stage 2 of oauth removal, switch to sanctum pat tokens completed, docs updated
This commit is contained in:
Codex Agent
@@ -1,6 +1,5 @@
|
||||
import 'dotenv/config';
|
||||
import { test as base, expect, Page, APIRequestContext } from '@playwright/test';
|
||||
import { randomBytes, createHash } from 'node:crypto';
|
||||
|
||||
export type TenantCredentials = {
|
||||
email: string;
|
||||
@@ -44,16 +43,13 @@ export const test = base.extend<TenantAdminFixtures>({
|
||||
|
||||
export const expectFixture = expect;
|
||||
|
||||
const clientId = process.env.VITE_OAUTH_CLIENT_ID ?? 'tenant-admin-app';
|
||||
const redirectUri = new URL('/event-admin/auth/callback', process.env.PLAYWRIGHT_BASE_URL ?? 'http://localhost:8000').toString();
|
||||
const scopes = (process.env.VITE_OAUTH_SCOPES as string | undefined) ?? 'tenant:read tenant:write';
|
||||
|
||||
async function performTenantSignIn(page: Page, _credentials: TenantCredentials) {
|
||||
const tokens = await exchangeTokens(page.request);
|
||||
async function performTenantSignIn(page: Page, credentials: TenantCredentials) {
|
||||
const token = await exchangeToken(page.request, credentials);
|
||||
|
||||
await page.addInitScript(({ stored }) => {
|
||||
localStorage.setItem('tenant_oauth_tokens.v1', JSON.stringify(stored));
|
||||
}, { stored: tokens });
|
||||
localStorage.setItem('tenant_admin.token.v1', JSON.stringify(stored));
|
||||
sessionStorage.setItem('tenant_admin.token.session.v1', JSON.stringify(stored));
|
||||
}, { stored: token });
|
||||
|
||||
await page.goto('/event-admin');
|
||||
await page.waitForLoadState('domcontentloaded');
|
||||
@@ -61,78 +57,27 @@ async function performTenantSignIn(page: Page, _credentials: TenantCredentials)
|
||||
|
||||
type StoredTokenPayload = {
|
||||
accessToken: string;
|
||||
refreshToken: string;
|
||||
expiresAt: number;
|
||||
scope?: string;
|
||||
clientId?: string;
|
||||
abilities: string[];
|
||||
issuedAt: number;
|
||||
};
|
||||
|
||||
async function exchangeTokens(request: APIRequestContext): Promise<StoredTokenPayload> {
|
||||
const verifier = generateCodeVerifier();
|
||||
const challenge = generateCodeChallenge(verifier);
|
||||
const state = randomBytes(12).toString('hex');
|
||||
|
||||
const params = new URLSearchParams({
|
||||
response_type: 'code',
|
||||
client_id: clientId,
|
||||
redirect_uri: redirectUri,
|
||||
scope: scopes,
|
||||
state,
|
||||
code_challenge: challenge,
|
||||
code_challenge_method: 'S256',
|
||||
});
|
||||
|
||||
const authResponse = await request.get(`/api/v1/oauth/authorize?${params.toString()}`, {
|
||||
maxRedirects: 0,
|
||||
headers: {
|
||||
'x-playwright-test': 'tenant-admin',
|
||||
async function exchangeToken(request: APIRequestContext, credentials: TenantCredentials): Promise<StoredTokenPayload> {
|
||||
const response = await request.post('/api/v1/tenant-auth/login', {
|
||||
data: {
|
||||
login: credentials.email,
|
||||
password: credentials.password,
|
||||
},
|
||||
});
|
||||
|
||||
if (authResponse.status() >= 400) {
|
||||
throw new Error(`OAuth authorize failed: ${authResponse.status()} ${await authResponse.text()}`);
|
||||
if (!response.ok()) {
|
||||
throw new Error(`Tenant PAT login failed: ${response.status()} ${await response.text()}`);
|
||||
}
|
||||
|
||||
const location = authResponse.headers()['location'];
|
||||
if (!location) {
|
||||
throw new Error('OAuth authorize did not return redirect location');
|
||||
}
|
||||
|
||||
const code = new URL(location).searchParams.get('code');
|
||||
if (!code) {
|
||||
throw new Error('OAuth authorize response missing code');
|
||||
}
|
||||
|
||||
const tokenResponse = await request.post('/api/v1/oauth/token', {
|
||||
form: {
|
||||
grant_type: 'authorization_code',
|
||||
code,
|
||||
client_id: clientId,
|
||||
redirect_uri: redirectUri,
|
||||
code_verifier: verifier,
|
||||
},
|
||||
});
|
||||
|
||||
if (!tokenResponse.ok()) {
|
||||
throw new Error(`OAuth token exchange failed: ${tokenResponse.status()} ${await tokenResponse.text()}`);
|
||||
}
|
||||
|
||||
const body = await tokenResponse.json();
|
||||
const expiresIn = typeof body.expires_in === 'number' ? body.expires_in : 3600;
|
||||
const body = await response.json();
|
||||
|
||||
return {
|
||||
accessToken: body.access_token,
|
||||
refreshToken: body.refresh_token,
|
||||
expiresAt: Date.now() + Math.max(expiresIn - 30, 0) * 1000,
|
||||
scope: body.scope,
|
||||
clientId,
|
||||
accessToken: body.token,
|
||||
abilities: Array.isArray(body.abilities) ? body.abilities : [],
|
||||
issuedAt: Date.now(),
|
||||
};
|
||||
}
|
||||
|
||||
function generateCodeVerifier(): string {
|
||||
return randomBytes(32).toString('base64url');
|
||||
}
|
||||
|
||||
function generateCodeChallenge(verifier: string): string {
|
||||
return createHash('sha256').update(verifier).digest('base64url');
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user