auth-splits

Signed-off-by: Adam Setch <adam.setch@outlook.com>

Author: setchy

src/renderer/__mocks__/account-mocks.ts

@@ -8,7 +8,7 @@ import type {
   Token,
 } from '../types';
 
-import { getRecommendedScopeNames } from '../utils/auth/utils';
+import { getRecommendedScopeNames } from '../utils/auth/scopes';
 import { mockGitifyUser } from './user-mocks';
 
 export const mockGitHubAppAccount: Account = {

src/renderer/components/settings/NotificationSettings.tsx

@@ -36,7 +36,7 @@ import { FetchType, GroupBy, Size } from '../../types';
 import {
   hasAlternateScopes,
   hasRecommendedScopes,
-} from '../../utils/auth/utils';
+} from '../../utils/auth/scopes';
 import { openGitHubParticipatingDocs } from '../../utils/system/links';
 
 export const NotificationSettings: FC = () => {

src/renderer/context/App.test.tsx

@@ -19,6 +19,7 @@ import type {
 } from '../types';
 import type { DeviceFlowSession } from '../utils/auth/types';
 
+import * as authFlows from '../utils/auth/flows';
 import * as authUtils from '../utils/auth/utils';
 import * as storage from '../utils/core/storage';
 import * as notifications from '../utils/notifications/notifications';
@@ -230,7 +231,7 @@ describe('renderer/context/App.tsx', () => {
 
     it('loginWithDeviceFlowStart calls startGitHubDeviceFlow', async () => {
       const startGitHubDeviceFlowSpy = vi
-        .spyOn(authUtils, 'startGitHubDeviceFlow')
+        .spyOn(authFlows, 'startGitHubDeviceFlow')
         .mockImplementation(vi.fn());
 
       const getContext = renderWithContext();
@@ -244,7 +245,7 @@ describe('renderer/context/App.tsx', () => {
 
     it('loginWithDeviceFlowPoll calls pollGitHubDeviceFlow', async () => {
       const pollGitHubDeviceFlowSpy = vi
-        .spyOn(authUtils, 'pollGitHubDeviceFlow')
+        .spyOn(authFlows, 'pollGitHubDeviceFlow')
         .mockImplementation(vi.fn());
 
       const getContext = renderWithContext();
@@ -278,7 +279,7 @@ describe('renderer/context/App.tsx', () => {
 
     it('loginWithOAuthApp calls performGitHubWebOAuth', async () => {
       const performGitHubWebOAuthSpy = vi.spyOn(
-        authUtils,
+        authFlows,
         'performGitHubWebOAuth',
       );
 

src/renderer/context/App.tsx

@@ -39,15 +39,17 @@ import type {
 import { fetchAuthenticatedUserDetails } from '../utils/api/client';
 import { clearOctokitClientCache } from '../utils/api/octokit';
 import {
-  addAccount,
   exchangeAuthCodeForAccessToken,
-  getAccountUUID,
-  hasAccounts,
   performGitHubWebOAuth,
   pollGitHubDeviceFlow,
+  startGitHubDeviceFlow,
+} from '../utils/auth/flows';
+import {
+  addAccount,
+  getAccountUUID,
+  hasAccounts,
   refreshAccount,
   removeAccount,
-  startGitHubDeviceFlow,
 } from '../utils/auth/utils';
 import { clearState, loadState, saveState } from '../utils/core/storage';
 import {

src/renderer/routes/AccountScopes.tsx

@@ -23,7 +23,7 @@ import {
   getRecommendedScopeNames,
   getRequiredScopeNames,
   hasRequiredScopes,
-} from '../utils/auth/utils';
+} from '../utils/auth/scopes';
 import { openDeveloperSettings } from '../utils/system/links';
 
 interface LocationState {

src/renderer/routes/Accounts.tsx

@@ -33,12 +33,8 @@ import { Header } from '../components/primitives/Header';
 import { type Account, type GitifyError, IconColor, Size } from '../types';
 
 import { determineFailureType } from '../utils/api/errors';
-import {
-  getAccountUUID,
-  hasAlternateScopes,
-  hasRecommendedScopes,
-  refreshAccount,
-} from '../utils/auth/utils';
+import { hasAlternateScopes, hasRecommendedScopes } from '../utils/auth/scopes';
+import { getAccountUUID, refreshAccount } from '../utils/auth/utils';
 import { Errors } from '../utils/core/errors';
 import { saveState } from '../utils/core/storage';
 import {

src/renderer/routes/LoginWithDeviceFlow.tsx

@@ -32,7 +32,7 @@ import type { DeviceFlowSession } from '../utils/auth/types';
 import {
   getAlternateScopeNames,
   getRecommendedScopeNames,
-} from '../utils/auth/utils';
+} from '../utils/auth/scopes';
 import { rendererLogError } from '../utils/core/logger';
 import { copyToClipboard, openExternalLink } from '../utils/system/comms';
 import { openDeveloperSettings } from '../utils/system/links';

src/renderer/routes/LoginWithPersonalAccessToken.tsx

@@ -30,8 +30,8 @@ import { Header } from '../components/primitives/Header';
 import type { Account, Hostname, Token } from '../types';
 import type { LoginPersonalAccessTokenOptions } from '../utils/auth/types';
 
