"""Tests for GAuthClient.""" from gnexus_gauth.client import GAuthClient from gnexus_gauth.config import GAuthConfig from gnexus_gauth.contracts import ( RuntimeUserProviderInterface, TokenEndpointInterface, WebhookParserInterface, WebhookVerifierInterface, ) from gnexus_gauth.dto import ( AuthenticatedUser, AuthorizationRequest, TokenSet, VerifiedWebhook, WebhookEvent, ) from gnexus_gauth.support import InMemoryPkceStore, InMemoryStateStore class FakeTokenEndpoint(TokenEndpointInterface): def __init__(self) -> None: self.exchanged = False self.refreshed = False self.revoked = False def exchange_authorization_code(self, code: str, pkce_verifier: str) -> TokenSet: self.exchanged = True return TokenSet("access", "refresh", "Bearer", 900) def refresh_token(self, refresh_token: str) -> TokenSet: self.refreshed = True return TokenSet("new_access", "new_refresh", "Bearer", 900) def revoke_token(self, token: str, token_type_hint: str | None = None) -> None: self.revoked = True class FakeRuntimeUserProvider(RuntimeUserProviderInterface): def fetch_user(self, access_token: str) -> AuthenticatedUser: return AuthenticatedUser("1", "user@example.test", True) class FakeWebhookVerifier(WebhookVerifierInterface): def verify(self, raw_body: str, headers: dict, secret: str) -> VerifiedWebhook: return VerifiedWebhook(raw_body, {}, "evt_1", __import__("datetime").datetime.now(__import__("datetime").timezone.utc)) class FakeWebhookParser(WebhookParserInterface): def parse(self, raw_body: str) -> WebhookEvent: return WebhookEvent("evt_1", "webhook.test") class TestGAuthClient: def _make_client(self) -> tuple[GAuthClient, FakeTokenEndpoint, InMemoryStateStore, InMemoryPkceStore]: state_store = InMemoryStateStore() pkce_store = InMemoryPkceStore() token_endpoint = FakeTokenEndpoint() config = GAuthConfig( base_url="https://auth.example.test", client_id="billing", client_secret="secret", redirect_uri="https://billing.example.test/callback", ) client = GAuthClient( config=config, token_endpoint=token_endpoint, runtime_user_provider=FakeRuntimeUserProvider(), webhook_verifier=FakeWebhookVerifier(), webhook_parser=FakeWebhookParser(), state_store=state_store, pkce_store=pkce_store, ) return client, token_endpoint, state_store, pkce_store def test_build_authorization_request(self) -> None: client, _, state_store, pkce_store = self._make_client() request = client.build_authorization_request("/dashboard", ["openid", "profile"]) assert isinstance(request, AuthorizationRequest) assert request.state assert request.pkce_verifier assert request.pkce_challenge assert state_store.has(request.state) assert pkce_store.get(request.state) == request.pkce_verifier assert "response_type=code" in request.authorization_url assert "client_id=billing" in request.authorization_url assert "scope=openid%20profile" in request.authorization_url assert "return_to=%2Fdashboard" in request.authorization_url def test_exchange_authorization_code(self) -> None: client, token_endpoint, state_store, pkce_store = self._make_client() auth = client.build_authorization_request() token_set = client.exchange_authorization_code("code_123", auth.state) assert token_set.access_token == "access" assert token_endpoint.exchanged assert not state_store.has(auth.state) assert pkce_store.get(auth.state) is None def test_refresh_token(self) -> None: client, token_endpoint, _, _ = self._make_client() token_set = client.refresh_token("old_refresh") assert token_set.access_token == "new_access" assert token_endpoint.refreshed def test_revoke_token(self) -> None: client, token_endpoint, _, _ = self._make_client() client.revoke_token("token_123") assert token_endpoint.revoked def test_fetch_user(self) -> None: client, _, _, _ = self._make_client() user = client.fetch_user("access_token") assert user.user_id == "1" assert user.email == "user@example.test" def test_verify_and_parse_webhook(self) -> None: client, _, _, _ = self._make_client() event = client.verify_and_parse_webhook('{"type":"test"}', {}, "secret") assert event.event_type == "webhook.test"