feat(auth): Refactor OAuth2 authentication to support multiple flows and improve token management

Author: flarco

core/dbio/api/api_test.go

@@ -240,83 +240,29 @@ func TestOAuth2Authentication(t *testing.T) {
 		expectError bool
 		errorMsg    string
 	}{
-		{
-			name: "client_credentials_missing_client_id",
-			auth: Authentication{
-				"type":               AuthTypeOAuth2,
-				"flow":               "client_credentials",
-				"client_secret":      "secret123",
-				"authentication_url": "https://api.example.com/oauth/token",
-			},
-			expectError: true,
-			errorMsg:    "client_id is required",
-		},
 		{
 			name: "client_credentials_missing_client_secret",
 			auth: Authentication{
 				"type":               AuthTypeOAuth2,
-				"flow":               "client_credentials",
+				"flow":               OAuthFlowClientCredentials,
 				"client_id":          "client123",
 				"authentication_url": "https://api.example.com/oauth/token",
 			},
 			expectError: true,
 			errorMsg:    "client_secret is required",
 		},
 		{
-			name: "client_credentials_missing_auth_url",
-			auth: Authentication{
-				"type":          AuthTypeOAuth2,
-				"flow":          "client_credentials",
-				"client_id":     "client123",
-				"client_secret": "secret123",
-			},
-			expectError: true,
-			errorMsg:    "authentication_url is required",
-		},
-		{
-			name: "refresh_token_missing_token",
-			auth: Authentication{
-				"type":               AuthTypeOAuth2,
-				"flow":               "refresh_token",
-				"authentication_url": "https://api.example.com/oauth/token",
-			},
-			expectError: true,
-			errorMsg:    "refresh_token is required",
-		},
-		{
-			name: "password_missing_username",
+			name: "authorization_code_missing_auth_url",
 			auth: Authentication{
 				"type":               AuthTypeOAuth2,
-				"flow":               "password",
-				"password":           "pass123",
-				"authentication_url": "https://api.example.com/oauth/token",
-			},
-			expectError: true,
-			errorMsg:    "username is required",
-		},
-		{
-			name: "password_missing_password",
-			auth: Authentication{
-				"type":               AuthTypeOAuth2,
-				"flow":               "password",
-				"username":           "user123",
-				"authentication_url": "https://api.example.com/oauth/token",
-			},
-			expectError: true,
-			errorMsg:    "password is required",
-		},
-		{
-			name: "authorization_code_missing_code",
-			auth: Authentication{
-				"type":               AuthTypeOAuth2,
-				"flow":               "authorization_code",
+				"flow":               OAuthFlowAuthorizationCode,
 				"client_id":          "client123",
 				"client_secret":      "secret123",
 				"redirect_uri":       "https://app.example.com/callback",
-				"authentication_url": "https://api.example.com/oauth/token",
+				"authorization_url":  "https://api.example.com/oauth/authorize",
 			},
 			expectError: true,
-			errorMsg:    "authorization code is required",
+			errorMsg:    "authentication_url is required",
 		},
 		{
 			name: "unsupported_flow",
@@ -347,11 +293,8 @@ func TestOAuth2Authentication(t *testing.T) {
 			assert.NoError(t, err)
 			authOAuth, ok := authenticator.(*AuthenticatorOAuth2)
 			if assert.True(t, ok) {
-				_, err := authOAuth.performOAuth2Flow()
-
-				// We expect this to fail at HTTP request stage, not validation
-				assert.Error(t, err)
-				assert.Contains(t, err.Error(), tt.errorMsg)
+				authOAuth.conn = ac
+				err := authOAuth.Authenticate(ac.Context.Ctx, &ac.State.Auth)
 
 				if tt.expectError {
 					assert.Error(t, err)
@@ -382,7 +325,7 @@ func TestOAuth2FlowValidation(t *testing.T) {
 
 	ac.Spec.Authentication = Authentication{
 		"type":               AuthTypeOAuth2,
-		"flow":               "client_credentials",
+		"flow":               OAuthFlowClientCredentials,
 		"client_id":          "{secrets.CLIENT_ID}",
 		"client_secret":      "{secrets.CLIENT_SECRET}",
 		"authentication_url": "https://api.example.com/oauth/token",
@@ -393,11 +336,13 @@ func TestOAuth2FlowValidation(t *testing.T) {
 	authenticator, _ := ac.MakeAuthenticator()
 	authOAuth, ok := authenticator.(*AuthenticatorOAuth2)
 	if assert.True(t, ok) {
-		_, err := authOAuth.performOAuth2Flow()
+		authOAuth.conn = ac
+		err := authOAuth.Authenticate(ac.Context.Ctx, &ac.State.Auth)
 
 		// We expect this to fail at HTTP request stage, not validation
+		// The new implementation will fail when trying to get token from the oauth2 server
 		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to execute OAuth2 request")
+		assert.Contains(t, err.Error(), "failed to get token")
 	}
 }