# Test Updates Required for ADR-019 Implementation

## Overview

The following tests need to be updated to reflect the PKCE implementation and the removal of the OAuth metadata and h-app features.

## Changes Made

1. **`_verify_state_token()` now returns `Optional[str]` (the `code_verifier`) instead of `bool`**
2. **`initiate_login()` now generates and stores PKCE parameters**
3. **`handle_callback()` now accepts an `iss` parameter and validates PKCE**
4. **OAuth metadata endpoint removed from `/.well-known/oauth-authorization-server`**
5. **H-app microformats removed from templates**
6. **IndieAuth metadata link removed from HTML head**

## Tests That Need Updating

### tests/test_auth.py

#### State Token Verification Tests

- `test_verify_valid_state_token` - should check for a `code_verifier` string return
- `test_verify_invalid_state_token` - should check for a `None` return
- `test_verify_expired_state_token` - should check for a `None` return
- `test_state_tokens_are_single_use` - should check for a `code_verifier` string return

**Fix**: Change assertions from `is True`/`is False` to checks for a string/`None`

#### Initiate Login Tests

- `test_initiate_login_success` - needs to check for PKCE parameters in the URL
- `test_initiate_login_stores_state` - needs to check that `code_verifier` is stored in the DB

**Fix**: Update assertions to check for `code_challenge` and `code_challenge_method=S256` in the URL

#### Handle Callback Tests

- `test_handle_callback_success` - needs to mock with `code_verifier`
- `test_handle_callback_unauthorized_user` - needs to mock with `code_verifier`
- `test_handle_callback_indielogin_error` - needs to mock with `code_verifier`
- `test_handle_callback_no_identity` - needs to mock with `code_verifier`
- `test_handle_callback_logs_http_details` - needs to check the `/token` endpoint

**Fix**:

- Add `code_verifier` to the `auth_state` inserts in the test setup
- Pass the `iss` parameter to `handle_callback` calls
- Check that the `/token` endpoint is called (not `/auth`)

### tests/test_routes_public.py

#### OAuth Metadata Endpoint Tests (ALL SHOULD BE REMOVED)

- `test_oauth_metadata_endpoint_exists`
- `test_oauth_metadata_content_type`
- `test_oauth_metadata_required_fields`
- `test_oauth_metadata_optional_fields`
- `test_oauth_metadata_field_values`
- `test_oauth_metadata_redirect_uris_is_array`
- `test_oauth_metadata_cache_headers`
- `test_oauth_metadata_valid_json`
- `test_oauth_metadata_uses_config_values`

**Fix**: Delete the entire `TestOAuthMetadataEndpoint` class

#### IndieAuth Metadata Link Tests (ALL SHOULD BE REMOVED)

- `test_indieauth_metadata_link_present`
- `test_indieauth_metadata_link_points_to_endpoint`
- `test_indieauth_metadata_link_in_head`

**Fix**: Delete the entire `TestIndieAuthMetadataLink` class

### tests/test_templates.py

#### H-app Microformats Tests (ALL SHOULD BE REMOVED)

- `test_h_app_microformats_present`
- `test_h_app_contains_url_and_name_properties`
- `test_h_app_contains_site_url`
- `test_h_app_is_hidden`
- `test_h_app_is_aria_hidden`

**Fix**: Delete the entire `TestIndieAuthClientDiscovery` class

### tests/test_routes_dev_auth.py

#### Dev Mode Configuration Test

- `test_dev_mode_requires_dev_admin_me` - may need an update if it tests the auth flow

**Fix**: Review and update if it tests the auth callback flow

## New Tests to Add

1. **PKCE Integration Tests** - test the full auth flow with PKCE
2. **Issuer Validation Tests** - test `iss` parameter validation
3. **Endpoint Tests** - verify that the `/authorize` and `/token` endpoints are used
4. **Code Verifier Storage Tests** - verify that `code_verifier` is stored and retrieved

## Priority

**HIGH**: Update core auth tests (state verification, `handle_callback`)

**MEDIUM**: Remove obsolete tests (OAuth metadata, h-app)

**LOW**: Add new comprehensive integration tests

## Notes

- All PKCE unit tests in `tests/test_auth_pkce.py` are passing
- The implementation is correct; the tests just need to be updated to match the new behavior
- The failing tests are testing OLD behavior that we intentionally changed

## When to Complete

These test updates should be completed before merging to main, but can be done in a follow-up commit on the feature branch.
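The following Python sketch is an added example, not the project's own code, showing the behaviour the updated tests above assert on: S256 PKCE parameter generation (RFC 7636), a single-use, expiring state store whose lookup returns `Optional[str]` (the stored `code_verifier`) rather than `bool`, an `/authorize` URL carrying `code_challenge` and `code_challenge_method=S256`, and a callback handler that rejects a mismatched `iss` and builds the `/token` request with the verifier. `StateStore`, `handle_callback`'s signature, the `now` clock parameter and all endpoint URLs are assumptions for illustration; the real implementation stores state in a database rather than a dict.

```python
import base64
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def compute_s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge). 32 random bytes give a 43-char
    unpadded base64url verifier, the minimum length RFC 7636 allows."""
    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return code_verifier, compute_s256_challenge(code_verifier)


def query_params(url: str) -> Dict[str, str]:
    """Helper for assertions: single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class StateStore:
    """Hypothetical in-memory stand-in for the auth_state table (assumption)."""

    def __init__(self, ttl_seconds: int = 300, now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._rows: Dict[str, Tuple[str, float]] = {}  # state -> (code_verifier, created_at)

    def initiate_login(self, authorize_endpoint: str, client_id: str, redirect_uri: str) -> str:
        """Store state + code_verifier, return the /authorize URL with the challenge."""
        state = secrets.token_urlsafe(32)
        code_verifier, code_challenge = generate_pkce_pair()
        self._rows[state] = (code_verifier, self._now())
        params = {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "state": state,
            "code_challenge": code_challenge,
            "code_challenge_method": "S256",
        }
        return authorize_endpoint + "?" + urlencode(params)

    def verify_state_token(self, state: str) -> Optional[str]:
        """Single-use lookup: returns the code_verifier, or None if the state is
        unknown, already consumed, or older than the TTL."""
        row = self._rows.pop(state, None)  # pop makes the token single-use
        if row is None:
            return None
        code_verifier, created_at = row
        if self._now() - created_at > self._ttl:
            return None
        return code_verifier


def handle_callback(store: StateStore, state: str, code: str, iss: Optional[str],
                    expected_issuer: str, token_endpoint: str, client_id: str,
                    redirect_uri: str) -> Optional[Dict[str, object]]:
    """Validate iss (RFC 9207 issuer identification) and the state token, then
    return the /token request that would be sent. None means reject."""
    if iss != expected_issuer:  # mix-up defence: response must come from our issuer
        return None
    code_verifier = store.verify_state_token(state)
    if code_verifier is None:  # CSRF / replay / expiry defence
        return None
    return {
        "url": token_endpoint,
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,  # server recomputes S256 and compares
        },
    }
```

The `now` callable is the hook a test would use for `test_verify_expired_state_token`: advance a fake clock past the TTL and assert the lookup returns `None`, rather than sleeping. The `iss` check runs before the state lookup on purpose, so a response from the wrong issuer never consumes the single-use token.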