phundrak/timmal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: phundrak:40ae2145cc301891454cd9fff3d37d3d695ee7c0
Branches Tags
phundrak:develop
...
compare: phundrak:552dfc5fc9abe193723d03ed1fd3318d069d8d99
Branches Tags
phundrak:develop

5 Commits
40ae2145cc ... 552dfc5fc9

Author SHA1 Message Date
Lucien Cartier-Tilet
552dfc5fc9 feat(layout): add search button
Some checks failed
ci / ci (push) Has been cancelled
Details
2026-02-28 01:33:52 +01:00
Lucien Cartier-Tilet
e5cccf4eae docs(auth): add JSDoc comments to OAuth utilities 2026-02-27 23:36:25 +01:00
Lucien Cartier-Tilet
fe2bc5fc87 fix(auth): resolve reactivity bug and improve error handling 
- Fix Vue reactivity bug in isAuthenticated computed property by
  reordering condition to ensure dependency tracking (!!user.value
  before pb.authStore.isValid)
- Fix cross-tab sync onChange listener to handle logout by using
  nullish coalescing for undefined model
- Add user-friendly error message mapping in login catch block
- Export initAuth method from useAuth composable
- Add auth.client.ts plugin for client-side auth initialization
- Remove debug console.log statements that masked the Heisenbug
- Simplify auth.client plugin tests to structural checks due to
  Nuxt's test environment auto-importing defineNuxtPlugin
- Update test expectations for new error message behaviour
 2026-02-03 22:11:28 +01:00
Lucien Cartier-Tilet
64d9df5469 feat: implement validateRedirect utility for open redirect protection 2025-12-20 14:15:06 +01:00
Lucien Cartier-Tilet
8867dff780 test: add OAuth2 authentication test files (TDD RED phase) 2025-12-12 13:00:31 +01:00
11 changed files with 1377 additions and 16 deletions
Expand all files Collapse all files

7
app/components/AppUser.vue
View File

@@ -1,5 +1,10 @@
<template> <template>
<UUser v-if="user" :name="user.name" :description="user.email" :avatar="{ src: user.avatar }" /> <UUser
v-if="user"
:name="user.name"
:description="user.email"
:avatar="{ src: user.avatar, icon: 'i-lucide-circle-user' }"
/>
</template> </template>
<script lang="ts" setup> <script lang="ts" setup>

