cardosofelipe/pragma-stack
Template
1
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: cardosofelipe:38114b79f99f9c3ea20e04a7dc35f39e2fff3dcf
Branches Tags
cardosofelipe:main cardosofelipe:dev
...
compare: cardosofelipe:088c1725b0deb9cac479f289d728db0c7282271f
Branches Tags
cardosofelipe:dev cardosofelipe:main

7 Commits
38114b79f9 ... 088c1725b0

Author SHA1 Message Date
Felipe Cardoso
088c1725b0 Update ContextSection and TechStackSection with OAuth 2.0 and i18n features 
- Replaced outdated features with 'OAuth 2.0 + Social Login' and 'i18n Ready' in ContextSection.
- Updated TechStackSection to include OAuth 2.0 (social login + provider mode) and next-intl (English, Italian) support.
- Refined descriptions in FeatureGrid and HeroSection to highlight new features.
- Improved messaging around OAuth and internationalization readiness across components.
 2025-11-26 14:44:12 +01:00
Felipe Cardoso
7ba1767cea Refactor E2E tests for OAuth provider workflows 
- Renamed unused `code_verifier` variables to `_code_verifier` for clarity.
- Improved test readability by reformatting long lines and assertions.
- Streamlined `get` request calls by consolidating parameters into single lines.
 2025-11-26 14:10:25 +01:00
Felipe Cardoso
c63b6a4f76 Add E2E tests for OAuth consent page workflows 
- Added tests for OAuth consent page covering parameter validation, unauthenticated user redirects, authenticated user interactions, scope management, and consent API calls.
- Verified behaviors such as error handling, toggling scopes, loading states, and authorize/deny actions.
- Updated utility methods with `loginViaUI` for improved test setup.
 2025-11-26 14:06:36 +01:00
Felipe Cardoso
803b720530 Add comprehensive E2E tests for OAuth provider workflows 
- Introduced E2E test coverage for OAuth Provider mode, covering metadata discovery, client management, authorization flows, token operations, consent management, and security checks.
- Verified PKCE enforcement, consent submission, token rotation, and introspection.
- Expanded fixtures and utility methods for testing real OAuth scenarios with PostgreSQL via Testcontainers.
 2025-11-26 14:06:20 +01:00
Felipe Cardoso
7ff00426f2 Add detailed OAuth documentation and configuration examples 
- Updated `ARCHITECTURE.md` with thorough explanations of OAuth Consumer and Provider modes, supported flows, security features, and endpoints.
- Enhanced `.env.template` with environment variables for OAuth Provider mode setup.
- Expanded `README.md` to highlight OAuth Provider mode capabilities and MCP integration features.
- Added OAuth configuration section to `AGENTS.md`, including key settings for both social login and provider mode.
 2025-11-26 13:38:55 +01:00
Felipe Cardoso
b3f0dd4005 Add full OAuth provider functionality and enhance flows 
- Implemented OAuth 2.0 Authorization Server endpoints per RFCs, including token, introspection, revocation, and metadata discovery.
- Added user consent submission, listing, and revocation APIs alongside frontend integration for improved UX.
- Enforced stricter OAuth security measures (PKCE, state validation, scopes).
- Refactored schemas and services for consistency and expanded coverage of OAuth workflows.
- Updated documentation and type definitions for new API behaviors.
 2025-11-26 13:23:44 +01:00
Felipe Cardoso
707315facd Suppress jsdom XMLHttpRequest errors in Jest tests 
- Added `jest.environment.js` to create a custom Jest environment that filters out harmless XMLHttpRequest errors from jsdom's VirtualConsole.
- Updated `jest.config.js` to use the custom environment, reducing noisy test outputs.
 2025-11-26 11:23:56 +01:00
27 changed files with 2112 additions and 97 deletions
Expand all files Collapse all files

6
.env.demo
View File

@@ -40,6 +40,12 @@ OAUTH_AUTO_LINK_BY_EMAIL=true
# OAUTH_GITHUB_CLIENT_ID=your-github-client-id
# OAUTH_GITHUB_CLIENT_SECRET=your-github-client-secret
# OAuth Provider Mode (Authorization Server for MCP/third-party clients)
# Set OAUTH_PROVIDER_ENABLED=true to act as an OAuth 2.0 Authorization Server
OAUTH_PROVIDER_ENABLED=true
# IMPORTANT: Must be HTTPS in production!
OAUTH_ISSUER=http://localhost:8000
# Frontend settings
FRONTEND_PORT=3000
FRONTEND_URL=http://localhost:3000

6
.env.template
View File

@@ -40,6 +40,12 @@ OAUTH_AUTO_LINK_BY_EMAIL=true
# OAUTH_GITHUB_CLIENT_ID=your-github-client-id
# OAUTH_GITHUB_CLIENT_SECRET=your-github-client-secret
# OAuth Provider Mode (Authorization Server for MCP/third-party clients)
# Set OAUTH_PROVIDER_ENABLED=true to act as an OAuth 2.0 Authorization Server
OAUTH_PROVIDER_ENABLED=false
# IMPORTANT: Must be HTTPS in production!
OAUTH_ISSUER=http://localhost:8000
# Frontend settings
FRONTEND_PORT=3000
FRONTEND_URL=http://localhost:3000

20
AGENTS.md
View File

@@ -90,6 +90,26 @@ Full OAuth 2.0 Authorization Server for MCP (Model Context Protocol) clients:
**Scopes supported:** `openid`, `profile`, `email`, `read:users`, `write:users`, `admin`
**OAuth Configuration (backend `.env`):**
```bash
# OAuth Social Login (as OAuth Consumer)
OAUTH_ENABLED=true # Enable OAuth social login
OAUTH_AUTO_LINK_BY_EMAIL=true # Auto-link accounts by email
OAUTH_STATE_EXPIRE_MINUTES=10 # CSRF state expiration
# Google OAuth
OAUTH_GOOGLE_CLIENT_ID=your-google-client-id
OAUTH_GOOGLE_CLIENT_SECRET=your-google-client-secret
# GitHub OAuth
OAUTH_GITHUB_CLIENT_ID=your-github-client-id
OAUTH_GITHUB_CLIENT_SECRET=your-github-client-secret
# OAuth Provider Mode (as Authorization Server for MCP)
OAUTH_PROVIDER_ENABLED=true # Enable OAuth provider mode
OAUTH_ISSUER=https://api.yourdomain.com # JWT issuer URL (must be HTTPS in production)
```
### Database Pattern
- **Async SQLAlchemy 2.0** with PostgreSQL
- **Connection pooling**: 20 base connections, 50 max overflow

13
README.md
View File

@@ -53,12 +53,25 @@ Whether you're building a SaaS, an internal tool, or a side project, PragmaStack
### 🔐 **Authentication & Security**
- JWT-based authentication with access + refresh tokens
- **OAuth/Social Login** (Google, GitHub) with PKCE support
- **OAuth 2.0 Authorization Server** (MCP-ready) for third-party integrations
- Session management with device tracking and revocation
- Password reset flow (email integration ready)
- Secure password hashing (bcrypt)
- CSRF protection, rate limiting, and security headers
- Comprehensive security tests (JWT algorithm attacks, session hijacking, privilege escalation)
### 🔌 **OAuth Provider Mode (MCP Integration)**
Full OAuth 2.0 Authorization Server for Model Context Protocol (MCP) and third-party clients:
- **RFC 7636**: Authorization Code Flow with PKCE (S256 only)
- **RFC 8414**: Server metadata discovery at `/.well-known/oauth-authorization-server`
- **RFC 7662**: Token introspection endpoint
- **RFC 7009**: Token revocation endpoint
- **JWT access tokens**: Self-contained, configurable lifetime
- **Opaque refresh tokens**: Secure rotation, database-backed revocation
- **Consent management**: Users can review and revoke app permissions
- **Client management**: Admin endpoints for registering OAuth clients
- **Scopes**: `openid`, `profile`, `email`, `read:users`, `write:users`, `admin`
### 👥 **Multi-Tenancy & Organizations**
- Full organization system with role-based access control (Owner, Admin, Member)
- Invite/remove members, manage permissions

0
backend/app/alembic/versions/f8c3d2e1a4b5_add_oauth_provider_models.py Normal file → Executable file
View File

14
backend/app/api/routes/oauth_provider.py
View File

@@ -27,7 +27,11 @@ from slowapi import Limiter
from slowapi.util import get_remote_address
from sqlalchemy.ext.asyncio import AsyncSession
from app.api.dependencies.auth import get_current_active_user, get_current_superuser
from app.api.dependencies.auth import (
get_current_active_user,
get_current_superuser,
get_optional_current_user,
)
from app.core.config import settings
from app.core.database import get_db
from app.crud import oauth_client as oauth_client_crud
@@ -42,6 +46,8 @@ from app.schemas.oauth import (
from app.services import oauth_provider_service as provider_service
router = APIRouter()
# Separate router for RFC 8414 well-known endpoint (registered at root level)
wellknown_router = APIRouter()
logger = logging.getLogger(__name__)
limiter = Limiter(key_func=get_remote_address)
@@ -60,7 +66,7 @@ def require_provider_enabled():
# ============================================================================
@router.get(
@wellknown_router.get(
"/.well-known/oauth-authorization-server",
response_model=OAuthServerMetadata,
summary="OAuth Server Metadata",
@@ -69,6 +75,8 @@ def require_provider_enabled():
Returns server metadata including supported endpoints, scopes,
and capabilities. MCP clients use this to discover the server.
Note: This endpoint is at the root level per RFC 8414.
""",
operation_id="get_oauth_server_metadata",
tags=["OAuth Provider"],
@@ -153,7 +161,7 @@ async def authorize(
nonce: str | None = Query(default=None, description="OpenID Connect nonce"),
db: AsyncSession = Depends(get_db),
_: None = Depends(require_provider_enabled),
current_user: User | None = Depends(get_current_active_user),
current_user: User | None = Depends(get_optional_current_user),
) -> Any:
"""
Authorization endpoint - initiates OAuth flow.

