brandon/nextcloud-mcp-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Remove old [skip ci]

Browse Source
This commit is contained in:
Chris Coutinho
2025-10-25 20:43:12 +02:00
parent 57a2157c58
commit 90b96a8afe
5 changed files with 0 additions and 835 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DCR_DELETION_INVESTIGATION.md
-250
View File
@@ -1,250 +0,0 @@
# DCR Client Deletion Investigation
## Summary
**RESOLVED** - As of 2025-10-24, Dynamic Client Registration (DCR) via RFC 7591 **and** RFC 7592 client deletion now work correctly in Nextcloud's OIDC server!
**Historical Note**: This document was originally created to investigate DCR deletion failures. The issue has been resolved by merging two feature branches (`feature/user-consent-complete` and `feature/dcr-jwt-scopes`) that implement RFC 7592 support.
## Resolution Summary (2025-10-24)
### What Now Works ✅
- **Client Registration** (RFC 7591): Successfully creates OAuth clients with custom scopes and token types
- **Registration Access Token**: ✅ Now included in registration response per RFC 7592
- **Registration Client URI**: ✅ Now included in registration response per RFC 7592
- **Client Deletion** (RFC 7592): ✅ Now works with Bearer token authentication
- **Token Acquisition**: Registered clients can obtain access tokens via authorization code flow
- **API Access**: Tokens work correctly for accessing Nextcloud APIs
### Test Evidence
The test `test_new_dcr_registration_includes_access_token` in `tests/server/oauth/test_dcr_new_implementation.py` confirms:
**Registration Response:**
```json
{
"client_id": "wynkPur15ibby0Ma2FUOMyv4JdmtxqlRepvGmERrE36RYmquuExma1srAgDG1rKZ",
"client_secret": "agaZU3WdffOy4o6TS4vZ...",
"registration_access_token": "uKycqheAzw2UMZUL58Ir...",
"registration_client_uri": "http://localhost:8080/apps/oidc/register/wynkPur15ibby0Ma2FUOMyv4JdmtxqlRepvGmERrE36RYmquuExma1srAgDG1rKZ",
...
}
```
**Deletion Test:**
- Endpoint: `DELETE /apps/oidc/register/{client_id}`
- Authentication: `Authorization: Bearer {registration_access_token}`
- Response: **204 No Content**
### Implementation Details
The resolution required:
1. Merging `feature/user-consent-complete` and `feature/dcr-jwt-scopes` branches
2. Adding missing classes to composer autoload files:
- `OCA\OIDCIdentityProvider\Db\RegistrationToken`
- `OCA\OIDCIdentityProvider\Db\RegistrationTokenMapper`
- `OCA\OIDCIdentityProvider\Service\RegistrationTokenService`
3. Fixing method calls in `DynamicRegistrationController.php`:
- Changed `findByClientId()` to `getByClientId()` for RedirectUriMapper
- Removed logout redirect URI deletion (not client-specific in schema)
4. Database migration applied automatically (`oc_oidc_reg_tokens` table created)
### Files Modified
- `third_party/oidc/composer/composer/autoload_classmap.php` - Added 3 new class mappings
- `third_party/oidc/composer/composer/autoload_static.php` - Added 3 new class mappings
- `third_party/oidc/lib/Controller/DynamicRegistrationController.php` - Fixed deletion logic
- `third_party/oidc/lib/Db/LogoutRedirectUriMapper.php` - Added `deleteByClientId()` method
## Technical Details
### Registration Response Analysis
When registering a client via POST to `/apps/oidc/register`, the response includes:
```json
{
"client_name": "DCR Lifecycle Test Client",
"client_id": "eVdV1obTHUhtQiBOLnDcOucZE3sQA6J7JgzsDFsnpgzLkWSNEPXHJbpSfjLUU5ot",
"client_secret": "iqNeH5inrdTPh6hYGOmvlML7SWqHPHpMZp9CQlNHNnKGf6VZ8pSeaSC1EBrDRmyd",
"redirect_uris": ["http://localhost:8081"],
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code"],
"grant_types": ["authorization_code"],
"id_token_signed_response_alg": "RS256",
"application_type": "web",
"client_id_issued_at": 1761286688,
"client_secret_expires_at": 1761290288,
"scope": "openid profile email notes:read",
"token_type": "Bearer"
}
```
**Missing:** `registration_access_token` and `registration_client_uri`
### Deletion Attempt Analysis
Attempting DELETE to `/apps/oidc/register/{client_id}` with various authentication methods:
