OIDC: revoke tokens on logout (#11718)
* test persistCredentials without a pickle key * test setLoggedIn with pickle key * lint * type error * extract token persisting code into function, persist refresh token * store has_refresh_token too * pass refreshToken from oidcAuthGrant into credentials * rest restore session with pickle key * retreive stored refresh token and add to credentials * extract token decryption into function * remove TODO * very messy poc * utils to persist clientId and issuer after oidc authentication * add dep oidc-client-ts * persist issuer and clientId after successful oidc auth * add OidcClientStore * comments and tidy * expose getters for stored refresh and access tokens in Lifecycle * revoke tokens with oidc provider * test logout action in MatrixChat * comments * prettier * test OidcClientStore.revokeTokens * put pickle key destruction back * comment pedantry * working refresh without persistence * extract token persistence functions to utils * add sugar * implement TokenRefresher class with persistence * tidying * persist idTokenClaims * persist idTokenClaims * tests * remove unused cde * create token refresher during doSetLoggedIn * tidying * also tidying * OidcClientStore.initClient use stored issuer when client well known unavailable * test Lifecycle.logout * update Lifecycle test replaceUsingCreds calls * fix test * tidy * test tokenrefresher creation in login flow * test token refresher * Update src/utils/oidc/TokenRefresher.ts Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> * use literal value for m.authentication Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> * improve comments * fix test mock, comment * typo * add sdkContext to SoftLogout, pass oidcClientStore to logout * fullstops * comments * fussy comment formatting --------- Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
This commit is contained in:
parent
fe3ad78a02
commit
84ca519b3f
6 changed files with 258 additions and 44 deletions
|
@ -65,6 +65,7 @@ import { OverwriteLoginPayload } from "./dispatcher/payloads/OverwriteLoginPaylo
|
||||||
import { SdkContextClass } from "./contexts/SDKContext";
|
import { SdkContextClass } from "./contexts/SDKContext";
|
||||||
import { messageForLoginError } from "./utils/ErrorUtils";
|
import { messageForLoginError } from "./utils/ErrorUtils";
|
||||||
import { completeOidcLogin } from "./utils/oidc/authorize";
|
import { completeOidcLogin } from "./utils/oidc/authorize";
|
||||||
|
import { OidcClientStore } from "./stores/oidc/OidcClientStore";
|
||||||
import {
|
import {
|
||||||
getStoredOidcClientId,
|
getStoredOidcClientId,
|
||||||
getStoredOidcIdTokenClaims,
|
getStoredOidcIdTokenClaims,
|
||||||
|
@ -922,9 +923,28 @@ async function persistCredentials(credentials: IMatrixClientCreds): Promise<void
|
||||||
let _isLoggingOut = false;
|
let _isLoggingOut = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Logs the current session out and transitions to the logged-out state
|
* Logs out the current session.
|
||||||
|
* When user has authenticated using OIDC native flow revoke tokens with OIDC provider.
|
||||||
|
* Otherwise, call /logout on the homeserver.
