mirror of
https://github.com/element-hq/element-web
synced 2024-11-27 03:36:07 +03:00
84ca519b3f
* test persistCredentials without a pickle key * test setLoggedIn with pickle key * lint * type error * extract token persisting code into function, persist refresh token * store has_refresh_token too * pass refreshToken from oidcAuthGrant into credentials * rest restore session with pickle key * retreive stored refresh token and add to credentials * extract token decryption into function * remove TODO * very messy poc * utils to persist clientId and issuer after oidc authentication * add dep oidc-client-ts * persist issuer and clientId after successful oidc auth * add OidcClientStore * comments and tidy * expose getters for stored refresh and access tokens in Lifecycle * revoke tokens with oidc provider * test logout action in MatrixChat * comments * prettier * test OidcClientStore.revokeTokens * put pickle key destruction back * comment pedantry * working refresh without persistence * extract token persistence functions to utils * add sugar * implement TokenRefresher class with persistence * tidying * persist idTokenClaims * persist idTokenClaims * tests * remove unused cde * create token refresher during doSetLoggedIn * tidying * also tidying * OidcClientStore.initClient use stored issuer when client well known unavailable * test Lifecycle.logout * update Lifecycle test replaceUsingCreds calls * fix test * tidy * test tokenrefresher creation in login flow * test token refresher * Update src/utils/oidc/TokenRefresher.ts Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> * use literal value for m.authentication Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> * improve comments * fix test mock, comment * typo * add sdkContext to SoftLogout, pass oidcClientStore to logout * fullstops * comments * fussy comment formatting --------- Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
829 lines
34 KiB
TypeScript
829 lines
34 KiB
TypeScript
/*
|
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
import { Crypto } from "@peculiar/webcrypto";
|
|
import { logger } from "matrix-js-sdk/src/logger";
|
|
import * as MatrixJs from "matrix-js-sdk/src/matrix";
|
|
import { setCrypto } from "matrix-js-sdk/src/crypto/crypto";
|
|
import * as MatrixCryptoAes from "matrix-js-sdk/src/crypto/aes";
|
|
import { MockedObject } from "jest-mock";
|
|
import fetchMock from "fetch-mock-jest";
|
|
|
|
import StorageEvictedDialog from "../src/components/views/dialogs/StorageEvictedDialog";
|
|
import { logout, restoreFromLocalStorage, setLoggedIn } from "../src/Lifecycle";
|
|
import { MatrixClientPeg } from "../src/MatrixClientPeg";
|
|
import Modal from "../src/Modal";
|
|
import * as StorageManager from "../src/utils/StorageManager";
|
|
import { flushPromises, getMockClientWithEventEmitter, mockClientMethodsUser, mockPlatformPeg } from "./test-utils";
|
|
import ToastStore from "../src/stores/ToastStore";
|
|
import { OidcClientStore } from "../src/stores/oidc/OidcClientStore";
|
|
import { makeDelegatedAuthConfig } from "./test-utils/oidc";
|
|
import { persistOidcAuthenticatedSettings } from "../src/utils/oidc/persistOidcSettings";
|
|
|
|
const webCrypto = new Crypto();
|
|
|
|
const windowCrypto = window.crypto;
|
|
|
|
describe("Lifecycle", () => {
|
|
const mockPlatform = mockPlatformPeg();
|
|
|
|
const realLocalStorage = global.localStorage;
|
|
|
|
let mockClient!: MockedObject<MatrixJs.MatrixClient>;
|
|
|
|
beforeEach(() => {
|
|
mockClient = getMockClientWithEventEmitter({
|
|
...mockClientMethodsUser(),
|
|
stopClient: jest.fn(),
|
|
removeAllListeners: jest.fn(),
|
|
clearStores: jest.fn(),
|
|
getAccountData: jest.fn(),
|
|
getDeviceId: jest.fn(),
|
|
isVersionSupported: jest.fn().mockResolvedValue(true),
|
|
getCrypto: jest.fn(),
|
|
getClientWellKnown: jest.fn(),
|
|
waitForClientWellKnown: jest.fn(),
|
|
getThirdpartyProtocols: jest.fn(),
|
|
store: {
|
|
destroy: jest.fn(),
|
|
},
|
|
getVersions: jest.fn().mockResolvedValue({ versions: ["v1.1"] }),
|
|
logout: jest.fn().mockResolvedValue(undefined),
|
|
getAccessToken: jest.fn(),
|
|
getRefreshToken: jest.fn(),
|
|
});
|
|
// stub this
|
|
jest.spyOn(MatrixClientPeg, "replaceUsingCreds").mockImplementation(() => {});
|
|
jest.spyOn(MatrixClientPeg, "start").mockResolvedValue(undefined);
