accounts-frontend/tests-e2e/cypress/integration/auth/oauth.test.ts

import { account1 } from '../../fixtures/accounts.json';

const defaults = {
    client_id: 'ely',
    redirect_uri: 'https://dev.ely.by/authorization/oauth',
    response_type: 'code',
    scope: 'account_info,account_email',
};

describe('OAuth', () => {
    it('should complete oauth', () => {
        cy.login({ accounts: ['default'] });

        cy.visit(`/oauth2/v1/ely?${new URLSearchParams(defaults)}`);

        cy.url().should('equal', 'https://dev.ely.by/');
    });

    it('should restore previous oauthData if any', () => {
        localStorage.setItem(
            'oauthData',
            JSON.stringify({
                timestamp: Date.now() - 3600,
                payload: {
                    clientId: 'ely',
                    redirectUrl: 'https://dev.ely.by/authorization/oauth',
                    responseType: 'code',
                    description: null,
                    scope: 'account_info account_email',
                    loginHint: null,
                    state: null,
                },
            }),
        );
        cy.login({ accounts: ['default'] });

        cy.visit('/');

        cy.url().should('equal', 'https://dev.ely.by/');
    });

    it('should ask to choose an account if user has multiple', () => {
        cy.login({ accounts: ['default', 'default2'] }).then(({ accounts: [account] }) => {
            cy.visit(`/oauth2/v1/ely?${new URLSearchParams(defaults)}`);

            cy.url().should('include', '/oauth/choose-account');

            cy.findByTestId('auth-header').should('contain', 'Choose an account');

            cy.findByTestId('auth-body').contains(account.email).click();

            cy.url().should('equal', 'https://dev.ely.by/');
        });
    });

    // TODO: remove api mocks, when we will be able to revoke permissions
    it('should prompt for permissions', () => {
        cy.server();

        cy.route({
            method: 'POST',
            // NOTE: can not use cypress glob syntax, because it will break due to
            // '%2F%2F' (//) in redirect_uri
            // url: '/api/oauth2/v1/complete/*',
            url: new RegExp('/api/oauth2/v1/complete'),
            response: {
                statusCode: 401,
                error: 'accept_required',
            },
            status: 401,
        }).as('complete');

        cy.login({ accounts: ['default'] });

        cy.visit(
            `/oauth2/v1/ely?${new URLSearchParams({
                ...defaults,
                client_id: 'tlauncher',
                redirect_uri: 'http://localhost:8080',
            })}`,
        );

        cy.wait('@complete');

        assertPermissions();

        cy.server({ enable: false });

        cy.findByTestId('auth-controls').contains('Approve').click();

        cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+&state=$/);
    });

    it('should allow sign in during oauth (guest oauth)', () => {
        cy.visit(`/oauth2/v1/ely?${new URLSearchParams(defaults)}`);

        cy.url().should('include', '/login');

        cy.get('[name=login]').type(`${account1.login}{enter}`);

        cy.url().should('include', '/password');

        cy.get('[name=password]').type(`${account1.password}{enter}`);

        cy.url().should('equal', 'https://dev.ely.by/');
    });

    // TODO: enable, when backend api will return correct response on auth decline
    xit('should redirect to error page, when permission request declined', () => {
        cy.server();

        cy.route({
            method: 'POST',
            // NOTE: can not use cypress glob syntax, because it will break due to
            // '%2F%2F' (//) in redirect_uri
            // url: '/api/oauth2/v1/complete/*',
            url: new RegExp('/api/oauth2/v1/complete'),
            response: {
                statusCode: 401,
                error: 'accept_required',
            },
            status: 401,
        }).as('complete');

        cy.login({ accounts: ['default'] });

        cy.visit(
            `/oauth2/v1/ely?${new URLSearchParams({
                ...defaults,
                client_id: 'tlauncher',
                redirect_uri: 'http://localhost:8080',
            })}`,
        );

        cy.wait('@complete');

        assertPermissions();

        cy.server({ enable: false });

        cy.findByTestId('auth-controls-secondary').contains('Decline').click();

        cy.url().should('include', 'error=access_denied');
    });

    describe('login_hint', () => {
        it('should automatically choose account, when id in login_hint is present', () => {
            cy.login({ accounts: ['default', 'default2'] }).then(({ accounts: [account] }) => {
                cy.visit(
                    `/oauth2/v1/ely?${new URLSearchParams({
                        ...defaults,
                        // suggest preferred username
                        // https://docs.ely.by/ru/oauth.html#id3
                        login_hint: String(account.id),
                    }).toString()}`,
                );

                cy.url().should('equal', 'https://dev.ely.by/');
            });
        });

        it('should automatically choose account, when email in login_hint is present', () => {
            cy.login({ accounts: ['default', 'default2'] }).then(({ accounts: [account] }) => {
                cy.visit(
                    `/oauth2/v1/ely?${new URLSearchParams({
                        ...defaults,
                        // suggest preferred username
                        // https://docs.ely.by/ru/oauth.html#id3
                        login_hint: account.email,
                    })}`,
                );

                cy.url().should('equal', 'https://dev.ely.by/');
            });
        });