|
||||||
|
* @param client
|
||||||
|
* @param oidcClientStore
|
||||||
*/
|
*/
|
||||||
export function logout(): void {
|
async function doLogout(client: MatrixClient, oidcClientStore?: OidcClientStore): Promise<void> {
|
||||||
|
if (oidcClientStore?.isUserAuthenticatedWithOidc) {
|
||||||
|
const accessToken = client.getAccessToken() ?? undefined;
|
||||||
|
const refreshToken = client.getRefreshToken() ?? undefined;
|
||||||
|
|
||||||
|
await oidcClientStore.revokeTokens(accessToken, refreshToken);
|
||||||
|
} else {
|
||||||
|
await client.logout(true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Logs the current session out and transitions to the logged-out state
|
||||||
|
* @param oidcClientStore store instance from SDKContext
|
||||||
|
*/
|
||||||
|
export function logout(oidcClientStore?: OidcClientStore): void {
|
||||||
const client = MatrixClientPeg.get();
|
const client = MatrixClientPeg.get();
|
||||||
if (!client) return;
|
if (!client) return;
|
||||||
|
|
||||||
|
@ -940,7 +960,8 @@ export function logout(): void {
|
||||||
|
|
||||||
_isLoggingOut = true;
|
_isLoggingOut = true;
|
||||||
PlatformPeg.get()?.destroyPickleKey(client.getSafeUserId(), client.getDeviceId() ?? "");
|
PlatformPeg.get()?.destroyPickleKey(client.getSafeUserId(), client.getDeviceId() ?? "");
|
||||||
client.logout(true).then(onLoggedOut, (err) => {
|
|
||||||
|
doLogout(client, oidcClientStore).then(onLoggedOut, (err) => {
|
||||||
// Just throwing an error here is going to be very unhelpful
|
// Just throwing an error here is going to be very unhelpful
|
||||||
// if you're trying to log out because your server's down and
|
// if you're trying to log out because your server's down and
|
||||||
// you want to log into a different server, so just forget the
|
// you want to log into a different server, so just forget the
|
||||||
|
|
|
@ -650,7 +650,7 @@ export default class MatrixChat extends React.PureComponent<IProps, IState> {
|
||||||
Promise.all([
|
Promise.all([
|
||||||
...[...CallStore.instance.activeCalls].map((call) => call.disconnect()),
|
...[...CallStore.instance.activeCalls].map((call) => call.disconnect()),
|
||||||
cleanUpBroadcasts(this.stores),
|
cleanUpBroadcasts(this.stores),
|
||||||
]).finally(() => Lifecycle.logout());
|
]).finally(() => Lifecycle.logout(this.stores.oidcClientStore));
|
||||||
break;
|
break;
|
||||||
case "require_registration":
|
case "require_registration":
|
||||||
startAnyRegistrationFlow(payload as any);
|
startAnyRegistrationFlow(payload as any);
|
||||||
|
|
|
@ -34,6 +34,7 @@ import AccessibleButton from "../../views/elements/AccessibleButton";
|
||||||
import Spinner from "../../views/elements/Spinner";
|
import Spinner from "../../views/elements/Spinner";
|
||||||
import AuthHeader from "../../views/auth/AuthHeader";
|
import AuthHeader from "../../views/auth/AuthHeader";
|
||||||
import AuthBody from "../../views/auth/AuthBody";
|
import AuthBody from "../../views/auth/AuthBody";
|
||||||
|
import { SDKContext } from "../../../contexts/SDKContext";
|
||||||
|
|
||||||
enum LoginView {
|
enum LoginView {
|
||||||
Loading,
|
Loading,
|
||||||
|
@ -70,8 +71,13 @@ interface IState {
|
||||||
}
|
}
|
||||||
|
|
||||||
export default class SoftLogout extends React.Component<IProps, IState> {
|
export default class SoftLogout extends React.Component<IProps, IState> {
|
||||||
public constructor(props: IProps) {
|
public static contextType = SDKContext;
|
||||||
super(props);
|
public context!: React.ContextType<typeof SDKContext>;
|
||||||
|
|
||||||
|
public constructor(props: IProps, context: React.ContextType<typeof SDKContext>) {
|
||||||
|
super(props, context);
|
||||||
|
|
||||||
|
this.context = context;
|
||||||
|
|
||||||
this.state = {
|
this.state = {
|
||||||
loginView: LoginView.Loading,
|
loginView: LoginView.Loading,
|
||||||
|