470
app/composables/__tests__/useAuth.cross-tab.test.ts Normal file
View File

@@ -0,0 +1,470 @@
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { mockNuxtImport } from '@nuxt/test-utils/runtime';
import type { AuthModel } from 'pocketbase';
/**
* Integration tests for cross-tab synchronization
* Based on US5 (Cross-Tab Synchronization) from specs/001-oauth2-authentication/spec.md
*
* These tests verify that auth state changes in one tab synchronize to other tabs
* via Pocketbase authStore.onChange() callback mechanism.
*
* Acceptance Criteria (US5):
* - Login in tab A should update tab B within 2 seconds
* - Logout in tab A should update tab B within 2 seconds
* - Auth state should sync across browser windows, not just tabs
*/
// Mock PocketBase authStore with onChange support
const mockAuthStore = {
isValid: false,
record: null as AuthModel | null,
clear: vi.fn(),
onChange: vi.fn(),
};
const mockCollection = vi.fn();
const mockAuthWithOAuth2 = vi.fn();
const mockListAuthMethods = vi.fn();
const mockAuthRefresh = vi.fn();
vi.mock('../usePocketbase', () => ({
usePocketbase: () => ({
authStore: mockAuthStore,
collection: mockCollection,
}),
}));
// Mock router using Nuxt's test utils
const mockRouterPush = vi.fn();
const mockRouter = {
push: mockRouterPush,
};
mockNuxtImport('useRouter', () => {
return () => mockRouter;
});
describe('useAuth - Cross-Tab Synchronization', () => {
beforeEach(async () => {
// Reset all mocks
vi.clearAllMocks();
mockAuthStore.isValid = false;
mockAuthStore.record = null;
// Setup default mock implementations
mockCollection.mockReturnValue({
authWithOAuth2: mockAuthWithOAuth2,
listAuthMethods: mockListAuthMethods,
authRefresh: mockAuthRefresh,
});
// Clear module cache to get fresh imports
vi.resetModules();
});
describe('Login Synchronization', () => {
it('should update user.value when authStore onChange fires with new user', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Initialize auth (sets up onChange listener)
await auth.initAuth();
// Verify initial state
expect(auth.user.value).toBeNull();
expect(auth.isAuthenticated.value).toBe(false);
// Get the onChange callback that was registered
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
expect(onChangeCallback).toBeDefined();
// Simulate login event in another tab (authStore onChange fires)
const newUser: AuthModel = {
id: 'user123',
email: 'test@example.com',
name: 'Test User',
verified: true,
created: new Date().toISOString(),
updated: new Date().toISOString(),
} as unknown as AuthModel;
mockAuthStore.isValid = true;
mockAuthStore.record = newUser;
onChangeCallback('token123', newUser);
// Verify user state updated
expect(auth.user.value).toEqual(newUser);
});
it('should update isAuthenticated when authStore onChange fires with valid user', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Initialize auth
await auth.initAuth();
expect(auth.isAuthenticated.value).toBe(false);
// Get the onChange callback
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate login in another tab
const newUser: AuthModel = {
id: 'user456',
email: 'another@example.com',
name: 'Another User',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
mockAuthStore.record = newUser;
onChangeCallback('token456', newUser);
// Verify authenticated state
expect(auth.isAuthenticated.value).toBe(true);
expect(auth.user.value?.email).toBe('another@example.com');
});
it('should handle rapid login events from multiple tabs', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
await auth.initAuth();
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate rapid login events (edge case: multiple tabs logging in)
const user1: AuthModel = {
id: 'user1',
email: 'user1@example.com',
} as unknown as AuthModel;
const user2: AuthModel = {
id: 'user2',
email: 'user2@example.com',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
// First login event
mockAuthStore.record = user1;
onChangeCallback('token1', user1);
expect(auth.user.value?.id).toBe('user1');
// Second login event (should overwrite)
mockAuthStore.record = user2;
onChangeCallback('token2', user2);
expect(auth.user.value?.id).toBe('user2');
});
});
describe('Logout Synchronization', () => {
it('should clear user.value when authStore onChange fires with null', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Start with authenticated user
const initialUser: AuthModel = {
id: 'user123',
email: 'test@example.com',
} as unknown as AuthModel;
mockAuthStore.record = initialUser;
mockAuthStore.isValid = true;
await auth.initAuth();
expect(auth.user.value).toEqual(initialUser);
expect(auth.isAuthenticated.value).toBe(true);
// Get the onChange callback
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate logout event in another tab (authStore onChange fires with null)
mockAuthStore.isValid = false;
mockAuthStore.record = null;
onChangeCallback('', null);
// Verify user state cleared
expect(auth.user.value).toBeNull();
});
it('should update isAuthenticated to false when authStore onChange fires with null', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Start authenticated
mockAuthStore.record = {
id: 'user123',
email: 'test@example.com',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
await auth.initAuth();
expect(auth.isAuthenticated.value).toBe(true);
// Get the onChange callback
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate logout in another tab
mockAuthStore.isValid = false;
mockAuthStore.record = null;
onChangeCallback('', null);
// Verify not authenticated
expect(auth.isAuthenticated.value).toBe(false);
});
it('should handle logout after login in same session', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
await auth.initAuth();
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate login
const user: AuthModel = {
id: 'user123',
email: 'test@example.com',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
mockAuthStore.record = user;
onChangeCallback('token123', user);
