diff --git a/lib/DBSQLClient.ts b/lib/DBSQLClient.ts index 00496463..2c424521 100644 --- a/lib/DBSQLClient.ts +++ b/lib/DBSQLClient.ts @@ -19,6 +19,11 @@ import HiveDriverError from './errors/HiveDriverError'; import { buildUserAgentString, definedOrError } from './utils'; import PlainHttpAuthentication from './connection/auth/PlainHttpAuthentication'; import DatabricksOAuth, { OAuthFlow } from './connection/auth/DatabricksOAuth'; +import { + TokenProviderAuthenticator, + StaticTokenProvider, + ExternalTokenProvider, +} from './connection/auth/tokenProvider'; import IDBSQLLogger, { LogLevel } from './contracts/IDBSQLLogger'; import DBSQLLogger from './DBSQLLogger'; import CloseableCollection from './utils/CloseableCollection'; @@ -143,6 +148,12 @@ export default class DBSQLClient extends EventEmitter implements IDBSQLClient, I }); case 'custom': return options.provider; + case 'token-provider': + return new TokenProviderAuthenticator(options.tokenProvider, this); + case 'external-token': + return new TokenProviderAuthenticator(new ExternalTokenProvider(options.getToken), this); + case 'static-token': + return new TokenProviderAuthenticator(StaticTokenProvider.fromJWT(options.staticToken), this); // no default } } diff --git a/lib/connection/auth/tokenProvider/ExternalTokenProvider.ts b/lib/connection/auth/tokenProvider/ExternalTokenProvider.ts new file mode 100644 index 00000000..ada48038 --- /dev/null +++ b/lib/connection/auth/tokenProvider/ExternalTokenProvider.ts @@ -0,0 +1,52 @@ +import ITokenProvider from './ITokenProvider'; +import Token from './Token'; + +/** + * Type for the callback function that retrieves tokens from external sources. + */ +export type TokenCallback = () => Promise; + +/** + * A token provider that delegates token retrieval to an external callback function. + * Useful for integrating with secret managers, vaults, or other token sources. + */ +export default class ExternalTokenProvider implements ITokenProvider { + private readonly getTokenCallback: TokenCallback; + + private readonly parseJWT: boolean; + + private readonly providerName: string; + + /** + * Creates a new ExternalTokenProvider. + * @param getToken - Callback function that returns the access token string + * @param options - Optional configuration + * @param options.parseJWT - If true, attempt to extract expiration from JWT payload (default: true) + * @param options.name - Custom name for this provider (default: "ExternalTokenProvider") + */ + constructor( + getToken: TokenCallback, + options?: { + parseJWT?: boolean; + name?: string; + }, + ) { + this.getTokenCallback = getToken; + this.parseJWT = options?.parseJWT ?? true; + this.providerName = options?.name ?? 'ExternalTokenProvider'; + } + + async getToken(): Promise { + const accessToken = await this.getTokenCallback(); + + if (this.parseJWT) { + return Token.fromJWT(accessToken); + } + + return new Token(accessToken); + } + + getName(): string { + return this.providerName; + } +} diff --git a/lib/connection/auth/tokenProvider/ITokenProvider.ts b/lib/connection/auth/tokenProvider/ITokenProvider.ts new file mode 100644 index 00000000..a7cd23dc --- /dev/null +++ b/lib/connection/auth/tokenProvider/ITokenProvider.ts @@ -0,0 +1,19 @@ +import Token from './Token'; + +/** + * Interface for token providers that supply access tokens for authentication. + * Token providers can be wrapped with caching and federation decorators. + */ +export default interface ITokenProvider { + /** + * Retrieves an access token for authentication. + * @returns A Promise that resolves to a Token object containing the access token + */ + getToken(): Promise; + + /** + * Returns the name of this token provider for logging and debugging purposes. + * @returns The provider name + */ + getName(): string; +} diff --git a/lib/connection/auth/tokenProvider/StaticTokenProvider.ts b/lib/connection/auth/tokenProvider/StaticTokenProvider.ts new file mode 100644 index 00000000..0a4acead --- /dev/null +++ b/lib/connection/auth/tokenProvider/StaticTokenProvider.ts @@ -0,0 +1,58 @@ +import ITokenProvider from './ITokenProvider'; +import Token from './Token'; + +/** + * A token provider