5
backend/app/main.py
View File

@@ -14,6 +14,7 @@ from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address
from app.api.main import api_router
from app.api.routes.oauth_provider import wellknown_router as oauth_wellknown_router
from app.core.config import settings
from app.core.database import check_database_health
from app.core.exceptions import (
@@ -324,3 +325,7 @@ async def health_check() -> JSONResponse:
app.include_router(api_router, prefix=settings.API_V1_STR)
# OAuth 2.0 well-known endpoint at root level per RFC 8414
# This allows MCP clients to discover the OAuth server metadata at /.well-known/oauth-authorization-server
app.include_router(oauth_wellknown_router)

0
backend/app/models/oauth_account.py Normal file → Executable file
View File

0
backend/app/models/oauth_authorization_code.py Normal file → Executable file
View File

0
backend/app/models/oauth_client.py Normal file → Executable file
View File

0
backend/app/models/oauth_provider_token.py Normal file → Executable file
View File

0
backend/app/models/oauth_state.py Normal file → Executable file
View File

0
backend/app/services/oauth_provider_service.py Normal file → Executable file
View File

78
backend/docs/ARCHITECTURE.md
View File

@@ -818,6 +818,84 @@ def add_member(
pass
```
### OAuth Integration
The system supports two OAuth modes:
#### OAuth Consumer Mode (Social Login)
Users can authenticate via Google or GitHub OAuth providers:
```python
# Get authorization URL with PKCE support
GET /oauth/authorize/{provider}?redirect_uri=https://yourapp.com/callback
# Handle callback and exchange code for tokens
POST /oauth/callback/{provider}
{
"code": "authorization_code_from_provider",
"state": "csrf_state_token"
}
```
**Security Features:**
- PKCE (S256) for Google
- State parameter for CSRF protection
- Nonce for Google OIDC replay attack prevention
- Google ID token signature verification via JWKS
- Email normalization to prevent account duplication
- Auto-linking by email (configurable)
#### OAuth Provider Mode (MCP Integration)
Full OAuth 2.0 Authorization Server for third-party clients (RFC compliant):
```
┌─────────────┐ ┌─────────────┐
│ MCP Client │ │ Backend │
└──────┬──────┘ └──────┬──────┘
│ │
│ GET /.well-known/oauth-authorization-server│
│─────────────────────────────────────────────>│
│ {metadata} │
│<─────────────────────────────────────────────│
│ │
│ GET /oauth/provider/authorize │
│ ?response_type=code&client_id=... │
│ &redirect_uri=...&code_challenge=... │
│─────────────────────────────────────────────>│
│ │
│ (User consents) │
│ │
│ 302 redirect_uri?code=AUTH_CODE&state=... │
│<─────────────────────────────────────────────│
│ │
│ POST /oauth/provider/token │
│ {grant_type=authorization_code, │
│ code=AUTH_CODE, code_verifier=...} │
│─────────────────────────────────────────────>│
│ │
│ {access_token, refresh_token, expires_in} │
│<─────────────────────────────────────────────│
│ │
```
**Endpoints:**
- `GET /.well-known/oauth-authorization-server` - RFC 8414 metadata
- `GET /oauth/provider/authorize` - Authorization endpoint
- `POST /oauth/provider/token` - Token endpoint (authorization_code, refresh_token)
- `POST /oauth/provider/revoke` - RFC 7009 token revocation
- `POST /oauth/provider/introspect` - RFC 7662 token introspection
**Security Features:**
- PKCE S256 required for public clients (plain method rejected)
- Authorization codes are single-use with 10-minute expiry
- Code reuse detection triggers security incident (all tokens revoked)
- Refresh token rotation on use
- Opaque refresh tokens (hashed in database)
- JWT access tokens with standard claims
- Consent management per client
## Error Handling
### Exception Hierarchy

65
backend/tests/api/test_oauth.py
View File

@@ -291,9 +291,8 @@ class TestOAuthProviderEndpoints:
with patch("app.api.routes.oauth_provider.settings") as mock_settings:
mock_settings.OAUTH_PROVIDER_ENABLED = False
response = await client.get(
"/api/v1/oauth/.well-known/oauth-authorization-server"
)
# RFC 8414: well-known endpoint is at root level
response = await client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 404
@pytest.mark.asyncio
@@ -303,9 +302,8 @@ class TestOAuthProviderEndpoints:
mock_settings.OAUTH_PROVIDER_ENABLED = True
mock_settings.OAUTH_ISSUER = "https://api.example.com"
response = await client.get(
"/api/v1/oauth/.well-known/oauth-authorization-server"
)
# RFC 8414: well-known endpoint is at root level
response = await client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 200
data = response.json()
assert data["issuer"] == "https://api.example.com"
@@ -344,8 +342,10 @@ class TestOAuthProviderEndpoints:
assert response.status_code == 404
@pytest.mark.asyncio
async def test_provider_authorize_requires_auth(self, client, async_test_db):
"""Test provider authorize requires authentication."""
async def test_provider_authorize_public_client_requires_pkce(
self, client, async_test_db
):
"""Test provider authorize requires PKCE for public clients."""
_test_engine, AsyncTestingSessionLocal = async_test_db
# Create a test client
@@ -373,9 +373,54 @@ class TestOAuthProviderEndpoints:
"client_id": test_client_id,
"redirect_uri": "http://localhost:3000/callback",
},
follow_redirects=False,
)
# Authorize endpoint requires authentication
assert response.status_code == 401
# Public client without PKCE gets redirect with error
assert response.status_code == 302
assert "error=invalid_request" in response.headers.get("location", "")
assert "PKCE" in response.headers.get("location", "")
@pytest.mark.asyncio
async def test_provider_authorize_redirects_to_login(self, client, async_test_db):
"""Test provider authorize redirects unauthenticated users to login."""
_test_engine, AsyncTestingSessionLocal = async_test_db
# Create a test client
from app.crud.oauth import oauth_client
from app.schemas.oauth import OAuthClientCreate
async with AsyncTestingSessionLocal() as session:
client_data = OAuthClientCreate(
client_name="Test App",
redirect_uris=["http://localhost:3000/callback"],
allowed_scopes=["read:users"],
)
test_client, _ = await oauth_client.create_client(
session, obj_in=client_data
)
test_client_id = test_client.client_id
with patch("app.api.routes.oauth_provider.settings") as mock_settings:
mock_settings.OAUTH_PROVIDER_ENABLED = True
mock_settings.FRONTEND_URL = "http://localhost:3000"
# Include PKCE parameters for public client
response = await client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": test_client_id,
"redirect_uri": "http://localhost:3000/callback",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
},
follow_redirects=False,
)
# Unauthenticated users get redirected to login
assert response.status_code == 302
location = response.headers.get("location", "")
assert "/login" in location
assert "return_to" in location
@pytest.mark.asyncio
async def test_provider_token_requires_client_id(self, client):

942
backend/tests/e2e/test_oauth_provider_workflows.py Normal file
View File

@@ -0,0 +1,942 @@
"""
E2E Tests for OAuth Provider (Authorization Server) Workflows.
Tests the complete OAuth 2.0 Authorization Server functionality using
real PostgreSQL containers via Testcontainers.
Requirements:
- Docker must be running
- E2E dependencies: make install-e2e
Run with:
make test-e2e
# or specific file:
TESTCONTAINERS_RYUK_DISABLED=true IS_TEST=True uv run pytest tests/e2e/test_oauth_provider_workflows.py -v
"""
import base64
import hashlib
import secrets
from unittest.mock import patch
import pytest
import pytest_asyncio
from app.core.config import settings
def generate_pkce_pair():
"""Generate PKCE code_verifier and code_challenge pair."""
code_verifier = secrets.token_urlsafe(64)
# S256: SHA256(code_verifier) then base64url encode
digest = hashlib.sha256(code_verifier.encode()).digest()
code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
return code_verifier, code_challenge
def get_error_message(response_json: dict) -> str:
"""Extract error message from API response (supports both formats)."""
# New standardized format with errors array
if response_json.get("errors"):
return response_json["errors"][0].get("message", "")
# Legacy format with detail
return response_json.get("detail", "")
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderServerMetadata:
"""Test OAuth Provider server metadata endpoint."""
@pytest.mark.asyncio
async def test_server_metadata_endpoint(self, e2e_client):
"""Test RFC 8414 well-known endpoint returns correct metadata."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "https://api.example.com"):
response = await e2e_client.get(
"/.well-known/oauth-authorization-server"
)
assert response.status_code == 200
data = response.json()
# Verify required metadata fields
assert data["issuer"] == "https://api.example.com"
assert "authorization_endpoint" in data
assert "token_endpoint" in data
assert "revocation_endpoint" in data
assert "introspection_endpoint" in data
# Verify supported features
assert "code" in data["response_types_supported"]
assert "authorization_code" in data["grant_types_supported"]
assert "refresh_token" in data["grant_types_supported"]
assert "S256" in data["code_challenge_methods_supported"]
@pytest.mark.asyncio
async def test_server_metadata_disabled(self, e2e_client):
"""Test server metadata returns 404 when provider mode is disabled."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", False):
response = await e2e_client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 404
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderClientManagement:
"""Test OAuth client registration and management."""
@pytest.mark.asyncio
async def test_register_public_client(self, e2e_client, e2e_superuser):
"""Test registering a public OAuth client."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Test MCP Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid profile email",
},
)
assert response.status_code == 200
data = response.json()
assert "client_id" in data
assert data["client_name"] == "Test MCP Client"
assert data["client_type"] == "public"
# Public clients don't get a secret
assert "client_secret" not in data
@pytest.mark.asyncio
async def test_register_confidential_client(self, e2e_client, e2e_superuser):
