Added some initial test coverage

geelen · geelen · commit 419465eeb914 · 2025-05-30T15:31:31.000+10:00
diff --git a/src/client/sse.test.ts b/src/client/sse.test.ts
@@ -4,6 +4,7 @@ import { JSONRPCMessage } from "../types.js";
 import { SSEClientTransport } from "./sse.js";
 import { OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { OAuthTokens } from "../shared/auth.js";
+import { InvalidClientError, InvalidGrantError, UnauthorizedClientError } from "../server/auth/errors.js";
 
 describe("SSEClientTransport", () => {
   let server: Server;
@@ -310,6 +311,7 @@ describe("SSEClientTransport", () => {
         redirectToAuthorization: jest.fn(),
         saveCodeVerifier: jest.fn(),
         codeVerifier: jest.fn(),
+        invalidateCredentials: jest.fn(),
       };
     });
 
@@ -721,5 +723,179 @@ describe("SSEClientTransport", () => {
       await expect(() => transport.start()).rejects.toThrow(UnauthorizedError);
       expect(mockAuthProvider.redirectToAuthorization).toHaveBeenCalled();
     });
+
+    it("invalidates all credentials on InvalidClientError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+
+      // Create server that returns InvalidClientError on token refresh
+      await server.close();
+
+      server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return InvalidClientError
+          const error = new InvalidClientError("Client authentication failed");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(InvalidClientError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+    });
+
+    it("invalidates all credentials on UnauthorizedClientError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+
+      // Create server that returns UnauthorizedClientError on token refresh
+      await server.close();
+
+      server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return UnauthorizedClientError
+          const error = new UnauthorizedClientError("Client not authorized");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(UnauthorizedClientError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+    });
+
+    it("invalidates tokens on InvalidGrantError during token refresh", async () => {
+      // Mock tokens() to return token with refresh token
+      mockAuthProvider.tokens.mockResolvedValue({
+        access_token: "expired-token",
+        token_type: "Bearer",
+        refresh_token: "refresh-token"
+      });
+
+      // Create server that returns InvalidGrantError on token refresh
+      await server.close();
+
+      server = createServer((req, res) => {
+        lastServerRequest = req;
+
+        // Handle OAuth metadata discovery
+        if (req.url === "/.well-known/oauth-authorization-server" && req.method === "GET") {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            issuer: baseUrl.href,
+            authorization_endpoint: `${baseUrl.href}authorize`,
+            token_endpoint: `${baseUrl.href}token`,
+            response_types_supported: ["code"],
+            code_challenge_methods_supported: ["S256"],
+          }));
+          return;
+        }
+
+        if (req.url === "/token" && req.method === "POST") {
+          // Handle token refresh request - return InvalidGrantError
+          const error = new InvalidGrantError("Invalid refresh token");
+          res.writeHead(400, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify(error.toResponseObject()));
+          return;
+        }
+
+        if (req.url !== "/") {
+          res.writeHead(404).end();
+          return;
+        }
+        res.writeHead(401).end();
+      });
+
+      await new Promise<void>(resolve => {
+        server.listen(0, "127.0.0.1", () => {
+          const addr = server.address() as AddressInfo;
+          baseUrl = new URL(`http://127.0.0.1:${addr.port}`);
+          resolve();
+        });
+      });
+
+      transport = new SSEClientTransport(baseUrl, {
+        authProvider: mockAuthProvider,
+      });
+
+      await expect(() => transport.start()).rejects.toThrow(InvalidGrantError);
+      expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('tokens');
+    });
   });
 });
diff --git a/src/client/streamableHttp.test.ts b/src/client/streamableHttp.test.ts
@@ -1,6 +1,7 @@
 import { StreamableHTTPClientTransport, StreamableHTTPReconnectionOptions } from "./streamableHttp.js";
 import { OAuthClientProvider, UnauthorizedError } from "./auth.js";
 import { JSONRPCMessage } from "../types.js";
+import { InvalidClientError, InvalidGrantError, UnauthorizedClientError } from "../server/auth/errors.js";
 
 
 describe("StreamableHTTPClientTransport", () => {
@@ -17,6 +18,7 @@ describe("StreamableHTTPClientTransport", () => {
       redirectToAuthorization: jest.fn(),
       saveCodeVerifier: jest.fn(),
       codeVerifier: jest.fn(),
+      invalidateCredentials: jest.fn(),
     };
     transport = new StreamableHTTPClientTransport(new URL("http://localhost:1234/mcp"), { authProvider: mockAuthProvider });
     jest.spyOn(global, "fetch");
@@ -532,4 +534,148 @@ describe("StreamableHTTPClientTransport", () => {
     await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
     expect(mockAuthProvider.redirectToAuthorization.mock.calls).toHaveLength(1);
   });
+
+  it("invalidates all credentials on InvalidClientError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    (global.fetch as jest.Mock)
+      .mockResolvedValueOnce({
+        ok: false,
+        status: 401,
+        statusText: "Unauthorized",
+        headers: new Headers()
+      })
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with InvalidClientError
+      .mockResolvedValueOnce(Response.json(
+        new InvalidClientError("Client authentication failed").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+  });
+
+  it("invalidates all credentials on UnauthorizedClientError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    (global.fetch as jest.Mock)
+      .mockResolvedValueOnce({
+        ok: false,
+        status: 401,
+        statusText: "Unauthorized",
+        headers: new Headers()
+      })
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with UnauthorizedClientError
+      .mockResolvedValueOnce(Response.json(
+        new UnauthorizedClientError("Client not authorized").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('all');
+  });
+
+  it("invalidates tokens on InvalidGrantError during auth", async () => {
+    const message: JSONRPCMessage = {
+      jsonrpc: "2.0",
+      method: "test",
+      params: {},
+      id: "test-id"
+    };
+
+    mockAuthProvider.tokens.mockResolvedValue({
+      access_token: "test-token",
+      token_type: "Bearer",
+      refresh_token: "test-refresh"
+    });
+
+    (global.fetch as jest.Mock)
+      .mockResolvedValueOnce({
+        ok: false,
+        status: 401,
+        statusText: "Unauthorized",
+        headers: new Headers()
+      })
+      // OAuth metadata discovery
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          issuer: "http://localhost:1234",
+          authorization_endpoint: "http://localhost:1234/authorize",
+          token_endpoint: "http://localhost:1234/token",
+          response_types_supported: ["code"],
+          code_challenge_methods_supported: ["S256"],
+        }),
+      })
+      // Token refresh fails with InvalidGrantError
+      .mockResolvedValueOnce(Response.json(
+        new InvalidGrantError("Invalid refresh token").toResponseObject(),
+        { status: 400 }
+      ))
+      // Fallback should fail to complete the flow
+      .mockResolvedValue({
+        ok: false,
+        status: 404
+      });
+
+    await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+    expect(mockAuthProvider.invalidateCredentials).toHaveBeenCalledWith('tokens');
+  });
 });
