import { describe, expect, it } from "vitest";
import {
  buildAdminAuthRedirectUris,
  canStartBrowserPkceLogin,
  resolveAdminOidcAuthority,
  resolveAdminPublicOrigin,
} from "./authConfig";

/**
 * Tests for the admin console auth configuration helpers.
 *
 * Covered here: how the public origin and the OIDC redirect URIs are derived,
 * which OIDC authority is chosen for a localhost origin, and when the
 * browser-side PKCE login is allowed to start.
 */
describe("admin auth config", () => {
  it("uses the explicit public admin origin for staging callback URLs", () => {
    // The configured origin is expected to win over the origin the browser reports,
    // so the callback URLs stay on the public host.
    const configuredOrigin = "https://sadmin.hmac.kr";
    const browserOrigin = "http://127.0.0.1:5173";

    const publicOrigin = resolveAdminPublicOrigin(configuredOrigin, browserOrigin);
    expect(publicOrigin).toBe("https://sadmin.hmac.kr");

    // All three redirect targets must sit on the resolved public origin.
    // NOTE(review): presumably these have to match the URIs registered with the
    // OIDC provider exactly; confirm against the client registration.
    const redirectUris = buildAdminAuthRedirectUris(publicOrigin);
    expect(redirectUris).toEqual({
      redirectUri: "https://sadmin.hmac.kr/auth/callback",
      postLogoutRedirectUri: "https://sadmin.hmac.kr",
      popupRedirectUri: "https://sadmin.hmac.kr/auth/callback",
    });
  });

  it("falls back to the browser origin when no explicit public origin is set", () => {
    // An empty configured origin counts as "not set".
    const resolvedOrigin = resolveAdminPublicOrigin("", "http://localhost:5173");
    expect(resolvedOrigin).toBe("http://localhost:5173");
  });

  it("uses the local OIDC authority for localhost when no explicit authority is set", () => {
    const authority = resolveAdminOidcAuthority(undefined, "http://localhost:5173");
    expect(authority).toBe("http://localhost:5000/oidc");
  });

  it("blocks browser PKCE login when WebCrypto is unavailable", () => {
    // Without WebCrypto the login must be refused for an insecure local origin
    // and for a secure HTTPS origin alike.
    const environmentsWithoutWebCrypto = [
      {
        isSecureContext: false,
        origin: "http://localhost:5173",
        cryptoSubtleAvailable: false,
      },
      {
        isSecureContext: true,
        origin: "https://admin.example.test",
        cryptoSubtleAvailable: false,
      },
    ];

    environmentsWithoutWebCrypto.forEach((environment) => {
      expect(canStartBrowserPkceLogin(environment)).toBe(false);
    });
  });

  it("allows trusted local and private-network origins only when WebCrypto is available", () => {
    // Plain-HTTP origins the helper is expected to accept without a secure context.
    // NOTE(review): browsers expose crypto.subtle only in secure contexts, so
    // isSecureContext: false together with cryptoSubtleAvailable: true is a synthetic
    // combination; confirm which real environments it is meant to model.
    // NOTE(review): no case here pins the deny path for a public plain-HTTP origin
    // with WebCrypto available; worth adding once the intended result is confirmed.
    const trustedInsecureOrigins = [
      "http://localhost:5173",
      "http://127.0.0.1:5173",
      "http://host.docker.internal:5173",
      "http://172.16.9.189:5173",
      "http://192.168.0.20:5173",
    ];

    trustedInsecureOrigins.forEach((origin) => {
      const allowed = canStartBrowserPkceLogin({
        isSecureContext: false,
        origin,
        cryptoSubtleAvailable: true,
      });
      expect(allowed).toBe(true);
    });
  });
});