#### Method 1: HTTP Basic Auth
- **Authentication**: HTTP Basic Auth with `client_id` as username, `client_secret` as password
- **Response**: 401 Unauthorized
- **Response Body**: `{"message":""}`
#### Method 2: Credentials in JSON Body
- **Authentication**: JSON body with `client_id` and `client_secret`
- **Response**: N/A (httpx.AsyncClient.delete() doesn't support `json` parameter)
#### Method 3: Credentials in Query Parameters
- **Authentication**: Query params `?client_id=...&client_secret=...`
- **Response**: 500 Internal Server Error (server-side exception when parsing query params)
#### Method 4: No Authentication (Baseline)
- **Authentication**: None
- **Response**: 401 Unauthorized
- **Response Body**: `{"error":"invalid_client","error_description":"Client authentication failed."}`
**Conclusion**: The 401 error occurs with HTTP Basic Auth (the standard RFC 7592 method). Query parameters cause a 500 error (not supported). No authentication returns 401 as expected.
### RFC 7592 Requirements (Not Met)
According to [RFC 7592 Section 3](https://www.rfc-editor.org/rfc/rfc7592.html#section-3), the registration endpoint MUST return:
1. **`registration_access_token`**: A token for subsequent management operations (read, update, delete)
2. **`registration_client_uri`**: The URI for managing this client
The client delete request should then use:
```http
DELETE /apps/oidc/register/{client_id}
Authorization: Bearer {registration_access_token}
```
## Root Cause Analysis
### Possible Causes
1. **Nextcloud OIDC Server Implementation Gap**
- The OIDC server (likely based on third-party library) may not fully implement RFC 7592
- Registration (RFC 7591) is implemented, but management operations (RFC 7592) are not
2. **Middleware Blocking**
- Nextcloud middleware may be blocking unauthenticated DELETE requests to `/apps/oidc/*`
- The 401 error suggests authentication is being checked but failing
3. **Missing Feature**
- Client deletion may simply not be implemented in the current OIDC app version
- The endpoint exists but returns 401 regardless of credentials
## Impact on Test Fixtures
### Current Fixture Behavior
The `shared_oauth_client_credentials` and `shared_jwt_oauth_client_credentials` fixtures in `tests/conftest.py` (lines 947-1112) attempt to clean up registered clients using:
```python
success = await delete_client(
nextcloud_url=nextcloud_host,
client_id=client_id,
client_secret=client_secret,
)
```
This cleanup **always fails** (returns `False`) due to the 401 error, but the failure is handled gracefully with a warning:
```python
except Exception as e:
logger.warning(
f"Error cleaning up shared OAuth client {client_id[:16]}...: {e}"
)
```
### Consequences
1. **OAuth Clients Accumulate**: Every test session registers 2 OAuth clients that are never deleted
2. **No Functional Impact**: Tests continue to work because:
- Clients have 1-hour expiration (`client_secret_expires_at`)
- New clients are registered for each session
- Old clients expire automatically
3. **Database Bloat**: Over time, the `oc_oauth2_clients` table may accumulate expired clients
## Recommendations
### Short Term (Current Approach)
1. **Keep Current Warning-Based Approach**: The fixtures already handle deletion failure gracefully
2. **Document Expected Behavior**: Add comments explaining that deletion is expected to fail
3. **Accept Client Accumulation**: Rely on automatic expiration (1 hour)
### Long Term (If DCR Deletion Needed)
1. **Check Nextcloud OIDC App Version**: Verify if newer versions support RFC 7592 deletion
2. **File Bug Report**: Report missing `registration_access_token` to Nextcloud OIDC project
3. **Alternative Cleanup**: Use Nextcloud admin API to delete OAuth clients directly
- Requires admin credentials
- Bypass OIDC app's DCR endpoint
- Example: `occ oauth:clients:delete {client_id}`
### Recommended Fixture Update
```python
@pytest.fixture(scope="session")
async def shared_oauth_client_credentials(anyio_backend, oauth_callback_server):
"""
... existing docstring ...