|
|
|
|
// reset any mocking
|
|
// @ts-ignore mocking
|
|
delete global.localStorage;
|
|
global.localStorage = realLocalStorage;
|
|
|
|
setCrypto(webCrypto);
|
|
// @ts-ignore mocking
|
|
delete window.crypto;
|
|
window.crypto = webCrypto;
|
|
|
|
jest.spyOn(MatrixCryptoAes, "encryptAES").mockRestore();
|
|
});
|
|
|
|
afterAll(() => {
|
|
setCrypto(windowCrypto);
|
|
|
|
// @ts-ignore unmocking
|
|
delete window.crypto;
|
|
window.crypto = windowCrypto;
|
|
});
|
|
|
|
const initLocalStorageMock = (mockStore: Record<string, unknown> = {}): void => {
|
|
jest.spyOn(localStorage.__proto__, "getItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown) => mockStore[key as string] ?? null);
|
|
jest.spyOn(localStorage.__proto__, "removeItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown) => {
|
|
const { [key as string]: toRemove, ...newStore } = mockStore;
|
|
mockStore = newStore;
|
|
return toRemove;
|
|
});
|
|
jest.spyOn(localStorage.__proto__, "setItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown, value: unknown) => {
|
|
mockStore[key as string] = value;
|
|
});
|
|
};
|
|
|
|
const initSessionStorageMock = (mockStore: Record<string, unknown> = {}): void => {
|
|
jest.spyOn(sessionStorage.__proto__, "getItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown) => mockStore[key as string] ?? null);
|
|
jest.spyOn(sessionStorage.__proto__, "removeItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown) => {
|
|
const { [key as string]: toRemove, ...newStore } = mockStore;
|
|
mockStore = newStore;
|
|
return toRemove;
|
|
});
|
|
jest.spyOn(sessionStorage.__proto__, "setItem")
|
|
.mockClear()
|
|
.mockImplementation((key: unknown, value: unknown) => {
|
|
mockStore[key as string] = value;
|
|
});
|
|
jest.spyOn(sessionStorage.__proto__, "clear").mockClear();
|
|
};
|
|
|
|
const initIdbMock = (mockStore: Record<string, Record<string, unknown>> = {}): void => {
|
|
jest.spyOn(StorageManager, "idbLoad")
|
|
.mockClear()
|
|
.mockImplementation(
|
|
// @ts-ignore mock type
|
|
async (table: string, key: string) => mockStore[table]?.[key] ?? null,
|
|
);
|
|
jest.spyOn(StorageManager, "idbSave")
|
|
.mockClear()
|
|
.mockImplementation(
|
|
// @ts-ignore mock type
|
|
async (tableKey: string, key: string, value: unknown) => {
|
|
const table = mockStore[tableKey] || {};
|
|
table[key as string] = value;
|
|
mockStore[tableKey] = table;
|
|
},
|
|
);
|
|
jest.spyOn(StorageManager, "idbDelete").mockClear().mockResolvedValue(undefined);
|
|
};
|
|
|
|
const homeserverUrl = "https://server.org";
|
|
const identityServerUrl = "https://is.org";
|
|
const userId = "@alice:server.org";
|
|
const deviceId = "abc123";
|
|
const accessToken = "test-access-token";
|
|
const localStorageSession = {
|
|
mx_hs_url: homeserverUrl,
|
|
mx_is_url: identityServerUrl,
|
|
mx_user_id: userId,
|
|
mx_device_id: deviceId,
|
|
};
|
|
const idbStorageSession = {
|
|
account: {
|
|
mx_access_token: accessToken,
|
|
},
|
|
};
|
|
const credentials = {
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
userId,
|
|
deviceId,
|
|
accessToken,
|
|
};
|
|
|
|
const refreshToken = "test-refresh-token";
|
|
|
|
const encryptedTokenShapedObject = {
|
|
ciphertext: expect.any(String),
|
|
iv: expect.any(String),
|
|
mac: expect.any(String),
|
|
};
|
|
|
|
describe("restoreFromLocalStorage()", () => {
|
|
beforeEach(() => {
|
|
initLocalStorageMock();
|
|
initSessionStorageMock();
|
|
initIdbMock();
|
|
|
|
jest.clearAllMocks();
|
|
jest.spyOn(logger, "log").mockClear();
|
|
|
|
jest.spyOn(MatrixJs, "createClient").mockReturnValue(mockClient);
|
|
|
|
// stub this out
|
|
jest.spyOn(Modal, "createDialog").mockReturnValue(
|
|
// @ts-ignore allow bad mock
|
|
{ finished: Promise.resolve([true]) },
|
|
);
|
|
});
|
|
|
|
it("should return false when localStorage is not available", async () => {
|
|
// @ts-ignore dirty mocking
|
|
delete global.localStorage;
|
|
// @ts-ignore dirty mocking
|
|
global.localStorage = undefined;
|
|
|
|
expect(await restoreFromLocalStorage()).toEqual(false);
|
|
});
|
|
|
|
it("should return false when no session data is found in local storage", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(false);
|
|
expect(logger.log).toHaveBeenCalledWith("No previous session found.");
|
|
});
|
|
|
|
