mirror of
https://github.com/element-hq/element-web
synced 2024-11-25 10:45:51 +03:00
OIDC: Persist details in session storage, create store (#11302)
* utils to persist clientId and issuer after oidc authentication * add dep oidc-client-ts * persist issuer and clientId after successful oidc auth * add OidcClientStore * comments and tidy * format
This commit is contained in:
parent
882c85a028
commit
0b0d77cbcc
11 changed files with 446 additions and 2 deletions
|
@ -101,6 +101,7 @@
|
||||||
"matrix-widget-api": "^1.4.0",
|
"matrix-widget-api": "^1.4.0",
|
||||||
"memoize-one": "^6.0.0",
|
"memoize-one": "^6.0.0",
|
||||||
"minimist": "^1.2.5",
|
"minimist": "^1.2.5",
|
||||||
|
"oidc-client-ts": "^2.2.4",
|
||||||
"opus-recorder": "^8.0.3",
|
"opus-recorder": "^8.0.3",
|
||||||
"pako": "^2.0.3",
|
"pako": "^2.0.3",
|
||||||
"png-chunks-extract": "^1.0.0",
|
"png-chunks-extract": "^1.0.0",
|
||||||
|
|
|
@ -66,6 +66,7 @@ import { OverwriteLoginPayload } from "./dispatcher/payloads/OverwriteLoginPaylo
|
||||||
import { SdkContextClass } from "./contexts/SDKContext";
|
import { SdkContextClass } from "./contexts/SDKContext";
|
||||||
import { messageForLoginError } from "./utils/ErrorUtils";
|
import { messageForLoginError } from "./utils/ErrorUtils";
|
||||||
import { completeOidcLogin } from "./utils/oidc/authorize";
|
import { completeOidcLogin } from "./utils/oidc/authorize";
|
||||||
|
import { persistOidcAuthenticatedSettings } from "./utils/oidc/persistOidcSettings";
|
||||||
|
|
||||||
const HOMESERVER_URL_KEY = "mx_hs_url";
|
const HOMESERVER_URL_KEY = "mx_hs_url";
|
||||||
const ID_SERVER_URL_KEY = "mx_is_url";
|
const ID_SERVER_URL_KEY = "mx_is_url";
|
||||||
|
@ -215,7 +216,9 @@ export async function attemptDelegatedAuthLogin(
|
||||||
*/
|
*/
|
||||||
async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
|
async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
|
||||||
try {
|
try {
|
||||||
const { accessToken, homeserverUrl, identityServerUrl } = await completeOidcLogin(queryParams);
|
const { accessToken, homeserverUrl, identityServerUrl, clientId, issuer } = await completeOidcLogin(
|
||||||
|
queryParams,
|
||||||
|
);
|
||||||
|
|
||||||
const {
|
const {
|
||||||
user_id: userId,
|
user_id: userId,
|
||||||
|
@ -234,6 +237,8 @@ async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean>
|
||||||
|
|
||||||
logger.debug("Logged in via OIDC native flow");
|
logger.debug("Logged in via OIDC native flow");
|
||||||
await onSuccessfulDelegatedAuthLogin(credentials);
|
await onSuccessfulDelegatedAuthLogin(credentials);
|
||||||
|
// this needs to happen after success handler which clears storages
|
||||||
|
persistOidcAuthenticatedSettings(clientId, issuer);
|
||||||
return true;
|
return true;
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
logger.error("Failed to login via OIDC", error);
|
logger.error("Failed to login via OIDC", error);
|
||||||
|
|
|
@ -31,6 +31,7 @@ import TypingStore from "../stores/TypingStore";
|
||||||
import { UserProfilesStore } from "../stores/UserProfilesStore";
|
import { UserProfilesStore } from "../stores/UserProfilesStore";
|
||||||
import { WidgetLayoutStore } from "../stores/widgets/WidgetLayoutStore";
|
import { WidgetLayoutStore } from "../stores/widgets/WidgetLayoutStore";
|
||||||
import { WidgetPermissionStore } from "../stores/widgets/WidgetPermissionStore";
|
import { WidgetPermissionStore } from "../stores/widgets/WidgetPermissionStore";
|
||||||
|
import { OidcClientStore } from "../stores/oidc/OidcClientStore";
|
||||||
import WidgetStore from "../stores/WidgetStore";
|
import WidgetStore from "../stores/WidgetStore";
|
||||||
import {
|
import {
|
||||||
VoiceBroadcastPlaybacksStore,
|
VoiceBroadcastPlaybacksStore,
|
||||||
|
@ -80,6 +81,7 @@ export class SdkContextClass {
|
||||||
protected _VoiceBroadcastPlaybacksStore?: VoiceBroadcastPlaybacksStore;
|
protected _VoiceBroadcastPlaybacksStore?: VoiceBroadcastPlaybacksStore;
|
||||||
protected _AccountPasswordStore?: AccountPasswordStore;
|
protected _AccountPasswordStore?: AccountPasswordStore;
|
||||||
protected _UserProfilesStore?: UserProfilesStore;
|