that returns a static token. + * Useful for testing or when the token is obtained through external means. + */ +export default class StaticTokenProvider implements ITokenProvider { + private readonly token: Token; + + /** + * Creates a new StaticTokenProvider. + * @param accessToken - The access token string + * @param options - Optional token configuration (tokenType, expiresAt, refreshToken, scopes) + */ + constructor( + accessToken: string, + options?: { + tokenType?: string; + expiresAt?: Date; + refreshToken?: string; + scopes?: string[]; + }, + ) { + this.token = new Token(accessToken, options); + } + + /** + * Creates a StaticTokenProvider from a JWT string. + * The expiration time will be extracted from the JWT payload. + * @param jwt - The JWT token string + * @param options - Optional token configuration + */ + static fromJWT( + jwt: string, + options?: { + tokenType?: string; + refreshToken?: string; + scopes?: string[]; + }, + ): StaticTokenProvider { + const token = Token.fromJWT(jwt, options); + return new StaticTokenProvider(token.accessToken, { + tokenType: token.tokenType, + expiresAt: token.expiresAt, + refreshToken: token.refreshToken, + scopes: token.scopes, + }); + } + + async getToken(): Promise { + return this.token; + } + + getName(): string { + return 'StaticTokenProvider'; + } +} diff --git a/lib/connection/auth/tokenProvider/Token.ts b/lib/connection/auth/tokenProvider/Token.ts new file mode 100644 index 00000000..911b2bdd --- /dev/null +++ b/lib/connection/auth/tokenProvider/Token.ts @@ -0,0 +1,151 @@ +import { HeadersInit } from 'node-fetch'; + +/** + * Safety buffer in seconds to consider a token expired before its actual expiration time. + * This prevents using tokens that are about to expire during in-flight requests. + */ +const EXPIRATION_BUFFER_SECONDS = 30; + +/** + * Represents an access token with optional metadata and lifecycle management. + */ +export default class Token { + private readonly _accessToken: string; + + private readonly _tokenType: string; + + private readonly _expiresAt?: Date; + + private readonly _refreshToken?: string; + + private readonly _scopes?: string[]; + + constructor( + accessToken: string, + options?: { + tokenType?: string; + expiresAt?: Date; + refreshToken?: string; + scopes?: string[]; + }, + ) { + this._accessToken = accessToken; + this._tokenType = options?.tokenType ?? 'Bearer'; + this._expiresAt = options?.expiresAt; + this._refreshToken = options?.refreshToken; + this._scopes = options?.scopes; + } + + /** + * The access token string. + */ + get accessToken(): string { + return this._accessToken; + } + + /** + * The token type (e.g., "Bearer"). + */ + get tokenType(): string { + return this._tokenType; + } + + /** + * The expiration time of the token, if known. + */ + get expiresAt(): Date | undefined { + return this._expiresAt; + } + + /** + * The refresh token, if available. + */ + get refreshToken(): string | undefined { + return this._refreshToken; + } + + /** + * The scopes associated with this token. + */ + get scopes(): string[] | undefined { + return this._scopes; + } + + /** + * Checks if the token has expired, including a safety buffer. + * Returns false if expiration time is unknown. + */ + isExpired(): boolean { + if (!this._expiresAt) { + return false; + } + const now = new Date(); + const bufferMs = EXPIRATION_BUFFER_SECONDS * 1000; + return this._expiresAt.getTime() - bufferMs <= now.getTime(); + } + + /** + * Sets the Authorization header on the provided headers object. + * @param headers - The headers object to modify + * @returns The modified headers object with Authorization set + */ + setAuthHeader(headers: HeadersInit): HeadersInit { + return { + ...headers, + Authorization: `${this._tokenType} ${this._accessToken}`, + }; + } + + /** + * Creates a Token from a JWT string, extracting the expiration time from the payload. + * If the JWT cannot be decoded, the token is created without expiration info. + * The server will validate the token anyway, so decoding failures are handled gracefully. + * @param jwt - The JWT token string + * @param options - Additional token options (tokenType, refreshToken, scopes) + * @returns A new Token instance with expiration extracted from the JWT (if available) + */ + static fromJWT( + jwt: string, + options?: { + tokenType?: string; + refreshToken?: string; + scopes?: string[]; + }, + ): Token { + let expiresAt: Date | undefined; + + try { + const parts = jwt.split('.'); + if (parts.length >= 2) { + const payload = Buffer.from(parts[1], 'base64').toString('utf8'); + const decoded = JSON.parse(payload); + if (typeof decoded.exp === 'number') { + expiresAt = new Date(decoded.exp * 1000); + } + } + } catch { + // If we can't decode the JWT, we'll proceed without expiration info + // The server will validate the token anyway + } + + return new Token(jwt, { + tokenType: options?.tokenType, + expiresAt, + refreshToken: options?.refreshToken, + scopes: options?.scopes, + }); + } + + /** + * Converts the token to a plain object for serialization. + */ + toJSON(): Record { + return { + accessToken: this._accessToken, + tokenType: this._tokenType, + expiresAt: this._expiresAt?.toISOString(), + refreshToken: this._refreshToken, + scopes: this._scopes, + }; + } +} diff --git a/lib/connection/auth/tokenProvider/TokenProviderAuthenticator.ts b/lib/connection/auth/tokenProvider/TokenProviderAuthenticator.ts new file mode 100644 index 00000000..2c77127b --- /dev/null +++ b/lib/connection/auth/tokenProvider/TokenProviderAuthenticator.ts @@ -0,0 +1,44 @@ +import { HeadersInit } from 'node-fetch'; +import IAuthentication from '../../contracts/IAuthentication'; +import ITokenProvider from './ITokenProvider'; +import IClientContext from '../../../contracts/IClientContext'; +import { LogLevel } from '../../../contracts/IDBSQLLogger'; + +/** + * Adapts an ITokenProvider to the IAuthentication interface used by the driver. + * This allows token providers to be used with the existing authentication system. + */ +export default class TokenProviderAuthenticator implements IAuthentication { + private readonly tokenProvider: ITokenProvider; + + private readonly context: IClientContext; + + private readonly headers: HeadersInit; + + /** + * Creates a new TokenProviderAuthenticator. + * @param tokenProvider - The token provider to use for authentication + * @param context - The client context for logging + * @param headers - Additional headers to include with each request + */ + constructor(tokenProvider: ITokenProvider, context: IClientContext, headers?: HeadersInit) { + this.tokenProvider = tokenProvider; + this.context = context; + this.headers = headers ?? {}; + } + + async authenticate(): Promise { + const logger = this.context.getLogger(); + const providerName = this.tokenProvider.getName(); + + logger.log(LogLevel.debug, `TokenProviderAuthenticator: getting token from ${providerName}`); + + const token = await this.tokenProvider.getToken(); + + if (token.isExpired()) { + logger.log(LogLevel.warn, `TokenProviderAuthenticator: token from ${providerName} is expired`); + } + + return token.setAuthHeader(this.headers); + } +} diff --git a/lib/connection/auth/tokenProvider/index.ts b/lib/connection/auth/tokenProvider/index.ts new file mode 100644 index 00000000..4e844079 --- /dev/null +++ b/lib/connection/auth/tokenProvider/index.ts @@ -0,0 +1,5 @@ +export { default as ITokenProvider } from './ITokenProvider'; +export { default as Token } from './Token'; +export { default as StaticTokenProvider } from './StaticTokenProvider'; +export { default as ExternalTokenProvider, TokenCallback } from './ExternalTokenProvider'; +export { default as TokenProviderAuthenticator } from './TokenProviderAuthenticator'; diff --git a/lib/contracts/IDBSQLClient.ts b/lib/contracts/IDBSQLClient.ts index 26588031..227625d5 100644 --- a/lib/contracts/IDBSQLClient.ts +++ b/lib/contracts/IDBSQLClient.ts @@ -3,6 +3,8 @@ import IDBSQLSession from './IDBSQLSession'; import IAuthentication from '../connection/contracts/IAuthentication'; import { ProxyOptions } from '../connection/contracts/IConnectionOptions'; import OAuthPersistence from '../connection/auth/DatabricksOAuth/OAuthPersistence'; +import ITokenProvider from '../connection/auth/tokenProvider/ITokenProvider'; +import { TokenCallback } from '../connection/auth/tokenProvider/ExternalTokenProvider'; export interface ClientOptions { logger?: IDBSQLLogger; @@ -24,6 +26,18 @@ type AuthOptions = | { authType: 'custom'; provider: IAuthentication; + } + | { + authType: 'token-provider'; + tokenProvider: ITokenProvider; + } + | { + authType: 'external-token'; + getToken: TokenCallback; + } + | { + authType: 'static-token'; + staticToken: string; }; export type ConnectionOptions = { diff --git a/tests/unit/connection/auth/tokenProvider/ExternalTokenProvider.test.ts b/tests/unit/connection/auth/tokenProvider/ExternalTokenProvider.test.ts new file mode 100644 index 00000000..6695040d --- /dev/null +++ b/tests/unit/connection/auth/tokenProvider/ExternalTokenProvider.test.ts @@ -0,0 +1,108 @@ +import { expect } from 'chai'; +import sinon from 'sinon'; +import ExternalTokenProvider from '../../../../../lib/connection/auth/tokenProvider/ExternalTokenProvider'; + +function createJWT(payload: Record): string { + const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64'); + const body = Buffer.from(JSON.stringify(payload)).toString('base64'); + return `${header}.${body}.signature`; +} + +describe('ExternalTokenProvider', () => { + describe('constructor', () => { + it('should create provider with callback', async () => { + const callback = sinon.stub().resolves('my-token'); + const provider = new ExternalTokenProvider(callback); + + await provider.getToken(); + + expect(callback.calledOnce).to.be.true; + }); + + it('should use default name', () => { + const provider = new ExternalTokenProvider(async () => 'token'); + expect(provider.getName()).to.equal('ExternalTokenProvider'); + }); + + it('should use custom name', () => { + const provider = new ExternalTokenProvider(async () => 'token', { name: 'MyCustomProvider' }); + expect(provider.getName()).to.equal('MyCustomProvider'); + }); + }); + + describe('getToken', () => { + it('should call callback and return token', async () => { + const callback = sinon.stub().resolves('my-access-token'); + const provider = new ExternalTokenProvider(callback); + + const token = await provider.getToken(); + + expect(token.accessToken).to.equal('my-access-token'); + expect(token.tokenType).to.equal('Bearer'); + }); + + it('should extract expiration from JWT by default', async () => { + const exp = Math.floor(Date.now() / 1000) + 3600; + const jwt = createJWT({ exp, iss: 'test-issuer' }); + const callback = sinon.stub().resolves(jwt); + const provider = new ExternalTokenProvider(callback); + + const token = await provider.getToken(); + + expect(token.accessToken).to.equal(jwt); + expect(token.expiresAt).to.be.instanceOf(Date); + expect(Math.floor(token.expiresAt!.getTime() / 1000)).to.equal(exp); + }); + + it('should not parse JWT when parseJWT is false', async () => { + const jwt = createJWT({ exp: Math.floor(Date.now() / 1000) + 3600 }); + const callback = sinon.stub().resolves(jwt); + const provider = new ExternalTokenProvider(callback, { parseJWT: false }); + + const token = await provider.getToken(); + + expect(token.accessToken).to.equal(jwt); + expect(token.expiresAt).to.be.undefined; + }); + + it('should call callback on each getToken call', async () => { + let callCount = 0; + const callback = async () => { + callCount += 1; + return `token-${callCount}`; + }; + const provider = new ExternalTokenProvider(callback); + + const token1 = await provider.getToken(); + const token2 = await provider.getToken(); + + expect(token1.accessToken).to.equal('token-1'); + expect(token2.accessToken).to.equal('token-2'); + }); + + it('should propagate errors from callback', async () => { + const error = new Error('Failed to get token'); + const callback = sinon.stub().rejects(error); + const provider = new ExternalTokenProvider(callback); + + try { + await provider.getToken(); + expect.fail('Should have thrown an error'); + } catch (e) { + expect(e).to.equal(error); + } + }); + }); + + describe('getName', () => { + it('should return default name', () => { + const provider = new ExternalTokenProvider(async () => 'token'); + expect(provider.getName()).to.equal('ExternalTokenProvider'); + }); + + it('should return