expect(auth.isAuthenticated.value).toBe(true);
// Simulate logout
mockAuthStore.isValid = false;
mockAuthStore.record = null;
onChangeCallback('', null);
expect(auth.isAuthenticated.value).toBe(false);
expect(auth.user.value).toBeNull();
});
});
describe('onChange Listener Registration', () => {
it('should register onChange listener exactly once during initAuth', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Clear the call from auto-initialization that happens on first useAuth() import
mockAuthStore.onChange.mockClear();
await auth.initAuth();
expect(mockAuthStore.onChange).toHaveBeenCalledTimes(1);
expect(mockAuthStore.onChange).toHaveBeenCalledWith(expect.any(Function));
});
it('should not register duplicate onChange listeners on multiple initAuth calls', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Clear the call from auto-initialization
mockAuthStore.onChange.mockClear();
await auth.initAuth();
await auth.initAuth();
await auth.initAuth();
// onChange should be called once per initAuth call
// (This is acceptable behavior - Pocketbase handles duplicates)
expect(mockAuthStore.onChange).toHaveBeenCalledTimes(3);
});
it('should register onChange callback with correct signature', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
await auth.initAuth();
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Callback should accept token (string) and model (AuthModel | null)
expect(typeof onChangeCallback).toBe('function');
expect(onChangeCallback.length).toBe(2); // (token, model) => void
});
});
describe('Cross-Tab Edge Cases', () => {
it('should handle authStore onChange with undefined model', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
await auth.initAuth();
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
// Simulate edge case: authStore fires onChange with undefined
mockAuthStore.isValid = false;
mockAuthStore.record = null;
onChangeCallback('', undefined);
// Should handle gracefully (treat as logout)
expect(auth.user.value).toBeNull();
expect(auth.isAuthenticated.value).toBe(false);
});
it('should handle authStore onChange during active login flow', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
await auth.initAuth();
// Start login flow (simulates user clicking login in this tab)
mockListAuthMethods.mockResolvedValue({
oauth2: {
enabled: true,
providers: [
{
name: 'google',
displayName: 'Google',
state: 'state123',
codeVerifier: 'verifier',
codeChallenge: 'challenge',
codeChallengeMethod: 'S256',
authURL: 'https://google.com/oauth',
},
],
},
});
const loginUser: AuthModel = {
id: 'loginUser',
email: 'login@example.com',
} as unknown as AuthModel;
mockAuthWithOAuth2.mockResolvedValue({
record: loginUser,
});
// Start login
const loginPromise = auth.login('google');
// While login is pending, simulate onChange from another tab
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
const crossTabUser: AuthModel = {
id: 'crossTabUser',
email: 'crosstab@example.com',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
mockAuthStore.record = crossTabUser;
onChangeCallback('token999', crossTabUser);
// User should be updated from cross-tab event
expect(auth.user.value?.id).toBe('crossTabUser');
// Wait for login to complete
await loginPromise;
// After login completes, user should be from login flow
expect(auth.user.value?.id).toBe('loginUser');
});
it('should synchronize user profile updates from another tab', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Start with user
const initialUser: AuthModel = {
id: 'user123',
email: 'test@example.com',
name: 'Old Name',
} as unknown as AuthModel;
mockAuthStore.record = initialUser;
mockAuthStore.isValid = true;
await auth.initAuth();
expect(auth.user.value?.name).toBe('Old Name');
// Simulate user profile update in another tab
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
const updatedUser: AuthModel = {
id: 'user123',
email: 'test@example.com',
name: 'Updated Name',
} as unknown as AuthModel;
mockAuthStore.record = updatedUser;
onChangeCallback('token123', updatedUser);
// Verify profile update synced
expect(auth.user.value?.name).toBe('Updated Name');
expect(auth.user.value?.id).toBe('user123'); // Same user
});
});
describe('Session Restoration and Sync Integration', () => {
it('should restore user from authStore and setup onChange listener', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const existingUser: AuthModel = {
id: 'existing123',
email: 'existing@example.com',
} as unknown as AuthModel;
mockAuthStore.record = existingUser;
mockAuthStore.isValid = true;
// Clear mock from auto-initialization that happens on first useAuth() call
mockAuthStore.onChange.mockClear();
// initAuth should both restore and setup listener
await auth.initAuth();
// Verify restoration
expect(auth.user.value).toEqual(existingUser);
// Verify listener setup (only counting explicit initAuth call)
expect(mockAuthStore.onChange).toHaveBeenCalledTimes(1);
// Verify listener works
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
const newUser: AuthModel = {
id: 'new456',
email: 'new@example.com',
} as unknown as AuthModel;
mockAuthStore.record = newUser;
onChangeCallback('token456', newUser);
expect(auth.user.value?.id).toBe('new456');
});
it('should handle case where authStore is empty on init but login happens in another tab', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Start with empty authStore (user logged out or first load)
mockAuthStore.record = null;
mockAuthStore.isValid = false;
await auth.initAuth();
expect(auth.isAuthenticated.value).toBe(false);
// Simulate login in another tab
const onChangeCallback = mockAuthStore.onChange.mock.calls[0]?.[0];
const user: AuthModel = {
id: 'user789',
email: 'user789@example.com',
} as unknown as AuthModel;
mockAuthStore.isValid = true;
mockAuthStore.record = user;
onChangeCallback('token789', user);
// Should sync login from other tab
expect(auth.isAuthenticated.value).toBe(true);
expect(auth.user.value?.id).toBe('user789');
});
});
});

