add revoke

id.saladeaula.digital/tests/conftest.py

@@ -24,7 +24,6 @@ def pytest_configure():
     os.environ['OAUTH2_SCOPES_SUPPORTED'] = (
         'openid profile email offline_access read:users'
     )
-    # os.environ['POWERTOOLS_LOGGER_LOG_EVENT'] = 'true'
 
 
 @dataclass

id.saladeaula.digital/tests/routes/test_authorize.py

@@ -6,7 +6,6 @@ from routes.session import new_session
 
 from ..conftest import HttpApiProxy, LambdaContext
 
-CLIENT_ID = 'd72d4005-1fa7-4430-9754-80d5e2487bb6'
 USER_ID = '357db1c5-7442-4075-98a3-fbe5c938a419'
 
 
@@ -17,7 +16,7 @@ def test_authorize(
     http_api_proxy: HttpApiProxy,
     lambda_context: LambdaContext,
 ):
-    session_id = new_session(USER_ID, 'read:users')
+    session_id = new_session(USER_ID)
 
     r = app.lambda_handler(
         http_api_proxy(
@@ -25,7 +24,7 @@ def test_authorize(
             method=HTTPMethod.GET,
             query_string_parameters={
                 'response_type': 'code',
-                'client_id': CLIENT_ID,
+                'client_id': 'd72d4005-1fa7-4430-9754-80d5e2487bb6',
                 'redirect_uri': 'https://localhost/callback',
                 'scope': 'openid offline_access read:users',
                 'nonce': '123',
@@ -61,7 +60,7 @@ def test_unauthorized(
     http_api_proxy: HttpApiProxy,
     lambda_context: LambdaContext,
 ):
-    session_id = new_session(USER_ID, 'read:enrollments')
+    session_id = new_session(USER_ID)
 
     r = app.lambda_handler(
         http_api_proxy(
@@ -69,7 +68,7 @@ def test_unauthorized(
             method=HTTPMethod.GET,
             query_string_parameters={
                 'response_type': 'code',
-                'client_id': CLIENT_ID,
+                'client_id': '6ebe1709-0831-455c-84c0-d4c753bf33c6',
                 'redirect_uri': 'https://localhost/callback',
                 'scope': 'openid email offline_access',
                 'nonce': '123',
@@ -100,7 +99,7 @@ def test_authorize_revoked(
             method=HTTPMethod.GET,
             query_string_parameters={
                 'response_type': 'code',
-                'client_id': CLIENT_ID,
+                'client_id': 'd72d4005-1fa7-4430-9754-80d5e2487bb6',
                 'redirect_uri': 'https://localhost/callback',
                 'scope': 'openid offline_access',
                 'nonce': '123',

