|
const kiloMapped = PROVIDERS.kilocode.mapTokens(kiloApproved.data);
|
|
|
|
assert.equal(kiroMapped.accessToken, "kiro-access");
|
|
assert.equal(kiroMapped.providerSpecificData.clientId, "kiro-client");
|
|
assert.equal(kiloApproved.ok, true);
|
|
assert.equal(kiloPending.data.error, "authorization_pending");
|
|
assert.equal(kiloDenied.data.error, "access_denied");
|
|
assert.equal(kiloExpired.data.error, "expired_token");
|
|
assert.equal(kiloMapped.email, "kilo@example.com");
|
|
});
|