Add generate_pkce e2e action and use SPA client in link_oauth tests

generate_pkce produces a code_verifier and code_challenge (S256) so tests
can use the e2e SPA client, which is the realistic client type for settings
action invocations from the SDK.

ref DEV-3595

Author: carmenlau

e2e/pkg/testrunner/models.go

@@ -270,7 +270,8 @@ var _ = TestCaseSchema.Add("Step", `
 			"admin_api_user_import_create",
 			"admin_api_user_import_get",
 			"generate_app_session_token",
-			"generate_refresh_token"
+			"generate_refresh_token",
+			"generate_pkce"
 		]},
 		"sleep_for": { "type": "string", "format": "x_duration_string" },
 		"input": { "type": "string" },
@@ -632,6 +633,7 @@ const (
 	StepActionAdminAPIUserImportGet    StepAction = "admin_api_user_import_get"
 	StepActionGenerateAppSessionToken  StepAction = "generate_app_session_token"
 	StepActionGenerateRefreshToken     StepAction = "generate_refresh_token"
+	StepActionGeneratePKCE             StepAction = "generate_pkce"
 )
 
 var _ = TestCaseSchema.Add("SessionCookie", `

e2e/pkg/testrunner/testcase.go

@@ -20,6 +20,7 @@ import (
 
 	authflowclient "github.com/authgear/authgear-server/e2e/pkg/e2eclient"
 	"github.com/authgear/authgear-server/pkg/graphqlgo/relay"
+	"github.com/authgear/authgear-server/pkg/util/pkce"
 	"github.com/authgear/authgear-server/pkg/util/secretcode"
 )
 
@@ -711,6 +712,16 @@ func (tc *TestCase) executeStep(
 			Error: nil,
 		}
 
+	case StepActionGeneratePKCE:
+		verifier := pkce.GenerateS256Verifier()
+		result = &StepResult{
+			Result: map[string]any{
+				"code_verifier":  verifier.CodeVerifier,
+				"code_challenge": verifier.Challenge(),
+			},
+			Error: nil,
+		}
+
 	default:
 		t.Errorf("unknown action in '%s': %s", step.Name, step.Action)
 		return nil, state, false

e2e/tests/settings_action/link_oauth/link_oauth.test.yaml

@@ -51,6 +51,11 @@ steps:
     action: generate_app_session_token
     generate_app_session_token_refresh_token: '{{ .steps.generate_refresh_token.result.refresh_token }}'
 
+  # ── Generate PKCE pair for the SPA client ──
+
+  - name: pkce
+    action: generate_pkce
+
   # ── Start link_oauth settings action ──
   # Server sets app_session_token cookie and redirects to settings page with x_ref
 
@@ -60,9 +65,11 @@ steps:
     http_request_url: http://127.0.0.1:4000/oauth2/authorize
     http_request_query:
       response_type: "urn:authgear:params:oauth:response-type:settings-action"
-      client_id: e2econfidential
-      redirect_uri: http://localhost
+      client_id: e2e
+      redirect_uri: http://localhost:4000
       scope: openid
+      code_challenge: "{{ .steps.pkce.result.code_challenge }}"
+      code_challenge_method: S256
       x_settings_action: link_oauth
       x_oauth_provider_alias: google
       login_hint: 'https://authgear.com/login_hint?type=app_session_token&app_session_token={{ .steps.generate_app_session_token.result.app_session_token }}'

e2e/tests/settings_action/link_oauth/link_oauth_already_linked.test.yaml

@@ -49,15 +49,20 @@ steps:
     action: generate_app_session_token
     generate_app_session_token_refresh_token: '{{ .steps.generate_refresh_token_1.result.refresh_token }}'
 
+  - name: pkce_1
+    action: generate_pkce
+
   - name: settings_action_authorize_1
     action: http_request
     http_request_method: GET
     http_request_url: http://127.0.0.1:4000/oauth2/authorize
     http_request_query:
       response_type: "urn:authgear:params:oauth:response-type:settings-action"
-      client_id: e2econfidential
-      redirect_uri: http://localhost
+      client_id: e2e
+      redirect_uri: http://localhost:4000
       scope: openid
+      code_challenge: "{{ .steps.pkce_1.result.code_challenge }}"
+      code_challenge_method: S256
       x_settings_action: link_oauth
       x_oauth_provider_alias: google
       login_hint: 'https://authgear.com/login_hint?type=app_session_token&app_session_token={{ .steps.generate_app_session_token_1.result.app_session_token }}'
@@ -105,15 +110,20 @@ steps:
     action: generate_app_session_token
     generate_app_session_token_refresh_token: '{{ .steps.generate_refresh_token_2.result.refresh_token }}'
 
+  - name: pkce_2
+    action: generate_pkce
+
   - name: settings_action_authorize_2
     action: http_request
     http_request_method: GET
     http_request_url: http://127.0.0.1:4000/oauth2/authorize
     http_request_query:
       response_type: "urn:authgear:params:oauth:response-type:settings-action"
-      client_id: e2econfidential
-      redirect_uri: http://localhost
+      client_id: e2e
+      redirect_uri: http://localhost:4000
       scope: openid
+      code_challenge: "{{ .steps.pkce_2.result.code_challenge }}"
+      code_challenge_method: S256
       x_settings_action: link_oauth
       x_oauth_provider_alias: google
       login_hint: 'https://authgear.com/login_hint?type=app_session_token&app_session_token={{ .steps.generate_app_session_token_2.result.app_session_token }}'

e2e/tests/settings_action/link_oauth/link_oauth_conflict.test.yaml

@@ -58,15 +58,20 @@ steps:
     action: generate_app_session_token
     generate_app_session_token_refresh_token: '{{ .steps.generate_refresh_token_a.result.refresh_token }}'
 
+  - name: pkce_a
+    action: generate_pkce
+
   - name: settings_action_authorize_a
     action: http_request
     http_request_method: GET
     http_request_url: http://127.0.0.1:4000/oauth2/authorize
     http_request_query:
       response_type: "urn:authgear:params:oauth:response-type:settings-action"
-      client_id: e2econfidential
-      redirect_uri: http://localhost
+      client_id: e2e
+      redirect_uri: http://localhost:4000
       scope: openid
+      code_challenge: "{{ .steps.pkce_a.result.code_challenge }}"
+      code_challenge_method: S256
       x_settings_action: link_oauth
       x_oauth_provider_alias: google
       login_hint: 'https://authgear.com/login_hint?type=app_session_token&app_session_token={{ .steps.generate_app_session_token_a.result.app_session_token }}'
@@ -114,15 +119,20 @@ steps:
     action: generate_app_session_token
     generate_app_session_token_refresh_token: '{{ .steps.generate_refresh_token_b.result.refresh_token }}'
 
+  - name: pkce_b
+    action: generate_pkce
+
   - name: settings_action_authorize_b
     action: http_request
     http_request_method: GET
     http_request_url: http://127.0.0.1:4000/oauth2/authorize
     http_request_query:
       response_type: "urn:authgear:params:oauth:response-type:settings-action"
-      client_id: e2econfidential
-      redirect_uri: http://localhost
+      client_id: e2e
+      redirect_uri: http://localhost:4000
       scope: openid
+      code_challenge: "{{ .steps.pkce_b.result.code_challenge }}"
+      code_challenge_method: S256
       x_settings_action: link_oauth
       x_oauth_provider_alias: google
       login_hint: 'https://authgear.com/login_hint?type=app_session_token&app_session_token={{ .steps.generate_app_session_token_b.result.app_session_token }}'