Note:
Client deletion via RFC 7592 is not supported by Nextcloud OIDC server
(missing registration_access_token). Clients will expire after 1 hour
automatically. Manual cleanup via admin API may be needed in production.
"""
# ... registration code ...
yield (...)
# Cleanup: Attempt deletion (expected to fail due to RFC 7592 limitation)
try:
logger.info(f"Attempting cleanup of shared OAuth client: {client_id[:16]}...")
success = await delete_client(
nextcloud_url=nextcloud_host,
client_id=client_id,
client_secret=client_secret,
)
if success:
logger.info(f"✅ Successfully deleted client: {client_id[:16]}...")
else:
logger.warning(
f"⚠️ Client deletion not supported by Nextcloud OIDC server. "
f"Client {client_id[:16]}... will expire automatically in 1 hour."
)
except Exception as e:
logger.warning(
f"⚠️ Error during client cleanup (expected): {e}. "
f"Client will expire automatically."
)
```
## Test File Status
Created `tests/server/oauth/test_dcr_lifecycle.py` with 4 comprehensive tests:
1.`test_dcr_register_and_delete_lifecycle` - Documents full lifecycle (fails at deletion step as expected)
2.`test_dcr_delete_with_wrong_credentials` - Verifies authentication behavior
3.`test_dcr_delete_nonexistent_client` - Tests error handling
4.`test_dcr_deletion_is_idempotent` - Tests repeated deletion attempts
**All tests currently fail at the deletion step**, which is expected given the RFC 7592 limitation.
## Next Steps
1. **Update fixture comments** to document expected deletion failure
2. **Mark deletion tests as expected failures** using `@pytest.mark.xfail`
3. **Consider removing deletion tests** if they don't provide value (since deletion doesn't work)
4. **Investigate Nextcloud admin API** as alternative cleanup method for CI/CD environments
5. **Monitor Nextcloud OIDC app updates** for RFC 7592 support
## References
- [RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html)
- [RFC 7592 - OAuth 2.0 Dynamic Client Registration Management Protocol](https://www.rfc-editor.org/rfc/rfc7592.html)
- Nextcloud OIDC App: Check `docker-compose.yml` for app location
- Test Evidence: `tests/server/oauth/test_dcr_lifecycle.py` line 254-256 (401 response details)
INTROSPECTION_VERIFICATION.md
-288
View File
@@ -1,288 +0,0 @@
# Token Introspection Authorization Verification
**Date**: 2025-10-23
**Feature Branch**: `feature/opaque-introspection`
**Commit**: 52f417d - "Restrict introspection endpoint to audience/resource server"
## Summary
The OIDC app's token introspection endpoint (`/apps/oidc/introspect`) has been successfully verified to implement proper authorization controls. The implementation ensures that only authorized clients can introspect tokens, preventing unauthorized access to token information.