custom name', () => { + const provider = new ExternalTokenProvider(async () => 'token', { name: 'VaultTokenProvider' }); + expect(provider.getName()).to.equal('VaultTokenProvider'); + }); + }); +}); diff --git a/tests/unit/connection/auth/tokenProvider/StaticTokenProvider.test.ts b/tests/unit/connection/auth/tokenProvider/StaticTokenProvider.test.ts new file mode 100644 index 00000000..976bf84e --- /dev/null +++ b/tests/unit/connection/auth/tokenProvider/StaticTokenProvider.test.ts @@ -0,0 +1,85 @@ +import { expect } from 'chai'; +import StaticTokenProvider from '../../../../../lib/connection/auth/tokenProvider/StaticTokenProvider'; + +function createJWT(payload: Record): string { + const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64'); + const body = Buffer.from(JSON.stringify(payload)).toString('base64'); + return `${header}.${body}.signature`; +} + +describe('StaticTokenProvider', () => { + describe('constructor', () => { + it('should create provider with access token only', async () => { + const provider = new StaticTokenProvider('my-access-token'); + const token = await provider.getToken(); + + expect(token.accessToken).to.equal('my-access-token'); + expect(token.tokenType).to.equal('Bearer'); + }); + + it('should create provider with custom options', async () => { + const expiresAt = new Date('2025-01-01T00:00:00Z'); + const provider = new StaticTokenProvider('my-access-token', { + tokenType: 'CustomType', + expiresAt, + refreshToken: 'refresh-token', + scopes: ['read', 'write'], + }); + const token = await provider.getToken(); + + expect(token.accessToken).to.equal('my-access-token'); + expect(token.tokenType).to.equal('CustomType'); + expect(token.expiresAt).to.deep.equal(expiresAt); + expect(token.refreshToken).to.equal('refresh-token'); + expect(token.scopes).to.deep.equal(['read', 'write']); + }); + }); + + describe('fromJWT', () => { + it('should create provider from JWT and extract expiration', async () => { + const exp = Math.floor(Date.now() / 1000) + 3600; + const jwt = createJWT({ exp, iss: 'test-issuer' }); + + const provider = StaticTokenProvider.fromJWT(jwt); + const token = await provider.getToken(); + + expect(token.accessToken).to.equal(jwt); + expect(token.expiresAt).to.be.instanceOf(Date); + expect(Math.floor(token.expiresAt!.getTime() / 1000)).to.equal(exp); + }); + + it('should create provider from JWT with custom options', async () => { + const jwt = createJWT({ exp: Math.floor(Date.now() / 1000) + 3600 }); + + const provider = StaticTokenProvider.fromJWT(jwt, { + tokenType: 'CustomType', + refreshToken: 'refresh', + scopes: ['sql'], + }); + const token = await provider.getToken(); + + expect(token.tokenType).to.equal('CustomType'); + expect(token.refreshToken).to.equal('refresh'); + expect(token.scopes).to.deep.equal(['sql']); + }); + }); + + describe('getToken', () => { + it('should always return the same token', async () => { + const provider = new StaticTokenProvider('my-token'); + + const token1 = await provider.getToken(); + const token2 = await provider.getToken(); + + expect(token1).to.equal(token2); + expect(token1.accessToken).to.equal('my-token'); + }); + }); + + describe('getName', () => { + it('should return provider name', () => { + const provider = new StaticTokenProvider('my-token'); + expect(provider.getName()).to.equal('StaticTokenProvider'); + }); + }); +}); diff --git a/tests/unit/connection/auth/tokenProvider/Token.test.ts b/tests/unit/connection/auth/tokenProvider/Token.test.ts new file mode 100644 index 00000000..febaf712 --- /dev/null +++ b/tests/unit/connection/auth/tokenProvider/Token.test.ts @@ -0,0 +1,162 @@ +import { expect } from 'chai'; +import Token from '../../../../../lib/connection/auth/tokenProvider/Token'; + +function createJWT(payload: Record): string { + const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64'); + const body = Buffer.from(JSON.stringify(payload)).toString('base64'); + return `${header}.