baron-sso/adminfront/src/lib/authConfig.test.ts

import { describe, expect, it } from "vitest";
import {
  buildAdminAuthRedirectUris,
  canStartBrowserPkceLogin,
  resolveAdminOidcAuthority,
  resolveAdminPublicOrigin,
} from "./authConfig";

describe("admin auth config", () => {
  it("uses the explicit public admin origin for staging callback URLs", () => {
    const publicOrigin = resolveAdminPublicOrigin(
      "https://sadmin.hmac.kr",
      "http://127.0.0.1:5173",
    );

    expect(publicOrigin).toBe("https://sadmin.hmac.kr");
    expect(buildAdminAuthRedirectUris(publicOrigin)).toEqual({
      redirectUri: "https://sadmin.hmac.kr/auth/callback",
      postLogoutRedirectUri: "https://sadmin.hmac.kr",
      popupRedirectUri: "https://sadmin.hmac.kr/auth/callback",
    });
  });

  it("falls back to the browser origin when no explicit public origin is set", () => {
    expect(resolveAdminPublicOrigin("", "http://localhost:5173")).toBe(
      "http://localhost:5173",
    );
  });

  it("uses the local OIDC authority for localhost when no explicit authority is set", () => {
    expect(resolveAdminOidcAuthority(undefined, "http://localhost:5173")).toBe(
      "http://localhost:5000/oidc",
    );
  });

  it("blocks browser PKCE login when WebCrypto is unavailable", () => {
    expect(
      canStartBrowserPkceLogin({
        isSecureContext: false,
        origin: "http://localhost:5173",
        cryptoSubtleAvailable: false,
      }),
    ).toBe(false);
    expect(
      canStartBrowserPkceLogin({
        isSecureContext: true,
        origin: "https://admin.example.test",
        cryptoSubtleAvailable: false,
      }),
    ).toBe(false);
  });

  it("allows trusted local and private-network origins only when WebCrypto is available", () => {
    for (const origin of [
      "http://localhost:5173",
      "http://127.0.0.1:5173",
      "http://host.docker.internal:5173",
      "http://172.16.9.189:5173",
      "http://192.168.0.20:5173",
    ]) {
      expect(
        canStartBrowserPkceLogin({
          isSecureContext: false,
          origin,
          cryptoSubtleAvailable: true,
        }),
      ).toBe(true);
    }
  });
});