@ -98,7 +104,7 @@ export default class SoftLogout extends React.Component<IProps, IState> {
|
||||||
if (!wipeData) return;
|
if (!wipeData) return;
|
||||||
|
|
||||||
logger.log("Clearing data from soft-logged-out session");
|
logger.log("Clearing data from soft-logged-out session");
|
||||||
Lifecycle.logout();
|
Lifecycle.logout(this.context.oidcClientStore);
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
|
@ -50,6 +50,54 @@ export class OidcClientStore {
|
||||||
return this._accountManagementEndpoint;
|
return this._accountManagementEndpoint;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revokes provided access and refresh tokens with the configured OIDC provider
|
||||||
|
* @param accessToken
|
||||||
|
* @param refreshToken
|
||||||
|
* @returns Promise that resolves when tokens have been revoked
|
||||||
|
* @throws when OidcClient cannot be initialised, or revoking either token fails
|
||||||
|
*/
|
||||||
|
public async revokeTokens(accessToken?: string, refreshToken?: string): Promise<void> {
|
||||||
|
const client = await this.getOidcClient();
|
||||||
|
|
||||||
|
if (!client) {
|
||||||
|
throw new Error("No OIDC client");
|
||||||
|
}
|
||||||
|
|
||||||
|
const results = await Promise.all([
|
||||||
|
this.tryRevokeToken(client, accessToken, "access_token"),
|
||||||
|
this.tryRevokeToken(client, refreshToken, "refresh_token"),
|
||||||
|
]);
|
||||||
|
|
||||||
|
if (results.some((success) => !success)) {
|
||||||
|
throw new Error("Failed to revoke tokens");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Try to revoke a given token
|
||||||
|
* @param oidcClient
|
||||||
|
* @param token
|
||||||
|
* @param tokenType passed to revocation endpoint as token type hint
|
||||||
|
* @returns Promise that resolved with boolean whether the token revocation succeeded or not
|
||||||
|
*/
|
||||||
|
private async tryRevokeToken(
|
||||||
|
oidcClient: OidcClient,
|
||||||
|
token: string | undefined,
|
||||||
|
tokenType: "access_token" | "refresh_token",
|
||||||
|
): Promise<boolean> {
|
||||||
|
try {
|
||||||
|
if (!token) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
await oidcClient.revokeToken(token, tokenType);
|
||||||
|
return true;
|
||||||
|
} catch (error) {
|
||||||
|
logger.error(`Failed to revoke ${tokenType}`, error);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private async getOidcClient(): Promise<OidcClient | undefined> {
|
private async getOidcClient(): Promise<OidcClient | undefined> {
|
||||||
if (!this.oidcClient && !this.initialisingOidcClientPromise) {
|
if (!this.oidcClient && !this.initialisingOidcClientPromise) {
|
||||||
this.initialisingOidcClientPromise = this.initOidcClient();
|
this.initialisingOidcClientPromise = this.initOidcClient();
|
||||||
|
@ -59,18 +107,27 @@ export class OidcClientStore {
|
||||||
return this.oidcClient;
|
return this.oidcClient;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tries to initialise an OidcClient using stored clientId and OIDC discovery.
|
||||||
|
* Assigns this.oidcClient and accountManagement endpoint.
|
||||||
|
* Logs errors and does not throw when oidc client cannot be initialised.
|
||||||
|
* @returns promise that resolves when initialising OidcClient succeeds or fails
|
||||||
|
*/
|
||||||
private async initOidcClient(): Promise<void> {
|
private async initOidcClient(): Promise<void> {
|
||||||
const wellKnown = this.matrixClient.getClientWellKnown();
|
const wellKnown = await this.matrixClient.waitForClientWellKnown();
|
||||||
if (!wellKnown) {
|
if (!wellKnown && !this.authenticatedIssuer) {
|
||||||
logger.error("Cannot initialise OidcClientStore: client well known required.");
|
logger.error("Cannot initialise OIDC client without issuer.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
const delegatedAuthConfig =
|
||||||
|
(wellKnown && M_AUTHENTICATION.findIn<IDelegatedAuthConfig>(wellKnown)) ?? undefined;
|
||||||
|
|
