feat(auth): OIDC phase 4a — session persistence for refresh/expiry/oidc metadata
setFallbackSession gains an optional `extra` arg (password call sites unchanged)
persisting cinny_refresh_token, cinny_expires_at (absolute), and
cinny_oidc_{issuer,client_id,redirect_uri,id_token_claims}. getFallbackSession
reads them back (expiry as remaining lifetime); removeFallbackSession + re-save
clear stale OIDC keys. Session type gains `oidc?: OidcSessionMeta`. +2 tests.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -72,3 +72,45 @@ test('removeFallbackSession clears all keys', () => {
assert.equal(store.size, 0);
assert.equal(getFallbackSession(), undefined);
});
test('round-trips an OIDC session (refresh token, expiry, oidc metadata)', () => {
installStorage();
setFallbackSession('tok', 'DEV', '@bob:mozilla.org', 'https://matrix-client.mozilla.org', {
refreshToken: 'refresh-xyz',
expiresInMs: 3_600_000,
oidc: {
issuer: 'https://chat.mozilla.org/',
clientId: 'client-123',
redirectUri: 'https://chat.lotusguild.org/auth/oidc/callback',
idTokenClaims: { sub: '@bob:mozilla.org', aud: 'client-123' },
},
});
const s = getFallbackSession();
assert.ok(s);
assert.equal(s.refreshToken, 'refresh-xyz');
// stored as absolute expiry, read back as remaining lifetime
assert.ok(s.expiresInMs! > 0 && s.expiresInMs! <= 3_600_000);
assert.deepEqual(s.oidc, {
issuer: 'https://chat.mozilla.org/',
clientId: 'client-123',
redirectUri: 'https://chat.lotusguild.org/auth/oidc/callback',
idTokenClaims: { sub: '@bob:mozilla.org', aud: 'client-123' },
});
});
test('a password session carries no OIDC fields, and re-saving clears stale OIDC keys', () => {
installStorage();
// first an OIDC session...
setFallbackSession('tok', 'DEV', '@bob:mozilla.org', 'https://hs', {
refreshToken: 'r',
oidc: { issuer: 'https://i', clientId: 'c', redirectUri: 'https://cb' },
});
assert.ok(getFallbackSession()?.oidc);
// ...overwritten by a plain password session must drop the OIDC state
setFallbackSession('tok2', 'DEV', '@alice:example.org', 'https://hs');
const s = getFallbackSession();
assert.ok(s);
assert.equal(s.oidc, undefined);
assert.equal(s.refreshToken, undefined);
});
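Review bot: The re-save test (`test('a password session carries no OIDC fields, and re-saving clears stale OIDC keys'`) never seeds `expiresInMs` in its first OIDC save, so it cannot catch a stale `cinny_expires_at` surviving the plain password re-save even though the commit message says expiry is persisted as its own key; add `expiresInMs: 3_600_000,` next to `refreshToken: 'r',` and `assert.equal(s.expiresInMs, undefined);` after the `refreshToken` assertion. Neither test covers an already-elapsed expiry, so what `getFallbackSession` returns for `expiresInMs` once the stored absolute time is in the past (0, a negative number, or `undefined`) is unpinned, and a negative remaining lifetime that a caller reads as "still valid" is exactly the regression this suite should fail on — a third case that stores a past expiry and asserts the read-back value is worth adding, with the expected value taken from the implementation, which is outside this hunk. If the `assert` in scope is the non-strict `node:assert`, `assert.equal(s.oidc, undefined)` also accepts `null` and `assert.deepEqual` compares the `idTokenClaims` values loosely, so `assert.strictEqual` and `assert.deepStrictEqual` would pin the round-trip exactly; this does not apply if the file imports `node:assert/strict`, which is not visible here.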