companion-oauth-pkce-data-integrity.test.mjs
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd
feat(calendar): enforce agent context tiers in retrieval AP…
Human
minor
⚠ breaking
1 day ago
| 1 | /** |
| 2 | * Tier 5 — DATA INTEGRITY: determinism, purity, and non-mutation of inputs. The protocol core |
| 3 | * must be a pure function of its arguments (no env, no clock, no hidden state) so its behavior is |
| 4 | * reproducible and auditable. |
| 5 | */ |
| 6 | import { describe, it } from 'node:test'; |
| 7 | import assert from 'node:assert/strict'; |
| 8 | import { |
| 9 | computeCodeChallenge, |
| 10 | buildAuthorizationUrl, |
| 11 | buildTokenRequest, |
| 12 | validateAuthorizationResponse, |
| 13 | validateTokenResponse, |
| 14 | decideTokenRefresh, |
| 15 | createPkcePair, |
| 16 | } from '../lib/companion-oauth-pkce.mjs'; |
| 17 | |
| 18 | const AUTH_EP = 'https://knowtation.store/authorize'; |
| 19 | const TOKEN_EP = 'https://knowtation.store/token'; |
| 20 | const CLIENT_ID = 'companion-public-client'; |
| 21 | const REDIRECT = 'http://127.0.0.1:49321/callback'; |
| 22 | const SCOPES = ['vault:read', 'vault:write']; |
| 23 | |
| 24 | describe('Data integrity — determinism', () => { |
| 25 | it('computeCodeChallenge is a pure function of the verifier', () => { |
| 26 | const v = createPkcePair().codeVerifier; |
| 27 | const a = computeCodeChallenge(v); |
| 28 | for (let i = 0; i < 1000; i++) assert.equal(computeCodeChallenge(v), a); |
| 29 | }); |
| 30 | it('buildAuthorizationUrl is deterministic given identical inputs', () => { |
| 31 | const args = { authorizationEndpoint: AUTH_EP, clientId: CLIENT_ID, redirectUri: REDIRECT, scopes: SCOPES, state: 's', codeChallenge: 'c' }; |
| 32 | assert.equal(buildAuthorizationUrl(args), buildAuthorizationUrl(args)); |
| 33 | }); |
| 34 | it('decideTokenRefresh is deterministic', () => { |
| 35 | const args = { expiresAt: 5000, now: 4000, skewMs: 500 }; |
| 36 | const first = decideTokenRefresh(args); |
| 37 | for (let i = 0; i < 100; i++) assert.equal(decideTokenRefresh(args), first); |
| 38 | }); |
| 39 | }); |
| 40 | |
| 41 | describe('Data integrity — inputs are never mutated', () => { |
| 42 | it('buildAuthorizationUrl does not mutate the params object or the scopes array', () => { |
| 43 | const scopes = [...SCOPES]; |
| 44 | const params = { authorizationEndpoint: AUTH_EP, clientId: CLIENT_ID, redirectUri: REDIRECT, scopes, state: 's', codeChallenge: 'c', extraParams: { prompt: 'consent' } }; |
| 45 | const snapshot = JSON.stringify(params); |
| 46 | buildAuthorizationUrl(params); |
| 47 | assert.equal(JSON.stringify(params), snapshot); |
| 48 | assert.deepEqual(scopes, SCOPES); |
| 49 | }); |
| 50 | it('buildTokenRequest does not mutate its params', () => { |
| 51 | const verifier = createPkcePair().codeVerifier; |
| 52 | const params = { tokenEndpoint: TOKEN_EP, clientId: CLIENT_ID, code: 'c', codeVerifier: verifier, redirectUri: REDIRECT }; |
| 53 | const snapshot = JSON.stringify(params); |
| 54 | buildTokenRequest(params); |
| 55 | assert.equal(JSON.stringify(params), snapshot); |
| 56 | }); |
| 57 | it('validateAuthorizationResponse does not mutate the params it inspects', () => { |
| 58 | const params = { code: 'c', state: 's', iss: 'https://knowtation.store' }; |
| 59 | const snapshot = JSON.stringify(params); |
| 60 | validateAuthorizationResponse({ params, expectedState: 's', expectedIssuer: 'https://knowtation.store' }); |
| 61 | assert.equal(JSON.stringify(params), snapshot); |
| 62 | }); |
| 63 | it('validateTokenResponse does not mutate its input', () => { |
| 64 | const json = { access_token: 'jwt', token_type: 'Bearer', expires_in: 60, refresh_token: 'r' }; |
| 65 | const snapshot = JSON.stringify(json); |
| 66 | validateTokenResponse(json); |
| 67 | assert.equal(JSON.stringify(json), snapshot); |
| 68 | }); |
| 69 | }); |
| 70 | |
| 71 | describe('Data integrity — environment independence', () => { |
| 72 | it('behavior does not depend on process.env', () => { |
| 73 | const v = createPkcePair().codeVerifier; |
| 74 | const before = computeCodeChallenge(v); |
| 75 | process.env.KNOWTATION_PKCE_TEST_FLAG = 'tampered'; |
| 76 | const after = computeCodeChallenge(v); |
| 77 | delete process.env.KNOWTATION_PKCE_TEST_FLAG; |
| 78 | assert.equal(before, after); |
| 79 | }); |
| 80 | }); |
| 81 | |
| 82 | describe('Data integrity — verdict shapes are stable', () => { |
| 83 | it('a success verdict has exactly { ok, code }', () => { |
| 84 | const r = validateAuthorizationResponse({ params: { code: 'c', state: 's' }, expectedState: 's' }); |
| 85 | assert.deepEqual(Object.keys(r).sort(), ['code', 'ok']); |
| 86 | }); |
| 87 | it('a token success verdict has the documented fields', () => { |
| 88 | const r = validateTokenResponse({ access_token: 'jwt', token_type: 'Bearer', expires_in: 60 }); |
| 89 | assert.deepEqual(Object.keys(r).sort(), ['accessToken', 'expiresIn', 'ok', 'refreshToken', 'scope', 'tokenType']); |
| 90 | }); |
| 91 | }); |
File History
2 commits
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd
feat(calendar): enforce agent context tiers in retrieval AP…
Human
minor
⚠
1 day ago
sha256:9103f98c89257ed2b01c237cea895dabb3e85ea337dccb1161c175e4422355b6
docs: accept Calendar Events v0 spec with Phase 0 security …
Human
1 day ago