/**
* mysql-mcp - OAuth Resource Server Unit Tests
*
* Tests for OAuthResourceServer RFC 9728 compliance including
* metadata generation, scope validation, and configuration.
*/
import { describe, it, expect, beforeEach } from "vitest";
import {
OAuthResourceServer,
createOAuthResourceServer,
} from "../OAuthResourceServer.js";
import type { ResourceServerConfig } from "../types.js";
describe("OAuthResourceServer", () => {
let config: ResourceServerConfig;
let server: OAuthResourceServer;
beforeEach(() => {
config = {
resource: "https://mysql-mcp.example.com",
authorizationServers: ["https://auth.example.com"],
scopesSupported: ["read", "write", "admin"],
};
server = new OAuthResourceServer(config);
});
describe("Construction", () => {
it("should create server with config", () => {
expect(server).toBeInstanceOf(OAuthResourceServer);
});
it("should set default bearer methods when not provided", () => {
const metadata = server.getMetadata();
expect(metadata.bearer_methods_supported).toEqual(["header"]);
});
it("should use provided bearer methods", () => {
const customServer = new OAuthResourceServer({
...config,
bearerMethodsSupported: ["header", "body"],
});
const metadata = customServer.getMetadata();
expect(metadata.bearer_methods_supported).toEqual(["header", "body"]);
});
});
describe("getMetadata()", () => {
it("should return RFC 9728 compliant structure", () => {
const metadata = server.getMetadata();
expect(metadata).toHaveProperty("resource");
expect(metadata).toHaveProperty("authorization_servers");
expect(metadata).toHaveProperty("scopes_supported");
expect(metadata).toHaveProperty("bearer_methods_supported");
expect(metadata).toHaveProperty("resource_documentation");
expect(metadata).toHaveProperty("resource_signing_alg_values_supported");
});
it("should include correct resource identifier", () => {
const metadata = server.getMetadata();
expect(metadata.resource).toBe("https://mysql-mcp.example.com");
});
it("should include authorization servers", () => {
const metadata = server.getMetadata();
expect(metadata.authorization_servers).toEqual([
"https://auth.example.com",
]);
});
it("should include supported scopes", () => {
const metadata = server.getMetadata();
expect(metadata.scopes_supported).toEqual(["read", "write", "admin"]);
});
it("should generate documentation URL", () => {
const metadata = server.getMetadata();
expect(metadata.resource_documentation).toBe(
"https://mysql-mcp.example.com/docs",
);
});
it("should include signing algorithms", () => {
const metadata = server.getMetadata();
expect(metadata.resource_signing_alg_values_supported).toContain("RS256");
expect(metadata.resource_signing_alg_values_supported).toContain("ES256");
});
});
describe("getWellKnownPath()", () => {
it("should return correct well-known path", () => {
expect(server.getWellKnownPath()).toBe(
"/.well-known/oauth-protected-resource",
);
});
});
describe("isScopeSupported()", () => {
it("should return true for explicitly supported scopes", () => {
expect(server.isScopeSupported("read")).toBe(true);
expect(server.isScopeSupported("write")).toBe(true);
expect(server.isScopeSupported("admin")).toBe(true);
});
it("should return false for unsupported scopes", () => {
expect(server.isScopeSupported("delete")).toBe(false);
expect(server.isScopeSupported("unknown")).toBe(false);
});
it("should accept db: prefixed scopes", () => {
expect(server.isScopeSupported("db:mydb")).toBe(true);
expect(server.isScopeSupported("db:testdb:read")).toBe(true);
});
it("should accept table: prefixed scopes", () => {
expect(server.isScopeSupported("table:users")).toBe(true);
expect(server.isScopeSupported("table:orders:write")).toBe(true);
});
it("should reject invalid scope patterns", () => {
expect(server.isScopeSupported("database:mydb")).toBe(false);
expect(server.isScopeSupported("TB:users")).toBe(false);
});
});
describe("getResourceId()", () => {
it("should return resource identifier", () => {
expect(server.getResourceId()).toBe("https://mysql-mcp.example.com");
});
});
describe("getSupportedScopes()", () => {
it("should return copy of scopes array", () => {
const scopes = server.getSupportedScopes();
expect(scopes).toEqual(["read", "write", "admin"]);
// Verify it's a copy
scopes.push("modified");
expect(server.getSupportedScopes()).toEqual(["read", "write", "admin"]);
});
});
describe("getAuthorizationServers()", () => {
it("should return copy of authorization servers", () => {
const servers = server.getAuthorizationServers();
expect(servers).toEqual(["https://auth.example.com"]);
// Verify it's a copy
servers.push("https://auth2.example.com");
expect(server.getAuthorizationServers()).toEqual([
"https://auth.example.com",
]);
});
it("should support multiple authorization servers", () => {
const multiServer = new OAuthResourceServer({
...config,
authorizationServers: [
"https://auth1.example.com",
"https://auth2.example.com",
],
});
expect(multiServer.getAuthorizationServers()).toEqual([
"https://auth1.example.com",
"https://auth2.example.com",
]);
});
});
});
describe("createOAuthResourceServer()", () => {
it("should create OAuthResourceServer instance", () => {
const server = createOAuthResourceServer({
resource: "https://test.example.com",
authorizationServers: ["https://auth.example.com"],
scopesSupported: ["read"],
});
expect(server).toBeInstanceOf(OAuthResourceServer);
});
it("should pass config to server", () => {
const server = createOAuthResourceServer({
resource: "https://custom.example.com",
authorizationServers: ["https://auth.example.com"],
scopesSupported: ["custom-scope"],
});
expect(server.getResourceId()).toBe("https://custom.example.com");
expect(server.getSupportedScopes()).toContain("custom-scope");
});
});