        it('should automatically choose account, when username in login_hint is present and it is not an active account', () => {
            cy.login({ accounts: ['default2', 'default'] }).then(
                ({
                    // try to authenticate with an account, that is not currently active one
                    accounts: [, account],
                }) => {
                    cy.visit(
                        `/oauth2/v1/ely?${new URLSearchParams({
                            ...defaults,
                            // suggest preferred username
                            // https://docs.ely.by/ru/oauth.html#id3
                            login_hint: account.username,
                        })}`,
                    );

                    cy.url().should('equal', 'https://dev.ely.by/');
                },
            );
        });
    });

    describe('prompts', () => {
        it('should prompt for account', () => {
            cy.login({ accounts: ['default'] }).then(({ accounts: [account] }) => {
                cy.visit(
                    `/oauth2/v1/ely?${new URLSearchParams({
                        ...defaults,
                        prompt: 'select_account',
                    })}`,
                );

                cy.url().should('include', '/oauth/choose-account');

                cy.findByTestId('auth-header').should('contain', 'Choose an account');

                cy.findByTestId('auth-body').contains(account.email).click();

                cy.url().should('equal', 'https://dev.ely.by/');
            });
        });

        it('should allow sign in with another account', () => {
            cy.login({ accounts: ['default2'] });

            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    prompt: 'select_account',
                })}`,
            );

            cy.url().should('include', '/oauth/choose-account');

            cy.findByTestId('auth-controls').contains('another account').click();

            cy.url().should('include', '/login');

            cy.get('[name=login]').type(`${account1.login}{enter}`);

            cy.url().should('include', '/password');

            cy.get('[name=password]').type(`${account1.password}{enter}`);

            cy.url().should('equal', 'https://dev.ely.by/');
        });

        it('should prompt for permissions', () => {
            cy.login({ accounts: ['default'] });

            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    client_id: 'tlauncher',
                    redirect_uri: 'http://localhost:8080',
                    prompt: 'consent',
                })}`,
            );

            assertPermissions();

            cy.findByTestId('auth-controls').contains('Approve').click();

            cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+&state=$/);
        });

        // TODO: enable, when backend api will return correct response on auth decline
        xit('should redirect to error page, when permission request declined', () => {
            cy.login({ accounts: ['default'] });

            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    client_id: 'tlauncher',
                    redirect_uri: 'http://localhost:8080',
                    prompt: 'consent',
                })}`,
            );

            cy.url().should('include', '/oauth/permissions');

            cy.findByTestId('auth-controls-secondary').contains('Decline').click();

            cy.url().should('include', 'error=access_denied');
        });

        it('should prompt for both account and permissions', () => {
            cy.login({ accounts: ['default'] }).then(({ accounts: [account] }) => {
                cy.visit(
                    `/oauth2/v1/ely?${new URLSearchParams({
                        ...defaults,
                        client_id: 'tlauncher',
                        redirect_uri: 'http://localhost:8080',
                        prompt: 'select_account,consent',
                    })}`,
                );

                cy.url().should('include', '/oauth/choose-account');

                cy.findByTestId('auth-header').should('contain', 'Choose an account');

                cy.findByTestId('auth-body').contains(account.email).click();

                assertPermissions();

                cy.findByTestId('auth-controls').contains('Approve').click();

                cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+&state=$/);
            });
        });

        it('should allow sign in during oauth (guest oauth)', () => {
            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    client_id: 'tlauncher',
                    redirect_uri: 'http://localhost:8080',
                    prompt: 'select_account,consent',
                })}`,
            );

            cy.url().should('include', '/login');

            cy.get('[name=login]').type(`${account1.login}{enter}`);

            cy.url().should('include', '/password');

            cy.get('[name=password]').type(`${account1.password}{enter}`);

            assertPermissions();

            cy.findByTestId('auth-controls').contains('Approve').click();

            cy.url().should('match', /^http:\/\/localhost:8080\/?\?code=[^&]+&state=$/);
        });
    });

    describe('static pages', () => {
        it('should authenticate using static page', () => {
            cy.server();
            cy.route({
                method: 'POST',
                url: '/api/oauth2/v1/complete**',
            }).as('complete');

            cy.login({ accounts: ['default'] });

            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    client_id: 'tlauncher',
                    redirect_uri: 'static_page',
                })}`,
            );

            cy.wait('@complete');

            cy.url().should('include', 'oauth/finish#{%22auth_code%22:');
        });

        it('should authenticate using static page with code', () => {
            cy.server();
            cy.route({
                method: 'POST',
                url: '/api/oauth2/v1/complete**',
            }).as('complete');

            cy.login({ accounts: ['default'] });

            cy.visit(
                `/oauth2/v1/ely?${new URLSearchParams({
                    ...defaults,
                    client_id: 'tlauncher',
                    redirect_uri: 'static_page_with_code',
                })}`,
            );

            cy.wait('@complete');

            cy.url().should('include', 'oauth/finish#{%22auth_code%22:');

            cy.findByTestId('oauth-code-container').should('contain', 'provide the following code');

            // just click on copy, but we won't assert if the string was copied
            // because it is a little bit complicated
            // https://github.com/cypress-io/cypress/issues/2752
            cy.findByTestId('oauth-code-container').contains('Copy').click();
        });
    });
});

function assertPermissions() {
    cy.url().should('include', '/oauth/permissions');

    cy.findByTestId('auth-header').should('contain', 'Application permissions');
    cy.findByTestId('auth-body').should('contain', 'Access to your profile data (except E‑mail)');
    cy.findByTestId('auth-body').should('contain', 'Access to your E‑mail address');
}