Rules tests (#183)

* add rules changes to accessToken

* add changeset

Author: dagda1

.changes/fix-access-token.md

@@ -0,0 +1,4 @@
+---
+"@simulacrum/auth0-simulator": minor
+---
+Apply rules changes to the accessToken

packages/auth0/src/auth/jwt.ts

@@ -14,12 +14,3 @@ export const createJsonWebToken = (
 ): string => {
   return sign(payload, privateKey, options);
 };
-
-export function createAuthJWT(authNamespace: string, audience: string, sub: string): string {
-  return createJsonWebToken({
-    [`${authNamespace}`]: 'decorate token',
-    aud: audience,
-    iss: authNamespace,
-    sub,
-  });
-}

packages/auth0/src/handlers/auth0-handlers.ts

@@ -1,5 +1,5 @@
 import type { HttpHandler, Middleware, Person, Store } from '@simulacrum/server';
-import type { IdTokenData, Options, QueryParams, ResponseModes } from '../types';
+import type { AccessTokenPayload, IdTokenData, Options, QueryParams, ResponseModes } from '../types';
 import { createLoginRedirectHandler } from './login-redirect';
 import { createWebMessageHandler } from './web-message';
 import { loginView } from '../views/login';
@@ -8,7 +8,7 @@ import { stringify } from 'querystring';
 import { decode, encode } from "base64-url";
 import { userNamePasswordForm } from '../views/username-password';
 import { expiresAt } from '../auth/date';
-import { createAuthJWT, createJsonWebToken } from '../auth/jwt';
+import { createJsonWebToken } from '../auth/jwt';
 import { getServiceUrl } from './get-service-url';
 import { createRulesRunner } from '../rules/rules-runner';
 import type { RuleUser } from '../rules/types';
@@ -222,19 +222,24 @@ export const createAuth0Handlers = (options: Options): Record<Routes, HttpHandle
         idTokenData.nonce = nonce;
       }
 
-      let accessToken = {
-        scope,
-      };
-
       let userData = {} as RuleUser;
-      let context = { clientID, accessToken, idToken: idTokenData };
+      let context = { clientID, accessToken: { scope }, idToken: idTokenData };
 
       rulesRunner(userData, context);
 
-      let idToken = createJsonWebToken({ ...userData, ...context.idToken, ...context.accessToken });
+      let idToken = createJsonWebToken({ ...userData, ...context.idToken });
+
+      let accessToken: AccessTokenPayload = {
+        aud: audience,
+        sub: idTokenData.sub,
+        iat: idTokenData.iat,
+        iss: idTokenData.iss,
+        exp: idTokenData.exp,
+        ...context.accessToken
+      };
 
       res.status(200).json({
-        access_token: createAuthJWT(url, audience, idTokenData.sub),
+        access_token: createJsonWebToken(accessToken),
         id_token: idToken,
         expires_in: 86400,
         token_type: "Bearer",

packages/auth0/src/types.ts

@@ -52,3 +52,14 @@ export interface IdTokenData {
   sub: string;
   nonce?: string;
 }
+
+export interface AccessTokenPayload {
+  iss: string;
+  sub: string;
+  aud: string;
+  iat: number;
+  exp: number;
+  scope: string;
+
+  [key: string]: string | number | string[];
+}

packages/auth0/test/auth0.test.ts

@@ -231,9 +231,6 @@ describe('Auth0 simulator', () => {
 
     beforeEach(function* () {
       simulation = yield client.createSimulation("auth0", {
-        options: {
-          rulesDirectory: 'test/rules'
-        },
         services: {
           auth0: { port: 4400 }, frontend: { port: 3000 }
         }
@@ -319,25 +316,6 @@ describe('Auth0 simulator', () => {
 
       expect(res.status).toBe(401);
     });
-
-    it('should have ran the rules', function* () {
-      let res: Response = yield fetch(`${authUrl}/oauth/token`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify({
-          ...Fields,
-          code
-        })
-      });
-
-      let token = yield res.json();
-
-      let idToken = jwt.decode(token.id_token, { complete: true });
-
-      expect(idToken?.payload.picture).toContain('https://i.pravatar.cc');
-    });
   });
 
   describe('/v2/logout', () => {

packages/auth0/test/fixtures/rules-access-token/add-roles.js

@@ -0,0 +1,18 @@
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+function addRolesAndEmail(user, context, callback) {
+  let namespace = 'https://example.nl';
+  let assignedRoles = ["example"];
+
+  let idTokenClaims = context.idToken || {};
+  let accessTokenClaims = context.accessToken || {};
+
+  idTokenClaims[`${namespace}/roles`] = assignedRoles;
+
+  accessTokenClaims[`${namespace}/roles`] = assignedRoles;
+  accessTokenClaims[`${namespace}/email`] = idTokenClaims.email;
+
+  context.idToken = idTokenClaims;
+  context.accessToken = accessTokenClaims;
+
+  callback(null, user, context);
+}

packages/auth0/test/fixtures/rules-access-token/add-roles.json

@@ -0,0 +1,5 @@
+{
+  "enabled": true,
+  "order": 1,
+  "stage": "login_success"
+}

packages/auth0/test/rules/avatar.js renamed to packages/auth0/test/fixtures/rules-user/avatar.js

