refactor: dedupe OAuth flow handlers

2026-05-09 21:44:32 +00:00 · 2026-01-13 05:13:01 +00:00
parent d8f14078f0
commit 01776e0569
4 changed files with 140 additions and 57 deletions
--- a/src/commands/chutes-oauth.test.ts
+++ b/src/commands/chutes-oauth.test.ts
@@ -109,4 +109,75 @@ describe("loginChutes", () => {
    expect(creds.refresh).toBe("rt_manual");
    expect(creds.email).toBe("manual-user");
  });
+
+  it("does not reuse code_verifier as state", async () => {
+    const fetchFn: typeof fetch = async (input) => {
+      const url = String(input);
+      if (url === CHUTES_TOKEN_ENDPOINT) {
+        return new Response(
+          JSON.stringify({
+            access_token: "at_manual",
+            refresh_token: "rt_manual",
+            expires_in: 3600,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      if (url === CHUTES_USERINFO_ENDPOINT) {
+        return new Response(JSON.stringify({ username: "manual-user" }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+      return new Response("not found", { status: 404 });
+    };
+
+    const createPkce = () => ({
+      verifier: "verifier_123",
+      challenge: "chal_123",
+    });
+    const createState = () => "state_456";
+
+    const creds = await loginChutes({
+      app: {
+        clientId: "cid_test",
+        redirectUri: "http://127.0.0.1:1456/oauth-callback",
+        scopes: ["openid"],
+      },
+      manual: true,
+      createPkce,
+      createState,
+      onAuth: async ({ url }) => {
+        const parsed = new URL(url);
+        expect(parsed.searchParams.get("state")).toBe("state_456");
+        expect(parsed.searchParams.get("state")).not.toBe("verifier_123");
+      },
+      onPrompt: async () => "code_manual",
+      fetchFn,
+    });
+
+    expect(creds.access).toBe("at_manual");
+  });
+
+  it("rejects pasted redirect URLs missing state", async () => {
+    const fetchFn: typeof fetch = async () =>
+      new Response("not found", { status: 404 });
+
+    await expect(
+      loginChutes({
+        app: {
+          clientId: "cid_test",
+          redirectUri: "http://127.0.0.1:1456/oauth-callback",
+          scopes: ["openid"],
+        },
+        manual: true,
+        createPkce: () => ({ verifier: "verifier_123", challenge: "chal_123" }),
+        createState: () => "state_456",
+        onAuth: async () => {},
+        onPrompt: async () =>
+          "http://127.0.0.1:1456/oauth-callback?code=code_only",
+        fetchFn,
+      }),
+    ).rejects.toThrow("Missing 'state' parameter");
+  });
 });