"""Test registering a confidential OAuth client."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Confidential App",
"redirect_uris": "http://localhost:8080/callback",
"client_type": "confidential",
"scopes": "openid profile email read:users",
},
)
assert response.status_code == 200
data = response.json()
assert "client_id" in data
assert "client_secret" in data
assert data["client_type"] == "confidential"
assert "warning" in data # Security warning about storing secret
@pytest.mark.asyncio
async def test_list_clients(self, e2e_client, e2e_superuser):
"""Test listing all OAuth clients."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# First create a client
await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "List Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid",
},
)
# Then list all
response = await e2e_client.get(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
)
assert response.status_code == 200
data = response.json()
assert isinstance(data, list)
assert len(data) >= 1
@pytest.mark.asyncio
async def test_delete_client(self, e2e_client, e2e_superuser):
"""Test deleting an OAuth client."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# Create a client
create_response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Delete Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid",
},
)
client_id = create_response.json()["client_id"]
# Delete it
delete_response = await e2e_client.delete(
f"/api/v1/oauth/provider/clients/{client_id}",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
)
assert delete_response.status_code == 204
# Verify it's gone
list_response = await e2e_client.get(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
)
clients = list_response.json()
assert not any(c["client_id"] == client_id for c in clients)
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderAuthorizationFlow:
"""Test OAuth authorization code flow."""
@pytest_asyncio.fixture
async def oauth_client(self, e2e_client, e2e_superuser):
"""Create a test OAuth client for authorization tests."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Auth Flow Test Client",
"redirect_uris": "http://localhost:3000/callback,http://localhost:3000/oauth/callback",
"client_type": "public",
"scopes": "openid profile email read:users",
},
)
return response.json()
@pytest.mark.asyncio
async def test_authorize_requires_pkce_for_public_client(
self, e2e_client, oauth_client
):
"""Test that public clients must use PKCE."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "FRONTEND_URL", "http://localhost:3000"):
response = await e2e_client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": oauth_client["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"state": "test_state_123",
},
follow_redirects=False,
)
# Should redirect with error
assert response.status_code == 302
location = response.headers.get("location", "")
assert "error=invalid_request" in location
assert "PKCE" in location
@pytest.mark.asyncio
async def test_authorize_redirects_unauthenticated_to_login(
self, e2e_client, oauth_client
):
"""Test that unauthenticated users are redirected to login."""
_code_verifier, code_challenge = generate_pkce_pair()
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "FRONTEND_URL", "http://localhost:3000"):
response = await e2e_client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": oauth_client["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"state": "test_state_123",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
follow_redirects=False,
)
# Should redirect to login
assert response.status_code == 302
location = response.headers.get("location", "")
assert "/login" in location
assert "return_to" in location
@pytest.mark.asyncio
async def test_authorize_redirects_to_consent_for_authenticated_user(
self, e2e_client, oauth_client, e2e_superuser
):
"""Test that authenticated users without consent are redirected to consent page."""
_code_verifier, code_challenge = generate_pkce_pair()
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "FRONTEND_URL", "http://localhost:3000"):
response = await e2e_client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": oauth_client["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"state": "test_state_123",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
follow_redirects=False,
)
# Should redirect to consent page
assert response.status_code == 302
location = response.headers.get("location", "")
assert "/auth/consent" in location
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderCompleteFlow:
"""Test complete OAuth authorization code flow with token exchange."""
@pytest_asyncio.fixture
async def oauth_setup(self, e2e_client, e2e_superuser):
"""Create OAuth client and prepare for authorization flow."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# Create a public client
response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Complete Flow Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid profile email",
},
)
client_data = response.json()
# Generate PKCE pair
code_verifier, code_challenge = generate_pkce_pair()
return {
"client": client_data,
"code_verifier": code_verifier,
"code_challenge": code_challenge,
"user": e2e_superuser,
}
@pytest.mark.asyncio
async def test_consent_submission_generates_code(self, e2e_client, oauth_setup):
"""Test that submitting consent generates an authorization code."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {oauth_setup['user']['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": oauth_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile email",
"state": "test_state_456",
"code_challenge": oauth_setup["code_challenge"],
"code_challenge_method": "S256",
},
follow_redirects=False,
)
# Should redirect with code
assert response.status_code == 302
location = response.headers.get("location", "")
assert "code=" in location
assert "state=test_state_456" in location
assert "error" not in location
@pytest.mark.asyncio
async def test_consent_denial_returns_error(self, e2e_client, oauth_setup):
"""Test that denying consent returns access_denied error."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {oauth_setup['user']['tokens']['access_token']}"
},
data={
"approved": "false",
"client_id": oauth_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"state": "test_state_789",
},
follow_redirects=False,
)
# Should redirect with error
assert response.status_code == 302
location = response.headers.get("location", "")
assert "error=access_denied" in location
assert "state=test_state_789" in location
@pytest.mark.asyncio
async def test_complete_authorization_code_flow(self, e2e_client, oauth_setup):
"""Test complete flow: consent -> code -> token exchange."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
# Step 1: Submit consent
consent_response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {oauth_setup['user']['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": oauth_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile email",
"state": "flow_test_state",
"code_challenge": oauth_setup["code_challenge"],
"code_challenge_method": "S256",
},
follow_redirects=False,
)
assert consent_response.status_code == 302
location = consent_response.headers.get("location", "")
# Extract code from redirect URL
from urllib.parse import parse_qs, urlparse
parsed = urlparse(location)
params = parse_qs(parsed.query)
assert "code" in params
auth_code = params["code"][0]
# Step 2: Exchange code for tokens
token_response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "http://localhost:3000/callback",
"client_id": oauth_setup["client"]["client_id"],
"code_verifier": oauth_setup["code_verifier"],
},
)
assert token_response.status_code == 200
tokens = token_response.json()
assert "access_token" in tokens
assert "refresh_token" in tokens
assert tokens["token_type"] == "Bearer"
assert "expires_in" in tokens
assert "scope" in tokens
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderTokenOperations:
"""Test token refresh, revocation, and introspection."""
@pytest_asyncio.fixture
async def tokens_setup(self, e2e_client, e2e_superuser):
"""Get tokens through complete OAuth flow for testing."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
# Create client
client_response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Token Ops Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid profile email",
},
)
client_data = client_response.json()
# Generate PKCE
code_verifier, code_challenge = generate_pkce_pair()
# Submit consent
consent_response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": client_data["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile email",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
follow_redirects=False,
)
# Extract code
from urllib.parse import parse_qs, urlparse
location = consent_response.headers.get("location", "")
parsed = urlparse(location)
params = parse_qs(parsed.query)
auth_code = params["code"][0]
# Exchange for tokens
token_response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "http://localhost:3000/callback",
"client_id": client_data["client_id"],
"code_verifier": code_verifier,
},
)
return {
"tokens": token_response.json(),
"client": client_data,
"user": e2e_superuser,
}
@pytest.mark.asyncio
async def test_token_introspection_active(self, e2e_client, tokens_setup):
"""Test introspecting an active access token."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
response = await e2e_client.post(
"/api/v1/oauth/provider/introspect",
data={
"token": tokens_setup["tokens"]["access_token"],
"token_type_hint": "access_token",
},
)
assert response.status_code == 200
data = response.json()
assert data["active"] is True
assert "scope" in data
assert data["client_id"] == tokens_setup["client"]["client_id"]
@pytest.mark.asyncio
async def test_token_introspection_refresh_token(self, e2e_client, tokens_setup):
"""Test introspecting a refresh token."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/introspect",
data={
"token": tokens_setup["tokens"]["refresh_token"],
"token_type_hint": "refresh_token",
},
)
assert response.status_code == 200
data = response.json()
assert data["active"] is True
assert data["token_type"] == "refresh_token"