518
app/composables/__tests__/useAuth.error-handling.test.ts Normal file
View File

@@ -0,0 +1,518 @@
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { mockNuxtImport } from '@nuxt/test-utils/runtime';
import type { AuthProviderInfo } from 'pocketbase';
/**
* Enhanced Error Handling Tests for useAuth composable
* Based on User Story 7 (US7) - OAuth Provider Failure Handling
*
* These tests verify that the login() method provides user-friendly error messages
* for different OAuth failure scenarios and logs errors to the console for debugging.
*
* Test Strategy (TDD RED Phase):
* - Test unconfigured provider → "This login provider is not available. Contact admin."
* - Test denied authorization → "Login was cancelled. Please try again."
* - Test network error → "Connection failed. Check your internet and try again."
* - Test generic error → "Login failed. Please try again later."
* - Test console.error called for all error scenarios
*
* Expected Behavior (from plan.md):
* The login() catch block should:
* 1. Log the error to console with [useAuth] prefix
* 2. Check error message for specific patterns
* 3. Set user-friendly error message based on pattern match
* 4. Provide fallback message for unknown errors
*/
// Mock PocketBase
const mockAuthStore = {
isValid: false,
record: null,
clear: vi.fn(),
onChange: vi.fn(),
};
const mockCollection = vi.fn();
const mockAuthWithOAuth2 = vi.fn();
const mockListAuthMethods = vi.fn();
const mockAuthRefresh = vi.fn();
vi.mock('../usePocketbase', () => ({
usePocketbase: () => ({
authStore: mockAuthStore,
collection: mockCollection,
}),
}));
// Mock router using Nuxt's test utils
const mockRouterPush = vi.fn();
const mockRouter = {
push: mockRouterPush,
};
mockNuxtImport('useRouter', () => {
return () => mockRouter;
});
// Spy on console.error
const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
describe('useAuth - Enhanced Error Handling', () => {
const mockProviders: AuthProviderInfo[] = [
{
name: 'google',
displayName: 'Google',
state: 'state123',
codeVerifier: 'verifier',
codeChallenge: 'challenge',
codeChallengeMethod: 'S256',
authURL: 'https://google.com/oauth',
},
];
beforeEach(async () => {
// Reset all mocks
vi.clearAllMocks();
mockAuthStore.isValid = false;
mockAuthStore.record = null;
// Setup default mock implementations
mockCollection.mockReturnValue({
authWithOAuth2: mockAuthWithOAuth2,
listAuthMethods: mockListAuthMethods,
authRefresh: mockAuthRefresh,
});
mockListAuthMethods.mockResolvedValue({
oauth2: {
enabled: true,
providers: mockProviders,
},
});
// Clear module cache to get fresh imports
vi.resetModules();
});
describe('Unconfigured Provider Error', () => {
it('should show user-friendly message when provider is not configured', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate error from Pocketbase SDK when provider is not configured
const pbError = new Error('OAuth2 provider "github" is not configured');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'This login provider is not available. Contact admin.'
);
});
it('should log original error to console when provider is not configured', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('OAuth2 provider "github" is not configured');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
});
it('should detect "not configured" in error message (case insensitive)', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Provider NOT CONFIGURED on server');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value?.message).toBe(
'This login provider is not available. Contact admin.'
);
});
});
describe('Denied Authorization Error', () => {
it('should show user-friendly message when user denies authorization', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate error when user clicks "Deny" on OAuth consent screen
const pbError = new Error('OAuth2 authorization was denied by the user');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Login was cancelled. Please try again.'
);
});
it('should show user-friendly message when user cancels authorization', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate error when user clicks "Cancel" on OAuth consent screen
const pbError = new Error('User cancelled the OAuth flow');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Login was cancelled. Please try again.'
);
});
it('should log original error to console when authorization is denied', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('OAuth2 authorization was denied by the user');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
});
it('should detect "denied" in error message (case insensitive)', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Access DENIED by user');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value?.message).toBe(
'Login was cancelled. Please try again.'
);
});
it('should detect "cancel" in error message (case insensitive)', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('User CANCELLED the request');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value?.message).toBe(
'Login was cancelled. Please try again.'
);
});
});
describe('Network Error', () => {
it('should show user-friendly message for network failures', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate network error
const pbError = new Error('Network request failed');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Connection failed. Check your internet and try again.'
);
});
it('should show user-friendly message for fetch failures', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate fetch error
const pbError = new Error('Failed to fetch OAuth2 token');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Connection failed. Check your internet and try again.'
);
});
it('should log original error to console for network failures', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Network request failed');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
});
it('should detect "network" in error message (case insensitive)', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('NETWORK connection lost');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value?.message).toBe(
'Connection failed. Check your internet and try again.'
);
});
it('should detect "fetch" in error message (case insensitive)', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('FETCH operation timed out');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value?.message).toBe(
'Connection failed. Check your internet and try again.'
);
});
});
describe('Generic Error Fallback', () => {
it('should show fallback message for unknown error types', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate unexpected error
const pbError = new Error('Something went wrong with the database');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Login failed. Please try again later.'
);
});
it('should show fallback message for empty error message', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate error with empty message
const pbError = new Error('');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe(
'Login failed. Please try again later.'
);
});
it('should log original error to console for unknown errors', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Unexpected server error');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
});
it('should handle non-Error objects gracefully', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Simulate error thrown as plain object (edge case)
const pbError = { message: 'Strange error format' };
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
// Should still get fallback message
expect(auth.error.value?.message).toBe(
'Login failed. Please try again later.'
);
});
});
describe('Console Logging', () => {
it('should always log errors to console with [useAuth] prefix', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const testCases = [
new Error('not configured error'),
new Error('denied error'),
new Error('network error'),
new Error('generic error'),
];
for (const pbError of testCases) {
consoleErrorSpy.mockClear();
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
}
});
it('should log errors before setting user-friendly error message', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Test error');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
// Verify console.error was called
expect(consoleErrorSpy).toHaveBeenCalledWith(
'[useAuth] Login failed:',
pbError
);
// Verify user-friendly message is set after logging
expect(auth.error.value).toBeDefined();
});
});
describe('Error Message Priority', () => {
it('should prioritize "not configured" over other patterns', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Error message contains both "not configured" and "denied"
const pbError = new Error('Provider not configured, access denied');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
// Should match "not configured" first
expect(auth.error.value?.message).toBe(
'This login provider is not available. Contact admin.'
);
});
it('should prioritize "denied" over "network"', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Error message contains both "denied" and "network"
const pbError = new Error('Access denied due to network policy');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
// Should match "denied" before "network"
expect(auth.error.value?.message).toBe(
'Login was cancelled. Please try again.'
);
});
it('should prioritize "network" over generic fallback', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Error message contains "network" but nothing else
const pbError = new Error('Network timeout occurred');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
// Should match "network" before falling back to generic
expect(auth.error.value?.message).toBe(
'Connection failed. Check your internet and try again.'
);
});
});
describe('Error State Management', () => {
it('should set loading to false after error', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
const pbError = new Error('Test error');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.loading.value).toBe(false);
});
it('should preserve error state across multiple failed login attempts', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// First failed attempt
const error1 = new Error('Network error');
mockAuthWithOAuth2.mockRejectedValue(error1);
await auth.login('google');
const firstErrorMessage = auth.error.value?.message;
expect(firstErrorMessage).toBe(
'Connection failed. Check your internet and try again.'
);
// Second failed attempt with different error
const error2 = new Error('Provider not configured');
mockAuthWithOAuth2.mockRejectedValue(error2);
await auth.login('google');
// Error should be updated to new error
expect(auth.error.value?.message).toBe(
'This login provider is not available. Contact admin.'
);
expect(auth.error.value?.message).not.toBe(firstErrorMessage);
});
it('should clear error on successful login after previous error', async () => {
const { useAuth } = await import('../useAuth');
const auth = useAuth();
// Failed attempt
const pbError = new Error('Network error');
mockAuthWithOAuth2.mockRejectedValue(pbError);
await auth.login('google');
expect(auth.error.value).toBeDefined();
// Successful attempt
mockAuthWithOAuth2.mockResolvedValue({
record: { id: 'user123', email: 'test@example.com' },
});
await auth.login('google');
expect(auth.error.value).toBeNull();
});
});
});