protected _UserProfilesStore?: UserProfilesStore;
|
||||||
|
protected _OidcClientStore?: OidcClientStore;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Automatically construct stores which need to be created eagerly so they can register with
|
* Automatically construct stores which need to be created eagerly so they can register with
|
||||||
|
@ -203,6 +205,18 @@ export class SdkContextClass {
|
||||||
return this._UserProfilesStore;
|
return this._UserProfilesStore;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public get oidcClientStore(): OidcClientStore {
|
||||||
|
if (!this.client) {
|
||||||
|
throw new Error("Unable to create OidcClientStore without a client");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!this._OidcClientStore) {
|
||||||
|
this._OidcClientStore = new OidcClientStore(this.client);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this._OidcClientStore;
|
||||||
|
}
|
||||||
|
|
||||||
public onLoggedOut(): void {
|
public onLoggedOut(): void {
|
||||||
this._UserProfilesStore = undefined;
|
this._UserProfilesStore = undefined;
|
||||||
}
|
}
|
||||||
|
|
88
src/stores/oidc/OidcClientStore.ts
Normal file
88
src/stores/oidc/OidcClientStore.ts
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { IDelegatedAuthConfig, MatrixClient, M_AUTHENTICATION } from "matrix-js-sdk/src/client";
|
||||||
|
import { discoverAndValidateAuthenticationConfig } from "matrix-js-sdk/src/oidc/discovery";
|
||||||
|
import { logger } from "matrix-js-sdk/src/logger";
|
||||||
|
import { OidcClient } from "oidc-client-ts";
|
||||||
|
|
||||||
|
import { getStoredOidcTokenIssuer, getStoredOidcClientId } from "../../utils/oidc/persistOidcSettings";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @experimental
|
||||||
|
* Stores information about configured OIDC provider
|
||||||
|
*/
|
||||||
|
export class OidcClientStore {
|
||||||
|
private oidcClient?: OidcClient;
|
||||||
|
private initialisingOidcClientPromise: Promise<void> | undefined;
|
||||||
|
private authenticatedIssuer?: string;
|
||||||
|
private _accountManagementEndpoint?: string;
|
||||||
|
|
||||||
|
public constructor(private readonly matrixClient: MatrixClient) {
|
||||||
|
this.authenticatedIssuer = getStoredOidcTokenIssuer();
|
||||||
|
// don't bother initialising store when we didnt authenticate via oidc
|
||||||
|
if (this.authenticatedIssuer) {
|
||||||
|
this.getOidcClient();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* True when the active user is authenticated via OIDC
|
||||||
|
*/
|
||||||
|
public get isUserAuthenticatedWithOidc(): boolean {
|
||||||
|
return !!this.authenticatedIssuer;
|
||||||
|
}
|
||||||
|
|
||||||
|
public get accountManagementEndpoint(): string | undefined {
|
||||||
|
return this._accountManagementEndpoint;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async getOidcClient(): Promise<OidcClient | undefined> {
|
||||||
|
if (!this.oidcClient && !this.initialisingOidcClientPromise) {
|
||||||
|
this.initialisingOidcClientPromise = this.initOidcClient();
|
||||||
|
}
|
||||||
|
await this.initialisingOidcClientPromise;
|
||||||
|
this.initialisingOidcClientPromise = undefined;
|
||||||
|
return this.oidcClient;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async initOidcClient(): Promise<void> {
|
||||||
|
const wellKnown = this.matrixClient.getClientWellKnown();
|
||||||
|
if (!wellKnown) {
|
||||||
|
logger.error("Cannot initialise OidcClientStore: client well known required.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const delegatedAuthConfig = M_AUTHENTICATION.findIn<IDelegatedAuthConfig>(wellKnown) ?? undefined;
|
||||||
|
try {
|
||||||
|
const clientId = getStoredOidcClientId();
|
||||||
|
const { account, metadata, signingKeys } = await discoverAndValidateAuthenticationConfig(
|
||||||
|
delegatedAuthConfig,
|
||||||
|
);
|
||||||
|
// if no account endpoint is configured default to the issuer
|
||||||
|
this._accountManagementEndpoint = account ?? metadata.issuer;
|
||||||
|
this.oidcClient = new OidcClient({
|
||||||
|
...metadata,
|
||||||
|
authority: metadata.issuer,
|
||||||
|
signingKeys,
|
||||||
|