||||||
const delegatedAuthConfig = M_AUTHENTICATION.findIn<IDelegatedAuthConfig>(wellKnown) ?? undefined;
|
|
||||||
try {
|
try {
|
||||||
const clientId = getStoredOidcClientId();
|
const clientId = getStoredOidcClientId();
|
||||||
const { account, metadata, signingKeys } = await discoverAndValidateAuthenticationConfig(
|
const { account, metadata, signingKeys } = await discoverAndValidateAuthenticationConfig(
|
||||||
delegatedAuthConfig,
|
// if HS has valid delegated auth config in .well-known, use it
|
||||||
|
// otherwise fallback to the known issuer
|
||||||
|
delegatedAuthConfig ?? { issuer: this.authenticatedIssuer! },
|
||||||
);
|
);
|
||||||
// if no account endpoint is configured default to the issuer
|
// if no account endpoint is configured default to the issuer
|
||||||
this._accountManagementEndpoint = account ?? metadata.issuer;
|
this._accountManagementEndpoint = account ?? metadata.issuer;
|
||||||
|
|
|
@ -19,15 +19,17 @@ import { logger } from "matrix-js-sdk/src/logger";
|
||||||
import * as MatrixJs from "matrix-js-sdk/src/matrix";
|
import * as MatrixJs from "matrix-js-sdk/src/matrix";
|
||||||
import { setCrypto } from "matrix-js-sdk/src/crypto/crypto";
|
import { setCrypto } from "matrix-js-sdk/src/crypto/crypto";
|
||||||
import * as MatrixCryptoAes from "matrix-js-sdk/src/crypto/aes";
|
import * as MatrixCryptoAes from "matrix-js-sdk/src/crypto/aes";
|
||||||
|
import { MockedObject } from "jest-mock";
|
||||||
import fetchMock from "fetch-mock-jest";
|
import fetchMock from "fetch-mock-jest";
|
||||||
|
|
||||||
import StorageEvictedDialog from "../src/components/views/dialogs/StorageEvictedDialog";
|
import StorageEvictedDialog from "../src/components/views/dialogs/StorageEvictedDialog";
|
||||||
import { restoreFromLocalStorage, setLoggedIn } from "../src/Lifecycle";
|
import { logout, restoreFromLocalStorage, setLoggedIn } from "../src/Lifecycle";
|
||||||
import { MatrixClientPeg } from "../src/MatrixClientPeg";
|
import { MatrixClientPeg } from "../src/MatrixClientPeg";
|
||||||
import Modal from "../src/Modal";
|
import Modal from "../src/Modal";
|
||||||
import * as StorageManager from "../src/utils/StorageManager";
|
import * as StorageManager from "../src/utils/StorageManager";
|
||||||
import { getMockClientWithEventEmitter, mockPlatformPeg } from "./test-utils";
|
import { flushPromises, getMockClientWithEventEmitter, mockClientMethodsUser, mockPlatformPeg } from "./test-utils";
|
||||||
import ToastStore from "../src/stores/ToastStore";
|
import ToastStore from "../src/stores/ToastStore";
|
||||||
|
import { OidcClientStore } from "../src/stores/oidc/OidcClientStore";
|
||||||
import { makeDelegatedAuthConfig } from "./test-utils/oidc";
|
import { makeDelegatedAuthConfig } from "./test-utils/oidc";
|
||||||
import { persistOidcAuthenticatedSettings } from "../src/utils/oidc/persistOidcSettings";
|
import { persistOidcAuthenticatedSettings } from "../src/utils/oidc/persistOidcSettings";
|
||||||
|
|
||||||
|
@ -40,24 +42,29 @@ describe("Lifecycle", () => {
|
||||||
|
|
||||||
const realLocalStorage = global.localStorage;
|
const realLocalStorage = global.localStorage;
|
||||||
|
|
||||||
const mockClient = getMockClientWithEventEmitter({
|
let mockClient!: MockedObject<MatrixJs.MatrixClient>;
|
||||||
stopClient: jest.fn(),
|
|
||||||
removeAllListeners: jest.fn(),
|
|
||||||
clearStores: jest.fn(),
|
|
||||||
getAccountData: jest.fn(),
|
|
||||||
getUserId: jest.fn(),
|
|
||||||
getDeviceId: jest.fn(),
|
|
||||||
isVersionSupported: jest.fn().mockResolvedValue(true),
|
|
||||||
getCrypto: jest.fn(),
|
|
||||||
getClientWellKnown: jest.fn(),
|
|
||||||
getThirdpartyProtocols: jest.fn(),
|
|
||||||
store: {
|
|
||||||
destroy: jest.fn(),
|
|
||||||
},
|
|
||||||
getVersions: jest.fn().mockResolvedValue({ versions: ["v1.1"] }),
|
|
||||||
});
|
|
||||||
|
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