@pytest.mark.asyncio
async def test_token_refresh(self, e2e_client, tokens_setup):
"""Test refreshing an access token."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "refresh_token",
"refresh_token": tokens_setup["tokens"]["refresh_token"],
"client_id": tokens_setup["client"]["client_id"],
},
)
assert response.status_code == 200
data = response.json()
assert "access_token" in data
assert "refresh_token" in data
# New tokens should be different (token rotation)
assert data["access_token"] != tokens_setup["tokens"]["access_token"]
assert data["refresh_token"] != tokens_setup["tokens"]["refresh_token"]
@pytest.mark.asyncio
async def test_token_revocation(self, e2e_client, tokens_setup):
"""Test revoking a refresh token."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# Revoke refresh token
revoke_response = await e2e_client.post(
"/api/v1/oauth/provider/revoke",
data={
"token": tokens_setup["tokens"]["refresh_token"],
"token_type_hint": "refresh_token",
},
)
# Per RFC 7009, always returns 200
assert revoke_response.status_code == 200
# Verify token is no longer active
introspect_response = await e2e_client.post(
"/api/v1/oauth/provider/introspect",
data={
"token": tokens_setup["tokens"]["refresh_token"],
"token_type_hint": "refresh_token",
},
)
assert introspect_response.status_code == 200
assert introspect_response.json()["active"] is False
@pytest.mark.asyncio
async def test_revoked_refresh_token_cannot_be_used(self, e2e_client, tokens_setup):
"""Test that a revoked refresh token cannot be used for refresh."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# Revoke first
await e2e_client.post(
"/api/v1/oauth/provider/revoke",
data={
"token": tokens_setup["tokens"]["refresh_token"],
},
)
# Try to use revoked token
refresh_response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "refresh_token",
"refresh_token": tokens_setup["tokens"]["refresh_token"],
"client_id": tokens_setup["client"]["client_id"],
},
)
assert refresh_response.status_code == 400
assert "invalid_grant" in get_error_message(refresh_response.json())
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderConsentManagement:
"""Test user consent listing and revocation."""
@pytest_asyncio.fixture
async def consent_setup(self, e2e_client, e2e_superuser):
"""Create OAuth client and grant consent for testing."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
# Create client
client_response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Consent Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid profile email",
},
)
client_data = client_response.json()
# Generate PKCE and grant consent
_code_verifier, code_challenge = generate_pkce_pair()
await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": client_data["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile email",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
follow_redirects=False,
)
return {
"client": client_data,
"user": e2e_superuser,
}
@pytest.mark.asyncio
async def test_list_my_consents(self, e2e_client, consent_setup):
"""Test listing user's OAuth consents."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.get(
"/api/v1/oauth/provider/consents",
headers={
"Authorization": f"Bearer {consent_setup['user']['tokens']['access_token']}"
},
)
assert response.status_code == 200
data = response.json()
assert isinstance(data, list)
assert len(data) >= 1
# Find our consent
consent = next(
(
c
for c in data
if c["client_id"] == consent_setup["client"]["client_id"]
),
None,
)
assert consent is not None
assert consent["client_name"] == "Consent Test Client"
assert "granted_scopes" in consent
assert "granted_at" in consent
@pytest.mark.asyncio
async def test_revoke_my_consent(self, e2e_client, consent_setup):
"""Test revoking user's OAuth consent."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
# Revoke consent
revoke_response = await e2e_client.delete(
f"/api/v1/oauth/provider/consents/{consent_setup['client']['client_id']}",
headers={
"Authorization": f"Bearer {consent_setup['user']['tokens']['access_token']}"
},
)
assert revoke_response.status_code == 204
# Verify consent is gone
list_response = await e2e_client.get(
"/api/v1/oauth/provider/consents",
headers={
"Authorization": f"Bearer {consent_setup['user']['tokens']['access_token']}"
},
)
consents = list_response.json()
assert not any(
c["client_id"] == consent_setup["client"]["client_id"] for c in consents
)
@pytest.mark.e2e
@pytest.mark.postgres
class TestOAuthProviderSecurityChecks:
"""Test OAuth Provider security features."""
@pytest_asyncio.fixture
async def security_setup(self, e2e_client, e2e_superuser):
"""Create OAuth client for security tests."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/clients",
headers={
"Authorization": f"Bearer {e2e_superuser['tokens']['access_token']}"
},
data={
"client_name": "Security Test Client",
"redirect_uris": "http://localhost:3000/callback",
"client_type": "public",
"scopes": "openid profile email",
},
)
return {
"client": response.json(),
"user": e2e_superuser,
}
@pytest.mark.asyncio
async def test_invalid_redirect_uri_rejected(self, e2e_client, security_setup):
"""Test that unregistered redirect_uri is rejected."""
_code_verifier, code_challenge = generate_pkce_pair()
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": security_setup["client"]["client_id"],
"redirect_uri": "http://evil.com/callback", # Not registered
"scope": "openid",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
headers={
"Authorization": f"Bearer {security_setup['user']['tokens']['access_token']}"
},
)
# Should return 400, not redirect
assert response.status_code == 400
assert "Invalid redirect_uri" in get_error_message(response.json())
@pytest.mark.asyncio
async def test_plain_pkce_method_rejected(self, e2e_client, security_setup):
"""Test that 'plain' PKCE method is rejected (security requirement)."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "FRONTEND_URL", "http://localhost:3000"):
response = await e2e_client.get(
"/api/v1/oauth/provider/authorize",
params={
"response_type": "code",
"client_id": security_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid",
"code_challenge": "some_challenge",
"code_challenge_method": "plain", # Should be rejected
},
headers={
"Authorization": f"Bearer {security_setup['user']['tokens']['access_token']}"
},
)
assert response.status_code == 400
assert "S256" in get_error_message(response.json())
@pytest.mark.asyncio
async def test_authorization_code_single_use(self, e2e_client, security_setup):
"""Test that authorization codes can only be used once."""
code_verifier, code_challenge = generate_pkce_pair()
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
# Get an authorization code
consent_response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {security_setup['user']['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": security_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
follow_redirects=False,
)
from urllib.parse import parse_qs, urlparse
location = consent_response.headers.get("location", "")
parsed = urlparse(location)
params = parse_qs(parsed.query)
auth_code = params["code"][0]
# First use - should succeed
first_response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "http://localhost:3000/callback",
"client_id": security_setup["client"]["client_id"],
"code_verifier": code_verifier,
},
)
assert first_response.status_code == 200
# Second use - should fail
second_response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "http://localhost:3000/callback",
"client_id": security_setup["client"]["client_id"],
"code_verifier": code_verifier,
},
)
assert second_response.status_code == 400
assert "already been used" in get_error_message(second_response.json())
@pytest.mark.asyncio
async def test_invalid_pkce_verifier_rejected(self, e2e_client, security_setup):
"""Test that wrong code_verifier is rejected."""
_code_verifier, code_challenge = generate_pkce_pair()
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
with patch.object(settings, "OAUTH_ISSUER", "http://e2e-test"):
# Get an authorization code
consent_response = await e2e_client.post(
"/api/v1/oauth/provider/authorize/consent",
headers={
"Authorization": f"Bearer {security_setup['user']['tokens']['access_token']}"
},
data={
"approved": "true",
"client_id": security_setup["client"]["client_id"],
"redirect_uri": "http://localhost:3000/callback",
"scope": "openid profile",
"code_challenge": code_challenge,
"code_challenge_method": "S256",
},
follow_redirects=False,
)
from urllib.parse import parse_qs, urlparse
location = consent_response.headers.get("location", "")
parsed = urlparse(location)
params = parse_qs(parsed.query)
auth_code = params["code"][0]
# Use wrong verifier
response = await e2e_client.post(
"/api/v1/oauth/provider/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "http://localhost:3000/callback",
"client_id": security_setup["client"]["client_id"],
"code_verifier": "wrong_verifier_value",
},
)
assert response.status_code == 400
assert "code_verifier" in get_error_message(response.json()).lower()
@pytest.mark.asyncio
async def test_introspect_invalid_token(self, e2e_client):
"""Test that introspecting an invalid token returns active=false."""
with patch.object(settings, "OAUTH_PROVIDER_ENABLED", True):
response = await e2e_client.post(
"/api/v1/oauth/provider/introspect",
data={
"token": "invalid_token_that_does_not_exist",
},
)
assert response.status_code == 200
assert response.json()["active"] is False

253
frontend/e2e/auth-oauth.spec.ts
View File

@@ -4,7 +4,7 @@
*/
import { test, expect } from '@playwright/test';
import { setupAuthenticatedMocks } from './helpers/auth';
import { setupAuthenticatedMocks, loginViaUI } from './helpers/auth';
test.describe('OAuth Authentication', () => {
test.describe('Login Page OAuth', () => {
@@ -167,4 +167,255 @@ test.describe('OAuth Authentication', () => {
expect(authorizationCalled).toBe(true);
});
});
test.describe('OAuth Provider Consent Page', () => {
const mockConsentParams = {
client_id: 'test-mcp-client-id',
client_name: 'Test MCP Application',
redirect_uri: 'http://localhost:3001/callback',
scope: 'openid profile email',
state: 'mock-state-token-123',
code_challenge: 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM',
