
test(connect): add regression testing for oauth callback flow #411

Open

VIDYANKSHINI wants to merge 1 commit into Dev-Card:main from VIDYANKSHINI:fix/oauth-callback-auth

Conversation

@VIDYANKSHINI

Summary

This PR introduces comprehensive regression testing for the OAuth connect callback flow to fulfill the Acceptance Criteria for Issue #380. (Note: The core route logic to remove app.authenticate and use the Redis nonce flow was already merged in upstream main during a previous sync, so this PR exclusively adds the missing test coverage to guarantee its security and functionality).

Closes #380


Type of Change

  • Bug fix
  • New feature
  • Refactor (no functional change)
  • UI / Design change
  • Tests only
  • Documentation
  • Infrastructure / DevOps
  • Security

What Changed

  • apps/backend/src/__tests__/connect.test.ts:
    • Replaced the skeleton tests with a fully implemented test suite using vitest, mockRedis, and mockPrisma.
    • Added tests for the Valid Callback Flow, ensuring code exchange via fetch and token upsertion.
    • Added negative tests to handle Missing Params (code or state).
    • Added security regression tests for Invalid/Malformed State and Expired/Invalid Nonce Handling (CSRF protection checks).
    • Validated Replay Attack prevention by ensuring redis.del is strictly called upon nonce verification.

How to Test

  1. Navigate to the apps/backend directory.
  2. Run the test suite using pnpm exec vitest run src/__tests__/connect.test.ts.
  3. Verify that all 7 test cases pass successfully without any 500 or 401 errors.

Checklist

  • My code follows the project's coding style (pnpm -r run lint passes).
  • TypeScript compiles without errors (pnpm -r run typecheck).
  • I have added or updated tests for the changes I made.
  • All tests pass locally (pnpm -r run test).
  • I have updated documentation where necessary.
  • No new console.log or debug statements left in the code.
  • Breaking changes are documented in this PR description.

Screenshots / Recordings

N/A (Tests only)


Additional Context

The mocked test environment utilizes Fastify app.inject requests to simulate browser-level GET redirects. It correctly verifies that the Redis layer mitigates CSRF while keeping the endpoints gracefully redirecting to /settings with specific error query parameters.
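The checks the description lists (missing params, malformed state, expired or unknown nonce, and deleting the nonce before the code exchange so a replayed callback URL fails) as an added TypeScript illustration written for this page, not Dev-Card's own route or test code. The in-memory NonceStore standing in for Redis, the `provider:nonce` state format, the `oauth:nonce:` key prefix, the error query values and the synchronous exchangeCode callback are all assumptions.

```typescript
// Hypothetical stand-in for the Redis client that the real suite mocks.
// Synchronous on purpose so the example runs stand-alone; real Redis is async.
interface NonceStore {
  get(key: string): string | null;
  del(key: string): number; // returns 1 if a key was removed, 0 otherwise
}

// Constructed in-memory store seeded with nonce -> user id entries.
function makeStore(entries: Record<string, string>): NonceStore {
  const m = new Map(Object.entries(entries));
  return {
    get: (k) => m.get(k) ?? null,
    del: (k) => (m.delete(k) ? 1 : 0),
  };
}

// Assumed state format: "<provider>:<nonce>"; the nonce was stored under
// "oauth:nonce:<nonce>" (with a TTL) when the user was sent to the provider.
// Returns the redirect target, mirroring the "/settings?error=..." pattern
// the PR description mentions.
function handleOAuthCallback(
  query: Record<string, string | undefined>,
  redis: NonceStore,
  exchangeCode: (code: string) => string | null,
): string {
  const { code, state } = query;
  if (!code || !state) return "/settings?error=missing_params";
  const parts = state.split(":");
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    return "/settings?error=invalid_state";
  }
  const [provider, nonce] = parts;
  const key = `oauth:nonce:${nonce}`;
  // A missing nonce means it expired or was never issued by us: treat as CSRF.
  if (redis.get(key) === null) return "/settings?error=invalid_nonce";
  // Single use: delete before the exchange so a replayed URL is rejected above,
  // even if the exchange itself later fails.
  redis.del(key);
  const token = exchangeCode(code);
  if (token === null) return "/settings?error=exchange_failed";
  return `/settings?connected=${provider}`;
}
```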

Copilot AI review requested due to automatic review settings May 30, 2026 11:15
@Harxhit
Collaborator

Harxhit commented May 31, 2026

@VIDYANKSHINI Please add tests terminal proof in PR description.

@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label May 31, 2026


Development

Successfully merging this pull request may close these issues.

[BUG] OAuth Connect Callback Blocked by Header-Only Authentication Check
