chore: add cypress tests

Author: nsklikas

cypress/integration/oauth2/device_auth.js

@@ -0,0 +1,118 @@
+// Copyright © 2022 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+import { prng } from "../../helpers"
+
+const accessTokenStrategies = ["opaque", "jwt"]
+
+describe("The OAuth 2.0 Device Authorization Grant", function () {
+  accessTokenStrategies.forEach((accessTokenStrategy) => {
+    describe("access_token_strategy=" + accessTokenStrategy, function () {
+      const nc = (extradata) => ({
+        client_secret: prng(),
+        scope: "offline_access openid",
+        subject_type: "public",
+        token_endpoint_auth_method: "client_secret_basic",
+        grant_types: [
+          "urn:ietf:params:oauth:grant-type:device_code",
+          "refresh_token",
+        ],
+        access_token_strategy: accessTokenStrategy,
+        ...extradata,
+      })
+
+      it("should return an Access, Refresh, and ID Token when scope offline_access and openid are granted", function () {
+        const client = nc()
+        cy.deviceAuthFlow(client, {
+          consent: { scope: ["offline_access", "openid"] },
+        })
+
+        cy.postDeviceAuthFlow().then((resp) => {
+          const {
+            result,
+            token: { access_token, id_token, refresh_token },
+          } = resp.body
+
+          expect(result).to.equal("success")
+          expect(access_token).to.not.be.empty
+          expect(id_token).to.not.be.empty
+          expect(refresh_token).to.not.be.empty
+        })
+      })
+
+      it("should return an Access and Refresh Token when scope offline_access is granted", function () {
+        const client = nc()
+        cy.deviceAuthFlow(client, { consent: { scope: ["offline_access"] } })
+
+        cy.postDeviceAuthFlow().then((resp) => {
+          console.log(resp)
+          const {
+            result,
+            token: { access_token, id_token, refresh_token },
+          } = resp.body
+
+          expect(result).to.equal("success")
+          expect(access_token).to.not.be.empty
+          expect(id_token).to.be.undefined
+          expect(refresh_token).to.not.be.empty
+        })
+      })
+
+      it("should return an Access and ID Token when scope offline_access is granted", function () {
+        const client = nc()
+        cy.deviceAuthFlow(client, { consent: { scope: ["openid"] } })
+
+        cy.postDeviceAuthFlow().then((resp) => {
+          console.log(resp)
+          const {
+            result,
+            token: { access_token, id_token, refresh_token },
+          } = resp.body
+
+          expect(result).to.equal("success")
+          expect(access_token).to.not.be.empty
+          expect(id_token).to.not.be.empty
+          expect(refresh_token).to.be.undefined
+        })
+      })
+
+      it("should return an Access Token when no scope is granted", function () {
+        const client = nc()
+        cy.deviceAuthFlow(client, { consent: { scope: [] } })
+
+        cy.postDeviceAuthFlow().then((resp) => {
+          console.log(resp)
+          const {
+            result,
+            token: { access_token, id_token, refresh_token },
+          } = resp.body
+
+          expect(result).to.equal("success")
+          expect(access_token).to.not.be.empty
+          expect(id_token).to.be.undefined
+          expect(refresh_token).to.be.undefined
+        })
+      })
+
+      it("should skip consent if the client is confgured thus", function () {
+        const client = nc({ skip_consent: true })
+        cy.deviceAuthFlow(client, {
+          consent: { scope: ["offline_access", "openid"], skip: true },
+        })
+
+        cy.postDeviceAuthFlow().then((resp) => {
+          console.log(resp)
+          const {
+            result,
+            token: { access_token, id_token, refresh_token },
+          } = resp.body
+
+          expect(result).to.equal("success")
+          expect(access_token).to.not.be.empty
+          expect(id_token).to.not.be.empty
+          expect(refresh_token).to.not.be.empty
+        })
+      })
+    })
+  })
+})