code_challenge_method: 'S256',
};
test.beforeEach(async ({ page }) => {
// Set up API mocks
await setupAuthenticatedMocks(page);
});
test('should display error when required params are missing', async ({ page }) => {
// Navigate to consent page without params
await page.goto('/en/auth/consent');
// Should show error alert
await expect(page.getByText(/invalid authorization request/i)).toBeVisible({
timeout: 10000,
});
await expect(page.getByText(/missing required parameters/i)).toBeVisible();
});
test('should redirect unauthenticated users to login', async ({ page }) => {
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
// Navigate to consent page without being logged in
await page.goto(`/en/auth/consent?${params.toString()}`);
// Should redirect to login page with return_to parameter
await expect(page).toHaveURL(/\/login\?return_to=/i, { timeout: 10000 });
});
test('should display consent page with client info for authenticated user', async ({
page,
}) => {
// First log in
await loginViaUI(page);
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
// Navigate to consent page
await page.goto(`/en/auth/consent?${params.toString()}`);
// Should display authorization request header
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Should display client name
await expect(page.getByText('Test MCP Application')).toBeVisible();
// Should display the requested scopes (use exact match to avoid duplicates)
await expect(page.getByText('OpenID Connect')).toBeVisible();
await expect(page.getByLabel('Profile')).toBeVisible();
await expect(page.getByLabel('Email')).toBeVisible();
// Should display redirect URI
await expect(page.getByText(/localhost:3001\/callback/i)).toBeVisible();
// Should display Authorize and Deny buttons
await expect(page.getByRole('button', { name: /authorize/i })).toBeVisible();
await expect(page.getByRole('button', { name: /deny/i })).toBeVisible();
});
test('should allow toggling scopes', async ({ page }) => {
// First log in
await loginViaUI(page);
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
await page.goto(`/en/auth/consent?${params.toString()}`);
// Wait for page to load
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Find OpenID scope checkbox and toggle it
const openidCheckbox = page.locator('#scope-openid');
await expect(openidCheckbox).toBeChecked();
// Uncheck it
await openidCheckbox.click();
await expect(openidCheckbox).not.toBeChecked();
// Check it again
await openidCheckbox.click();
await expect(openidCheckbox).toBeChecked();
});
test('should disable Authorize button when no scopes selected', async ({ page }) => {
// First log in
await loginViaUI(page);
// Build consent URL with single scope for easier testing
const params = new URLSearchParams({
...mockConsentParams,
scope: 'openid',
});
await page.goto(`/en/auth/consent?${params.toString()}`);
// Wait for page to load
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Initially Authorize button should be enabled
const authorizeButton = page.getByRole('button', { name: /authorize/i });
await expect(authorizeButton).toBeEnabled();
// Uncheck the only scope
await page.locator('#scope-openid').click();
// Now Authorize button should be disabled
await expect(authorizeButton).toBeDisabled();
});
test('should call consent API when clicking Authorize', async ({ page }) => {
// First log in
await loginViaUI(page);
// Mock the consent submission endpoint (use wildcard to catch all variations)
let consentSubmitted = false;
await page.route('**/api/v1/oauth/provider/authorize/consent', async (route) => {
if (route.request().method() === 'POST') {
consentSubmitted = true;
// Simulate redirect response
await route.fulfill({
status: 302,
headers: {
Location: `${mockConsentParams.redirect_uri}?code=mock-auth-code&state=${mockConsentParams.state}`,
},
});
} else {
await route.continue();
}
});
// Prevent actual navigation to callback URL
await page.route('http://localhost:3001/**', (route) => route.fulfill({ status: 200 }));
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
await page.goto(`/en/auth/consent?${params.toString()}`);
// Wait for page to load
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Click Authorize
await page.getByRole('button', { name: /authorize/i }).click();
// Wait for API call
await page.waitForTimeout(1000);
// Verify consent was submitted
expect(consentSubmitted).toBe(true);
});
test('should call consent API with approved=false when clicking Deny', async ({ page }) => {
// First log in
await loginViaUI(page);
// Track the request
let requestMade = false;
let postDataContainsFalse = false;
// Mock the consent submission endpoint
await page.route('**/api/v1/oauth/provider/authorize/consent', async (route) => {
requestMade = true;
const postData = route.request().postData();
// FormData is multipart, so we check if "false" appears after "approved"
if (postData && postData.includes('name="approved"')) {
// The multipart format has approved value after the field name line
postDataContainsFalse = postData.includes('false');
}
// Return a simple success response
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify({ success: true }),
});
});
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
await page.goto(`/en/auth/consent?${params.toString()}`);
// Wait for page to load
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Click Deny and wait for the request
await Promise.all([
page.waitForResponse('**/api/v1/oauth/provider/authorize/consent'),
page.getByRole('button', { name: /deny/i }).click(),
]);
// Verify the request was made with approved=false
expect(requestMade).toBe(true);
expect(postDataContainsFalse).toBe(true);
});
test('should show loading state while submitting', async ({ page }) => {
// First log in
await loginViaUI(page);
// We'll use a promise that we can resolve manually to control when the request completes
let resolveRequest: () => void;
const requestComplete = new Promise<void>((resolve) => {
resolveRequest = resolve;
});
// Mock the consent submission endpoint with controlled delay
await page.route('**/api/v1/oauth/provider/authorize/consent', async (route) => {
// Wait until we've verified the loading state, then complete
await requestComplete;
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify({ success: true }),
});
});
// Build consent URL with params
const params = new URLSearchParams(mockConsentParams);
await page.goto(`/en/auth/consent?${params.toString()}`);
// Wait for page to load
await expect(page.getByText(/authorization request/i)).toBeVisible({ timeout: 10000 });
// Get buttons before clicking
const authorizeBtn = page.getByRole('button', { name: /authorize/i });
const denyBtn = page.getByRole('button', { name: /deny/i });
// Verify buttons are initially enabled
await expect(authorizeBtn).toBeEnabled();
await expect(denyBtn).toBeEnabled();
// Click Authorize (don't await - let it start the request)
authorizeBtn.click();
// Should show loading spinner while request is pending
await expect(page.locator('.animate-spin').first()).toBeVisible({ timeout: 5000 });
// Now resolve the request to clean up
resolveRequest!();
});
});
});

3
frontend/jest.config.js
View File

@@ -8,7 +8,8 @@ const createJestConfig = nextJest({
// Add any custom config to be passed to Jest
const customJestConfig = {
setupFilesAfterEnv: ['<rootDir>/jest.setup.js'],
testEnvironment: 'jest-environment-jsdom',
// Custom environment that suppresses jsdom VirtualConsole XMLHttpRequest errors
testEnvironment: '<rootDir>/jest.environment.js',
moduleNameMapper: {
'^next-intl$': '<rootDir>/tests/__mocks__/next-intl.tsx',
'^next-intl/routing$': '<rootDir>/tests/__mocks__/next-intl-routing.tsx',

54
frontend/jest.environment.js Normal file
View File

@@ -0,0 +1,54 @@
/**
* Custom Jest environment that suppresses jsdom VirtualConsole XMLHttpRequest errors
*
* These errors occur when jsdom tries to make network requests during tests
* (e.g., XMLHttpRequest to localhost:8000) and they fail. They're harmless
* noise that clutters test output.
*/
// This file is executed by Jest in a CommonJS context; using require() here is intentional.
// eslint-disable-next-line @typescript-eslint/no-require-imports
const JSDOMEnvironment = require('jest-environment-jsdom').default;
class CustomJSDOMEnvironment extends JSDOMEnvironment {
constructor(config, context) {
// Customize virtualConsole options to suppress specific errors
const customConfig = {
...config,
projectConfig: {
...config.projectConfig,
testEnvironmentOptions: {
...config.projectConfig?.testEnvironmentOptions,
// Custom error handling via virtualConsole.sendTo
},
},
};
super(customConfig, context);
}
async setup() {
await super.setup();
// After setup, intercept console.error to filter XMLHttpRequest noise
// This is called by jsdom's VirtualConsole when errors occur
const originalConsoleError = this.global.console.error;
this.global.console.error = (...args) => {
const message = args[0]?.toString() || '';
const errorType = args[0]?.type || '';
// Filter out XMLHttpRequest/AggregateError noise from jsdom
if (
message.includes('AggregateError') ||
message.includes('XMLHttpRequest') ||
errorType === 'XMLHttpRequest'
) {
return;
}
originalConsoleError.apply(this.global.console, args);
};
}
}
module.exports = CustomJSDOMEnvironment;

7
frontend/src/app/[locale]/(auth)/auth/consent/page.tsx
View File

@@ -95,7 +95,7 @@ export default function OAuthConsentPage() {
// Note: t is available for future i18n use
const _t = useTranslations('auth.oauth');
void _t; // Suppress unused warning - ready for i18n
const { isAuthenticated, isLoading: authLoading } = useAuth();
const { isAuthenticated, isLoading: authLoading, accessToken } = useAuth();
const [isSubmitting, setIsSubmitting] = useState(false);
const [error, setError] = useState<string | null>(null);
@@ -181,9 +181,14 @@ export default function OAuthConsentPage() {
// Submit consent to backend
const apiUrl = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8000';
const headers: HeadersInit = {};
if (accessToken) {
headers['Authorization'] = `Bearer ${accessToken}`;
}
const response = await fetch(`${apiUrl}/api/v1/oauth/provider/authorize/consent`, {
method: 'POST',
body: formData,
