feat: add test for revoke refresh token on logout (#3716)

ImmutableJeffrey · ImmutableJeffrey · commit a7afeb8cf4fe · 2025-06-06T15:43:43.000+10:00
diff --git a/packages/passport/sdk/src/authManager.test.ts b/packages/passport/sdk/src/authManager.test.ts
@@ -94,6 +94,7 @@ describe('AuthManager', () => {
   let mockStoreUser: jest.Mock;
   let mockOverlayAppend: jest.Mock;
   let mockOverlayRemove: jest.Mock;
+  let mockRevokeTokens: jest.Mock;
 
   beforeEach(() => {
     mockSigninPopup = jest.fn();
@@ -106,6 +107,7 @@ describe('AuthManager', () => {
     mockStoreUser = jest.fn();
     mockOverlayAppend = jest.fn();
     mockOverlayRemove = jest.fn();
+    mockRevokeTokens = jest.fn();
     (UserManager as jest.Mock).mockReturnValue({
       signinPopup: mockSigninPopup,
       signinCallback: mockSigninCallback,
@@ -115,6 +117,9 @@ describe('AuthManager', () => {
       getUser: mockGetUser,
       signinSilent: mockSigninSilent,
       storeUser: mockStoreUser,
+      removeUser: jest.fn(),
+      clearStaleState: jest.fn(),
+      revokeTokens: mockRevokeTokens,
     });
     (Overlay as jest.Mock).mockReturnValue({
       append: mockOverlayAppend,
@@ -140,11 +145,13 @@ describe('AuthManager', () => {
           userinfo_endpoint: `${config.authenticationDomain}/userinfo`,
           end_session_endpoint: `${config.authenticationDomain}${logoutEndpoint}`
             + `?client_id=${config.oidcConfiguration.clientId}`,
+          revocation_endpoint: `${config.authenticationDomain}/oauth/revoke`,
         },
         popup_redirect_uri: config.oidcConfiguration.popupRedirectUri,
         redirect_uri: config.oidcConfiguration.redirectUri,
         scope: config.oidcConfiguration.scope,
         userStore: expect.any(WebStorageStateStore),
+        revokeTokenTypes: ['refresh_token'],
       });
     });
 
@@ -383,53 +390,91 @@ describe('AuthManager', () => {
   });
 
   describe('logout', () => {
-    it('should call redirect logout if logout mode is redirect', async () => {
-      const configuration = getConfig({
-        logoutMode: 'redirect',
-      });
-      const manager = new AuthManager(configuration);
-
-      await manager.logout();
-
-      expect(mockSignoutRedirect).toBeCalled();
+    it('should revoke refresh token and call signoutRedirect by default', async () => {
+      mockGetUser.mockResolvedValue(mockOidcUser);
+      await authManager.logout();
+      expect(mockGetUser).toHaveBeenCalledTimes(1);
+      expect(mockRevokeTokens).toHaveBeenCalledWith(['refresh_token']);
+      expect(mockSignoutRedirect).toHaveBeenCalledTimes(1);
+      expect(mockSignoutSilent).not.toHaveBeenCalled();
     });
 
-    it('should call redirect logout if logout mode is not set', async () => {
-      const configuration = getConfig({
-        logoutMode: undefined,
-      });
-      const manager = new AuthManager(configuration);
+    it('should call signoutSilent when logoutMode is silent', async () => {
+      const silentLogoutConfig = getConfig({ logoutMode: 'silent' });
+      authManager = new AuthManager(silentLogoutConfig);
+      mockGetUser.mockResolvedValue(mockOidcUser);
 
-      await manager.logout();
+      await authManager.logout();
 
-      expect(mockSignoutRedirect).toBeCalled();
+      expect(mockGetUser).toHaveBeenCalledTimes(1);
+      expect(mockRevokeTokens).toHaveBeenCalledWith(['refresh_token']);
+      expect(mockSignoutSilent).toHaveBeenCalledTimes(1);
+      expect(mockSignoutRedirect).not.toHaveBeenCalled();
     });
 
