chore(repo): Add oauth_token type integration test

[wobsoriano]

Description

This PR adds integration test for oauth_token type in auth() helper. This applies to all SDKs as they share the same verification functions.

auth({ acceptsToken: 'oauth_token' })

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Tests
  • Added integration tests for OAuth machine authentication, validating the complete authorization code flow, token exchange, protected endpoint access, and rejection of invalid credentials.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 8371917

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Nov 26, 2025 8:43pm

[coderabbitai]

Walkthrough

A changeset metadata file was added, and a comprehensive integration test suite for OAuth machine authentication using Clerk was introduced, implementing the authorization code flow with setup, teardown, positive and negative test cases.

Changes

Cohort / File(s)	Summary
Changeset metadata .changeset/warm-phones-compete.md	Added changeset declaration file with placeholder content (two lines of dashes).
OAuth machine authentication tests integration/tests/machine-auth/oauth.test.ts	New integration test suite testing Clerk OAuth machine authentication. Includes test user and OAuth application setup, authorization code flow validation, token exchange, protected endpoint access, and negative test cases for missing/invalid tokens. Manages test lifecycle with beforeAll/afterAll hooks.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Suite
    participant App as Test App
    participant Clerk as Clerk OAuth Endpoints
    participant ProtectedAPI as Protected API
    
    rect rgb(200, 240, 220)
    Note over Test,Clerk: Authorization Code Flow
    Test->>App: Start test, configure routes
    Test->>Clerk: Create OAuth app & test user
    Test->>Clerk: Build authorization URL
    Test->>App: User signs in via Clerk
    Test->>App: Handle OAuth consent
    Test->>Clerk: Capture authorization code
    Test->>Clerk: Exchange code for access token
    end
    
    rect rgb(240, 220, 200)
    Note over Test,ProtectedAPI: Token Validation
    Test->>ProtectedAPI: Call endpoint with access token
    ProtectedAPI-->>Test: Success response (assertion)
    end
    
    rect rgb(240, 200, 200)
    Note over Test,ProtectedAPI: Negative Cases
    Test->>ProtectedAPI: Request without token
    ProtectedAPI-->>Test: 401 Unauthorized
    Test->>ProtectedAPI: Request with invalid token
    ProtectedAPI-->>Test: 401 Unauthorized
    end
    
    Test->>Clerk: Cleanup (delete OAuth app & user)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• The changeset file is metadata-only with no functional impact.
• The test file is straightforward integration testing using standard patterns (setup/teardown, OAuth flow assertions).
• No modifications to existing production code logic.
• Review focus: Verify test assertions accurately validate the OAuth flow, confirm proper resource cleanup in teardown, and check that all test cases (positive and negative) are comprehensive.

Poem

🐰 A test suite hops through OAuth's maze,
With tokens checked in many ways,
Authorization codes exchanged with care,
Protected routes tested everywhere.
The changeset marks the journey true—
Fresh auth flows, now tested too! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding an integration test for OAuth token functionality. It is specific, concise, and directly related to the primary changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch rob/oauth-token-integration

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7323

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7323

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7323

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7323

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7323

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7323

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7323

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7323

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7323

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7323

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7323

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7323

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7323

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7323

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7323

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7323

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7323

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7323

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7323

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7323

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7323

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7323

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7323

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7323

commit: 8371917

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

integration/tests/machine-auth/oauth.test.ts (2)

61-64: Consider reusing the existing Clerk client.

A Clerk client is already created via createTestUtils on line 57. Consider reusing u.services.clerk instead of creating a new client instance to avoid duplication.

Apply this diff:

-    const clerkClient = createClerkClient({
-      secretKey: app.env.privateVariables.get('CLERK_SECRET_KEY'),
-      publishableKey: app.env.publicVariables.get('CLERK_PUBLISHABLE_KEY'),
-    });
-
     // Create an OAuth application via the BAPI
-    oAuthApp = await clerkClient.oauthApplications.create({
+    oAuthApp = await u.services.clerk.oauthApplications.create({
       name: `Integration Test OAuth App - ${Date.now()}`,
       redirectUris: [`${app.serverUrl}/oauth/callback`],
       scopes: 'profile email',
     });

---

75-78: Consider reusing the existing Clerk client.

Similar to the beforeAll hook, consider storing the Clerk client in a module-scoped variable during setup and reusing it here instead of recreating it.

Example approach:

let clerkClient: ReturnType<typeof createClerkClient>;

test.beforeAll(async () => {
  // ... setup code ...
  const u = createTestUtils({ app });
  clerkClient = u.services.clerk;
  
  oAuthApp = await clerkClient.oauthApplications.create({
    // ...
  });
});

test.afterAll(async () => {
  if (oAuthApp.id) {
    await clerkClient.oauthApplications.delete(oAuthApp.id);
  }
  // ... rest of cleanup ...
});

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3f99742 and 8371917.

📒 Files selected for processing (2)

• .changeset/warm-phones-compete.md (1 hunks)
• integration/tests/machine-auth/oauth.test.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (7)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Prefer importing types from @clerk/shared/types instead of the deprecated @clerk/types alias

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• integration/tests/machine-auth/oauth.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• integration/tests/machine-auth/oauth.test.ts

🧬 Code graph analysis (1)

integration/tests/machine-auth/oauth.test.ts (3)

integration/models/application.ts (1)

• Application (7-7)

integration/presets/index.ts (1)

• appConfigs (15-32)

integration/testUtils/index.ts (1)

• createTestUtils (24-86)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (29)

• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 15, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 14)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (expo-web, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (elements, chrome)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (3)

integration/tests/machine-auth/oauth.test.ts (3)

1-11: LGTM!

Imports are well-organized with appropriate use of type-only imports and proper separation between external dependencies and internal utilities.

---

13-17: LGTM!

Test suite structure is correct with proper type annotations and parallel mode configuration for independent test execution.

---

165-179: LGTM!

Negative test cases are well-structured and properly validate authentication failure scenarios for missing and invalid OAuth tokens.