headers,
credentials: 'include',
});

4
frontend/src/components/home/ContextSection.tsx
View File

@@ -11,8 +11,8 @@ import { CheckCircle2 } from 'lucide-react';
export function ContextSection() {
const features = [
'Clone & Deploy in < 5 minutes',
'Comprehensive Test Suite',
'12+ Documentation Guides',
'OAuth 2.0 + Social Login',
'i18n Ready (EN, IT)',
'Zero Commercial Dependencies',
];

8
frontend/src/components/home/FeatureGrid.tsx
View File

@@ -14,8 +14,8 @@ const features = [
icon: Shield,
title: 'Authentication & Security',
description:
'JWT authentication with refresh tokens, session management, password reset flow, rate limiting, CSRF protection, and comprehensive security tests preventing common attacks (CVE-2015-9235, session hijacking)',
highlight: 'Battle-tested security',
'JWT with refresh tokens, OAuth social login (Google, GitHub with PKCE), OAuth Provider mode for MCP clients, session management, rate limiting, and comprehensive security tests',
highlight: 'OAuth 2.0 + MCP ready',
ctaText: 'View Auth Flow',
ctaHref: '/login',
},
@@ -59,8 +59,8 @@ const features = [
icon: Code,
title: 'Developer Experience',
description:
'Auto-generated TypeScript API client from OpenAPI spec, hot reload in development, migration helpers (python migrate.py auto), VS Code settings, and comprehensive component library',
highlight: 'Delightful DX',
'Auto-generated TypeScript API client, i18n with next-intl (English, Italian), hot reload, migration helpers, VS Code settings, and a comprehensive component library',
highlight: 'Delightful DX + i18n',
ctaText: 'Explore Components',
ctaHref: '/dev',
},

2
frontend/src/components/home/HeroSection.tsx
View File

@@ -46,7 +46,7 @@ export function HeroSection({ onOpenDemoModal }: HeroSectionProps) {
/>
<span className="font-medium">MIT Licensed</span>
<span className="text-muted-foreground"></span>
<span className="font-medium">Comprehensive Tests</span>
<span className="font-medium">OAuth 2.0 + i18n</span>
<span className="text-muted-foreground"></span>
<span className="font-medium">Pragmatic by Design</span>
</div>

24
frontend/src/components/home/TechStackSection.tsx
View File

@@ -35,25 +35,25 @@ const technologies: Tech[] = [
color: 'from-blue-500 to-blue-700',
},
{
name: 'Docker',
description: 'Containerized deployment',
color: 'from-blue-400 to-blue-600',
name: 'OAuth 2.0',
description: 'Social login + MCP Provider mode with PKCE',
color: 'from-orange-500 to-red-600',
},
{
name: 'TailwindCSS',
description: 'Utility-first styling with OKLCH colors',
color: 'from-cyan-500 to-blue-500',
},
{
name: 'shadcn/ui',
description: 'Accessible component library (New York variant)',
color: 'from-slate-800 to-slate-600',
name: 'next-intl',
description: 'Type-safe internationalization (EN, IT)',
color: 'from-violet-500 to-purple-600',
},
{
name: 'Playwright',
description: 'Reliable E2E testing (zero flaky tests)',
description: 'Frontend E2E testing (zero flaky tests)',
color: 'from-green-600 to-emerald-700',
},
{
name: 'pytest',
description: 'Backend testing with Testcontainers',
color: 'from-yellow-500 to-orange-500',
},
];
export function TechStackSection() {

213
frontend/src/lib/api/generated/sdk.gen.ts
View File

@@ -3,7 +3,7 @@
import { type Client, type Options as Options2, type TDataShape, urlSearchParamsBodySerializer } from './client';
import { client } from './client.gen';
import type { AdminActivateUserData, AdminActivateUserErrors, AdminActivateUserResponses, AdminAddOrganizationMemberData, AdminAddOrganizationMemberErrors, AdminAddOrganizationMemberResponses, AdminBulkUserActionData, AdminBulkUserActionErrors, AdminBulkUserActionResponses, AdminCreateOrganizationData, AdminCreateOrganizationErrors, AdminCreateOrganizationResponses, AdminCreateUserData, AdminCreateUserErrors, AdminCreateUserResponses, AdminDeactivateUserData, AdminDeactivateUserErrors, AdminDeactivateUserResponses, AdminDeleteOrganizationData, AdminDeleteOrganizationErrors, AdminDeleteOrganizationResponses, AdminDeleteUserData, AdminDeleteUserErrors, AdminDeleteUserResponses, AdminGetOrganizationData, AdminGetOrganizationErrors, AdminGetOrganizationResponses, AdminGetStatsData, AdminGetStatsResponses, AdminGetUserData, AdminGetUserErrors, AdminGetUserResponses, AdminListOrganizationMembersData, AdminListOrganizationMembersErrors, AdminListOrganizationMembersResponses, AdminListOrganizationsData, AdminListOrganizationsErrors, AdminListOrganizationsResponses, AdminListSessionsData, AdminListSessionsErrors, AdminListSessionsResponses, AdminListUsersData, AdminListUsersErrors, AdminListUsersResponses, AdminRemoveOrganizationMemberData, AdminRemoveOrganizationMemberErrors, AdminRemoveOrganizationMemberResponses, AdminUpdateOrganizationData, AdminUpdateOrganizationErrors, AdminUpdateOrganizationResponses, AdminUpdateUserData, AdminUpdateUserErrors, AdminUpdateUserResponses, ChangeCurrentUserPasswordData, ChangeCurrentUserPasswordErrors, ChangeCurrentUserPasswordResponses, CleanupExpiredSessionsData, CleanupExpiredSessionsResponses, ConfirmPasswordResetData, ConfirmPasswordResetErrors, ConfirmPasswordResetResponses, DeleteUserData, DeleteUserErrors, DeleteUserResponses, GetCurrentUserProfileData, GetCurrentUserProfileResponses, GetMyOrganizationsData, GetMyOrganizationsErrors, GetMyOrganizationsResponses, GetOauthAuthorizationUrlData, GetOauthAuthorizationUrlErrors, GetOauthAuthorizationUrlResponses, GetOauthServerMetadataData, GetOauthServerMetadataResponses, GetOrganizationData, GetOrganizationErrors, GetOrganizationMembersData, GetOrganizationMembersErrors, GetOrganizationMembersResponses, GetOrganizationResponses, GetUserByIdData, GetUserByIdErrors, GetUserByIdResponses, HandleOauthCallbackData, HandleOauthCallbackErrors, HandleOauthCallbackResponses, HealthCheckData, HealthCheckResponses, ListMySessionsData, ListMySessionsResponses, ListOauthAccountsData, ListOauthAccountsResponses, ListOauthProvidersData, ListOauthProvidersResponses, ListUsersData, ListUsersErrors, ListUsersResponses, LoginData, LoginErrors, LoginOauthData, LoginOauthErrors, LoginOauthResponses, LoginResponses, LogoutAllData, LogoutAllResponses, LogoutData, LogoutErrors, LogoutResponses, OauthProviderAuthorizeData, OauthProviderAuthorizeErrors, OauthProviderAuthorizeResponses, OauthProviderRevokeData, OauthProviderRevokeErrors, OauthProviderRevokeResponses, OauthProviderTokenData, OauthProviderTokenErrors, OauthProviderTokenResponses, RefreshTokenData, RefreshTokenErrors, RefreshTokenResponses, RegisterData, RegisterErrors, RegisterOauthClientData, RegisterOauthClientErrors, RegisterOauthClientResponses, RegisterResponses, RequestPasswordResetData, RequestPasswordResetErrors, RequestPasswordResetResponses, RevokeSessionData, RevokeSessionErrors, RevokeSessionResponses, RootGetData, RootGetResponses, StartOauthLinkData, StartOauthLinkErrors, StartOauthLinkResponses, UnlinkOauthAccountData, UnlinkOauthAccountErrors, UnlinkOauthAccountResponses, UpdateCurrentUserData, UpdateCurrentUserErrors, UpdateCurrentUserResponses, UpdateOrganizationData, UpdateOrganizationErrors, UpdateOrganizationResponses, UpdateUserData, UpdateUserErrors, UpdateUserResponses } from './types.gen';
import type { AdminActivateUserData, AdminActivateUserErrors, AdminActivateUserResponses, AdminAddOrganizationMemberData, AdminAddOrganizationMemberErrors, AdminAddOrganizationMemberResponses, AdminBulkUserActionData, AdminBulkUserActionErrors, AdminBulkUserActionResponses, AdminCreateOrganizationData, AdminCreateOrganizationErrors, AdminCreateOrganizationResponses, AdminCreateUserData, AdminCreateUserErrors, AdminCreateUserResponses, AdminDeactivateUserData, AdminDeactivateUserErrors, AdminDeactivateUserResponses, AdminDeleteOrganizationData, AdminDeleteOrganizationErrors, AdminDeleteOrganizationResponses, AdminDeleteUserData, AdminDeleteUserErrors, AdminDeleteUserResponses, AdminGetOrganizationData, AdminGetOrganizationErrors, AdminGetOrganizationResponses, AdminGetStatsData, AdminGetStatsResponses, AdminGetUserData, AdminGetUserErrors, AdminGetUserResponses, AdminListOrganizationMembersData, AdminListOrganizationMembersErrors, AdminListOrganizationMembersResponses, AdminListOrganizationsData, AdminListOrganizationsErrors, AdminListOrganizationsResponses, AdminListSessionsData, AdminListSessionsErrors, AdminListSessionsResponses, AdminListUsersData, AdminListUsersErrors, AdminListUsersResponses, AdminRemoveOrganizationMemberData, AdminRemoveOrganizationMemberErrors, AdminRemoveOrganizationMemberResponses, AdminUpdateOrganizationData, AdminUpdateOrganizationErrors, AdminUpdateOrganizationResponses, AdminUpdateUserData, AdminUpdateUserErrors, AdminUpdateUserResponses, ChangeCurrentUserPasswordData, ChangeCurrentUserPasswordErrors, ChangeCurrentUserPasswordResponses, CleanupExpiredSessionsData, CleanupExpiredSessionsResponses, ConfirmPasswordResetData, ConfirmPasswordResetErrors, ConfirmPasswordResetResponses, DeleteOauthClientData, DeleteOauthClientErrors, DeleteOauthClientResponses, DeleteUserData, DeleteUserErrors, DeleteUserResponses, GetCurrentUserProfileData, GetCurrentUserProfileResponses, GetMyOrganizationsData, GetMyOrganizationsErrors, GetMyOrganizationsResponses, GetOauthAuthorizationUrlData, GetOauthAuthorizationUrlErrors, GetOauthAuthorizationUrlResponses, GetOauthServerMetadataData, GetOauthServerMetadataResponses, GetOrganizationData, GetOrganizationErrors, GetOrganizationMembersData, GetOrganizationMembersErrors, GetOrganizationMembersResponses, GetOrganizationResponses, GetUserByIdData, GetUserByIdErrors, GetUserByIdResponses, HandleOauthCallbackData, HandleOauthCallbackErrors, HandleOauthCallbackResponses, HealthCheckData, HealthCheckResponses, ListMyOauthConsentsData, ListMyOauthConsentsResponses, ListMySessionsData, ListMySessionsResponses, ListOauthAccountsData, ListOauthAccountsResponses, ListOauthClientsData, ListOauthClientsResponses, ListOauthProvidersData, ListOauthProvidersResponses, ListUsersData, ListUsersErrors, ListUsersResponses, LoginData, LoginErrors, LoginOauthData, LoginOauthErrors, LoginOauthResponses, LoginResponses, LogoutAllData, LogoutAllResponses, LogoutData, LogoutErrors, LogoutResponses, OauthProviderAuthorizeData, OauthProviderAuthorizeErrors, OauthProviderAuthorizeResponses, OauthProviderConsentData, OauthProviderConsentErrors, OauthProviderConsentResponses, OauthProviderIntrospectData, OauthProviderIntrospectErrors, OauthProviderIntrospectResponses, OauthProviderRevokeData, OauthProviderRevokeErrors, OauthProviderRevokeResponses, OauthProviderTokenData, OauthProviderTokenErrors, OauthProviderTokenResponses, RefreshTokenData, RefreshTokenErrors, RefreshTokenResponses, RegisterData, RegisterErrors, RegisterOauthClientData, RegisterOauthClientErrors, RegisterOauthClientResponses, RegisterResponses, RequestPasswordResetData, RequestPasswordResetErrors, RequestPasswordResetResponses, RevokeMyOauthConsentData, RevokeMyOauthConsentErrors, RevokeMyOauthConsentResponses, RevokeSessionData, RevokeSessionErrors, RevokeSessionResponses, RootGetData, RootGetResponses, StartOauthLinkData, StartOauthLinkErrors, StartOauthLinkResponses, UnlinkOauthAccountData, UnlinkOauthAccountErrors, UnlinkOauthAccountResponses, UpdateCurrentUserData, UpdateCurrentUserErrors, UpdateCurrentUserResponses, UpdateOrganizationData, UpdateOrganizationErrors, UpdateOrganizationResponses, UpdateUserData, UpdateUserErrors, UpdateUserResponses } from './types.gen';