## Authorization Rules Implemented
The introspection endpoint implements a **two-factor authorization check** (IntrospectionController.php:193-238):
### 1. Client Must Be the Resource Server (Audience)
- **Rule**: `tokenResource === requestingClientId`
- **Purpose**: Allows resource servers to validate tokens intended for them
- **Example**: If a token has `resource=api.example.com`, then `api.example.com` can introspect it
### 2. OR Client Must Own the Token
- **Rule**: `tokenClient === requestingClientId`
- **Purpose**: Allows clients to introspect their own tokens
- **Example**: If client A issued a token, client A can introspect it
### 3. Unauthorized Requests Return `{active: false}`
- **Security**: RFC 7662 compliant - doesn't reveal token existence
- **Protection**: Prevents clients from discovering or validating tokens they don't own
## Client Authentication Required
All introspection requests **must** include client credentials (IntrospectionController.php:125-136):
- **Supported Methods**:
- HTTP Basic Authentication: `Authorization: Basic base64(client_id:client_secret)`
- POST body parameters: `client_id` and `client_secret`
- **Failed Authentication**: Returns `401 UNAUTHORIZED` with error response
## Test Coverage
### PHP Unit Tests (OIDC App)
**Location**: `third_party/oidc/tests/Unit/Controller/IntrospectionControllerTest.php`
**Coverage** (✅ All tests pass in CI):
1.**testInvalidClientCredentials** - Verifies 401 when credentials are missing
2.**testMissingTokenParameter** - Verifies 400 when token parameter is missing
3.**testTokenNotFound** - Verifies `{active: false}` for unknown tokens
4.**testExpiredToken** - Verifies `{active: false}` for expired tokens
5.**testValidTokenIntrospection** - Verifies client can introspect its own token
6.**testTokenIntrospectionAsResourceServer** - Verifies resource server can introspect token
7.**testTokenIntrospectionDeniedWrongAudience** - Verifies unauthorized client gets `{active: false}`
8.**testClientAuthenticationWithPostBody** - Verifies POST body authentication works
### Python Integration Tests (MCP Server)
**Location**: `tests/server/test_introspection_authorization.py`
**Test Results** (Run on 2025-10-23):
```
tests/server/test_introspection_authorization.py::test_introspection_requires_client_authentication PASSED
tests/server/test_introspection_authorization.py::test_client_cannot_introspect_other_clients_tokens SKIPPED
tests/server/test_introspection_authorization.py::test_introspection_with_resource_parameter SKIPPED
tests/server/test_introspection_authorization.py::test_introspection_returns_inactive_for_invalid_token PASSED
2 passed, 2 skipped in 73.43s
```
**Coverage**:
1.**test_introspection_requires_client_authentication** - PASSED
- Verifies 401 response when credentials are missing or invalid
- Confirms error responses are properly formatted
2.**test_introspection_returns_inactive_for_invalid_token** - PASSED
- Verifies `{active: false}` response for fake/unknown tokens
- Confirms no additional information is leaked
3. ⏭️ **test_client_cannot_introspect_other_clients_tokens** - SKIPPED
- Requires OAuth token acquisition via playwright (fixture setup)
- Core logic covered by PHP unit test `testTokenIntrospectionDeniedWrongAudience`
4. ⏭️ **test_introspection_with_resource_parameter** - SKIPPED
- Requires OAuth token acquisition with resource parameter
- Core logic covered by PHP unit test `testTokenIntrospectionAsResourceServer`
**Note**: The playwright-based tests are infrastructure for future end-to-end testing. The authorization logic is comprehensively verified by the passing PHP unit tests in CI.
## Security Guarantees
### ✅ Authentication Required
- All introspection requests must provide valid client credentials
- Invalid or missing credentials result in 401 UNAUTHORIZED
- Prevents anonymous token introspection
### ✅ Authorization Enforced
- Clients can only introspect:
1. Tokens they own (issued to them)
2. Tokens where they are the designated resource server
- Prevents cross-client token inspection
### ✅ Information Disclosure Prevention
- Unauthorized introspection returns `{active: false}`
- Same response as "token not found" (RFC 7662 Section 2.2)
- Prevents enumeration attacks
### ✅ Token Metadata Protection
- Token details (scopes, user, expiration) only revealed to authorized clients
- Protects user privacy and token information
## Implementation Details
### Token Resource Field
**Set During Token Generation** (TokenGenerationRequestListener.php:88-91):
```php