redirect_uri: window.location.origin,
|
||||||
|
client_id: clientId,
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
logger.error("Failed to initialise OidcClientStore", error);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -81,9 +81,12 @@ export const completeOidcLogin = async (
|
||||||
homeserverUrl: string;
|
homeserverUrl: string;
|
||||||
identityServerUrl?: string;
|
identityServerUrl?: string;
|
||||||
accessToken: string;
|
accessToken: string;
|
||||||
|
clientId: string;
|
||||||
|
issuer: string;
|
||||||
}> => {
|
}> => {
|
||||||
const { code, state } = getCodeAndStateFromQueryParams(queryParams);
|
const { code, state } = getCodeAndStateFromQueryParams(queryParams);
|
||||||
const { homeserverUrl, tokenResponse, identityServerUrl } = await completeAuthorizationCodeGrant(code, state);
|
const { homeserverUrl, tokenResponse, identityServerUrl, oidcClientSettings } =
|
||||||
|
await completeAuthorizationCodeGrant(code, state);
|
||||||
|
|
||||||
// @TODO(kerrya) do something with the refresh token https://github.com/vector-im/element-web/issues/25444
|
// @TODO(kerrya) do something with the refresh token https://github.com/vector-im/element-web/issues/25444
|
||||||
|
|
||||||
|
@ -91,5 +94,7 @@ export const completeOidcLogin = async (
|
||||||
homeserverUrl: homeserverUrl,
|
homeserverUrl: homeserverUrl,
|
||||||
identityServerUrl: identityServerUrl,
|
identityServerUrl: identityServerUrl,
|
||||||
accessToken: tokenResponse.access_token,
|
accessToken: tokenResponse.access_token,
|
||||||
|
clientId: oidcClientSettings.clientId,
|
||||||
|
issuer: oidcClientSettings.issuer,
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
51
src/utils/oidc/persistOidcSettings.ts
Normal file
51
src/utils/oidc/persistOidcSettings.ts
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
const clientIdStorageKey = "mx_oidc_client_id";
|
||||||
|
const tokenIssuerStorageKey = "mx_oidc_token_issuer";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Persists oidc clientId and issuer in session storage
|
||||||
|
* Only set after successful authentication
|
||||||
|
* @param clientId
|
||||||
|
* @param issuer
|
||||||
|
*/
|
||||||
|
export const persistOidcAuthenticatedSettings = (clientId: string, issuer: string): void => {
|
||||||
|
sessionStorage.setItem(clientIdStorageKey, clientId);
|
||||||
|
sessionStorage.setItem(tokenIssuerStorageKey, issuer);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Retrieve stored oidc issuer from session storage
|
||||||
|
* When user has token from OIDC issuer, this will be set
|
||||||
|
* @returns issuer or undefined
|
||||||
|
*/
|
||||||
|
export const getStoredOidcTokenIssuer = (): string | undefined => {
|
||||||
|
return sessionStorage.getItem(tokenIssuerStorageKey) ?? undefined;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Retrieves stored oidc client id from session storage
|
||||||
|
* @returns clientId
|
||||||
|
* @throws when clientId is not found in session storage
|
||||||
|
*/
|
||||||
|
export const getStoredOidcClientId = (): string => {
|
||||||
|
const clientId = sessionStorage.getItem(clientIdStorageKey);
|
||||||
|
if (!clientId) {
|
||||||
|
throw new Error("Oidc client id not found in storage");
|
||||||
|
}
|
||||||
|
return clientId;
|
||||||
|
};
|
|
@ -887,6 +887,15 @@ describe("<MatrixChat />", () => {
|
||||||
|
|
||||||
expect(loginClient.clearStores).not.toHaveBeenCalled();
|
expect(loginClient.clearStores).not.toHaveBeenCalled();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it("should not store clientId or issuer", async () => {
|
||||||
|
getComponent({ realQueryParams });
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(sessionStorageSetSpy).not.toHaveBeenCalledWith("mx_oidc_client_id", clientId);
|
||||||
|
expect(sessionStorageSetSpy).not.toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("when login succeeds", () => {
|
describe("when login succeeds", () => {
|
||||||
|
@ -911,6 +920,15 @@ describe("<MatrixChat />", () => {
|
||||||
expect(localStorageSetSpy).toHaveBeenCalledWith("mx_device_id", deviceId);
|