@@ -0,0 +1,161 @@
+import { describe, it, beforeEach } from '@effection/mocha';
+import expect from 'expect';
+import type { Client, Simulation } from './helpers';
+import { createTestServer } from './helpers';
+import { auth0 } from '../src';
+import fetch from 'cross-fetch';
+import type { Person } from '@simulacrum/server';
+import { createHttpApp } from '@simulacrum/server';
+import { person as personScenario } from '@simulacrum/server';
+import jwt from 'jsonwebtoken';
+import { assert } from 'assert-ts';
+import type { Scenario } from '@simulacrum/client';
+
+let Fields = {
+  audience: "https://example.nl",
+  client_id: "00000000000000000000000000000000",
+  connection: "Username-Password-Authentication",
+  nonce: "aGV6ODdFZjExbF9iMkdYZHVfQ3lYcDNVSldGRDR6dWdvREQwUms1Z0Ewaw==",
+  redirect_uri: "http://localhost:3000",
+  response_type: "token id_token",
+  scope: "openid profile email offline_access",
+  state: "sxmRf2Fq.IMN5SER~wQqbsXl5Hx0JHov",
+  tenant: "localhost:4400",
+};
+
+type FixtureDirectories = 'user' | 'access-token';
+
+type Fixtures = `test/fixtures/rules-${FixtureDirectories}`;
+
+function * createSimulation(client: Client, rulesDirectory: Fixtures) {
+  let simulation: Simulation = yield client.createSimulation("auth0", {
+    options: {
+      rulesDirectory
+    },
+    services: {
+      auth0: { port: 4400 }, frontend: { port: 3000 }
+    }
+  });
+
+  let authUrl = simulation.services[0].url;
+
+  let person: Scenario<Person> = yield client.given(simulation, "person");
+
+  // prime the server with the nonce field
+  yield fetch(`${authUrl}/usernamepassword/login`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      ...Fields,
+      username: person.data.email,
+      password: person.data.password,
+    })
+  });
+
+  let res: Response = yield fetch(`https://localhost:4400/login/callback`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded'
+    },
+    body: `wctx=${encodeURIComponent(JSON.stringify({
+      ...Fields
+    }))}`
+  });
+
+  let code = new URL(res.url).searchParams.get('code') as string;
+
+  return { code, authUrl };
+}
+
+describe('rules', () => {
+  let client: Client;
+
+  it('should', function * () {
+    expect(true).toBe(true);
+  });
+
+  beforeEach(function* () {
+    client = yield createTestServer({
+      simulators: {
+        auth0: (slice, options) => {
+          let { services } = auth0(slice, options);
+
+          return {
+            services: {
+              ...services,
+              frontend: {
+                protocol: 'http',
+                app: createHttpApp().get('/', function* (_, res) {
+                  res.status(200).send('ok');
+                })
+              },
+            },
+            scenarios: { person: personScenario }
+          };
+        }
+      }
+    });
+  });
+
+  describe('accessToken claims', () => {
+    let authUrl: string;
+    let code: string;
+
+    beforeEach(function* () {
+      ({ authUrl, code } = yield createSimulation(client, 'test/fixtures/rules-access-token'));
+    });
+
+    it('should have added the claims', function* () {
+      let res: Response = yield fetch(`${authUrl}/oauth/token`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          ...Fields,
+          code
+        })
+      });
+
+      let token = yield res.json();
+
+      let accessToken = jwt.decode(token.access_token, { complete: true });
+
+      assert(!!accessToken);
+
+      expect(accessToken.payload['https://example.nl/roles']).toEqual(["example"]);
+
+      expect(accessToken.payload['https://example.nl/email']).toEqual('paulwaters.white@yahoo.com');
+    });
+  });
+
+  describe('augment user', () => {
+    let authUrl: string;
+    let code: string;
+
+    beforeEach(function* () {
+      ({ authUrl, code } = yield createSimulation(client, 'test/fixtures/rules-user'));
+    });
+
+    it('should have added a picture to the payload', function* () {
+      let res: Response = yield fetch(`${authUrl}/oauth/token`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          ...Fields,
+          code
+        })
+      });
+
+      let token = yield res.json();
+
+      let idToken = jwt.decode(token.id_token, { complete: true });
+
+      expect(idToken?.payload.picture).toContain('https://i.pravatar.cc');
+    });
+  });
+});