|
mockClient = getMockClientWithEventEmitter({
|
||||||
|
...mockClientMethodsUser(),
|
||||||
|
stopClient: jest.fn(),
|
||||||
|
removeAllListeners: jest.fn(),
|
||||||
|
clearStores: jest.fn(),
|
||||||
|
getAccountData: jest.fn(),
|
||||||
|
getDeviceId: jest.fn(),
|
||||||
|
isVersionSupported: jest.fn().mockResolvedValue(true),
|
||||||
|
getCrypto: jest.fn(),
|
||||||
|
getClientWellKnown: jest.fn(),
|
||||||
|
waitForClientWellKnown: jest.fn(),
|
||||||
|
getThirdpartyProtocols: jest.fn(),
|
||||||
|
store: {
|
||||||
|
destroy: jest.fn(),
|
||||||
|
},
|
||||||
|
getVersions: jest.fn().mockResolvedValue({ versions: ["v1.1"] }),
|
||||||
|
logout: jest.fn().mockResolvedValue(undefined),
|
||||||
|
getAccessToken: jest.fn(),
|
||||||
|
getRefreshToken: jest.fn(),
|
||||||
|
});
|
||||||
// stub this
|
// stub this
|
||||||
jest.spyOn(MatrixClientPeg, "replaceUsingCreds").mockImplementation(() => {});
|
jest.spyOn(MatrixClientPeg, "replaceUsingCreds").mockImplementation(() => {});
|
||||||
jest.spyOn(MatrixClientPeg, "start").mockResolvedValue(undefined);
|
jest.spyOn(MatrixClientPeg, "start").mockResolvedValue(undefined);
|
||||||
|
@ -692,7 +699,7 @@ describe("Lifecycle", () => {
|
||||||
|
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
// mock oidc config for oidc client initialisation
|
// mock oidc config for oidc client initialisation
|
||||||
mockClient.getClientWellKnown.mockReturnValue({
|
mockClient.waitForClientWellKnown.mockResolvedValue({
|
||||||
"m.authentication": {
|
"m.authentication": {
|
||||||
issuer: issuer,
|
issuer: issuer,
|
||||||
},
|
},
|
||||||
|
@ -776,4 +783,47 @@ describe("Lifecycle", () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe("logout()", () => {
|
||||||
|
let oidcClientStore!: OidcClientStore;
|
||||||
|
const accessToken = "test-access-token";
|
||||||
|
const refreshToken = "test-refresh-token";
|
||||||
|
|
||||||
|
beforeEach(() => {
|
||||||
|
oidcClientStore = new OidcClientStore(mockClient);
|
||||||
|
// stub
|
||||||
|
jest.spyOn(oidcClientStore, "revokeTokens").mockResolvedValue(undefined);
|
||||||
|
|
||||||
|
mockClient.getAccessToken.mockReturnValue(accessToken);
|
||||||
|
mockClient.getRefreshToken.mockReturnValue(refreshToken);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should call logout on the client when oidcClientStore is falsy", async () => {
|
||||||
|
logout();
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(mockClient.logout).toHaveBeenCalledWith(true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should call logout on the client when oidcClientStore.isUserAuthenticatedWithOidc is falsy", async () => {
|
||||||
|
jest.spyOn(oidcClientStore, "isUserAuthenticatedWithOidc", "get").mockReturnValue(false);
|
||||||
|
logout(oidcClientStore);
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(mockClient.logout).toHaveBeenCalledWith(true);
|
||||||
|
expect(oidcClientStore.revokeTokens).not.toHaveBeenCalled();
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should revoke tokens when user is authenticated with oidc", async () => {
|
||||||
|
jest.spyOn(oidcClientStore, "isUserAuthenticatedWithOidc", "get").mockReturnValue(true);
|
||||||
|
logout(oidcClientStore);
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(mockClient.logout).not.toHaveBeenCalled();
|
||||||
|
expect(oidcClientStore.revokeTokens).toHaveBeenCalledWith(accessToken, refreshToken);
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -14,7 +14,9 @@ See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
import fetchMock from "fetch-mock-jest";
|
||||||
import { mocked } from "jest-mock";
|
import { mocked } from "jest-mock";
|
||||||
|
import { OidcClient } from "oidc-client-ts";
|
||||||
import { M_AUTHENTICATION } from "matrix-js-sdk/src/matrix";
|
import { M_AUTHENTICATION } from "matrix-js-sdk/src/matrix";
|
||||||