expect(localStorageSetSpy).toHaveBeenCalledWith("mx_device_id", deviceId);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it("should store clientId and issuer in session storage", async () => {
|
||||||
|
getComponent({ realQueryParams });
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(sessionStorageSetSpy).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
|
||||||
|
expect(sessionStorageSetSpy).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
|
||||||
|
});
|
||||||
|
|
||||||
it("should set logged in and start MatrixClient", async () => {
|
it("should set logged in and start MatrixClient", async () => {
|
||||||
getComponent({ realQueryParams });
|
getComponent({ realQueryParams });
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,7 @@ limitations under the License.
|
||||||
import { MatrixClient } from "matrix-js-sdk/src/matrix";
|
import { MatrixClient } from "matrix-js-sdk/src/matrix";
|
||||||
|
|
||||||
import { SdkContextClass } from "../../src/contexts/SDKContext";
|
import { SdkContextClass } from "../../src/contexts/SDKContext";
|
||||||
|
import { OidcClientStore } from "../../src/stores/oidc/OidcClientStore";
|
||||||
import { UserProfilesStore } from "../../src/stores/UserProfilesStore";
|
import { UserProfilesStore } from "../../src/stores/UserProfilesStore";
|
||||||
import { VoiceBroadcastPreRecordingStore } from "../../src/voice-broadcast";
|
import { VoiceBroadcastPreRecordingStore } from "../../src/voice-broadcast";
|
||||||
import { createTestClient } from "../test-utils";
|
import { createTestClient } from "../test-utils";
|
||||||
|
@ -52,6 +53,12 @@ describe("SdkContextClass", () => {
|
||||||
}).toThrow("Unable to create UserProfilesStore without a client");
|
}).toThrow("Unable to create UserProfilesStore without a client");
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it("oidcClientStore should raise an error without a client", () => {
|
||||||
|
expect(() => {
|
||||||
|
sdkContext.oidcClientStore;
|
||||||
|
}).toThrow("Unable to create OidcClientStore without a client");
|
||||||
|
});
|
||||||
|
|
||||||
describe("when SDKContext has a client", () => {
|
describe("when SDKContext has a client", () => {
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
sdkContext.client = client;
|
sdkContext.client = client;
|
||||||
|
@ -69,5 +76,12 @@ describe("SdkContextClass", () => {
|
||||||
sdkContext.onLoggedOut();
|
sdkContext.onLoggedOut();
|
||||||
expect(sdkContext.userProfilesStore).not.toBe(store);
|
expect(sdkContext.userProfilesStore).not.toBe(store);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it("oidcClientstore should return a OidcClientStore", () => {
|
||||||
|
const store = sdkContext.oidcClientStore;
|
||||||
|
expect(store).toBeInstanceOf(OidcClientStore);
|
||||||
|
// it should return the same instance
|
||||||
|
expect(sdkContext.oidcClientStore).toBe(store);
|
||||||
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
183
test/stores/oidc/OidcClientStore-test.ts
Normal file
183
test/stores/oidc/OidcClientStore-test.ts
Normal file
|
@ -0,0 +1,183 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { mocked } from "jest-mock";
|
||||||
|
import { M_AUTHENTICATION } from "matrix-js-sdk/src/client";
|
||||||
|
import { logger } from "matrix-js-sdk/src/logger";
|
||||||
|
import { discoverAndValidateAuthenticationConfig } from "matrix-js-sdk/src/oidc/discovery";
|
||||||
|
import { OidcError } from "matrix-js-sdk/src/oidc/error";
|
||||||
|
|
||||||
|
import { OidcClientStore } from "../../../src/stores/oidc/OidcClientStore";
|
||||||
|
import { flushPromises, getMockClientWithEventEmitter } from "../../test-utils";
|
||||||
|
import { mockOpenIdConfiguration } from "../../test-utils/oidc";
|
||||||
|
|
||||||
|
jest.mock("matrix-js-sdk/src/oidc/discovery", () => ({
|
||||||
|
discoverAndValidateAuthenticationConfig: jest.fn(),
|
||||||
|
}));
|
||||||
|
|
||||||
|
describe("OidcClientStore", () => {
|
||||||
|
const clientId = "test-client-id";
|
||||||
|
const metadata = mockOpenIdConfiguration();
|
||||||
|
const account = metadata.issuer + "account";
|
||||||
|
const mockSessionStorage: Record<string, string> = {
|
||||||
|
mx_oidc_client_id: clientId,
|
||||||
|