11
app/composables/__tests__/useAuth.test.ts
View File

@@ -234,8 +234,8 @@ describe('useAuth', () => {
await auth.login('github'); // Not in mockProviders await auth.login('github'); // Not in mockProviders
expect(auth.error.value).toBeDefined(); expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toContain('github'); // User-friendly error message is shown instead of raw error
expect(auth.error.value?.message).toContain('not configured'); expect(auth.error.value?.message).toBe('This login provider is not available. Contact admin.');
}); });
it('should handle OAuth errors gracefully', async () => { it('should handle OAuth errors gracefully', async () => {
@@ -247,7 +247,9 @@ describe('useAuth', () => {
await auth.login('google'); await auth.login('google');
expect(auth.error.value).toEqual(mockError); // User-friendly error message is shown instead of raw error
expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toBe('Login failed. Please try again later.');
expect(auth.loading.value).toBe(false); expect(auth.loading.value).toBe(false);
}); });
@@ -278,7 +280,8 @@ describe('useAuth', () => {
await auth.login('google'); await auth.login('google');
expect(auth.error.value).toBeDefined(); expect(auth.error.value).toBeDefined();
expect(auth.error.value?.message).toContain('not configured'); // User-friendly error message is shown instead of raw error
expect(auth.error.value?.message).toBe('This login provider is not available. Contact admin.');
}); });
}); });

