feat(auth): OIDC phase 4a — session persistence for refresh/expiry/oidc metadata

setFallbackSession gains an optional `extra` arg (password call sites unchanged)
persisting cinny_refresh_token, cinny_expires_at (absolute), and
cinny_oidc_{issuer,client_id,redirect_uri,id_token_claims}. getFallbackSession
reads them back (expiry as remaining lifetime); removeFallbackSession + re-save
clear stale OIDC keys. Session type gains `oidc?: OidcSessionMeta`. +2 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-30 15:55:30 -04:00
parent 98ad5674a8
commit d3d2f9a448
2 changed files with 121 additions and 0 deletions
+42
View File
@@ -72,3 +72,45 @@ test('removeFallbackSession clears all keys', () => {
assert.equal(store.size, 0);
assert.equal(getFallbackSession(), undefined);
});
test('round-trips an OIDC session (refresh token, expiry, oidc metadata)', () => {
installStorage();
setFallbackSession('tok', 'DEV', '@bob:mozilla.org', 'https://matrix-client.mozilla.org', {
refreshToken: 'refresh-xyz',
expiresInMs: 3_600_000,
oidc: {
issuer: 'https://chat.mozilla.org/',
clientId: 'client-123',
redirectUri: 'https://chat.lotusguild.org/auth/oidc/callback',
idTokenClaims: { sub: '@bob:mozilla.org', aud: 'client-123' },
},
});
const s = getFallbackSession();
assert.ok(s);
assert.equal(s.refreshToken, 'refresh-xyz');
// stored as absolute expiry, read back as remaining lifetime
assert.ok(s.expiresInMs! > 0 && s.expiresInMs! <= 3_600_000);
assert.deepEqual(s.oidc, {
issuer: 'https://chat.mozilla.org/',
clientId: 'client-123',
redirectUri: 'https://chat.lotusguild.org/auth/oidc/callback',
idTokenClaims: { sub: '@bob:mozilla.org', aud: 'client-123' },
});
});
test('a password session carries no OIDC fields, and re-saving clears stale OIDC keys', () => {
installStorage();
// first an OIDC session...
setFallbackSession('tok', 'DEV', '@bob:mozilla.org', 'https://hs', {
refreshToken: 'r',
oidc: { issuer: 'https://i', clientId: 'c', redirectUri: 'https://cb' },
});
assert.ok(getFallbackSession()?.oidc);
// ...overwritten by a plain password session must drop the OIDC state
setFallbackSession('tok2', 'DEV', '@alice:example.org', 'https://hs');
const s = getFallbackSession();
assert.ok(s);
assert.equal(s.oidc, undefined);
assert.equal(s.refreshToken, undefined);
});