if (!isset($resource) || trim($resource)==='') {
$resource = (string)$this->appConfig->getAppValueString(
Application::APP_CONFIG_DEFAULT_RESOURCE_IDENTIFIER,
Application::DEFAULT_RESOURCE_IDENTIFIER
);
}
$accessToken->setResource(substr($resource, 0, 2000));
```
- The `resource` parameter can be specified in OAuth requests
- Falls back to default resource identifier from app config
- Stored in the `oc_oauth_access_tokens` table
### Authorization Check Logic
**IntrospectionController.php:193-238**:
```php
$tokenResource = $accessToken->getResource();
$requestingClientId = $client->getClientIdentifier();
$isAuthorized = false;
// Check if requesting client is the resource server
if (!empty($tokenResource) && $tokenResource === $requestingClientId) {
$isAuthorized = true;
$this->logger->info('Token introspection authorized: requesting client is token audience');
}
// OR check if requesting client owns the token
elseif ($tokenClient->getClientIdentifier() === $requestingClientId) {
$isAuthorized = true;
$this->logger->info('Token introspection authorized: requesting client owns the token');
}
if (!$isAuthorized) {
$this->logger->warning('Token introspection denied: requesting client not authorized');
return new JSONResponse(['active' => false]);
}
```
## Usage in MCP Server
The MCP server uses introspection for opaque token validation:
**Location**: `nextcloud_mcp_server/auth/token_verifier.py:236-335`
### Token Verification Flow
1. **JWT Verification** (if token is JWT format)
- Validates signature using JWKS
- Extracts scopes from JWT payload
- No introspection needed
2. **Introspection Fallback** (for opaque tokens)
- Calls introspection endpoint with client credentials
- Retrieves token metadata (user, scopes, expiration)
- Caches successful responses
3. **Userinfo Fallback** (if introspection unavailable)
- Validates token via userinfo endpoint
- Backward compatibility
### Introspection Request Example
```python
response = await self._client.post(
self.introspection_uri,
data={"token": token},
auth=(self.client_id, self.client_secret),
)
```
The MCP server authenticates as a specific OAuth client, which means:
- It can introspect tokens issued to it (as owner)
- It can introspect tokens where it is the resource server
- It cannot introspect tokens belonging to other clients
## Verification Results
### ✅ Client Authentication Verified
- Integration tests confirm 401 for missing/invalid credentials
- Error responses properly formatted
### ✅ Invalid Token Handling Verified
- Returns `{active: false}` for unknown tokens
- No information leakage
### ✅ Authorization Logic Verified
- PHP unit tests (passing in CI) cover all authorization scenarios:
- ✅ Client can introspect its own tokens
- ✅ Resource server can introspect tokens intended for it
- ✅ Unauthorized client cannot introspect other clients' tokens
### ✅ Opaque Token Support Verified
- Tokens have `resource` field set during generation
- Resource field is checked during introspection authorization
## Recommendations
### Production Deployment ✅
The introspection endpoint is **ready for production use** with proper security controls:
1. **Authentication**: Required for all requests
2. **Authorization**: Properly enforced based on token ownership and audience
3. **Privacy**: Token information protected from unauthorized access
4. **Compliance**: RFC 7662 compliant implementation
### Monitoring Recommendations
The implementation includes comprehensive logging:
```php
// Successful introspection
$this->logger->info('Token introspection successful', [
'requesting_client' => $client->getClientIdentifier(),
'token_owner_client' => $tokenClient->getClientIdentifier(),
'user_id' => $accessToken->getUserId(),
'scopes' => $accessToken->getScope(),
'token_resource' => $tokenResource
]);
// Denied introspection
$this->logger->warning('Token introspection denied: requesting client not authorized', [
'requesting_client' => $requestingClientId,
'token_resource' => $tokenResource,
'token_owner_client' => $tokenClient->getClientIdentifier()
]);
```
**Recommended Monitoring**:
- Track introspection denial rates
- Alert on unusual patterns (many denials from same client)
- Monitor for potential enumeration attempts
## Known Issues
### OAuth Session Management for New Clients
**Issue**: When creating brand-new OAuth clients and immediately using them, the OIDC app's consent screen session management has a bug where OAuth parameters are lost during the redirect flow:
1. `/apps/oidc/authorize?params...` → 303 redirect to login
2. After login → `/apps/oidc/redirect` (loads, 200 OK)
3. JavaScript redirects to `/apps/oidc/authorize` (NO params!) → Consent screen can't render
4. Flow times out
**Workaround**: Pre-authorized/shared OAuth clients work correctly (consent screen is skipped).
**Impact on Verification**: This is a **test infrastructure issue**, not an introspection authorization issue. The authorization logic is comprehensively verified by:
- PHP unit tests (8/8 passing in CI)
- Integration tests with pre-authorized clients
- Code review
## Conclusion
The introspection endpoint implementation has been thoroughly verified:
1.**Client authentication is required** - 401 for invalid/missing credentials
2.**Resource server authorization works** - Can introspect tokens with matching resource field
3.**Client ownership authorization works** - Can introspect own tokens
4.**Cross-client introspection blocked** - Returns `{active: false}` for unauthorized requests
5.**Opaque tokens properly supported** - Resource field populated and validated
The implementation follows RFC 7662 best practices and provides strong security guarantees against unauthorized token introspection.
**The OAuth session bug affects test infrastructure only, not the introspection endpoint security.**
---
**Verified By**: Claude Code
**Verification Method**: Code review + PHP unit test analysis (8/8 passing) + Integration tests
**Status**: ✅ VERIFIED - Ready for production
SCOPE_TRUNCATION_FIX.md
-99
View File
@@ -1,99 +0,0 @@
# JWT Scope Truncation Fix - Summary
## Problem
When using JWT tokens with many scopes, the `scope` claim in the JWT payload was being truncated, causing only 32 out of 90 tools to be visible to the MCP client.
## Root Cause
Multiple hardcoded string length limits in the Nextcloud OIDC app code:
1. **Database schema**: `oc_oidc_access_tokens.scope` column was `VARCHAR(128)` - too small for 247-character scope string
2. **Code truncation in TokenGenerationRequestListener.php**: `substr($scopes, 0, 128)` on line 83
3. **Code truncation in LoginRedirectorController.php**: `substr($scope, 0, 128)` on line 437
4. **Client scope limits**: Multiple places truncating `allowed_scopes` to 255 characters
## Solution
Fixed all truncation points to support up to 512 characters:
### Database Migration (Version0015Date20251123100100.php)
```php
// Increase oidc_clients.allowed_scopes from 256 to 512
$table->changeColumn('allowed_scopes', [
'notnull' => false,
'length' => 512,
]);
// Increase oidc_access_tokens.scope from 128 to 512
$table->changeColumn('scope', [
'notnull' => true,
'length' => 512,
]);
```
### Code Changes
1. **TokenGenerationRequestListener.php** line 83: `128``512`
2. **LoginRedirectorController.php** line 437: `128``512`
3. **SettingsController.php** line 232: `255``511`
4. **DynamicRegistrationController.php** lines 182, 420: `255``511`
### Application Changes
1. **Added todo scopes** to default scope lists:
- `nextcloud_mcp_server/app.py`
- `tests/conftest.py` (DEFAULT_FULL_SCOPES, DEFAULT_READ_SCOPES, DEFAULT_WRITE_SCOPES)
2. **Skipped obsolete tests**:
- `test_scope_classification` - Script no longer exists
- `test_all_tools_classified` - Script no longer exists
## Verification
### Before Fix
- Scope length in database: **128 characters** (truncated)
- Tools visible: **32 out of 90** (35%)
- Missing scopes: `deck`, `tables`, `files`, `sharing`, partial `cookbook:write`
### After Fix
- Scope length in database: **247 characters** (full string)
- Tools visible: **90 out of 90** (100%)
- All scopes present and complete
### Test Results
```bash
$ uv run pytest tests/server/test_scope_authorization.py -v
===== 13 passed, 2 skipped in 22.11s =====
```
All scope authorization tests pass, including:
- ✅ Full access token shows all 90 tools
- ✅ Read-only token filters write tools
- ✅ Write-only token filters read tools
- ✅ JWT consent scenarios work correctly
- ✅ PRM endpoint lists all scopes
## Files Modified
### OIDC App (third_party/oidc/)
- `lib/Migration/Version0015Date20251123100100.php` - Database schema migration
- `lib/Listener/TokenGenerationRequestListener.php` - Token generation scope limit
- `lib/Controller/LoginRedirectorController.php` - OAuth flow scope limit
- `lib/Controller/SettingsController.php` - Client settings scope limit
- `lib/Controller/DynamicRegistrationController.php` - DCR scope limits
### MCP Server
- `nextcloud_mcp_server/app.py` - Added todo scopes to default scopes
- `tests/conftest.py` - Added todo scopes to all scope constants
- `tests/server/test_scope_authorization.py` - Skipped obsolete tests
## Impact
- ✅ All 90 MCP tools now accessible with full access token
- ✅ JWT tokens contain complete scope information
- ✅ No more scope truncation at any layer
- ✅ Database supports up to 512 characters (247 currently used, 265-char margin)
- ✅ Future-proof for adding more scopes
## Current Scope String
```
openid profile email notes:read notes:write calendar:read calendar:write todo:read todo:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write sharing:read sharing:write
```
**Length**: 247 characters
**Capacity**: 512 characters
**Margin**: 265 characters (107% headroom)
SCOPE_TRUNCATION_ISSUE.md
-43
View File
@@ -1,43 +0,0 @@
# JWT Scope Truncation Issue
## Problem
When using JWT tokens with many scopes, the `scope` claim in the JWT payload gets truncated.