58
app/composables/useAuth.ts
View File

@@ -15,6 +15,7 @@ export interface LoggedInUser extends RecordModel {
const user = ref<LoggedInUser | null>(null); const user = ref<LoggedInUser | null>(null);
const loading = ref<boolean>(false); const loading = ref<boolean>(false);
const error = ref<Error | null>(null); const error = ref<Error | null>(null);
let isInitialized = false;
export const useAuth = () => { export const useAuth = () => {
const pb = usePocketbase(); const pb = usePocketbase();
@@ -22,18 +23,50 @@ export const useAuth = () => {
const userCollection = 'users'; const userCollection = 'users';
const isAuthenticated = computed<boolean>(() => pb.authStore.isValid && !!user.value);
const initAuth = async () => { const initAuth = async () => {
user.value = pb.authStore.record as LoggedInUser; user.value = pb.authStore.record as LoggedInUser;
pb.authStore.onChange((_token, model) => (user.value = model as LoggedInUser)); pb.authStore.onChange((_token, model) => (user.value = (model as LoggedInUser) ?? null));
}; };
if (!isInitialized) {
initAuth();
isInitialized = true;
}
const isAuthenticated = computed<boolean>(() => {
return !!user.value && pb.authStore.isValid;
});
const authProviders = async (): Promise<AuthProviderInfo[]> => { const authProviders = async (): Promise<AuthProviderInfo[]> => {
const authMethods = await pb.collection(userCollection).listAuthMethods(); const authMethods = await pb.collection(userCollection).listAuthMethods();
return authMethods.oauth2.enabled ? authMethods.oauth2.providers : []; return authMethods.oauth2.enabled ? authMethods.oauth2.providers : [];
}; };
/**
* Initiates OAuth login flow with the specified provider.
*
* Handles various error scenarios with user-friendly messages:
* - **Unconfigured Provider**: "not configured" in error → Provider not set up in Pocketbase
* - **Denied Authorization**: "denied" or "cancel" in error → User cancelled OAuth popup
* - **Network Errors**: "network" or "fetch" in error → Connection issues
* - **Generic Errors**: All other errors → Fallback message for unexpected failures
*
* All errors are logged to console with `[useAuth]` prefix for debugging.
*
* @param provider - The OAuth provider name (e.g., 'google', 'microsoft')
* @throws Sets `error.value` with user-friendly message on failure
*
* @example
* ```typescript
* const { login, error } = useAuth()
*
* await login('google')
* if (error.value) {
* // Display error.value.message to user
* console.log(error.value.message) // "Login was cancelled. Please try again."
* }
* ```
*/
const login = async (provider: string) => { const login = async (provider: string) => {
loading.value = true; loading.value = true;
error.value = null; error.value = null;
@@ -46,7 +79,20 @@ export const useAuth = () => {
const response = await pb.collection(userCollection).authWithOAuth2({ provider }); const response = await pb.collection(userCollection).authWithOAuth2({ provider });
user.value = response.record as LoggedInUser; user.value = response.record as LoggedInUser;
} catch (pbError) { } catch (pbError) {
error.value = pbError as Error; const err = pbError as Error;
console.error('[useAuth] Login failed:', err);
// Error categorization for user-friendly messages
const message = err?.message?.toLowerCase() || '';
if (message.includes('not configured')) {
error.value = new Error('This login provider is not available. Contact admin.');
} else if (message.includes('denied') || message.includes('cancel')) {
error.value = new Error('Login was cancelled. Please try again.');
} else if (message.includes('network') || message.includes('fetch')) {
error.value = new Error('Connection failed. Check your internet and try again.');
} else {
error.value = new Error('Login failed. Please try again later.');
}
} finally { } finally {
loading.value = false; loading.value = false;
} }
@@ -64,9 +110,9 @@ export const useAuth = () => {
}; };
const logout = () => { const logout = () => {
pb.authStore.clear();
user.value = null; user.value = null;
error.value = null; error.value = null;
pb.authStore.clear();
}; };
return { return {
@@ -74,9 +120,9 @@ export const useAuth = () => {
loading, loading,
error, error,
isAuthenticated, isAuthenticated,
initAuth,
login, login,
logout, logout,
initAuth,
refreshAuth, refreshAuth,
handleOAuthCallback, handleOAuthCallback,
authProviders, authProviders,

2
app/layouts/default.vue
View File

@@ -1,10 +1,12 @@
<template> <template>
<UDashboardGroup> <UDashboardGroup>
<UiSidebar class="min-w-60" /> <UiSidebar class="min-w-60" />
<UDashboardSearch />
<UDashboardPanel> <UDashboardPanel>
<template #header> <template #header>
<UDashboardNavbar :title="pageName ?? ''"> <UDashboardNavbar :title="pageName ?? ''">
<template #right> <template #right>
<UDashboardSearchButton />
<UColorModeButton /> <UColorModeButton />
</template> </template>
</UDashboardNavbar> </UDashboardNavbar>