-    it('should call silent logout if logout mode is silent', async () => {
-      const configuration = getConfig({
-        logoutMode: 'silent',
-      });
-      const manager = new AuthManager(configuration);
+    it('should not call revokeTokens if user has no refresh token', async () => {
+      const userWithoutRefreshToken = { ...mockOidcUser, refresh_token: undefined };
+      mockGetUser.mockResolvedValue(userWithoutRefreshToken);
+      await authManager.logout();
+      expect(mockGetUser).toHaveBeenCalledTimes(1);
+      expect(mockRevokeTokens).not.toHaveBeenCalled();
+      expect(mockSignoutRedirect).toHaveBeenCalledTimes(1);
+    });
+
+    it('should not call revokeTokens or signout methods if no user is found', async () => {
+      mockGetUser.mockResolvedValue(null);
+      await authManager.logout();
+      expect(mockGetUser).toHaveBeenCalledTimes(1);
+      expect(mockRevokeTokens).not.toHaveBeenCalled();
+      expect(mockSignoutRedirect).not.toHaveBeenCalled();
+      expect(mockSignoutSilent).not.toHaveBeenCalled();
+    });
 
-      await manager.logout();
+    it('should throw PassportError if revokeTokens fails', async () => {
+      mockGetUser.mockResolvedValue(mockOidcUser);
+      const revokeError = new Error('Revoke failed');
+      mockRevokeTokens.mockRejectedValue(revokeError);
 
-      expect(mockSignoutSilent).toBeCalled();
+      await expect(authManager.logout()).rejects.toThrow(
+        new PassportError(
+          revokeError.message,
+          PassportErrorType.LOGOUT_ERROR,
+        ),
+      );
+      expect(mockRevokeTokens).toHaveBeenCalledWith(['refresh_token']);
+      expect(mockSignoutRedirect).not.toHaveBeenCalled();
     });
 
-    it('should throw an error if user is failed to logout', async () => {
-      const configuration = getConfig({
-        logoutMode: 'redirect',
-      });
-      const manager = new AuthManager(configuration);
+    it('should throw PassportError if signoutRedirect fails', async () => {
+      mockGetUser.mockResolvedValue(mockOidcUser);
+      const signOutError = new Error('Signout failed');
+      mockSignoutRedirect.mockRejectedValue(signOutError);
+
+      await expect(authManager.logout()).rejects.toThrow(
+        new PassportError(
+          signOutError.message,
+          PassportErrorType.LOGOUT_ERROR,
+        ),
+      );
+      expect(mockRevokeTokens).toHaveBeenCalledWith(['refresh_token']);
+      expect(mockSignoutRedirect).toHaveBeenCalledTimes(1);
+    });
 
-      mockSignoutRedirect.mockRejectedValue(new Error(mockErrorMsg));
+    it('should throw PassportError if signoutSilent fails', async () => {
+      const silentLogoutConfig = getConfig({ logoutMode: 'silent' });
+      authManager = new AuthManager(silentLogoutConfig);
+      mockGetUser.mockResolvedValue(mockOidcUser);
+      const signOutError = new Error('Signout silent failed');
+      mockSignoutSilent.mockRejectedValue(signOutError);
 
-      await expect(() => manager.logout()).rejects.toThrow(
+      await expect(authManager.logout()).rejects.toThrow(
         new PassportError(
-          mockErrorMsg,
+          signOutError.message,
           PassportErrorType.LOGOUT_ERROR,
         ),
       );
+      expect(mockRevokeTokens).toHaveBeenCalledWith(['refresh_token']);
+      expect(mockSignoutSilent).toHaveBeenCalledTimes(1);
     });
   });
 
@@ -473,7 +518,7 @@ describe('AuthManager', () => {
 
       await expect(() => authManager.getUser()).rejects.toThrow(
         new PassportError(
-          'Failed to refresh token: oops: Failed to remove user: this.userManager.removeUser is not a function',
+          'Failed to refresh token: oops',
           PassportErrorType.AUTHENTICATION_ERROR,
         ),
       );