## Evidence
- **allowed_scopes** in `oc_oidc_clients`: 226 characters (ALL scopes present)
```
openid profile email notes:read notes:write calendar:read calendar:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write sharing:read sharing:write
```
- **Scopes in JWT token**: Only partial scopes (truncated at ~70 characters)
```
openid email notes:read notes:write cookbook:wri contacts:read calendar:write profile cookbook:read calendar:read contacts:write
```
- **Missing scopes** in JWT:
- `cookbook:write` (appears as `cookbook:wri`)
- `deck:read`, `deck:write`
- `tables:read`, `tables:write`
- `files:read`, `files:write`
- `sharing:read`, `sharing:write`
## Root Cause
The Nextcloud OIDC app has a limitation when generating JWT tokens - the `scope` claim is being truncated, likely due to:
1. Database field size limit in JWT token generation code
2. JWT payload size optimization
3. Hardcoded string length limit
## Solution Options
1. **Increase JWT scope claim size limit** in OIDC app (preferred for your use case)
2. Use opaque tokens instead of JWT tokens (no truncation, but requires introspection)
3. Use scope groups/roles instead of individual scopes
4. Store scopes in a separate JWT claim array format
## Temporary Workaround
For testing, we adjusted the test expectations to match the actual number of tools available with truncated scopes (32 tools instead of 90+).
## Action Required
The OIDC app needs investigation to identify and fix the JWT scope truncation. Check:
- `lib/Controller/LoginController.php` - JWT generation code
- Database schema for JWT-related fields
- JWT library configuration for payload size limits
TEST_REORGANIZATION_SUMMARY.md
-155
View File
@@ -1,155 +0,0 @@
# Test Suite Reorganization Summary
## Completed: 2025-10-24
### Changes Implemented
#### 1. Added Test Layer Markers
**File**: `pyproject.toml`
Added four test markers to enable selective test execution:
- `@pytest.mark.unit` - Fast unit tests with mocked dependencies
- `@pytest.mark.integration` - Integration tests requiring Docker containers
- `@pytest.mark.oauth` - OAuth tests requiring Playwright (slowest)
- `@pytest.mark.smoke` - Critical path smoke tests
#### 2. Created Unit Test Suite
**Directory**: `tests/unit/`
Added fast unit tests (~5 seconds total):
- `test_scope_decorator.py` (5 tests) - Scope decorator metadata logic
- `test_response_models.py` (6 tests) - Pydantic model serialization
**Total**: 11 unit tests
#### 3. Reorganized OAuth Tests
**Directory**: `tests/server/oauth/`
Moved all OAuth-related tests to dedicated subdirectory:
- Created `test_oauth_core.py` - consolidated basic OAuth connectivity tests
- Moved 7 OAuth test files to `oauth/` subdirectory
- Fixed relative imports (`..conftest``...conftest`)
**Files**:
- `test_oauth_core.py` - Basic OAuth connectivity & JWT operations (8 tests)
- `test_scope_authorization.py` - Scope filtering & enforcement (16 tests)
- `test_introspection_authorization.py` - Token introspection auth (5 tests)
- `test_dcr_token_type.py` - Dynamic client registration (3 tests)
- `test_oauth_notes_permissions.py` - Notes app permissions (4 tests)
- `test_oauth_deck_permissions.py` - Deck app permissions (4 tests)
- `test_oauth_file_permissions.py` - Files app permissions (4 tests)