id.saladeaula.digital/tests/routes/test_revoke.py

@@ -0,0 +1,109 @@
+import json
+import pprint
+from base64 import b64encode
+from http import HTTPMethod, HTTPStatus
+from urllib.parse import urlencode
+
+import pytest
+from layercake.dynamodb import DynamoDBPersistenceLayer
+
+from ..conftest import HttpApiProxy, LambdaContext
+
+CLIENT_ID = '1db63660-063d-4280-b2ea-388aca4a9459'
+CLIENT_SECRET = '1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W'
+AUTH = b64encode(f'{CLIENT_ID}:{CLIENT_SECRET}'.encode()).decode()
+
+
+@pytest.fixture
+def token(
+    app,
+    seeds,
+    dynamodb_persistence_layer: DynamoDBPersistenceLayer,
+    http_api_proxy: HttpApiProxy,
+    lambda_context: LambdaContext,
+):
+    r = app.lambda_handler(
+        http_api_proxy(
+            raw_path='/token',
+            method=HTTPMethod.POST,
+            headers={
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Authorization': f'Basic {AUTH}',
+            },
+            body=urlencode(
+                {
+                    'grant_type': 'authorization_code',
+                    'redirect_uri': 'https://localhost/callback',
+                    'code': 'kyqp3oSuRFTfuBaCmq3XOgGWg67l42Kt3D6xPEj7Yd3MLdi9',
+                    'code_verifier': '9072df2d3709425993e733f38fb27a825b8860e699364ce9abafdf51077c0bdb4e456ddb741147a4bec4eeda782d92cc',
+                }
+            ),
+        ),
+        lambda_context,
+    )
+    return json.loads(r['body'])
+
+
+def test_token(
+    app,
+    token,
+    seeds,
+    dynamodb_persistence_layer: DynamoDBPersistenceLayer,
+    http_api_proxy: HttpApiProxy,
+    lambda_context: LambdaContext,
+):
+    access_token = token['access_token']
+
+    tokens = dynamodb_persistence_layer.query(
+        key_cond_expr='#pk = :pk',
+        expr_attr_name={
+            '#pk': 'id',
+        },
+        expr_attr_values={
+            ':pk': 'OAUTH2#TOKEN',
+        },
+    )
+
+    assert len(tokens['items']) == 2
+
+    r = app.lambda_handler(
+        http_api_proxy(
+            raw_path='/revoke',
+            method=HTTPMethod.POST,
+            headers={
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Authorization': f'Basic {AUTH}',
+            },
+            body=urlencode(
+                {
+                    'token': access_token,
+                    # 'token_type_hint': 'access_token',
+                }
+            ),
+        ),
+        lambda_context,
+    )
+
+    assert r['statusCode'] == HTTPStatus.OK
+
+    tokens = dynamodb_persistence_layer.query(
+        key_cond_expr='#pk = :pk',
+        expr_attr_name={
+            '#pk': 'id',
+        },
+        expr_attr_values={
+            ':pk': 'OAUTH2#TOKEN',
+        },
+    )
+    assert len(tokens['items']) == 0
+
+    sessions = dynamodb_persistence_layer.query(
+        key_cond_expr='#pk = :pk',
+        expr_attr_name={
+            '#pk': 'id',
+        },
+        expr_attr_values={
+            ':pk': 'SESSION',
+        },
+    )
+    assert len(sessions['items']) == 0

id.saladeaula.digital/tests/routes/test_session.py

@@ -27,4 +27,5 @@ def test_session(
     assert len(r['cookies']) == 1
 
     session = dynamodb_persistence_layer.collection.query(PartitionKey('SESSION'))
-    assert len(session['items']) == 1
+    # One seesion if created from seeds
+    assert len(session['items']) == 2

id.saladeaula.digital/tests/routes/test_token.py

@@ -35,50 +35,50 @@ def test_token(
         ),
         lambda_context,
     )
-    auth_token = json.loads(r['body'])
-    print(auth_token)
 
-    # assert r['statusCode'] == HTTPStatus.OK
-    # assert auth_token['expires_in'] == 600
+    # print(r)
 
-    # r = dynamodb_persistence_layer.query(
-    #     key_cond_expr='#pk = :pk',
-    #     expr_attr_name={
-    #         '#pk': 'id',
-    #     },
-    #     expr_attr_values={
-    #         ':pk': 'OAUTH2#TOKEN',
-    #     },
-    # )
-    # assert len(r['items']) == 2
+    assert r['statusCode'] == HTTPStatus.OK
 
-    # r = app.lambda_handler(
-    #     http_api_proxy(
-    #         raw_path='/token',
-    #         method=HTTPMethod.POST,
-    #         headers={
-    #             'Content-Type': 'application/x-www-form-urlencoded',
-    #         },
-    #         body=urlencode(
-    #             {
-    #                 'grant_type': 'refresh_token',
-    #                 'refresh_token': auth_token['refresh_token'],
-    #                 'client_id': client_id,
-    #             }
-    #         ),
-    #     ),
-    #     lambda_context,
-    # )
+    r = json.loads(r['body'])
+    assert r['expires_in'] == 600
 
-    # assert r['statusCode'] == HTTPStatus.OK
+    tokens = dynamodb_persistence_layer.query(
+        key_cond_expr='#pk = :pk',
+        expr_attr_name={
+            '#pk': 'id',
+        },
+        expr_attr_values={
+            ':pk': 'OAUTH2#TOKEN',
+        },
+    )
+    assert len(tokens['items']) == 2
 