it("should abort login when we expect to find an access token but don't", async () => {
|
|
initLocalStorageMock({ mx_has_access_token: "true" });
|
|
|
|
await expect(() => restoreFromLocalStorage()).rejects.toThrow();
|
|
expect(Modal.createDialog).toHaveBeenCalledWith(StorageEvictedDialog);
|
|
expect(mockClient.clearStores).toHaveBeenCalled();
|
|
});
|
|
|
|
describe("when session is found in storage", () => {
|
|
beforeEach(() => {
|
|
initLocalStorageMock(localStorageSession);
|
|
initIdbMock(idbStorageSession);
|
|
});
|
|
|
|
describe("guest account", () => {
|
|
it("should ignore guest accounts when ignoreGuest is true", async () => {
|
|
initLocalStorageMock({ ...localStorageSession, mx_is_guest: "true" });
|
|
|
|
expect(await restoreFromLocalStorage({ ignoreGuest: true })).toEqual(false);
|
|
expect(logger.log).toHaveBeenCalledWith(`Ignoring stored guest account: ${userId}`);
|
|
});
|
|
|
|
it("should restore guest accounts when ignoreGuest is false", async () => {
|
|
initLocalStorageMock({ ...localStorageSession, mx_is_guest: "true" });
|
|
|
|
expect(await restoreFromLocalStorage({ ignoreGuest: false })).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
expect.objectContaining({
|
|
userId,
|
|
guest: true,
|
|
}),
|
|
undefined,
|
|
);
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_is_guest", "true");
|
|
});
|
|
});
|
|
|
|
describe("without a pickle key", () => {
|
|
it("should persist credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_user_id", userId);
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_access_token", "true");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_is_guest", "false");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_device_id", deviceId);
|
|
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
// dont put accessToken in localstorage when we have idb
|
|
expect(localStorage.setItem).not.toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should persist access token when idb is not available", async () => {
|
|
jest.spyOn(StorageManager, "idbSave").mockRejectedValue("oups");
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
// put accessToken in localstorage as fallback
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
accessToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: false,
|
|
guest: false,
|
|
pickleKey: undefined,
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
|
|
it("should remove fresh login flag from session storage", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(sessionStorage.removeItem).toHaveBeenCalledWith("mx_fresh_login");
|
|
});
|
|
|
|
it("should start matrix client", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.start).toHaveBeenCalled();
|
|
});
|
|
|
|
describe("with a refresh token", () => {
|
|
beforeEach(() => {
|
|
initLocalStorageMock({
|
|
...localStorageSession,
|
|
mx_refresh_token: refreshToken,
|
|
});
|
|
initIdbMock(idbStorageSession);
|
|
});
|
|
|
|
it("should persist credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
// refresh token from storage is re-persisted
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_refresh_token", "true");
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"account",
|
|
"mx_refresh_token",
|
|
refreshToken,
|
|
);
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
accessToken,
|
|
// refreshToken included in credentials
|
|
refreshToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: false,
|
|
guest: false,
|
|
pickleKey: undefined,
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
});
|
|
});
|
|
|
|
describe("with a pickle key", () => {
|
|
beforeEach(async () => {
|
|
initLocalStorageMock({});
|
|
initIdbMock({});
|
|
// setup storage with a session with encrypted token
|
|
await setLoggedIn(credentials);
|
|
});
|
|
|
|
it("should persist credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_access_token", "true");
|
|
|
|
// token encrypted and persisted
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"account",
|
|
"mx_access_token",
|
|
encryptedTokenShapedObject,
|
|
);
|
|
});
|
|
|
|
it("should persist access token when idb is not available", async () => {
|
|
// dont fail for pickle key persist
|
|
jest.spyOn(StorageManager, "idbSave").mockImplementation(
|
|
async (table: string, key: string | string[]) => {
|
|