export type Options<TData extends TDataShape = TDataShape, ThrowOnError extends boolean = boolean> = Options2<TData, ThrowOnError> & {
/**
@@ -353,34 +353,26 @@ export const startOauthLink = <ThrowOnError extends boolean = false>(options: Op
};
/**
* OAuth Server Metadata
*
* OAuth 2.0 Authorization Server Metadata (RFC 8414).
*
* Returns server metadata including supported endpoints, scopes,
* and capabilities for MCP clients.
*/
export const getOauthServerMetadata = <ThrowOnError extends boolean = false>(options?: Options<GetOauthServerMetadataData, ThrowOnError>) => {
return (options?.client ?? client).get<GetOauthServerMetadataResponses, unknown, ThrowOnError>({
responseType: 'json',
url: '/api/v1/oauth/.well-known/oauth-authorization-server',
...options
});
};
/**
* Authorization Endpoint (Skeleton)
* Authorization Endpoint
*
* OAuth 2.0 Authorization Endpoint.
*
* **NOTE**: This is a skeleton implementation. In a full implementation,
* this would:
* 1. Validate client_id and redirect_uri
* 2. Display consent screen to user
* 3. Generate authorization code
* 4. Redirect back to client with code
* Initiates the authorization code flow:
* 1. Validates client and parameters
* 2. Checks if user is authenticated (redirects to login if not)
* 3. Checks existing consent
* 4. Redirects to consent page if needed
* 5. Issues authorization code and redirects back to client
*
* Currently returns a 501 Not Implemented response.
* Required parameters:
* - response_type: Must be "code"
* - client_id: Registered client ID
* - redirect_uri: Must match registered URI
*
* Recommended parameters:
* - state: CSRF protection
* - code_challenge + code_challenge_method: PKCE (required for public clients)
* - scope: Requested permissions
*/
export const oauthProviderAuthorize = <ThrowOnError extends boolean = false>(options: Options<OauthProviderAuthorizeData, ThrowOnError>) => {
return (options.client ?? client).get<OauthProviderAuthorizeResponses, OauthProviderAuthorizeErrors, ThrowOnError>({
@@ -391,14 +383,43 @@ export const oauthProviderAuthorize = <ThrowOnError extends boolean = false>(opt
};
/**
* Token Endpoint (Skeleton)
* Submit Authorization Consent
*
* Submit user consent for OAuth authorization.
*
* Called by the consent page after user approves or denies.
*/
export const oauthProviderConsent = <ThrowOnError extends boolean = false>(options: Options<OauthProviderConsentData, ThrowOnError>) => {
return (options.client ?? client).post<OauthProviderConsentResponses, OauthProviderConsentErrors, ThrowOnError>({
...urlSearchParamsBodySerializer,
responseType: 'json',
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/authorize/consent',
...options,
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
...options.headers
}
});
};
/**
* Token Endpoint
*
* OAuth 2.0 Token Endpoint.
*
* **NOTE**: This is a skeleton implementation. In a full implementation,
* this would exchange authorization codes for access tokens.
* Supports:
* - authorization_code: Exchange code for tokens
* - refresh_token: Refresh access token
*
* Currently returns a 501 Not Implemented response.
* Client authentication:
* - Confidential clients: client_secret (Basic auth or POST body)
* - Public clients: No secret, but PKCE code_verifier required
*/
export const oauthProviderToken = <ThrowOnError extends boolean = false>(options: Options<OauthProviderTokenData, ThrowOnError>) => {
return (options.client ?? client).post<OauthProviderTokenResponses, OauthProviderTokenErrors, ThrowOnError>({
@@ -414,13 +435,12 @@ export const oauthProviderToken = <ThrowOnError extends boolean = false>(options
};
/**
* Token Revocation Endpoint (Skeleton)
* Token Revocation Endpoint
*
* OAuth 2.0 Token Revocation Endpoint (RFC 7009).
*
* **NOTE**: This is a skeleton implementation.
*
* Currently returns a 501 Not Implemented response.
* Revokes an access token or refresh token.
* Always returns 200 OK (even if token is invalid) per spec.
*/
export const oauthProviderRevoke = <ThrowOnError extends boolean = false>(options: Options<OauthProviderRevokeData, ThrowOnError>) => {
return (options.client ?? client).post<OauthProviderRevokeResponses, OauthProviderRevokeErrors, ThrowOnError>({
@@ -436,19 +456,65 @@ export const oauthProviderRevoke = <ThrowOnError extends boolean = false>(option
};
/**
* Register OAuth Client (Admin)
* Token Introspection Endpoint
*
* OAuth 2.0 Token Introspection Endpoint (RFC 7662).
*
* Allows resource servers to query the authorization server
* to determine the active state and metadata of a token.
*/
export const oauthProviderIntrospect = <ThrowOnError extends boolean = false>(options: Options<OauthProviderIntrospectData, ThrowOnError>) => {
return (options.client ?? client).post<OauthProviderIntrospectResponses, OauthProviderIntrospectErrors, ThrowOnError>({
...urlSearchParamsBodySerializer,
responseType: 'json',
url: '/api/v1/oauth/provider/introspect',
...options,
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
...options.headers
}
});
};
/**
* List OAuth Clients
*
* List all registered OAuth clients (admin only).
*/
export const listOauthClients = <ThrowOnError extends boolean = false>(options?: Options<ListOauthClientsData, ThrowOnError>) => {
return (options?.client ?? client).get<ListOauthClientsResponses, unknown, ThrowOnError>({
responseType: 'json',
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/clients',
...options
});
};
/**
* Register OAuth Client
*
* Register a new OAuth client (admin only).
*
* This endpoint allows creating MCP clients that can authenticate
* against this API.
* Creates an MCP client that can authenticate against this API.
* Returns client_id and client_secret (for confidential clients).
*
* **NOTE**: This is a minimal implementation.
* **Important:** Store the client_secret securely - it won't be shown again!
*/
export const registerOauthClient = <ThrowOnError extends boolean = false>(options: Options<RegisterOauthClientData, ThrowOnError>) => {
return (options.client ?? client).post<RegisterOauthClientResponses, RegisterOauthClientErrors, ThrowOnError>({
...urlSearchParamsBodySerializer,
responseType: 'json',
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/clients',
...options,
headers: {
@@ -458,6 +524,61 @@ export const registerOauthClient = <ThrowOnError extends boolean = false>(option
});
};
/**
* Delete OAuth Client
*
* Delete an OAuth client (admin only). Revokes all tokens.
*/
export const deleteOauthClient = <ThrowOnError extends boolean = false>(options: Options<DeleteOauthClientData, ThrowOnError>) => {
return (options.client ?? client).delete<DeleteOauthClientResponses, DeleteOauthClientErrors, ThrowOnError>({
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/clients/{client_id}',
...options
});
};
/**
* List My Consents
*
* List OAuth applications the current user has authorized.
*/
export const listMyOauthConsents = <ThrowOnError extends boolean = false>(options?: Options<ListMyOauthConsentsData, ThrowOnError>) => {
return (options?.client ?? client).get<ListMyOauthConsentsResponses, unknown, ThrowOnError>({
responseType: 'json',
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/consents',
...options
});
};
/**
* Revoke My Consent
*
* Revoke authorization for an OAuth application. Also revokes all tokens.
*/
export const revokeMyOauthConsent = <ThrowOnError extends boolean = false>(options: Options<RevokeMyOauthConsentData, ThrowOnError>) => {
return (options.client ?? client).delete<RevokeMyOauthConsentResponses, RevokeMyOauthConsentErrors, ThrowOnError>({
security: [
{
scheme: 'bearer',
type: 'http'
}
],
url: '/api/v1/oauth/provider/consents/{client_id}',
...options
});
};
/**
* List Users
*
@@ -1166,3 +1287,21 @@ export const getOrganizationMembers = <ThrowOnError extends boolean = false>(opt
...options
});
};
/**
* OAuth Server Metadata
*
* OAuth 2.0 Authorization Server Metadata (RFC 8414).
*
* Returns server metadata including supported endpoints, scopes,
* and capabilities. MCP clients use this to discover the server.
*
* Note: This endpoint is at the root level per RFC 8414.
*/
export const getOauthServerMetadata = <ThrowOnError extends boolean = false>(options?: Options<GetOauthServerMetadataData, ThrowOnError>) => {
return (options?.client ?? client).get<GetOauthServerMetadataResponses, unknown, ThrowOnError>({
responseType: 'json',
url: '/.well-known/oauth-authorization-server',
...options
});
};

490
frontend/src/lib/api/generated/types.gen.ts
View File

@@ -145,6 +145,84 @@ export type BodyLoginOauth = {
client_secret?: string | null;
};
/**
* Body_oauth_provider_consent
*/
export type BodyOauthProviderConsent = {
/**
* Approved
*
* Whether user approved
*/
approved: boolean;
/**
* Client Id
*
* OAuth client ID
*/
client_id: string;
/**
* Redirect Uri
*
* Redirect URI
*/
redirect_uri: string;
/**
* Scope
*
* Granted scopes
*/
scope?: string;
/**
* State
*
* CSRF state parameter
*/
state?: string;
/**
* Code Challenge
*/
code_challenge?: string | null;
/**
* Code Challenge Method