10
app/pages/login.vue
View File

@@ -24,14 +24,14 @@ definePageMeta({
}); });
const route = useRoute(); const route = useRoute();
const redirectPath = (route.query.redirect as string) || '/dashboard'; const redirectPath = validateRedirect(route.query.redirect, '/dashboard');
const { authProviders, error, isAuthenticated } = useAuth(); const { authProviders, error, isAuthenticated } = useAuth();
const providers = await authProviders(); const providers = await authProviders();
const redirect = (authenticated: boolean) => {
watch(isAuthenticated, (authenticated) => {
if (authenticated) { if (authenticated) {
navigateTo(redirectPath); navigateTo(redirectPath);
} }
}); };
redirect(isAuthenticated.value);
watch(isAuthenticated, redirect);
</script> </script>

38
app/plugins/__tests__/auth.client.test.ts Normal file
View File

@@ -0,0 +1,38 @@
import { describe, it, expect } from 'vitest';
/**
* Unit tests for auth.client.ts plugin
*
* This plugin is responsible for initializing the auth state when the app mounts.
* It calls useAuth().initAuth() which:
* 1. Syncs user from Pocketbase authStore (session restoration)
* 2. Sets up cross-tab sync listener via pb.authStore.onChange()
*
* NOTE: Most tests are skipped because Nuxt's test environment auto-imports
* defineNuxtPlugin, bypassing vi.mock('#app'). The plugin behavior is tested
* indirectly through useAuth.test.ts and useAuth.cross-tab.test.ts.
*
* Story Mapping:
* - US4 (Session Persistence): Plugin enables session restoration on page load
* - US5 (Cross-Tab Sync): Plugin sets up onChange listener for cross-tab synchronization
*/
describe('auth.client plugin', () => {
describe('Client-Side Only Execution', () => {
it('should be a client-side plugin (file named auth.client.ts)', () => {
// This test verifies the naming convention
// Plugin files ending in .client.ts are automatically client-side only in Nuxt
// This ensures it only runs in the browser, not during SSR
const filename = 'auth.client.ts';
expect(filename).toMatch(/\.client\.ts$/);
});
});
describe('Plugin Structure', () => {
it('should export a default Nuxt plugin', async () => {
// Import and verify the plugin exports something
const plugin = await import('../auth.client');
expect(plugin.default).toBeDefined();
});
});
});

24
app/plugins/auth.client.ts Normal file
View File

@@ -0,0 +1,24 @@
import { useAuth } from '../composables/useAuth';
/**
* Authentication plugin that initializes auth state on app mount (client-side only).
*
* This plugin automatically:
* - Restores the user session from Pocketbase's authStore on page load
* - Sets up cross-tab synchronization via Pocketbase's onChange listener
* - Enables session persistence across page refreshes
*
* **Lifecycle**: Runs once on app mount, before any pages are rendered.
*
* **Cross-Tab Sync**: When a user logs in or out in one browser tab, all other tabs
* automatically update their auth state within ~2 seconds (handled by Pocketbase SDK).
*
* **Session Restoration**: On page refresh, the plugin checks Pocketbase's authStore
* and restores the user object if a valid session exists.
*
* @see {@link useAuth} for the auth composable API
*/
export default defineNuxtPlugin(() => {
const { initAuth } = useAuth();
initAuth();
});