-    # r = dynamodb_persistence_layer.query(
-    #     key_cond_expr='#pk = :pk',
-    #     expr_attr_name={
-    #         '#pk': 'id',
-    #     },
-    #     expr_attr_values={
-    #         ':pk': 'OAUTH2#TOKEN',
-    #     },
-    # )
-    # assert len(r['items']) == 3
+    r = app.lambda_handler(
+        http_api_proxy(
+            raw_path='/token',
+            method=HTTPMethod.POST,
+            headers={
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body=urlencode(
+                {
+                    'grant_type': 'refresh_token',
+                    'refresh_token': r['refresh_token'],
+                    'client_id': client_id,
+                }
+            ),
+        ),
+        lambda_context,
+    )
+
+    r = dynamodb_persistence_layer.query(
+        key_cond_expr='#pk = :pk',
+        expr_attr_name={
+            '#pk': 'id',
+        },
+        expr_attr_values={
+            ':pk': 'OAUTH2#TOKEN',
+        },
+    )
+    assert len(r['items']) == 3

id.saladeaula.digital/tests/seeds.jsonl

@@ -1,11 +1,17 @@
 // OAuth2
-{"id": "OAUTH2", "sk": "CLIENT_ID#d72d4005-1fa7-4430-9754-80d5e2487bb6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "none"}
-{"id": "OAUTH2#CODE", "sk": "CODE#kyqp3oSuRFTfuBaCmq3XOgGWg67l42Kt3D6xPEj7Yd3MLdi9", "client_id": "d72d4005-1fa7-4430-9754-80d5e2487bb6", "redirect_uri": "https://localhost/callback", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419", "nonce": null, "scope": "openid profile email", "response_type": "code", "code_challenge": "ejYEIGKQUgMnNh4eV0sftb0hXdLwkvKm6OHXRYvC--I", "code_challenge_method": "S256", "created_at": "2025-08-07T12:38:26.550431-03:00"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#d72d4005-1fa7-4430-9754-80d5e2487bb6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 1", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "none"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#6ebe1709-0831-455c-84c0-d4c753bf33c6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 2", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access", "token_endpoint_auth_method": "none"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#1db63660-063d-4280-b2ea-388aca4a9459", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 3", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "client_secret_basic"}
+{"id": "OAUTH2#CODE", "sk": "CODE#kyqp3oSuRFTfuBaCmq3XOgGWg67l42Kt3D6xPEj7Yd3MLdi9", "client_id": "d72d4005-1fa7-4430-9754-80d5e2487bb6", "redirect_uri": "https://localhost/callback", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419", "nonce": null, "scope": "openid profile email read:users", "response_type": "code", "code_challenge": "ejYEIGKQUgMnNh4eV0sftb0hXdLwkvKm6OHXRYvC--I", "code_challenge_method": "S256", "created_at": "2025-08-07T12:38:26.550431-03:00"}
 
 {"id": "email", "sk": "sergio@somosbeta.com.br", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"}
 {"id": "cpf", "sk": "07879819908", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"}
 
+// Session
+{"id": "SESSION", "sk": "36af142e-9f6d-49d3-bfe9-6a6bd6ab2712", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"}
+
 // User data
 {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "0", "name": "Sérgio R Siqueira", "email": "sergio@somosbeta.com.br"}
 {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "PASSWORD", "hash": "$pbkdf2-sha256$29000$IuTcm7M2BiAEgPB.b.3dGw$d8xVCbx8zxg7MeQBrOvCOgniiilsIHEMHzoH/OXftLQ"}
-{"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SCOPE", "scope": "read:users"}
+{"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SCOPE", "scope": "read:users read:enrollments"}
+{"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SESSION#36af142e-9f6d-49d3-bfe9-6a6bd6ab2712", "created_at": "2025-09-17T13:44:34.544491-03:00", "ttl": 1760719474}