*/
code_challenge_method?: string | null;
/**
* Nonce
*/
nonce?: string | null;
};
/**
* Body_oauth_provider_introspect
*/
export type BodyOauthProviderIntrospect = {
/**
* Token
*
* Token to introspect
*/
token: string;
/**
* Token Type Hint
*
* Token type hint (access_token, refresh_token)
*/
token_type_hint?: string | null;
/**
* Client Id
*
* Client ID
*/
client_id?: string | null;
/**
* Client Secret
*
* Client secret
*/
client_secret?: string | null;
};
/**
* Body_oauth_provider_revoke
*/
@@ -182,7 +260,7 @@ export type BodyOauthProviderToken = {
/**
* Grant Type
*
* Grant type (authorization_code)
* Grant type
*/
grant_type: string;
/**
@@ -221,6 +299,12 @@ export type BodyOauthProviderToken = {
* Refresh token
*/
refresh_token?: string | null;
/**
* Scope
*
* Scope (for refresh)
*/
scope?: string | null;
};
/**
@@ -236,7 +320,7 @@ export type BodyRegisterOauthClient = {
/**
* Redirect Uris
*
* Comma-separated list of redirect URIs
* Comma-separated redirect URIs
*/
redirect_uris: string;
/**
@@ -245,6 +329,18 @@ export type BodyRegisterOauthClient = {
* public or confidential
*/
client_type?: string;
/**
* Scopes
*
* Allowed scopes (space-separated)
*/
scopes?: string;
/**
* Mcp Server Url
*
* MCP server URL
*/
mcp_server_url?: string | null;
};
/**
@@ -454,6 +550,60 @@ export type OAuthCallbackResponse = {
is_new_user?: boolean;
};
/**
* OAuthClientResponse
*
* Schema for OAuth client response.
*/
export type OAuthClientResponse = {
/**
* Client Name
*
* Client application name
*/
client_name: string;
/**
* Client Description
*
* Client description
*/
client_description?: string | null;
/**
* Redirect Uris
*
* Allowed redirect URIs
*/
redirect_uris?: Array<string>;
/**
* Allowed Scopes
*
* Allowed OAuth scopes
*/
allowed_scopes?: Array<string>;
/**
* Id
*/
id: string;
/**
* Client Id
*
* OAuth client ID
*/
client_id: string;
/**
* Client Type
*/
client_type: string;
/**
* Is Active
*/
is_active: boolean;
/**
* Created At
*/
created_at: string;
};
/**
* OAuthProviderInfo
*
@@ -536,6 +686,12 @@ export type OAuthServerMetadata = {
* Token revocation endpoint
*/
revocation_endpoint?: string | null;
/**
* Introspection Endpoint
*
* Token introspection endpoint (RFC 7662)
*/
introspection_endpoint?: string | null;
/**
* Scopes Supported
*
@@ -560,6 +716,124 @@ export type OAuthServerMetadata = {
* Supported PKCE methods
*/
code_challenge_methods_supported?: Array<string>;
/**
* Token Endpoint Auth Methods Supported
*
* Supported client authentication methods
*/
token_endpoint_auth_methods_supported?: Array<string>;
};
/**
* OAuthTokenIntrospectionResponse
*
* OAuth 2.0 Token Introspection Response (RFC 7662).
*/
export type OAuthTokenIntrospectionResponse = {
/**
* Active
*
* Whether the token is currently active
*/
active: boolean;
/**
* Scope
*
* Space-separated list of scopes
*/
scope?: string | null;
/**
* Client Id
*
* Client identifier for the token
*/
client_id?: string | null;
/**
* Username
*
* Human-readable identifier for the resource owner
*/
username?: string | null;
/**
* Token Type
*
* Type of the token (e.g., 'Bearer')
*/
token_type?: string | null;
/**
* Exp
*
* Token expiration time (Unix timestamp)
*/
exp?: number | null;
/**
* Iat
*
* Token issue time (Unix timestamp)
*/
iat?: number | null;
/**
* Nbf
*
* Token not-before time (Unix timestamp)
*/
nbf?: number | null;
/**
* Sub
*
* Subject of the token (user ID)
*/
sub?: string | null;
/**
* Aud
*
* Intended audience of the token
*/
aud?: string | null;
/**
* Iss
*
* Issuer of the token
*/
iss?: string | null;
};
/**
* OAuthTokenResponse
*
* OAuth 2.0 Token Response (RFC 6749 Section 5.1).
*/
export type OAuthTokenResponse = {
/**
* Access Token
*
* The access token issued by the server
*/
access_token: string;
/**
* Token Type
*
* The type of token (typically 'Bearer')
*/
token_type?: string;
/**
* Expires In
*
* Token lifetime in seconds
*/
expires_in?: number | null;
/**
* Refresh Token
*
* Refresh token for obtaining new access tokens
*/
refresh_token?: string | null;
/**
* Scope
*
* Space-separated list of granted scopes
*/
scope?: string | null;
};
/**
@@ -1610,24 +1884,14 @@ export type StartOauthLinkResponses = {
export type StartOauthLinkResponse = StartOauthLinkResponses[keyof StartOauthLinkResponses];
export type GetOauthServerMetadataData = {
body?: never;
path?: never;
query?: never;
url: '/api/v1/oauth/.well-known/oauth-authorization-server';
};
export type GetOauthServerMetadataResponses = {
/**
* Successful Response
*/
200: OAuthServerMetadata;
};
export type GetOauthServerMetadataResponse = GetOauthServerMetadataResponses[keyof GetOauthServerMetadataResponses];
export type OauthProviderAuthorizeData = {
body?: never;
headers?: {
/**
* Authorization
*/
authorization?: string;
};
path?: never;
query: {
/**
@@ -1651,7 +1915,7 @@ export type OauthProviderAuthorizeData = {
/**
* Scope
*
* Requested scopes
* Requested scopes (space-separated)
*/
scope?: string;
/**
@@ -1672,6 +1936,12 @@ export type OauthProviderAuthorizeData = {
* PKCE method (S256)
*/
code_challenge_method?: string | null;
/**
* Nonce
*
* OpenID Connect nonce
*/
nonce?: string | null;
};
url: '/api/v1/oauth/provider/authorize';
};
@@ -1694,6 +1964,31 @@ export type OauthProviderAuthorizeResponses = {
200: unknown;
};
export type OauthProviderConsentData = {
body: BodyOauthProviderConsent;
path?: never;
query?: never;
url: '/api/v1/oauth/provider/authorize/consent';
};
export type OauthProviderConsentErrors = {
/**
* Validation Error
*/
422: HttpValidationError;
};
export type OauthProviderConsentError = OauthProviderConsentErrors[keyof OauthProviderConsentErrors];
export type OauthProviderConsentResponses = {
/**
* Response Oauth Provider Consent
*
* Successful Response
*/
200: unknown;
};
export type OauthProviderTokenData = {
body: BodyOauthProviderToken;
path?: never;
@@ -1712,13 +2007,13 @@ export type OauthProviderTokenError = OauthProviderTokenErrors[keyof OauthProvid
export type OauthProviderTokenResponses = {
/**
* Response Oauth Provider Token
*
* Successful Response
*/
200: unknown;
200: OAuthTokenResponse;
};
export type OauthProviderTokenResponse = OauthProviderTokenResponses[keyof OauthProviderTokenResponses];
export type OauthProviderRevokeData = {
body: BodyOauthProviderRevoke;
path?: never;
@@ -1741,9 +2036,56 @@ export type OauthProviderRevokeResponses = {
*
* Successful Response
*/
200: unknown;
200: {
[key: string]: string;
};
};
export type OauthProviderRevokeResponse = OauthProviderRevokeResponses[keyof OauthProviderRevokeResponses];
export type OauthProviderIntrospectData = {
body: BodyOauthProviderIntrospect;
path?: never;
query?: never;
url: '/api/v1/oauth/provider/introspect';
};
export type OauthProviderIntrospectErrors = {
/**
* Validation Error
*/
422: HttpValidationError;
};
export type OauthProviderIntrospectError = OauthProviderIntrospectErrors[keyof OauthProviderIntrospectErrors];
export type OauthProviderIntrospectResponses = {
/**
* Successful Response
*/
200: OAuthTokenIntrospectionResponse;
};
export type OauthProviderIntrospectResponse = OauthProviderIntrospectResponses[keyof OauthProviderIntrospectResponses];
export type ListOauthClientsData = {
body?: never;
path?: never;
query?: never;
url: '/api/v1/oauth/provider/clients';
};
export type ListOauthClientsResponses = {
/**
* Response List Oauth Clients
*
* Successful Response
*/
200: Array<OAuthClientResponse>;
};
export type ListOauthClientsResponse = ListOauthClientsResponses[keyof ListOauthClientsResponses];
export type RegisterOauthClientData = {
body: BodyRegisterOauthClient;
path?: never;
@@ -1766,9 +2108,93 @@ export type RegisterOauthClientResponses = {
*
* Successful Response
*/
200: unknown;
200: {
[key: string]: unknown;
};
};
export type RegisterOauthClientResponse = RegisterOauthClientResponses[keyof RegisterOauthClientResponses];
export type DeleteOauthClientData = {
body?: never;
path: {
/**
* Client Id
*/
client_id: string;
};
query?: never;
url: '/api/v1/oauth/provider/clients/{client_id}';
};
export type DeleteOauthClientErrors = {
/**
* Validation Error
*/
422: HttpValidationError;
};
export type DeleteOauthClientError = DeleteOauthClientErrors[keyof DeleteOauthClientErrors];
export type DeleteOauthClientResponses = {
/**
* Successful Response
*/
204: void;
};
export type DeleteOauthClientResponse = DeleteOauthClientResponses[keyof DeleteOauthClientResponses];
export type ListMyOauthConsentsData = {
body?: never;
path?: never;
query?: never;
url: '/api/v1/oauth/provider/consents';
};
export type ListMyOauthConsentsResponses = {
/**
* Response List My Oauth Consents
*
* Successful Response
*/
200: Array<{
[key: string]: unknown;
}>;
};
export type ListMyOauthConsentsResponse = ListMyOauthConsentsResponses[keyof ListMyOauthConsentsResponses];
export type RevokeMyOauthConsentData = {
body?: never;
path: {
/**
* Client Id
*/
client_id: string;
};
query?: never;
url: '/api/v1/oauth/provider/consents/{client_id}';
};
export type RevokeMyOauthConsentErrors = {
/**
* Validation Error
*/
422: HttpValidationError;
};
export type RevokeMyOauthConsentError = RevokeMyOauthConsentErrors[keyof RevokeMyOauthConsentErrors];
export type RevokeMyOauthConsentResponses = {
/**
* Successful Response
*/
204: void;
};
export type RevokeMyOauthConsentResponse = RevokeMyOauthConsentResponses[keyof RevokeMyOauthConsentResponses];
export type ListUsersData = {
body?: never;
path?: never;
@@ -2759,3 +3185,19 @@ export type GetOrganizationMembersResponses = {
};
export type GetOrganizationMembersResponse = GetOrganizationMembersResponses[keyof GetOrganizationMembersResponses];
export type GetOauthServerMetadataData = {
body?: never;
path?: never;
query?: never;
url: '/.well-known/oauth-authorization-server';
};
export type GetOauthServerMetadataResponses = {
/**
* Successful Response
*/
200: OAuthServerMetadata;
};
export type GetOauthServerMetadataResponse = GetOauthServerMetadataResponses[keyof GetOauthServerMetadataResponses];

2
frontend/src/mocks/handlers/generated.ts
View File

@@ -8,7 +8,7 @@
*
* For custom handler behavior, use src/mocks/handlers/overrides.ts
*
* Generated: 2025-11-25T00:22:46.981Z
* Generated: 2025-11-26T12:21:51.098Z
*/
import { http, HttpResponse, delay } from 'msw';