${body}.signature`; +} + +describe('Token', () => { + describe('constructor', () => { + it('should create token with access token only', () => { + const token = new Token('test-access-token'); + expect(token.accessToken).to.equal('test-access-token'); + expect(token.tokenType).to.equal('Bearer'); + expect(token.expiresAt).to.be.undefined; + expect(token.refreshToken).to.be.undefined; + expect(token.scopes).to.be.undefined; + }); + + it('should create token with all options', () => { + const expiresAt = new Date('2025-01-01T00:00:00Z'); + const token = new Token('test-access-token', { + tokenType: 'CustomType', + expiresAt, + refreshToken: 'refresh-token', + scopes: ['read', 'write'], + }); + expect(token.accessToken).to.equal('test-access-token'); + expect(token.tokenType).to.equal('CustomType'); + expect(token.expiresAt).to.deep.equal(expiresAt); + expect(token.refreshToken).to.equal('refresh-token'); + expect(token.scopes).to.deep.equal(['read', 'write']); + }); + }); + + describe('isExpired', () => { + it('should return false when expiration is not set', () => { + const token = new Token('test-token'); + expect(token.isExpired()).to.be.false; + }); + + it('should return true when token is expired', () => { + const expiresAt = new Date(Date.now() - 60000); // 1 minute ago + const token = new Token('test-token', { expiresAt }); + expect(token.isExpired()).to.be.true; + }); + + it('should return false when token is not expired', () => { + const expiresAt = new Date(Date.now() + 300000); // 5 minutes from now + const token = new Token('test-token', { expiresAt }); + expect(token.isExpired()).to.be.false; + }); + + it('should return true when within 30 second safety buffer', () => { + const expiresAt = new Date(Date.now() + 20000); // 20 seconds from now + const token = new Token('test-token', { expiresAt }); + expect(token.isExpired()).to.be.true; + }); + }); + + describe('setAuthHeader', () => { + it('should set Authorization header with default Bearer type', () => { + const token = new Token('my-token'); + const headers = token.setAuthHeader({}); + expect(headers).to.deep.equal({ Authorization: 'Bearer my-token' }); + }); + + it('should set Authorization header with custom type', () => { + const token = new Token('my-token', { tokenType: 'Basic' }); + const headers = token.setAuthHeader({}); + expect(headers).to.deep.equal({ Authorization: 'Basic my-token' }); + }); + + it('should preserve existing headers', () => { + const token = new Token('my-token'); + const headers = token.setAuthHeader({ 'Content-Type': 'application/json' }); + expect(headers).to.deep.equal({ + 'Content-Type': 'application/json', + Authorization: 'Bearer my-token', + }); + }); + }); + + describe('fromJWT', () => { + it('should extract expiration from JWT payload', () => { + const exp = Math.floor(Date.now() / 1000) + 3600; // 1 hour from now + const jwt = createJWT({ exp, iss: 'test-issuer' }); + const token = Token.fromJWT(jwt); + + expect(token.accessToken).to.equal(jwt); + expect(token.tokenType).to.equal('Bearer'); + expect(token.expiresAt).to.be.instanceOf(Date); + expect(Math.floor(token.expiresAt!.getTime() / 1000)).to.equal(exp); + }); + + it('should handle JWT without expiration', () => { + const jwt = createJWT({ iss: 'test-issuer' }); + const token = Token.fromJWT(jwt); + + expect(token.accessToken).to.equal(jwt); + expect(token.expiresAt).to.be.undefined; + }); + + it('should handle malformed JWT gracefully', () => { + const token = Token.fromJWT('not-a-valid-jwt'); + expect(token.accessToken).to.equal('not-a-valid-jwt'); + expect(token.expiresAt).to.be.undefined; + }); + + it('should handle JWT with invalid base64 payload', () => { + const token = Token.fromJWT('header.!!!invalid-base64!!!.signature'); + expect(token.accessToken).to.equal('header.!!!invalid-base64!!!.signature'); + expect(token.expiresAt).to.be.undefined; + }); + + it('should apply custom options', () => { + const jwt = createJWT({ exp: Math.floor(Date.now() / 1000) + 3600 }); + const token = Token.fromJWT(jwt, { + tokenType: 'CustomType', + refreshToken: 'refresh', + scopes: ['sql'], + }); + + expect(token.tokenType).to.equal('CustomType'); + expect(token.refreshToken).to.equal('refresh'); + expect(token.scopes).to.deep.equal(['sql']); + }); + }); + + describe('toJSON', () => { + it('should serialize token to JSON', () => { + const