if (table === "account" && key === "mx_access_token") {
|
|
throw new Error("oups");
|
|
}
|
|
},
|
|
);
|
|
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"account",
|
|
"mx_access_token",
|
|
encryptedTokenShapedObject,
|
|
);
|
|
// put accessToken in localstorage as fallback
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
// decrypted accessToken
|
|
accessToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: true,
|
|
guest: false,
|
|
pickleKey: expect.any(String),
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
|
|
describe("with a refresh token", () => {
|
|
beforeEach(async () => {
|
|
initLocalStorageMock({});
|
|
initIdbMock({});
|
|
// setup storage with a session with encrypted token
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
});
|
|
});
|
|
|
|
it("should persist credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
// refresh token from storage is re-persisted
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_refresh_token", "true");
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"account",
|
|
"mx_refresh_token",
|
|
encryptedTokenShapedObject,
|
|
);
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
accessToken,
|
|
// refreshToken included in credentials
|
|
refreshToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: false,
|
|
guest: false,
|
|
pickleKey: expect.any(String),
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
});
|
|
});
|
|
|
|
it("should show a toast if the matrix server version is unsupported", async () => {
|
|
const toastSpy = jest.spyOn(ToastStore.sharedInstance(), "addOrReplaceToast");
|
|
mockClient.getVersions.mockResolvedValue({
|
|
versions: ["r0.6.0"],
|
|
unstable_features: {},
|
|
});
|
|
initLocalStorageMock({ ...localStorageSession });
|
|
|
|
expect(await restoreFromLocalStorage()).toEqual(true);
|
|
expect(toastSpy).toHaveBeenCalledWith(
|
|
expect.objectContaining({
|
|
title: "Your server is unsupported",
|
|
}),
|
|
);
|
|
});
|
|
});
|
|
});
|
|
|
|
describe("setLoggedIn()", () => {
|
|
beforeEach(() => {
|
|
initLocalStorageMock();
|
|
initSessionStorageMock();
|
|
initIdbMock();
|
|
|
|
jest.clearAllMocks();
|
|
jest.spyOn(logger, "log").mockClear();
|
|
|
|
jest.spyOn(MatrixJs, "createClient").mockReturnValue(mockClient);
|
|
// remove any mock implementations
|
|
jest.spyOn(mockPlatform, "createPickleKey").mockRestore();
|
|
// but still spy and call through
|
|
jest.spyOn(mockPlatform, "createPickleKey");
|
|
});
|
|
|
|
const refreshToken = "test-refresh-token";
|
|
|
|
it("should remove fresh login flag from session storage", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(sessionStorage.removeItem).toHaveBeenCalledWith("mx_fresh_login");
|
|
});
|
|
|
|
it("should start matrix client", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(MatrixClientPeg.start).toHaveBeenCalled();
|
|
});
|
|
|
|
describe("without a pickle key", () => {
|
|
beforeEach(() => {
|
|
jest.spyOn(mockPlatform, "createPickleKey").mockResolvedValue(null);
|
|
});
|
|
|
|
it("should persist credentials", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_user_id", userId);
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_access_token", "true");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_is_guest", "false");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_device_id", deviceId);
|
|
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
// dont put accessToken in localstorage when we have idb
|
|
expect(localStorage.setItem).not.toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should persist a refreshToken when present", async () => {
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
});
|
|
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_refresh_token", refreshToken);
|
|
// dont put accessToken in localstorage when we have idb
|
|
expect(localStorage.setItem).not.toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should remove any access token from storage when there is none in credentials and idb save fails", async () => {
|
|
jest.spyOn(StorageManager, "idbSave").mockRejectedValue("oups");
|
|
await setLoggedIn({
|
|
...credentials,
|
|
// @ts-ignore
|
|
accessToken: undefined,
|
|
});
|
|
|
|
expect(localStorage.removeItem).toHaveBeenCalledWith("mx_has_access_token");
|
|
