phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9135edfe8440417580409a9059400b6dfd626c36
Gondulf/tests/unit/test_metadata.py
Phil Skentelbery 052d3ad3e1 feat(auth): implement response_type=id authentication flow 
Implements both IndieAuth flows per W3C specification:
- Authentication flow (response_type=id): Code redeemed at authorization endpoint, returns only user identity
- Authorization flow (response_type=code): Code redeemed at token endpoint, returns access token

Changes:
- Authorization endpoint GET: Accept response_type=id (default) and code
- Authorization endpoint POST: Handle code verification for authentication flow
- Token endpoint: Validate response_type=code for authorization flow
- Store response_type in authorization code metadata
- Update metadata endpoint: response_types_supported=[code, id], code_challenge_methods_supported=[S256]

The default behavior now correctly defaults to response_type=id when omitted, per IndieAuth spec section 5.2.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 12:23:20 -07:00

135 lines
5.5 KiB
Python
Raw Blame History

"""Tests for metadata endpoint."""
import json
import pytest
from fastapi.testclient import TestClient
class TestMetadataEndpoint:
"""Tests for OAuth 2.0 Authorization Server Metadata endpoint."""
@pytest.fixture
def client(self, monkeypatch):
"""Create test client with valid configuration."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "test-secret-key-must-be-at-least-32-chars-long")
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
# Import app AFTER setting env vars
from gondulf.main import app
return TestClient(app)
def test_metadata_endpoint_returns_200(self, client):
"""Test metadata endpoint returns 200 OK."""
response = client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 200
def test_metadata_content_type_json(self, client):
"""Test metadata endpoint returns JSON content type."""
response = client.get("/.well-known/oauth-authorization-server")
assert response.headers["content-type"] == "application/json"
def test_metadata_cache_control_header(self, client):
"""Test metadata endpoint sets Cache-Control header."""
response = client.get("/.well-known/oauth-authorization-server")
assert "cache-control" in response.headers
assert "public" in response.headers["cache-control"]
assert "max-age=86400" in response.headers["cache-control"]
def test_metadata_all_required_fields_present(self, client):
"""Test metadata response contains all required fields."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
required_fields = [
"issuer",
"authorization_endpoint",
"token_endpoint",
"response_types_supported",
"grant_types_supported",
"code_challenge_methods_supported",
"token_endpoint_auth_methods_supported",
"revocation_endpoint_auth_methods_supported",
"scopes_supported"
]
for field in required_fields:
assert field in data, f"Missing required field: {field}"
def test_metadata_issuer_matches_base_url(self, client):
"""Test issuer field matches BASE_URL configuration."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["issuer"] == "https://auth.example.com"
def test_metadata_authorization_endpoint_correct(self, client):
"""Test authorization_endpoint field is correct."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["authorization_endpoint"] == "https://auth.example.com/authorize"
def test_metadata_token_endpoint_correct(self, client):
"""Test token_endpoint field is correct."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["token_endpoint"] == "https://auth.example.com/token"
def test_metadata_response_types_supported(self, client):
"""Test response_types_supported contains both 'code' and 'id'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["response_types_supported"] == ["code", "id"]
def test_metadata_grant_types_supported(self, client):
"""Test grant_types_supported contains only 'authorization_code'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["grant_types_supported"] == ["authorization_code"]
def test_metadata_code_challenge_methods_supported(self, client):
"""Test code_challenge_methods_supported contains S256."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["code_challenge_methods_supported"] == ["S256"]
def test_metadata_token_endpoint_auth_methods(self, client):
"""Test token_endpoint_auth_methods_supported contains 'none'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["token_endpoint_auth_methods_supported"] == ["none"]
def test_metadata_revocation_endpoint_auth_methods(self, client):
"""Test revocation_endpoint_auth_methods_supported contains 'none'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["revocation_endpoint_auth_methods_supported"] == ["none"]
def test_metadata_scopes_supported_empty(self, client):
"""Test scopes_supported is empty array."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["scopes_supported"] == []
def test_metadata_response_valid_json(self, client):
"""Test metadata response can be parsed as valid JSON."""
response = client.get("/.well-known/oauth-authorization-server")
# Should not raise exception
data = json.loads(response.content)
assert isinstance(data, dict)
def test_metadata_endpoint_no_authentication_required(self, client):
"""Test metadata endpoint is accessible without authentication."""
# No authentication headers
response = client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 200
Reference in New Issue View Git Blame Copy Permalink