+import { formatRecommendedOAuthScopes } from '../utils/auth/scopes';
 import {
-  formatRecommendedOAuthScopes,
   getNewTokenURL,
   isValidHostname,
   isValidToken,

src/renderer/utils/auth/flows.test.ts

@@ -0,0 +1,240 @@
+// Use a hoist-safe mock factory for '@octokit/oauth-methods'
+vi.mock('@octokit/oauth-methods', async () => {
+  const actual = await vi.importActual<typeof import('@octokit/oauth-methods')>(
+    '@octokit/oauth-methods',
+  );
+  return {
+    ...actual,
+    createDeviceCode: vi.fn(),
+    exchangeDeviceCode: vi.fn(),
+    exchangeWebFlowCode: vi.fn(),
+  };
+});
+
+import {
+  createDeviceCode,
+  exchangeDeviceCode,
+  exchangeWebFlowCode,
+} from '@octokit/oauth-methods';
+import { RequestError } from '@octokit/request-error';
+
+import type { MockedFunction } from 'vitest';
+
+import { Constants } from '../../constants';
+
+import type { AuthCode, ClientID, ClientSecret, Hostname } from '../../types';
+import type { DeviceFlowSession, LoginOAuthWebOptions } from './types';
+
+import * as comms from '../../utils/system/comms';
+import * as logger from '../core/logger';
+import * as authUtils from './flows';
+import { getRecommendedScopeNames } from './scopes';
+
+const createDeviceCodeMock = createDeviceCode as unknown as MockedFunction<
+  typeof createDeviceCode
+>;
+
+const exchangeDeviceCodeMock = exchangeDeviceCode as unknown as MockedFunction<
+  typeof exchangeDeviceCode
+>;
+
+const exchangeWebFlowCodeMock =
+  exchangeWebFlowCode as unknown as MockedFunction<typeof exchangeWebFlowCode>;
+
+describe('renderer/utils/auth/flows.ts', () => {
+  vi.spyOn(logger, 'rendererLogInfo').mockImplementation(vi.fn());
+  const openExternalLinkSpy = vi
+    .spyOn(comms, 'openExternalLink')
+    .mockImplementation(vi.fn());
+
+  beforeEach(() => {
+    // Mock OAUTH_DEVICE_FLOW_CLIENT_ID value
+    Constants.OAUTH_DEVICE_FLOW_CLIENT_ID = 'FAKE_CLIENT_ID_123' as ClientID;
+  });
+
+  describe('Gitify GitHub OAuth - Device Code Flow', () => {
+    describe('startGitHubDeviceFlow', () => {
+      it('should request a device code and return a session', async () => {
+        createDeviceCodeMock.mockResolvedValueOnce({
+          data: {
+            device_code: 'device-code-xyz',
+            user_code: 'user-code-xyz',
+            verification_uri: 'https://github.com/login/device',
+            expires_in: 600,
+            interval: 5,
+          },
+        } as unknown as Awaited<ReturnType<typeof createDeviceCode>>);
+
+        const session = await authUtils.startGitHubDeviceFlow();
+
+        expect(createDeviceCodeMock).toHaveBeenCalledWith({
+          clientType: 'oauth-app',
+          clientId: 'FAKE_CLIENT_ID_123',
+          scopes: getRecommendedScopeNames(),
+          request: expect.any(Function),
+        });
+
+        expect(session.deviceCode).toBe('device-code-xyz');
+        expect(session.userCode).toBe('user-code-xyz');
+        expect(session.verificationUri).toBe('https://github.com/login/device');
+        expect(session.intervalSeconds).toBe(5);
+        expect(session.expiresAt).toBeGreaterThan(Date.now());
+      });
+    });
+
+    describe('pollGitHubDeviceFlow', () => {
+      const baseSession = {
+        hostname: 'github.com',
+        clientId: 'FAKE_CLIENT_ID_123',
+        deviceCode: 'device-code',
+        userCode: 'user-code',
+        verificationUri: 'https://github.com/login/device',
+        intervalSeconds: 5,
+        expiresAt: Date.now() + 10000,
+      } as const;
+
+      it('returns token on successful exchange', async () => {
+        exchangeDeviceCodeMock.mockResolvedValueOnce({
+          authentication: { token: 'device-token-xyz' },
+        } as unknown as Awaited<ReturnType<typeof exchangeDeviceCode>>);
+
+        const token = await authUtils.pollGitHubDeviceFlow(
+          baseSession as DeviceFlowSession,
+        );
+
+        expect(exchangeDeviceCodeMock).toHaveBeenCalledWith({
+          clientType: 'oauth-app',
+          clientId: 'FAKE_CLIENT_ID_123',
+          code: 'device-code',
+          request: expect.any(Function),
+        });
+
+        expect(token).toBe('device-token-xyz');
+      });
+
+      it('returns null when authorization is pending or slow_down', async () => {
+        const pendingErr = Object.create(RequestError.prototype);
+        pendingErr.response = { data: { error: 'authorization_pending' } };
+
+        exchangeDeviceCodeMock.mockRejectedValueOnce(pendingErr);