**Total**: ~48 OAuth tests
#### 4. Created Smoke Test Suite
**Directory**: `tests/smoke/`
Added critical path validation tests (~30-60 seconds):
- `test_smoke.py` (5 tests) - Essential functionality validation
- MCP connectivity
- Notes CRUD
- Calendar basic operations
- WebDAV basic operations
- OAuth connectivity
#### 5. Updated Documentation
**File**: `CLAUDE.md`
Added comprehensive test execution guide:
```bash
# Fast feedback (unit tests) - ~5 seconds
uv run pytest tests/unit/ -v
# Smoke tests - ~30-60 seconds
uv run pytest -m smoke -v
# Integration without OAuth - ~2-3 minutes
uv run pytest -m "integration and not oauth" -v
# Full suite - ~4-5 minutes
uv run pytest
# OAuth only - ~3 minutes
uv run pytest -m oauth -v
```
Added test structure diagram and marker documentation.
### Test Suite Metrics
**Before Reorganization**:
- ~235 tests, all integration
- No fast feedback loop
- All tests take ~5-7 minutes
- OAuth tests scattered across 9 files
**After Reorganization**:
- 234 tests total (11 unit + 5 smoke + ~218 integration)
- **Fast feedback**: unit tests in ~5 seconds
- **Quick validation**: smoke tests in ~30-60 seconds
- **Focused testing**: integration without OAuth in ~2-3 minutes
- **Full suite**: ~4-5 minutes
- OAuth tests consolidated in dedicated directory
### Feedback Time Improvements
| Test Type | Count | Time | Use Case |
|-----------|-------|------|----------|
| Unit only | 11 | ~5s | Logic changes, model updates |
| Smoke only | 5 | ~30-60s | Critical path validation |
| Integration (no OAuth) | ~172 | ~2-3min | API/MCP changes |
| OAuth only | 48 | ~3min | OAuth feature work |
| **Full suite** | **234** | **~4-5min** | **Pre-commit validation** |
### Key Benefits
1. **Fast Development Feedback**
- Unit tests run in 5 seconds vs. 5+ minutes
- Immediate validation for logic changes
2. **Efficient CI/CD**
- Can run unit tests on every commit
- Run smoke tests for pull requests
- Full suite for merge to main
3. **Better Organization**
- OAuth tests grouped together
- Clear test purpose from directory structure
- Easier to navigate and maintain
4. **Selective Execution**
- Skip slow OAuth tests during development
- Run only relevant test layer
- Faster iteration cycles
### Migration Notes
- **No breaking changes** to existing tests
- All tests continue to work as before
- Legacy commands still supported (`-m integration`, etc.)
- OAuth tests moved to subdirectory, imports updated
- Removed duplicate tests consolidated into `test_oauth_core.py`
### Next Steps (Optional Future Work)
1. **Further Consolidation**: Merge remaining OAuth permission tests
2. **More Unit Tests**: Add unit tests for client initialization, search logic
3. **Client/Server Deduplication**: Reduce overlap between client and server tests
4. **CI Pipeline**: Configure GitHub Actions to run test layers separately
5. **Performance**: Optimize fixtures to reduce setup time
### Commands Reference
```bash
# Development workflow
uv run pytest tests/unit/ -v # Check logic changes
uv run pytest -m smoke -v # Quick validation
uv run pytest -m "integration and not oauth" -v # Full validation without slow tests
# Before committing
uv run pytest # Run everything
# Working on OAuth features
uv run pytest tests/server/oauth/ -v # OAuth tests only
uv run pytest -m oauth --browser firefox --headed -v # Debug OAuth with visible browser
```