import { logger } from "matrix-js-sdk/src/logger";
|
import { logger } from "matrix-js-sdk/src/logger";
|
||||||
import { discoverAndValidateAuthenticationConfig } from "matrix-js-sdk/src/oidc/discovery";
|
import { discoverAndValidateAuthenticationConfig } from "matrix-js-sdk/src/oidc/discovery";
|
||||||
|
@ -38,7 +40,7 @@ describe("OidcClientStore", () => {
|
||||||
};
|
};
|
||||||
|
|
||||||
const mockClient = getMockClientWithEventEmitter({
|
const mockClient = getMockClientWithEventEmitter({
|
||||||
getClientWellKnown: jest.fn().mockReturnValue({}),
|
waitForClientWellKnown: jest.fn().mockResolvedValue({}),
|
||||||
});
|
});
|
||||||
|
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
|
@ -50,13 +52,15 @@ describe("OidcClientStore", () => {
|
||||||
account,
|
account,
|
||||||
issuer: metadata.issuer,
|
issuer: metadata.issuer,
|
||||||
});
|
});
|
||||||
mockClient.getClientWellKnown.mockReturnValue({
|
mockClient.waitForClientWellKnown.mockResolvedValue({
|
||||||
[M_AUTHENTICATION.stable!]: {
|
[M_AUTHENTICATION.stable!]: {
|
||||||
issuer: metadata.issuer,
|
issuer: metadata.issuer,
|
||||||
account,
|
account,
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
jest.spyOn(logger, "error").mockClear();
|
jest.spyOn(logger, "error").mockClear();
|
||||||
|
|
||||||
|
fetchMock.get(`${metadata.issuer}.well-known/openid-configuration`, metadata);
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("isUserAuthenticatedWithOidc()", () => {
|
describe("isUserAuthenticatedWithOidc()", () => {
|
||||||
|
@ -76,7 +80,7 @@ describe("OidcClientStore", () => {
|
||||||
|
|
||||||
describe("initialising oidcClient", () => {
|
describe("initialising oidcClient", () => {
|
||||||
it("should initialise oidc client from constructor", () => {
|
it("should initialise oidc client from constructor", () => {
|
||||||
mockClient.getClientWellKnown.mockReturnValue(undefined);
|
mockClient.waitForClientWellKnown.mockResolvedValue(undefined as any);
|
||||||
const store = new OidcClientStore(mockClient);
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
// started initialising
|
// started initialising
|
||||||
|
@ -84,30 +88,33 @@ describe("OidcClientStore", () => {
|
||||||
expect(store.initialisingOidcClientPromise).toBeTruthy();
|
expect(store.initialisingOidcClientPromise).toBeTruthy();
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should log and return when no client well known is available", async () => {
|
it("should fallback to stored issuer when no client well known is available", async () => {
|
||||||
mockClient.getClientWellKnown.mockReturnValue(undefined);
|
mockClient.waitForClientWellKnown.mockResolvedValue(undefined as any);
|
||||||
const store = new OidcClientStore(mockClient);
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
expect(logger.error).toHaveBeenCalledWith("Cannot initialise OidcClientStore: client well known required.");
|
// successfully created oidc client
|
||||||
// no oidc client
|
|
||||||
// @ts-ignore private property
|
// @ts-ignore private property
|
||||||
expect(await store.getOidcClient()).toEqual(undefined);
|
expect(await store.getOidcClient()).toBeTruthy();
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should log and return when no clientId is found in storage", async () => {
|
it("should log and return when no clientId is found in storage", async () => {
|
||||||
jest.spyOn(sessionStorage.__proto__, "getItem").mockImplementation((key) =>
|
const sessionStorageWithoutClientId: Record<string, string | null> = {
|
||||||
key === "mx_oidc_token_issuer" ? metadata.issuer : null,
|
...mockSessionStorage,
|
||||||
|
mx_oidc_client_id: null,
|
||||||
|
};
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockImplementation(
|
||||||
|
(key) => sessionStorageWithoutClientId[key as string] ?? null,
|
||||||
);
|
);
|
||||||
|
|
||||||
const store = new OidcClientStore(mockClient);
