Merge branch 'main' into cb/expiresAt-check

src/server/auth/middleware/bearerAuth.test.ts

@@ -56,9 +56,10 @@ describe("requireBearerAuth middleware", () => {
   });
 
   it.each([
-    [Math.floor(Date.now() / 1000) - 100], // Token expired 100 seconds ago
-    [Math.floor(Date.now() / 1000)], // Token expires at the same time as now
-  ])("should reject expired tokens (expiresAt: %s)", async (expiresAt: number) => {
+    [100], // Token expired 100 seconds ago
+    [0], // Token expires at the same time as now
+  ])("should reject expired tokens (expired %s seconds ago)", async (expiredSecondsAgo: number) => {
+    const expiresAt = Math.floor(Date.now() / 1000) - expiredSecondsAgo;
     const expiredAuthInfo: AuthInfo = {
       token: "expired-token",
       clientId: "client-123",
@@ -334,4 +335,125 @@ describe("requireBearerAuth middleware", () => {
     );
     expect(nextFunction).not.toHaveBeenCalled();
   });
+
+  describe("with resourceMetadataUrl", () => {
+    const resourceMetadataUrl = "https://api.example.com/.well-known/oauth-protected-resource";
+
+    it("should include resource_metadata in WWW-Authenticate header for 401 responses", async () => {
+      mockRequest.headers = {};
+
+      const middleware = requireBearerAuth({ verifier: mockVerifier, resourceMetadataUrl });
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(401);
+      expect(mockResponse.set).toHaveBeenCalledWith(
+        "WWW-Authenticate",
+        `Bearer error="invalid_token", error_description="Missing Authorization header", resource_metadata="${resourceMetadataUrl}"`
+      );
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+
+    it("should include resource_metadata in WWW-Authenticate header when token verification fails", async () => {
+      mockRequest.headers = {
+        authorization: "Bearer invalid-token",
+      };
+
+      mockVerifyAccessToken.mockRejectedValue(new InvalidTokenError("Token expired"));
+
+      const middleware = requireBearerAuth({ verifier: mockVerifier, resourceMetadataUrl });
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(401);
+      expect(mockResponse.set).toHaveBeenCalledWith(
+        "WWW-Authenticate",
+        `Bearer error="invalid_token", error_description="Token expired", resource_metadata="${resourceMetadataUrl}"`
+      );
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+
+    it("should include resource_metadata in WWW-Authenticate header for insufficient scope errors", async () => {
+      mockRequest.headers = {
+        authorization: "Bearer valid-token",
+      };
+
+      mockVerifyAccessToken.mockRejectedValue(new InsufficientScopeError("Required scopes: admin"));
+
+      const middleware = requireBearerAuth({ verifier: mockVerifier, resourceMetadataUrl });
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(403);
+      expect(mockResponse.set).toHaveBeenCalledWith(
+        "WWW-Authenticate",
+        `Bearer error="insufficient_scope", error_description="Required scopes: admin", resource_metadata="${resourceMetadataUrl}"`
+      );
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+
+    it("should include resource_metadata when token is expired", async () => {
+      const expiredAuthInfo: AuthInfo = {
+        token: "expired-token",
+        clientId: "client-123",
+        scopes: ["read", "write"],
+        expiresAt: Math.floor(Date.now() / 1000) - 100,
+      };
+      mockVerifyAccessToken.mockResolvedValue(expiredAuthInfo);
+
+      mockRequest.headers = {
+        authorization: "Bearer expired-token",
+      };
+
+      const middleware = requireBearerAuth({ verifier: mockVerifier, resourceMetadataUrl });
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(401);
+      expect(mockResponse.set).toHaveBeenCalledWith(
+        "WWW-Authenticate",
+        `Bearer error="invalid_token", error_description="Token has expired", resource_metadata="${resourceMetadataUrl}"`
+      );
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+
+    it("should include resource_metadata when scope check fails", async () => {
+      const authInfo: AuthInfo = {
+        token: "valid-token",
+        clientId: "client-123",
+        scopes: ["read"],
+      };
+      mockVerifyAccessToken.mockResolvedValue(authInfo);
+
+      mockRequest.headers = {
+        authorization: "Bearer valid-token",
+      };
+
+      const middleware = requireBearerAuth({
+        verifier: mockVerifier,
+        requiredScopes: ["read", "write"],
+        resourceMetadataUrl
+      });
+
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(403);
+      expect(mockResponse.set).toHaveBeenCalledWith(
+        "WWW-Authenticate",
+        `Bearer error="insufficient_scope", error_description="Insufficient scope", resource_metadata="${resourceMetadataUrl}"`
+      );
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+
+    it("should not affect server errors (no WWW-Authenticate header)", async () => {
+      mockRequest.headers = {
+        authorization: "Bearer valid-token",
+      };
+
+      mockVerifyAccessToken.mockRejectedValue(new ServerError("Internal server issue"));
+
+      const middleware = requireBearerAuth({ verifier: mockVerifier, resourceMetadataUrl });
+      await middleware(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(500);
+      expect(mockResponse.set).not.toHaveBeenCalledWith("WWW-Authenticate", expect.anything());
+      expect(nextFunction).not.toHaveBeenCalled();
+    });
+  });
 });