+
+        const token = await authUtils.pollGitHubDeviceFlow(
+          baseSession as DeviceFlowSession,
+        );
+
+        expect(token).toBeNull();
+      });
+
+      it('throws on other errors', async () => {
+        const otherErr = new Error('boom');
+
+        exchangeDeviceCodeMock.mockRejectedValueOnce(otherErr);
+
+        await expect(
+          async () =>
+            await authUtils.pollGitHubDeviceFlow(
+              baseSession as DeviceFlowSession,
+            ),
+        ).rejects.toThrow('boom');
+      });
+    });
+  });
+
+  describe('performGitHubWebOAuth', () => {
+    const webAuthOptions: LoginOAuthWebOptions = {
+      hostname: 'github.com' as Hostname,
+      clientId: 'FAKE_CLIENT_ID_123' as ClientID,
+      clientSecret: 'FAKE_CLIENT_SECRET_123' as ClientSecret,
+    };
+
+    it('should call performGitHubWebOAuth using custom oauth app - success oauth flow', async () => {
+      window.gitify.onAuthCallback = vi.fn().mockImplementation((callback) => {
+        callback('gitify://oauth?code=123-456');
+      });
+
+      const res = await authUtils.performGitHubWebOAuth({
+        clientId: 'BYO_CLIENT_ID' as ClientID,
+        clientSecret: 'BYO_CLIENT_SECRET' as ClientSecret,
+        hostname: 'my.git.com' as Hostname,
+      });
+
+      expect(openExternalLinkSpy).toHaveBeenCalledTimes(1);
+      expect(openExternalLinkSpy).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'https://my.git.com/login/oauth/authorize?allow_signup=false&client_id=BYO_CLIENT_ID&scope=notifications%2Cread%3Auser%2Crepo',
+        ),
+      );
+
+      expect(window.gitify.onAuthCallback).toHaveBeenCalledTimes(1);
+      expect(window.gitify.onAuthCallback).toHaveBeenCalledWith(
+        expect.any(Function),
+      );
+
+      expect(res.authMethod).toBe('OAuth App');
+      expect(res.authCode).toBe('123-456');
+    });
+
+    it('should call performGitHubWebOAuth - failure', async () => {
+      window.gitify.onAuthCallback = vi.fn().mockImplementation((callback) => {
+        callback(
+          'gitify://auth?error=invalid_request&error_description=The+redirect_uri+is+missing+or+invalid.&error_uri=https://docs.github.com/en/developers/apps/troubleshooting-oauth-errors',
+        );
+      });
+
+      await expect(
+        async () => await authUtils.performGitHubWebOAuth(webAuthOptions),
+      ).rejects.toEqual(
+        new Error(
+          "Oops! Something went wrong and we couldn't log you in using GitHub. Please try again. Reason: The redirect_uri is missing or invalid. Docs: https://docs.github.com/en/developers/apps/troubleshooting-oauth-errors",
+        ),
+      );
+
+      expect(openExternalLinkSpy).toHaveBeenCalledTimes(1);
+      expect(openExternalLinkSpy).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'https://github.com/login/oauth/authorize?allow_signup=false&client_id=FAKE_CLIENT_ID_123&scope=notifications%2Cread%3Auser%2Crepo',
+        ),
+      );
+
+      expect(window.gitify.onAuthCallback).toHaveBeenCalledTimes(1);
+      expect(window.gitify.onAuthCallback).toHaveBeenCalledWith(
+        expect.any(Function),
+      );
+    });
+
+    describe('exchangeAuthCodeForAccessToken', () => {
+      const authCode = '123-456' as AuthCode;
+
+      it('should exchange auth code for access token', async () => {
+        exchangeWebFlowCodeMock.mockResolvedValueOnce({
+          authentication: {
+            token: 'this-is-a-token',
+          },
+        } as unknown as Awaited<ReturnType<typeof exchangeWebFlowCode>>);
+
+        const res = await authUtils.exchangeAuthCodeForAccessToken(authCode, {
+          ...webAuthOptions,
+        });
+
+        expect(exchangeWebFlowCodeMock).toHaveBeenCalledWith({
+          clientType: 'oauth-app',
+          clientId: 'FAKE_CLIENT_ID_123',
+          clientSecret: 'FAKE_CLIENT_SECRET_123',
+          code: '123-456',
+          request: expect.any(Function),
+        });
+        expect(res).toBe('this-is-a-token');
+      });
+
+      it('should throw when client secret is missing', async () => {
+        await expect(
+          async () =>
+            await authUtils.exchangeAuthCodeForAccessToken(authCode, {
+              ...webAuthOptions,
+              clientSecret: undefined as unknown as ClientSecret,
+            }),
+        ).rejects.toThrow('clientSecret is required to exchange an auth code');
+      });
+    });
+  });
+});