expect(localStorage.removeItem).toHaveBeenCalledWith("mx_access_token");
|
|
});
|
|
|
|
it("should clear stores", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(StorageManager.idbDelete).toHaveBeenCalledWith("account", "mx_access_token");
|
|
expect(sessionStorage.clear).toHaveBeenCalled();
|
|
expect(mockClient.clearStores).toHaveBeenCalled();
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await setLoggedIn(credentials)).toEqual(mockClient);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
accessToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: true,
|
|
guest: false,
|
|
pickleKey: null,
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
});
|
|
|
|
describe("with a pickle key", () => {
|
|
it("should not create a pickle key when credentials do not include deviceId", async () => {
|
|
await setLoggedIn({
|
|
...credentials,
|
|
deviceId: undefined,
|
|
});
|
|
|
|
// unpickled access token saved
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
expect(mockPlatform.createPickleKey).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("creates a pickle key with userId and deviceId", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(mockPlatform.createPickleKey).toHaveBeenCalledWith(userId, deviceId);
|
|
});
|
|
|
|
it("should persist credentials", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_user_id", userId);
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_access_token", "true");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_is_guest", "false");
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_device_id", deviceId);
|
|
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_has_pickle_key", "true");
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"account",
|
|
"mx_access_token",
|
|
encryptedTokenShapedObject,
|
|
);
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith(
|
|
"pickleKey",
|
|
[userId, deviceId],
|
|
expect.any(Object),
|
|
);
|
|
// dont put accessToken in localstorage when we have idb
|
|
expect(localStorage.setItem).not.toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should persist token when encrypting the token fails", async () => {
|
|
jest.spyOn(MatrixCryptoAes, "encryptAES").mockRejectedValue("MOCK REJECT ENCRYPTAES");
|
|
await setLoggedIn(credentials);
|
|
|
|
// persist the unencrypted token
|
|
expect(StorageManager.idbSave).toHaveBeenCalledWith("account", "mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should persist token in localStorage when idb fails to save token", async () => {
|
|
// dont fail for pickle key persist
|
|
jest.spyOn(StorageManager, "idbSave").mockImplementation(
|
|
async (table: string, key: string | string[]) => {
|
|
if (table === "account" && key === "mx_access_token") {
|
|
throw new Error("oups");
|
|
}
|
|
},
|
|
);
|
|
await setLoggedIn(credentials);
|
|
|
|
// put plain accessToken in localstorage when we dont have idb
|
|
expect(localStorage.setItem).toHaveBeenCalledWith("mx_access_token", accessToken);
|
|
});
|
|
|
|
it("should remove any access token from storage when there is none in credentials and idb save fails", async () => {
|
|
// dont fail for pickle key persist
|
|
jest.spyOn(StorageManager, "idbSave").mockImplementation(
|
|
async (table: string, key: string | string[]) => {
|
|
if (table === "account" && key === "mx_access_token") {
|
|
throw new Error("oups");
|
|
}
|
|
},
|
|
);
|
|
await setLoggedIn({
|
|
...credentials,
|
|
// @ts-ignore
|
|
accessToken: undefined,
|
|
});
|
|
|
|
expect(localStorage.removeItem).toHaveBeenCalledWith("mx_has_access_token");
|
|
expect(localStorage.removeItem).toHaveBeenCalledWith("mx_access_token");
|
|
});
|
|
|
|
it("should create new matrix client with credentials", async () => {
|
|
expect(await setLoggedIn(credentials)).toEqual(mockClient);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
{
|
|
userId,
|
|
accessToken,
|
|
homeserverUrl,
|
|
identityServerUrl,
|
|
deviceId,
|
|
freshLogin: true,
|
|
guest: false,
|
|
pickleKey: expect.any(String),
|
|
},
|
|
undefined,
|
|
);
|
|
});
|
|
});
|
|
|
|
describe("when authenticated via OIDC native flow", () => {
|
|
const clientId = "test-client-id";
|
|
const issuer = "https://auth.com/";
|
|
|
|
const delegatedAuthConfig = makeDelegatedAuthConfig(issuer);
|
|
const idTokenClaims = {
|
|
aud: "123",
|
|
iss: issuer,
|
