thalos-web/src/auth/callbackState.test.ts

import { afterEach, describe, expect, it, vi } from 'vitest';
import { parseOidcCallbackState } from './callbackState';
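/**
 * Tests for parseOidcCallbackState, which turns the OIDC callback query string
 * into either an error state or a success state carrying a post-login return path.
 *
 * The returnUrl parameter comes straight from the query string, so these tests
 * pin the open-redirect contract: only a target on the app's own origin is
 * honoured, reduced to path + query; anything else becomes '/session'.
 */
describe('callback state parser', () => {
  // Clear the global app config and any env stubs so no state leaks between tests.
  afterEach(() => {
    delete window.__APP_CONFIG__;
    vi.unstubAllEnvs();
  });

  it('returns error state when callback has error query', () => {
    const result = parseOidcCallbackState('?error=access_denied&error_description=User%20cancelled');
    expect(result.kind).toBe('error');
    // The guard narrows the union so `message` is accessible to the type checker.
    if (result.kind === 'error') {
      // NOTE(review): error_description is caller-controlled text from the URL;
      // presumably the consumer renders `message` as plain text. Confirm at the call site.
      expect(result.message).toBe('User cancelled');
    }
  });

  it('returns success state with sanitized same-origin return path', () => {
    const sameOriginTarget = `${window.location.origin}/session?tab=profile`;
    const result = parseOidcCallbackState(`?returnUrl=${encodeURIComponent(sameOriginTarget)}`);
    // The origin is stripped: only path and query survive.
    expect(result).toEqual({ kind: 'success', returnPath: '/session?tab=profile' });
  });

  it('rejects external return paths and falls back to /session', () => {
    const result = parseOidcCallbackState('?returnUrl=https%3A%2F%2Fevil.example%2Fpwn');
    expect(result).toEqual({ kind: 'success', returnPath: '/session' });
  });

  // An absolute https URL is not the only way to name another origin. These
  // constructed inputs cover a scheme-relative target and a non-http(s) scheme,
  // both of which fall under the "external return path" contract pinned above.
  it.each(['//evil.example/pwn', 'javascript:void(0)'])(
    'rejects non-same-origin return target %s and falls back to /session',
    (target) => {
      const result = parseOidcCallbackState(`?returnUrl=${encodeURIComponent(target)}`);
      expect(result).toEqual({ kind: 'success', returnPath: '/session' });
    },
  );
});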