mx_oidc_token_issuer: metadata.issuer,
|
||||||
|
};
|
||||||
|
|
||||||
|
const mockClient = getMockClientWithEventEmitter({
|
||||||
|
getClientWellKnown: jest.fn().mockReturnValue({}),
|
||||||
|
});
|
||||||
|
|
||||||
|
beforeEach(() => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem")
|
||||||
|
.mockClear()
|
||||||
|
.mockImplementation((key) => mockSessionStorage[key as string] ?? null);
|
||||||
|
mocked(discoverAndValidateAuthenticationConfig).mockClear().mockResolvedValue({
|
||||||
|
metadata,
|
||||||
|
account,
|
||||||
|
issuer: metadata.issuer,
|
||||||
|
});
|
||||||
|
mockClient.getClientWellKnown.mockReturnValue({
|
||||||
|
[M_AUTHENTICATION.stable!]: {
|
||||||
|
issuer: metadata.issuer,
|
||||||
|
account,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
jest.spyOn(logger, "error").mockClear();
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("isUserAuthenticatedWithOidc()", () => {
|
||||||
|
it("should return true when an issuer is in session storage", () => {
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
expect(store.isUserAuthenticatedWithOidc).toEqual(true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should return false when no issuer is in session storage", () => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockReturnValue(null);
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
expect(store.isUserAuthenticatedWithOidc).toEqual(false);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("initialising oidcClient", () => {
|
||||||
|
it("should initialise oidc client from constructor", () => {
|
||||||
|
mockClient.getClientWellKnown.mockReturnValue(undefined);
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// started initialising
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(store.initialisingOidcClientPromise).toBeTruthy();
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should log and return when no client well known is available", async () => {
|
||||||
|
mockClient.getClientWellKnown.mockReturnValue(undefined);
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
expect(logger.error).toHaveBeenCalledWith("Cannot initialise OidcClientStore: client well known required.");
|
||||||
|
// no oidc client
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(await store.getOidcClient()).toEqual(undefined);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should log and return when no clientId is found in storage", async () => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockImplementation((key) =>
|
||||||
|
key === "mx_oidc_token_issuer" ? metadata.issuer : null,
|
||||||
|
);
|
||||||
|
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
expect(logger.error).toHaveBeenCalledWith(
|
||||||
|
"Failed to initialise OidcClientStore",
|
||||||
|
new Error("Oidc client id not found in storage"),
|
||||||
|
);
|
||||||
|
// no oidc client
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(await store.getOidcClient()).toEqual(undefined);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should log and return when discovery and validation fails", async () => {
|
||||||
|
mocked(discoverAndValidateAuthenticationConfig).mockRejectedValue(new Error(OidcError.OpSupport));
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
expect(logger.error).toHaveBeenCalledWith(
|
||||||
|
"Failed to initialise OidcClientStore",
|
||||||
|
new Error(OidcError.OpSupport),
|
||||||
|
);
|
||||||
|
// no oidc client
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(await store.getOidcClient()).toEqual(undefined);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should create oidc client correctly", async () => {
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// @ts-ignore private property
|
||||||
|
const client = await store.getOidcClient();
|
||||||
|
|
||||||
|
expect(client?.settings.client_id).toEqual(clientId);
|
||||||
|
expect(client?.settings.authority).toEqual(metadata.issuer);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should set account management endpoint when configured", async () => {
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// @ts-ignore private property
|