expiresAt = new Date('2025-01-01T00:00:00Z'); + const token = new Token('test-token', { + tokenType: 'Bearer', + expiresAt, + refreshToken: 'refresh', + scopes: ['read'], + }); + + const json = token.toJSON(); + expect(json).to.deep.equal({ + accessToken: 'test-token', + tokenType: 'Bearer', + expiresAt: '2025-01-01T00:00:00.000Z', + refreshToken: 'refresh', + scopes: ['read'], + }); + }); + + it('should handle undefined optional fields', () => { + const token = new Token('test-token'); + const json = token.toJSON(); + + expect(json.accessToken).to.equal('test-token'); + expect(json.tokenType).to.equal('Bearer'); + expect(json.expiresAt).to.be.undefined; + expect(json.refreshToken).to.be.undefined; + expect(json.scopes).to.be.undefined; + }); + }); +}); diff --git a/tests/unit/connection/auth/tokenProvider/TokenProviderAuthenticator.test.ts b/tests/unit/connection/auth/tokenProvider/TokenProviderAuthenticator.test.ts new file mode 100644 index 00000000..a5a3963e --- /dev/null +++ b/tests/unit/connection/auth/tokenProvider/TokenProviderAuthenticator.test.ts @@ -0,0 +1,108 @@ +import { expect } from 'chai'; +import sinon from 'sinon'; +import TokenProviderAuthenticator from '../../../../../lib/connection/auth/tokenProvider/TokenProviderAuthenticator'; +import ITokenProvider from '../../../../../lib/connection/auth/tokenProvider/ITokenProvider'; +import Token from '../../../../../lib/connection/auth/tokenProvider/Token'; +import ClientContextStub from '../../../.stubs/ClientContextStub'; + +class MockTokenProvider implements ITokenProvider { + private token: Token; + + private name: string; + + constructor(accessToken: string, name: string = 'MockTokenProvider') { + this.token = new Token(accessToken); + this.name = name; + } + + async getToken(): Promise { + return this.token; + } + + getName(): string { + return this.name; + } + + setToken(token: Token): void { + this.token = token; + } +} + +describe('TokenProviderAuthenticator', () => { + let context: ClientContextStub; + + beforeEach(() => { + context = new ClientContextStub(); + }); + + describe('authenticate', () => { + it('should return headers with Authorization', async () => { + const provider = new MockTokenProvider('my-access-token'); + const authenticator = new TokenProviderAuthenticator(provider, context); + + const headers = await authenticator.authenticate(); + + expect(headers).to.deep.equal({ + Authorization: 'Bearer my-access-token', + }); + }); + + it('should include additional headers', async () => { + const provider = new MockTokenProvider('my-access-token'); + const authenticator = new TokenProviderAuthenticator(provider, context, { + 'Content-Type': 'application/json', + 'X-Custom-Header': 'custom-value', + }); + + const headers = await authenticator.authenticate(); + + expect(headers).to.deep.equal({ + 'Content-Type': 'application/json', + 'X-Custom-Header': 'custom-value', + Authorization: 'Bearer my-access-token', + }); + }); + + it('should use token type from token', async () => { + const provider = new MockTokenProvider('my-access-token'); + provider.setToken(new Token('my-token', { tokenType: 'Basic' })); + const authenticator = new TokenProviderAuthenticator(provider, context); + + const headers = await authenticator.authenticate(); + + expect(headers).to.deep.equal({ + Authorization: 'Basic my-token', + }); + }); + + it('should call provider getToken', async () => { + const provider = new MockTokenProvider('my-access-token'); + const getTokenSpy = sinon.spy(provider, 'getToken'); + const authenticator = new TokenProviderAuthenticator(provider, context); + + await authenticator.authenticate(); + + expect(getTokenSpy.calledOnce).to.be.true; + }); + + it('should propagate errors from provider', async () => { + const error = new Error('Failed to get token'); + const provider: ITokenProvider = { + async getToken() { + throw error; + }, + getName() { + return 'ErrorProvider'; + }, + }; + const authenticator = new TokenProviderAuthenticator(provider, context); + + try { + await authenticator.authenticate(); + expect.fail('Should have thrown an error'); + } catch (e) { + expect(e).to.equal(error); + } + }); + }); +});