loopauth 0.5.0

OAuth 2.0 Authorization Code + PKCE flow for CLI applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

#![expect(
    clippy::unwrap_used,
    reason = "tests do not need to meet production lint standards"
)]

use async_trait::async_trait;
use loopauth::{
    CliTokenClient, PageContext, RequestScope, SuccessPageRenderer, test_support::FakeOAuthServer,
};
use std::sync::{Arc, Mutex};

/// Captures the scopes from `PageContext` during rendering.
struct ScopeCapturingRenderer {
    captured_scopes: Arc<Mutex<Vec<String>>>,
}

#[async_trait]
impl SuccessPageRenderer for ScopeCapturingRenderer {
    async fn render_success(&self, ctx: &PageContext<'_>) -> String {
        let scopes: Vec<String> = ctx.scopes().iter().map(ToString::to_string).collect();
        *self.captured_scopes.lock().unwrap() = scopes;
        "ok".to_string()
    }
}

/// When the provider returns a narrower scope than requested, `PageContext.scopes()`
/// should reflect the provider-granted scopes, not the builder-configured scopes.
///
/// RFC 6749 §5.1: "If the scope of the access token is identical to the scope
/// requested by the client, the authorization server MAY omit the scope
/// response parameter. If the issued scope differs, the authorization server
/// MUST include the scope response parameter."
#[tokio::test]
async fn page_context_shows_response_granted_scopes_not_builder_scopes() {
    // Server grants only "read", even though client requests "read" and "write"
    let fake = FakeOAuthServer::start_with_scope("tok", "read").await;
    tokio::task::yield_now().await;

    let captured_scopes: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(vec![]));
    let renderer_scopes = Arc::clone(&captured_scopes);

    let (url_tx, url_rx) = std::sync::mpsc::channel::<String>();

    tokio::spawn(async move {
        if let Ok(url) = url_rx.recv() {
            let _ = reqwest::get(url).await;
        }
    });

    let client = CliTokenClient::builder()
        .client_id("test-client")
        .auth_url(fake.auth_url())
        .token_url(fake.token_url())
        .add_scopes([
            RequestScope::Custom("read".into()),
            RequestScope::Custom("write".into()),
        ])
        .open_browser(false)
        .success_renderer(ScopeCapturingRenderer {
            captured_scopes: renderer_scopes,
        })
        .on_url(move |url| {
            let _ = url_tx.send(url.to_string());
        })
        .build();

    let tokens = client.run_authorization_flow().await.unwrap();

    // TokenSet.scopes() should reflect the response-granted scope
    let token_scopes: Vec<String> = tokens.scopes().iter().map(ToString::to_string).collect();
    assert_eq!(
        token_scopes,
        vec!["read"],
        "TokenSet should have response-granted scopes"
    );

    // PageContext.scopes() should ALSO reflect the response-granted scope,
    // not the builder-configured ["read", "write"]
    let page_scopes = captured_scopes.lock().unwrap().clone();
    assert_eq!(
        page_scopes,
        vec!["read"],
        "PageContext should show response-granted scopes, not builder-configured scopes"
    );
}

/// When the provider omits scope from the response, `PageContext.scopes()` should
/// fall back to the requested scopes per RFC 6749 §5.1.
#[tokio::test]
async fn page_context_falls_back_to_requested_scopes_when_response_omits_scope() {
    // Server returns no scope field — standard FakeOAuthServer behavior
    let fake = FakeOAuthServer::start("tok").await;
    tokio::task::yield_now().await;

    let captured_scopes: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(vec![]));
    let renderer_scopes = Arc::clone(&captured_scopes);

    let (url_tx, url_rx) = std::sync::mpsc::channel::<String>();

    tokio::spawn(async move {
        if let Ok(url) = url_rx.recv() {
            let _ = reqwest::get(url).await;
        }
    });

    let client = CliTokenClient::builder()
        .client_id("test-client")
        .auth_url(fake.auth_url())
        .token_url(fake.token_url())
        .add_scopes([
            RequestScope::Custom("read".into()),
            RequestScope::Custom("write".into()),
        ])
        .open_browser(false)
        .success_renderer(ScopeCapturingRenderer {
            captured_scopes: renderer_scopes,
        })
        .on_url(move |url| {
            let _ = url_tx.send(url.to_string());
        })
        .build();

    let tokens = client.run_authorization_flow().await.unwrap();

    // When provider omits scope, TokenSet uses the requested scopes
    let token_scopes: Vec<String> = tokens.scopes().iter().map(ToString::to_string).collect();
    assert!(
        token_scopes.contains(&"read".to_string()),
        "TokenSet should fall back to requested scopes"
    );
    assert!(
        token_scopes.contains(&"write".to_string()),
        "TokenSet should fall back to requested scopes"
    );

    // PageContext should match TokenSet — both use response-granted (or fallback) scopes
    let page_scopes = captured_scopes.lock().unwrap().clone();
    assert_eq!(
        page_scopes, token_scopes,
        "PageContext scopes should match TokenSet scopes"
    );
}