|
sub: "123",
|
|
exp: 123,
|
|
iat: 456,
|
|
};
|
|
|
|
beforeAll(() => {
|
|
fetchMock.get(
|
|
`${delegatedAuthConfig.issuer}.well-known/openid-configuration`,
|
|
delegatedAuthConfig.metadata,
|
|
);
|
|
fetchMock.get(`${delegatedAuthConfig.issuer}jwks`, {
|
|
status: 200,
|
|
headers: {
|
|
"Content-Type": "application/json",
|
|
},
|
|
keys: [],
|
|
});
|
|
});
|
|
|
|
beforeEach(() => {
|
|
// mock oidc config for oidc client initialisation
|
|
mockClient.waitForClientWellKnown.mockResolvedValue({
|
|
"m.authentication": {
|
|
issuer: issuer,
|
|
},
|
|
});
|
|
initSessionStorageMock();
|
|
// set values in session storage as they would be after a successful oidc authentication
|
|
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims);
|
|
});
|
|
|
|
it("should not try to create a token refresher without a refresh token", async () => {
|
|
await setLoggedIn(credentials);
|
|
|
|
// didn't try to initialise token refresher
|
|
expect(fetchMock).not.toHaveFetched(`${delegatedAuthConfig.issuer}.well-known/openid-configuration`);
|
|
});
|
|
|
|
it("should not try to create a token refresher without a deviceId", async () => {
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
deviceId: undefined,
|
|
});
|
|
|
|
// didn't try to initialise token refresher
|
|
expect(fetchMock).not.toHaveFetched(`${delegatedAuthConfig.issuer}.well-known/openid-configuration`);
|
|
});
|
|
|
|
it("should not try to create a token refresher without an issuer in session storage", async () => {
|
|
persistOidcAuthenticatedSettings(
|
|
clientId,
|
|
// @ts-ignore set undefined issuer
|
|
undefined,
|
|
idTokenClaims,
|
|
);
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
});
|
|
|
|
// didn't try to initialise token refresher
|
|
expect(fetchMock).not.toHaveFetched(`${delegatedAuthConfig.issuer}.well-known/openid-configuration`);
|
|
});
|
|
|
|
it("should create a client with a tokenRefreshFunction", async () => {
|
|
expect(
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
}),
|
|
).toEqual(mockClient);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
expect.objectContaining({
|
|
accessToken,
|
|
refreshToken,
|
|
}),
|
|
expect.any(Function),
|
|
);
|
|
});
|
|
|
|
it("should create a client when creating token refresher fails", async () => {
|
|
// set invalid value in session storage for a malformed oidc authentication
|
|
persistOidcAuthenticatedSettings(null as any, issuer, idTokenClaims);
|
|
|
|
// succeeded
|
|
expect(
|
|
await setLoggedIn({
|
|
...credentials,
|
|
refreshToken,
|
|
}),
|
|
).toEqual(mockClient);
|
|
|
|
expect(MatrixClientPeg.replaceUsingCreds).toHaveBeenCalledWith(
|
|
expect.objectContaining({
|
|
accessToken,
|
|
refreshToken,
|
|
}),
|
|
// no token refresh function
|
|
undefined,
|
|
);
|
|
});
|
|
});
|
|
});
|
|
|
|
describe("logout()", () => {
|
|
let oidcClientStore!: OidcClientStore;
|
|
const accessToken = "test-access-token";
|
|
const refreshToken = "test-refresh-token";
|
|
|
|
beforeEach(() => {
|
|
oidcClientStore = new OidcClientStore(mockClient);
|
|
// stub
|
|
jest.spyOn(oidcClientStore, "revokeTokens").mockResolvedValue(undefined);
|
|
|
|
mockClient.getAccessToken.mockReturnValue(accessToken);
|
|
mockClient.getRefreshToken.mockReturnValue(refreshToken);
|
|
});
|
|
|
|
it("should call logout on the client when oidcClientStore is falsy", async () => {
|
|
logout();
|
|
|
|
await flushPromises();
|
|
|
|
expect(mockClient.logout).toHaveBeenCalledWith(true);
|
|
});
|
|
|
|
it("should call logout on the client when oidcClientStore.isUserAuthenticatedWithOidc is falsy", async () => {
|
|
jest.spyOn(oidcClientStore, "isUserAuthenticatedWithOidc", "get").mockReturnValue(false);
|
|
logout(oidcClientStore);
|
|
|
|
await flushPromises();
|
|
|
|
expect(mockClient.logout).toHaveBeenCalledWith(true);
|
|
expect(oidcClientStore.revokeTokens).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("should revoke tokens when user is authenticated with oidc", async () => {
|
|
jest.spyOn(oidcClientStore, "isUserAuthenticatedWithOidc", "get").mockReturnValue(true);
|
|
logout(oidcClientStore);
|
|
|
|
await flushPromises();
|
|
|
|
expect(mockClient.logout).not.toHaveBeenCalled();
|
|
expect(oidcClientStore.revokeTokens).toHaveBeenCalledWith(accessToken, refreshToken);
|
|
});
|
|
});
|
|
});
|