OIDC: navigate to authorization endpoint (#11096)

* add delegatedauthentication to validated server config * dynamic client registration functions * test OP registration functions * add stubbed nativeOidc flow setup in Login * cover more error cases in Login * tidy * test dynamic client registration in Login * comment oidc_static_clients * register oidc inside Login.getFlows * strict fixes * remove unused code * and imports * comments * comments 2 * util functions to get static client id * check static client ids in login flow * remove dead code * OidcRegistrationClientMetadata type * navigate to oidc authorize url * navigate to oidc authorize url * test * adjust for js-sdk code * update test for response_mode query * use new types * strict * tidy
2023-06-29 09:08:56 +12:00 · 2023-06-29 09:08:56 +12:00 · 3f04e41c21
commit 3f04e41c21
parent 3de2bcdc1a
6 changed files with 205 additions and 8 deletions
--- a/test/utils/oidc/authorize-test.ts
+++ b/test/utils/oidc/authorize-test.ts
@ -0,0 +1,102 @@
+/*
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMockJest from "fetch-mock-jest";
+import * as randomStringUtils from "matrix-js-sdk/src/randomstring";
+
+import { startOidcLogin } from "../../../src/utils/oidc/authorize";
+
+describe("startOidcLogin()", () => {
+    const issuer = "https://auth.com/";
+    const authorizationEndpoint = "https://auth.com/authorization";
+    const homeserver = "https://matrix.org";
+    const clientId = "xyz789";
+    const baseUrl = "https://test.com";
+
+    const delegatedAuthConfig = {
+        issuer,
+        registrationEndpoint: issuer + "registration",
+        authorizationEndpoint,
+        tokenEndpoint: issuer + "token",
+    };
+
+    const sessionStorageGetSpy = jest.spyOn(sessionStorage.__proto__, "setItem").mockReturnValue(undefined);
+    const randomStringMockImpl = (length: number) => new Array(length).fill("x").join("");
+
+    // to restore later
+    const realWindowLocation = window.location;
+
+    beforeEach(() => {
+        fetchMockJest.mockClear();
+        fetchMockJest.resetBehavior();
+
+        sessionStorageGetSpy.mockClear();
+
+        // @ts-ignore allow delete of non-optional prop
+        delete window.location;
+        // @ts-ignore ugly mocking
+        window.location = {
+            href: baseUrl,
+            origin: baseUrl,
+        };
+
+        jest.spyOn(randomStringUtils, "randomString").mockRestore();
+    });
+
+    afterAll(() => {
+        window.location = realWindowLocation;
+    });
+
+    it("should store authorization params in session storage", async () => {
+        jest.spyOn(randomStringUtils, "randomString").mockReset().mockImplementation(randomStringMockImpl);
+        await startOidcLogin(delegatedAuthConfig, clientId, homeserver);
+
+        const state = randomStringUtils.randomString(8);
+
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(`oidc_${state}_nonce`, randomStringUtils.randomString(8));
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(`oidc_${state}_redirectUri`, baseUrl);
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(
+            `oidc_${state}_codeVerifier`,
+            randomStringUtils.randomString(64),
+        );
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(`oidc_${state}_clientId`, clientId);
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(`oidc_${state}_issuer`, issuer);
+        expect(sessionStorageGetSpy).toHaveBeenCalledWith(`oidc_${state}_homeserver`, homeserver);
+    });
+
+    it("navigates to authorization endpoint with correct parameters", async () => {
+        await startOidcLogin(delegatedAuthConfig, clientId, homeserver);
+
+        const expectedScopeWithoutDeviceId = `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:`;
+
+        const authUrl = new URL(window.location.href);
+
+        expect(authUrl.searchParams.get("response_mode")).toEqual("query");
+        expect(authUrl.searchParams.get("response_type")).toEqual("code");
+        expect(authUrl.searchParams.get("client_id")).toEqual(clientId);
+        expect(authUrl.searchParams.get("code_challenge_method")).toEqual("S256");
+
+        // scope ends with a 10char randomstring deviceId
+        const scope = authUrl.searchParams.get("scope")!;
+        expect(scope.substring(0, scope.length - 10)).toEqual(expectedScopeWithoutDeviceId);
+        expect(scope.substring(scope.length - 10)).toBeTruthy();
+
+        // random string, just check they are set
+        expect(authUrl.searchParams.has("state")).toBeTruthy();
+        expect(authUrl.searchParams.has("nonce")).toBeTruthy();
+        expect(authUrl.searchParams.has("code_challenge")).toBeTruthy();
+    });
+});