feat: implement tenant OAuth flow and guest achievements

tests/e2e/oauth-flow.test.ts

@@ -0,0 +1,76 @@
+import { test, expect } from '@playwright/test';
+
+test('OAuth Flow for tenant-admin-app', async ({ page }) => {
+  const code_challenge = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
+  const code_verifier = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
+  const redirect_uri = 'http://localhost:8000/auth/callback';
+  const state = 'teststate';
+  const scope = 'tenant:read tenant:write tenant:admin';
+
+  const authorizeUrl = `/api/v1/oauth/authorize?response_type=code&client_id=tenant-admin-app&redirect_uri=${encodeURIComponent(redirect_uri)}&scope=${encodeURIComponent(scope)}&code_challenge=${code_challenge}&code_challenge_method=S256&state=${state}`;
+
+  // Navigate to authorize - should immediately redirect to callback
+  await page.goto(authorizeUrl);
+  await page.waitForLoadState('networkidle');
+
+  // Log response if no redirect
+  const currentUrl = page.url();
+  if (currentUrl.includes('/authorize')) {
+    const response = await page.content();
+    console.log('No redirect, response:', response.substring(0, 500)); // First 500 chars
+  }
+
+  // Wait for redirect to callback and parse params
+  await expect(page).toHaveURL(new RegExp(`${redirect_uri}\\?.*`));
+  const urlObj = new URL(currentUrl);
+  const code = urlObj.searchParams.get('code') || '';
+  const receivedState = urlObj.searchParams.get('state') || '';
+
+  expect(receivedState).toBe(state);
+  expect(code).not.toBeNull();
+
+  console.log('Authorization code:', code);
+
+  // Token exchange via fetch
+  const tokenParams = {
+    code: code!,
+    redirect_uri,
+    code_verifier
+  };
+  const tokenResponse = await page.evaluate(async (params) => {
+    const response = await fetch('/api/v1/oauth/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: 'tenant-admin-app',
+        code: params.code,
+        redirect_uri: params.redirect_uri,
+        code_verifier: params.code_verifier,
+      }).toString(),
+    });
+    return await response.json();
+  }, tokenParams);
+
+  console.log('Token response:', tokenResponse);
+  expect(tokenResponse.access_token).toBeTruthy();
+
+  const accessToken = tokenResponse.access_token;
+
+  // Call /tenant/me with token
+  const meResponse = await page.evaluate(async (token) => {
+    const response = await fetch('/api/v1/tenant/me', {
+      headers: {
+        'Authorization': `Bearer ${token}`,
+        'Accept': 'application/json',
+      },
+    });
+    return await response.json();
+  }, accessToken);
+
+  console.log('/tenant/me response:', meResponse);
+  expect(meResponse).toHaveProperty('id');
+  expect(meResponse.email).toBe('demo@example.com');
+});