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// no oidc client
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(await store.getOidcClient()).toEqual(undefined);
|
||||||
expect(logger.error).toHaveBeenCalledWith(
|
expect(logger.error).toHaveBeenCalledWith(
|
||||||
"Failed to initialise OidcClientStore",
|
"Failed to initialise OidcClientStore",
|
||||||
new Error("Oidc client id not found in storage"),
|
new Error("Oidc client id not found in storage"),
|
||||||
);
|
);
|
||||||
// no oidc client
|
|
||||||
// @ts-ignore private property
|
|
||||||
expect(await store.getOidcClient()).toEqual(undefined);
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should log and return when discovery and validation fails", async () => {
|
it("should log and return when discovery and validation fails", async () => {
|
||||||
|
@ -180,4 +187,77 @@ describe("OidcClientStore", () => {
|
||||||
expect(discoverAndValidateAuthenticationConfig).toHaveBeenCalledTimes(1);
|
expect(discoverAndValidateAuthenticationConfig).toHaveBeenCalledTimes(1);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe("revokeTokens()", () => {
|
||||||
|
const accessToken = "test-access-token";
|
||||||
|
const refreshToken = "test-refresh-token";
|
||||||
|
|
||||||
|
beforeEach(() => {
|
||||||
|
// spy and call through
|
||||||
|
jest.spyOn(OidcClient.prototype, "revokeToken").mockClear();
|
||||||
|
|
||||||
|
fetchMock.resetHistory();
|
||||||
|
fetchMock.post(
|
||||||
|
metadata.revocation_endpoint,
|
||||||
|
{
|
||||||
|
status: 200,
|
||||||
|
},
|
||||||
|
{ sendAsJson: true },
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should throw when oidcClient could not be initialised", async () => {
|
||||||
|
// make oidcClient initialisation fail
|
||||||
|
mockClient.waitForClientWellKnown.mockResolvedValue(undefined as any);
|
||||||
|
const sessionStorageWithoutIssuer: Record<string, string | null> = {
|
||||||
|
...mockSessionStorage,
|
||||||
|
mx_oidc_token_issuer: null,
|
||||||
|
};
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockImplementation(
|
||||||
|
(key) => sessionStorageWithoutIssuer[key as string] ?? null,
|
||||||
|
);
|
||||||
|
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
await expect(() => store.revokeTokens(accessToken, refreshToken)).rejects.toThrow("No OIDC client");
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should revoke access and refresh tokens", async () => {
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
await store.revokeTokens(accessToken, refreshToken);
|
||||||
|
|
||||||
|
expect(fetchMock).toHaveFetchedTimes(2, metadata.revocation_endpoint);
|
||||||
|
expect(OidcClient.prototype.revokeToken).toHaveBeenCalledWith(accessToken, "access_token");
|
||||||
|
expect(OidcClient.prototype.revokeToken).toHaveBeenCalledWith(refreshToken, "refresh_token");
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should still attempt to revoke refresh token when access token revocation fails", async () => {
|
||||||
|
// fail once, then succeed
|
||||||
|
fetchMock
|
||||||
|
.postOnce(
|
||||||
|
metadata.revocation_endpoint,
|
||||||
|
{
|
||||||
|
status: 404,
|
||||||
|
},
|
||||||
|
{ overwriteRoutes: true, sendAsJson: true },
|
||||||
|
)
|
||||||
|
.post(
|
||||||
|
metadata.revocation_endpoint,
|
||||||
|
{
|
||||||
|
status: 200,
|
||||||
|
},
|
||||||
|
{ sendAsJson: true },
|
||||||
|
);
|
||||||
|
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
await expect(() => store.revokeTokens(accessToken, refreshToken)).rejects.toThrow(
|
||||||
|
"Failed to revoke tokens",
|
||||||
|
);
|
||||||
|
|
||||||
|
expect(fetchMock).toHaveFetchedTimes(2, metadata.revocation_endpoint);
|
||||||
|
expect(OidcClient.prototype.revokeToken).toHaveBeenCalledWith(accessToken, "access_token");
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
Loading…
Reference in a new issue