cypress/support/commands.js

@@ -216,3 +216,90 @@ Cypress.Commands.add("refreshTokenBrowser", (client, token) =>
     failOnStatusCode: false,
   }),
 )
+
+Cypress.Commands.add(
+  "deviceAuthFlow",
+  (
+    client,
+    {
+      override: { scope, client_id, client_secret } = {},
+      consent: {
+        accept: acceptConsent = true,
+        skip: skipConsent = false,
+        remember: rememberConsent = false,
+        scope: acceptScope = [],
+      } = {},
+      login: {
+        accept: acceptLogin = true,
+        skip: skipLogin = false,
+        remember: rememberLogin = false,
+        username = "[email protected]",
+        password = "foobar",
+      } = {},
+      prompt = "",
+      createClient: doCreateClient = true,
+    } = {},
+    path = "oauth2",
+  ) => {
+    const run = (client) => {
+      cy.visit(
+        `${Cypress.env("client_url")}/${path}/device?client_id=${
+          client_id || client.client_id
+        }&client_secret=${client_secret || client.client_secret}&scope=${
+          scope || client.scope
+        }`,
+        { failOnStatusCode: false },
+      )
+
+      cy.get("#verify").click()
+
+      if (!skipLogin) {
+        cy.get("#email").type(username, { delay: 1 })
+        cy.get("#password").type(password, { delay: 1 })
+
+        if (rememberLogin) {
+          cy.get("#remember").click()
+        }
+
+        if (acceptLogin) {
+          cy.get("#accept").click()
+        } else {
+          cy.get("#reject").click()
+        }
+      }
+
+      if (!skipConsent) {
+        acceptScope.forEach((s) => {
+          cy.get(`#${s}`).click()
+        })
+
+        if (rememberConsent) {
+          cy.get("#remember").click()
+        }
+
+        if (acceptConsent) {
+          cy.get("#accept").click()
+        } else {
+          cy.get("#reject").click()
+        }
+
+        cy.location().should((loc) => {
+          expect(loc.origin).to.eq(Cypress.env("consent_url"))
+          expect(loc.pathname).to.eq("/oauth2/device/success")
+        })
+      }
+    }
+
+    if (doCreateClient) {
+      createClient(client).should((client) => {
+        run(client)
+      })
+      return
+    }
+    run(client)
+  },
+)
+
+Cypress.Commands.add("postDeviceAuthFlow", (path = "oauth2") =>
+  cy.request(`${Cypress.env("client_url")}/${path}/device/success`),
+)

test/e2e/circle-ci.bash

@@ -38,6 +38,8 @@ fi
 (cd oauth2-client; PORT=5002 HYDRA_ADMIN_URL=http://127.0.0.1:5001 npm run consent > ../login-consent-logout.e2e.log 2>&1 &)
 
 export URLS_SELF_ISSUER=http://127.0.0.1:5004/
+export URLS_DEVICE_VERIFICATION=http://127.0.0.1:5002/device/verify
+export URLS_DEVICE_SUCCESS=http://127.0.0.1:5002/oauth2/device/success
 export URLS_CONSENT=http://127.0.0.1:5002/consent
 export URLS_LOGIN=http://127.0.0.1:5002/login
 export URLS_LOGOUT=http://127.0.0.1:5002/logout

test/e2e/oauth2-client/package.json

@@ -14,7 +14,7 @@
     "express": "^4.21.2",
     "express-session": "^1.17.0",
     "express-winston": "^3.4.0",
-    "hydra-login-consent-logout": "2.0.4-pre.2",
+    "hydra-login-consent-logout": "2.4.0-pre.3",
     "jsonwebtoken": "^8.5.1",
     "jwks-rsa": "^2.1.4",
     "node-fetch": "^2.6.0",

test/e2e/oauth2-client/src/index.js

@@ -152,6 +152,87 @@ app.get("/oauth2/callback", async (req, res) => {
     })
 })
 
+app.get("/oauth2/device", async (req, res) => {
+  const client = {
+    id: req.query.client_id,
+    secret: req.query.client_secret,
+  }
+
+  const state = uuid.v4()
+  const scope = req.query.scope || ""
+
+  req.session.client = client
+  req.session.scope = scope.split(" ")
+
+  const params = new URLSearchParams()
+  params.append("client_id", req.query.client_id)
+  params.append("scope", scope)
+
+  let headers = new Headers()
+  headers.set(
+    "Authorization",
+    "Basic " +
+      Buffer.from(req.query.client_id + ":" + req.query.client_secret).toString(
+        "base64",
+      ),
+  )
+
+  fetch(new URL("/oauth2/device/auth", config.public).toString(), {
+    method: "POST",
+    body: params,
+    headers: headers,
+  })
+    .then(isStatusOk)
+    .then((res) => res.json())
+    .then((body) => {
+      // Store the device_code to use after authentication to get the tokens
+      req.session.device_code = body?.device_code
+      res.redirect(body?.verification_uri_complete)
+    })
+    .catch((err) => {
+      res.send(JSON.stringify({ error: err.toString() }))
+    })
+})
+
+app.get("/oauth2/device/success", async (req, res) => {
+  const clientId = req.session?.client?.id
+  const clientSecret = req.session?.client?.secret
+
+  if (clientId === undefined || clientSecret === undefined) {
+    res.send(
+      JSON.stringify({
+        result: "error",
+        error: "no client credentials in session",
+      }),
+    )
+    return
+  }
+
+  const params = new URLSearchParams()
+  params.append("client_id", clientId)
+  params.append("device_code", req.session?.device_code)
+  params.append("grant_type", "urn:ietf:params:oauth:grant-type:device_code")
+  let headers = new Headers()
+  headers.set(
+    "Authorization",
+    "Basic " + Buffer.from(clientId + ":" + clientSecret).toString("base64"),
+  )
+
+  fetch(new URL("/oauth2/token", config.public).toString(), {
+    method: "POST",
+    body: params,
+    headers: headers,
+  })
+    .then(isStatusOk)
+    .then((resp) => resp.json())
+    .then((data) => {
+      res.send({ result: "success", token: data })
+    })
+    .catch((err) => {
+      res.send(JSON.stringify({ error: err.toString() }))
+    })
+})
+
 app.get("/oauth2/refresh", function (req, res) {
   oauth2
     .create(req.session.credentials)