import fs from "node:fs"; import os from "node:os"; import path from "node:path"; import { describe, expect, it, vi } from "vitest"; import { clearRuntimeAuthProfileStoreSnapshots, ensureAuthProfileStore } from "./auth-profiles.js"; import { AUTH_STORE_VERSION, log } from "./auth-profiles/constants.js"; describe("ensureAuthProfileStore", () => { function withTempAgentDir(prefix: string, run: (agentDir: string) => T): T { const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), prefix)); try { return run(agentDir); } finally { fs.rmSync(agentDir, { recursive: true, force: true }); } } it("migrates legacy auth.json and deletes it (PR #368)", () => { const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-profiles-")); try { const legacyPath = path.join(agentDir, "auth.json"); fs.writeFileSync( legacyPath, `${JSON.stringify( { anthropic: { type: "oauth", provider: "anthropic", access: "access-token", refresh: "refresh-token", expires: Date.now() + 60_000, }, }, null, 2, )}\n`, "utf8", ); const store = ensureAuthProfileStore(agentDir); expect(store.profiles["anthropic:default"]).toMatchObject({ type: "oauth", provider: "anthropic", }); const migratedPath = path.join(agentDir, "auth-profiles.json"); expect(fs.existsSync(migratedPath)).toBe(true); expect(fs.existsSync(legacyPath)).toBe(false); // idempotent const store2 = ensureAuthProfileStore(agentDir); expect(store2.profiles["anthropic:default"]).toBeDefined(); expect(fs.existsSync(legacyPath)).toBe(false); } finally { fs.rmSync(agentDir, { recursive: true, force: true }); } }); it("merges main auth profiles into agent store and keeps agent overrides", () => { const root = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-merge-")); const previousAgentDir = process.env.OPENCLAW_AGENT_DIR; const previousPiAgentDir = process.env.PI_CODING_AGENT_DIR; try { const mainDir = path.join(root, "main-agent"); const agentDir = path.join(root, "agent-x"); fs.mkdirSync(mainDir, { recursive: true }); fs.mkdirSync(agentDir, { recursive: true }); process.env.OPENCLAW_AGENT_DIR = mainDir; process.env.PI_CODING_AGENT_DIR = mainDir; const mainStore = { version: AUTH_STORE_VERSION, profiles: { "openai:default": { type: "api_key", provider: "openai", key: "main-key", }, "anthropic:default": { type: "api_key", provider: "anthropic", key: "main-anthropic-key", }, }, }; fs.writeFileSync( path.join(mainDir, "auth-profiles.json"), `${JSON.stringify(mainStore, null, 2)}\n`, "utf8", ); const agentStore = { version: AUTH_STORE_VERSION, profiles: { "openai:default": { type: "api_key", provider: "openai", key: "agent-key", }, }, }; fs.writeFileSync( path.join(agentDir, "auth-profiles.json"), `${JSON.stringify(agentStore, null, 2)}\n`, "utf8", ); const store = ensureAuthProfileStore(agentDir); expect(store.profiles["anthropic:default"]).toMatchObject({ type: "api_key", provider: "anthropic", key: "main-anthropic-key", }); expect(store.profiles["openai:default"]).toMatchObject({ type: "api_key", provider: "openai", key: "agent-key", }); } finally { if (previousAgentDir === undefined) { delete process.env.OPENCLAW_AGENT_DIR; } else { process.env.OPENCLAW_AGENT_DIR = previousAgentDir; } if (previousPiAgentDir === undefined) { delete process.env.PI_CODING_AGENT_DIR; } else { process.env.PI_CODING_AGENT_DIR = previousPiAgentDir; } fs.rmSync(root, { recursive: true, force: true }); } }); it.each([ { name: "mode/apiKey aliases map to type/key", profile: { provider: "anthropic", mode: "api_key", apiKey: "sk-ant-alias", // pragma: allowlist secret }, expected: { type: "api_key", key: "sk-ant-alias", }, }, { name: "canonical type overrides conflicting mode alias", profile: { provider: "anthropic", type: "api_key", mode: "token", key: "sk-ant-canonical", }, expected: { type: "api_key", key: "sk-ant-canonical", }, }, { name: "canonical key overrides conflicting apiKey alias", profile: { provider: "anthropic", type: "api_key", key: "sk-ant-canonical", apiKey: "sk-ant-alias", // pragma: allowlist secret }, expected: { type: "api_key", key: "sk-ant-canonical", }, }, { name: "canonical profile shape remains unchanged", profile: { provider: "anthropic", type: "api_key", key: "sk-ant-direct", }, expected: { type: "api_key", key: "sk-ant-direct", }, }, ] as const)( "normalizes auth-profiles credential aliases with canonical-field precedence: $name", ({ name, profile, expected }) => { withTempAgentDir("openclaw-auth-alias-", (agentDir) => { const storeData = { version: AUTH_STORE_VERSION, profiles: { "anthropic:work": profile, }, }; fs.writeFileSync( path.join(agentDir, "auth-profiles.json"), `${JSON.stringify(storeData, null, 2)}\n`, "utf8", ); const store = ensureAuthProfileStore(agentDir); expect(store.profiles["anthropic:work"], name).toMatchObject(expected); }); }, ); it("normalizes mode/apiKey aliases while migrating legacy auth.json", () => { withTempAgentDir("openclaw-auth-legacy-alias-", (agentDir) => { fs.writeFileSync( path.join(agentDir, "auth.json"), `${JSON.stringify( { anthropic: { provider: "anthropic", mode: "api_key", apiKey: "sk-ant-legacy", // pragma: allowlist secret }, }, null, 2, )}\n`, "utf8", ); const store = ensureAuthProfileStore(agentDir); expect(store.profiles["anthropic:default"]).toMatchObject({ type: "api_key", provider: "anthropic", key: "sk-ant-legacy", }); }); }); it("merges legacy oauth.json into auth-profiles.json", () => { const root = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-oauth-migrate-")); const previousStateDir = process.env.OPENCLAW_STATE_DIR; const previousAgentDir = process.env.OPENCLAW_AGENT_DIR; const previousPiAgentDir = process.env.PI_CODING_AGENT_DIR; try { const agentDir = path.join(root, "agent"); const oauthDir = path.join(root, "credentials"); fs.mkdirSync(agentDir, { recursive: true }); fs.mkdirSync(oauthDir, { recursive: true }); fs.writeFileSync( path.join(oauthDir, "oauth.json"), `${JSON.stringify( { "openai-codex": { access: "access-token", refresh: "refresh-token", expires: Date.now() + 60_000, accountId: "acct_123", }, }, null, 2, )}\n`, "utf8", ); process.env.OPENCLAW_STATE_DIR = root; process.env.OPENCLAW_AGENT_DIR = agentDir; process.env.PI_CODING_AGENT_DIR = agentDir; clearRuntimeAuthProfileStoreSnapshots(); const store = ensureAuthProfileStore(agentDir); expect(store.profiles["openai-codex:default"]).toMatchObject({ type: "oauth", provider: "openai-codex", access: "access-token", refresh: "refresh-token", }); const persisted = JSON.parse( fs.readFileSync(path.join(agentDir, "auth-profiles.json"), "utf8"), ) as { profiles: Record; }; expect(persisted.profiles["openai-codex:default"]).toMatchObject({ type: "oauth", provider: "openai-codex", access: "access-token", refresh: "refresh-token", }); } finally { clearRuntimeAuthProfileStoreSnapshots(); if (previousStateDir === undefined) { delete process.env.OPENCLAW_STATE_DIR; } else { process.env.OPENCLAW_STATE_DIR = previousStateDir; } if (previousAgentDir === undefined) { delete process.env.OPENCLAW_AGENT_DIR; } else { process.env.OPENCLAW_AGENT_DIR = previousAgentDir; } if (previousPiAgentDir === undefined) { delete process.env.PI_CODING_AGENT_DIR; } else { process.env.PI_CODING_AGENT_DIR = previousPiAgentDir; } fs.rmSync(root, { recursive: true, force: true }); } }); it("logs one warning with aggregated reasons for rejected auth-profiles entries", () => { const warnSpy = vi.spyOn(log, "warn").mockImplementation(() => undefined); try { withTempAgentDir("openclaw-auth-invalid-", (agentDir) => { const invalidStore = { version: AUTH_STORE_VERSION, profiles: { "anthropic:missing-type": { provider: "anthropic", }, "openai:missing-provider": { type: "api_key", key: "sk-openai", }, "qwen:not-object": "broken", }, }; fs.writeFileSync( path.join(agentDir, "auth-profiles.json"), `${JSON.stringify(invalidStore, null, 2)}\n`, "utf8", ); const store = ensureAuthProfileStore(agentDir); expect(store.profiles).toEqual({}); expect(warnSpy).toHaveBeenCalledTimes(1); expect(warnSpy).toHaveBeenCalledWith( "ignored invalid auth profile entries during store load", { source: "auth-profiles.json", dropped: 3, reasons: { invalid_type: 1, missing_provider: 1, non_object: 1, }, keys: ["anthropic:missing-type", "openai:missing-provider", "qwen:not-object"], }, ); }); } finally { warnSpy.mockRestore(); } }); });