Merge pull request #46 from sacha-development-stuff/codex/fix-coverage-threshold-failure-1pomsh

SoldierSacha · web-flow · commit 5bb333875c73 · 2025-11-11T23:33:07.000-05:00
Add coverage for OAuth discovery redirects and refresh tokens
diff --git a/tests/unit/client/test_oauth2_providers.py b/tests/unit/client/test_oauth2_providers.py
@@ -539,6 +539,32 @@ async def test_client_credentials_request_token_stops_on_server_error(
     assert provider._metadata is None
 
 
+@pytest.mark.anyio
+async def test_client_credentials_request_token_stops_on_redirect(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    storage = InMemoryStorage()
+    client_metadata = OAuthClientMetadata(redirect_uris=_redirect_uris(), scope="alpha")
+    provider = ClientCredentialsProvider("https://api.example.com/service", client_metadata, storage)
+
+    metadata_responses = [_make_response(302)]
+    registration_response = _make_response(200, json_data=_registration_json())
+    token_response = _make_response(200, json_data=_token_json("alpha"))
+
+    clients = [
+        DummyAsyncClient(send_responses=metadata_responses),
+        DummyAsyncClient(send_responses=[registration_response]),
+        DummyAsyncClient(post_responses=[token_response]),
+    ]
+    monkeypatch.setattr("mcp.client.auth.oauth2.httpx.AsyncClient", AsyncClientFactory(clients))
+
+    await provider._request_token()
+
+    assert storage.tokens is not None
+    assert storage.tokens.scope == "alpha"
+    assert provider._metadata is None
+
+
 @pytest.mark.anyio
 async def test_client_credentials_ensure_token_returns_when_valid() -> None:
     storage = InMemoryStorage()
diff --git a/tests/unit/server/auth/test_token_handler.py b/tests/unit/server/auth/test_token_handler.py
@@ -256,6 +256,33 @@ async def test_handle_route_refresh_token_branch() -> None:
     assert payload["access_token"] == "refreshed-token"
 
 
+@pytest.mark.anyio
+async def test_handle_route_refresh_token_without_scope() -> None:
+    provider = RefreshTokenProvider()
+    client_info = OAuthClientInformationFull(
+        client_id="client",
+        grant_types=["refresh_token"],
+        scope="alpha",
+    )
+    handler = TokenHandler(
+        provider=cast(OAuthAuthorizationServerProvider[Any, Any, Any], provider),
+        client_authenticator=cast(ClientAuthenticator, DummyAuthenticator(client_info)),
+    )
+
+    request_data = {
+        "grant_type": "refresh_token",
+        "refresh_token": "refresh-token",
+        "client_id": "client",
+        "client_secret": "secret",
+    }
+
+    response = await handler.handle(cast(Request, DummyRequest(request_data)))
+
+    assert response.status_code == 200
+    payload = json.loads(bytes(response.body).decode())
+    assert payload["access_token"] == "refreshed-token"
+
+
 @pytest.mark.anyio
 async def test_handle_route_refresh_token_invalid_scope() -> None:
     provider = RefreshTokenProvider()