||||||
|
await store.getOidcClient();
|
||||||
|
|
||||||
|
expect(store.accountManagementEndpoint).toEqual(account);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should set account management endpoint to issuer when not configured", async () => {
|
||||||
|
mocked(discoverAndValidateAuthenticationConfig).mockClear().mockResolvedValue({
|
||||||
|
metadata,
|
||||||
|
account: undefined,
|
||||||
|
issuer: metadata.issuer,
|
||||||
|
});
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// @ts-ignore private property
|
||||||
|
await store.getOidcClient();
|
||||||
|
|
||||||
|
expect(store.accountManagementEndpoint).toEqual(metadata.issuer);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should reuse initialised oidc client", async () => {
|
||||||
|
const store = new OidcClientStore(mockClient);
|
||||||
|
|
||||||
|
// @ts-ignore private property
|
||||||
|
store.getOidcClient();
|
||||||
|
// @ts-ignore private property
|
||||||
|
store.getOidcClient();
|
||||||
|
|
||||||
|
await flushPromises();
|
||||||
|
|
||||||
|
// finished initialising
|
||||||
|
// @ts-ignore private property
|
||||||
|
expect(await store.getOidcClient()).toBeTruthy();
|
||||||
|
|
||||||
|
// @ts-ignore private property
|
||||||
|
store.getOidcClient();
|
||||||
|
|
||||||
|
// only called once for multiple calls to getOidcClient
|
||||||
|
// before and after initialisation is complete
|
||||||
|
expect(discoverAndValidateAuthenticationConfig).toHaveBeenCalledTimes(1);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
|
@ -132,6 +132,8 @@ describe("OIDC authorization", () => {
|
||||||
accessToken: tokenResponse.access_token,
|
accessToken: tokenResponse.access_token,
|
||||||
homeserverUrl,
|
homeserverUrl,
|
||||||
identityServerUrl,
|
identityServerUrl,
|
||||||
|
issuer,
|
||||||
|
clientId,
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
63
test/utils/oidc/persistOidcSettings-test.ts
Normal file
63
test/utils/oidc/persistOidcSettings-test.ts
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import {
|
||||||
|
getStoredOidcClientId,
|
||||||
|
getStoredOidcTokenIssuer,
|
||||||
|
persistOidcAuthenticatedSettings,
|
||||||
|
} from "../../../src/utils/oidc/persistOidcSettings";
|
||||||
|
|
||||||
|
describe("persist OIDC settings", () => {
|
||||||
|
beforeEach(() => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockClear().mockReturnValue(null);
|
||||||
|
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "setItem").mockClear();
|
||||||
|
});
|
||||||
|
|
||||||
|
const clientId = "test-client-id";
|
||||||
|
const issuer = "https://auth.org/";
|
||||||
|
|
||||||
|
describe("persistOidcAuthenticatedSettings", () => {
|
||||||
|
it("should set clientId and issuer in session storage", () => {
|
||||||
|
persistOidcAuthenticatedSettings(clientId, issuer);
|
||||||
|
expect(sessionStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
|
||||||
|
expect(sessionStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("getStoredOidcTokenIssuer()", () => {
|
||||||
|
it("should return issuer from session storage", () => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockReturnValue(issuer);
|
||||||
|
expect(getStoredOidcTokenIssuer()).toEqual(issuer);
|
||||||
|
expect(sessionStorage.getItem).toHaveBeenCalledWith("mx_oidc_token_issuer");
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should return undefined when no issuer in session storage", () => {
|
||||||
|
expect(getStoredOidcTokenIssuer()).toBeUndefined();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("Name of the group", () => {
|
||||||
|
it("should return clientId from session storage", () => {
|
||||||
|
jest.spyOn(sessionStorage.__proto__, "getItem").mockReturnValue(clientId);
|
||||||
|
expect(getStoredOidcClientId()).toEqual(clientId);
|
||||||
|
expect(sessionStorage.getItem).toHaveBeenCalledWith("mx_oidc_client_id");
|
||||||
|
});
|
||||||
|
it("should throw when no clientId in session storage", () => {
|
||||||
|
expect(() => getStoredOidcClientId()).toThrow("Oidc client id not found in storage");
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
Loading…
Reference in a new issue