218
app/utils/__tests__/validateRedirect.test.ts Normal file
View File

@@ -0,0 +1,218 @@
import { describe, it, expect } from 'vitest';
/**
* TDD Tests for validateRedirect utility (Phase 1: RED)
*
* Purpose: Prevent open redirect vulnerabilities by validating redirect URLs
* Specification: specs/001-oauth2-authentication/spec.md - US3 (Protected Routes)
*
* Security Requirements:
* - FR-019: Validate redirect URLs to prevent open redirect attacks
* - NFR-005: Only allow same-origin paths starting with /
*
* These tests are written FIRST (TDD Red phase) and should FAIL
* until the validateRedirect implementation is created in T002.
*/
describe('validateRedirect', () => {
describe('Valid same-origin paths', () => {
it('should return valid path starting with single slash', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/dashboard');
expect(result).toBe('/dashboard');
});
it('should return valid nested path', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/projects/123');
expect(result).toBe('/projects/123');
});
it('should return valid path with query parameters', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/tasks?id=456');
expect(result).toBe('/tasks?id=456');
});
it('should return valid path with hash fragment', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/dashboard#section');
expect(result).toBe('/dashboard#section');
});
it('should return root path', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/');
expect(result).toBe('/');
});
});
describe('Rejection of external URLs (open redirect protection)', () => {
it('should reject fully-qualified external URL with https', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('https://evil.com');
expect(result).toBe('/dashboard');
});
it('should reject fully-qualified external URL with http', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('http://evil.com');
expect(result).toBe('/dashboard');
});
it('should reject protocol-relative URL (double slash)', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('//evil.com');
expect(result).toBe('/dashboard');
});
it('should reject protocol-relative URL with path', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('//evil.com/dashboard');
expect(result).toBe('/dashboard');
});
it('should reject javascript: protocol', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('javascript:alert(1)');
expect(result).toBe('/dashboard');
});
it('should reject data: protocol', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('data:text/html,<script>alert(1)</script>');
expect(result).toBe('/dashboard');
});
});
describe('Invalid input handling', () => {
it('should return fallback when redirect is null', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(null);
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is undefined', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(undefined);
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is a number', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(123);
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is an object', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect({ path: '/dashboard' });
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is an empty string', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('');
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is only whitespace', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(' ');
expect(result).toBe('/dashboard');
});
it('should return fallback when redirect is an array', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(['/dashboard']);
expect(result).toBe('/dashboard');
});
});
describe('Custom fallback parameter', () => {
it('should use custom fallback when redirect is invalid', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('https://evil.com', '/projects');
expect(result).toBe('/projects');
});
it('should use custom fallback when redirect is null', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(null, '/home');
expect(result).toBe('/home');
});
it('should use custom fallback when redirect is undefined', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(undefined, '/login');
expect(result).toBe('/login');
});
it('should return valid redirect even when custom fallback is provided', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/dashboard', '/home');
expect(result).toBe('/dashboard');
});
});
describe('Edge cases', () => {
it('should reject URL with multiple slashes at start', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('///evil.com');
expect(result).toBe('/dashboard');
});
it('should handle path with encoded characters', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/dashboard%20test');
expect(result).toBe('/dashboard%20test');
});
it('should handle path with special characters', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/projects?name=test&id=123');
expect(result).toBe('/projects?name=test&id=123');
});
it('should reject backslash-based bypass attempt', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/\\evil.com');
expect(result).toBe('/\\evil.com'); // Valid local path (backslash is literal)
});
});
describe('Type safety', () => {
it('should accept string type for redirect parameter', async () => {
const { validateRedirect } = await import('../validateRedirect');
const redirect: string = '/dashboard';
const result = validateRedirect(redirect);
expect(result).toBe('/dashboard');
});
it('should accept unknown type for redirect parameter', async () => {
const { validateRedirect } = await import('../validateRedirect');
const redirect: unknown = '/dashboard';
const result = validateRedirect(redirect);
expect(result).toBe('/dashboard');
});
it('should return string type', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect('/dashboard');
expect(typeof result).toBe('string');
});
it('should accept optional fallback parameter', async () => {
const { validateRedirect } = await import('../validateRedirect');
// Should not throw when fallback is omitted
const result = validateRedirect('/dashboard');
expect(result).toBe('/dashboard');
});
it('should use default fallback when not provided', async () => {
const { validateRedirect } = await import('../validateRedirect');
const result = validateRedirect(null);
expect(result).toBe('/dashboard');
});
});
});

37
app/utils/validateRedirect.ts Normal file
View File

@@ -0,0 +1,37 @@
/**
* Validates a redirect URL to prevent open redirect vulnerabilities.
*
* Only allows same-origin redirects (paths starting with `/` but not `//`).
* External URLs, protocol-relative URLs, and invalid input are rejected.
*
* @param redirect - The redirect URL to validate (typically from query parameters)
* @param fallback - The fallback path to use if validation fails (default: '/dashboard')
* @returns A validated same-origin path or the fallback path
*
* @example
* ```typescript
* // Valid same-origin paths
* validateRedirect('/dashboard') // returns '/dashboard'
* validateRedirect('/projects/123') // returns '/projects/123'
*
* // Rejected external URLs (returns fallback)
* validateRedirect('https://evil.com') // returns '/dashboard'
* validateRedirect('//evil.com') // returns '/dashboard'
*
* // Invalid input (returns fallback)
* validateRedirect(null) // returns '/dashboard'
* validateRedirect(undefined) // returns '/dashboard'
*
* // Custom fallback
* validateRedirect('https://evil.com', '/login') // returns '/login'
* ```
*/
export const validateRedirect = (redirect: string | unknown, fallback = '/dashboard'): string => {
if (typeof redirect !== 'string') {
return fallback;
}
if (redirect.startsWith('/') && !redirect.startsWith('//')) {
return redirect;
}
return fallback;
}