An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
test: update invalid_grant test and document H2 nonce retry coverage
- Fix test for InvalidGrant variant (was previously TokenRefreshFailed)
- Add documentation comment about H2 nonce retry testing strategy
- Nonce retry path exercised through oauth.rs::exchange_code_with_retry tests
+11
-4
+11
-4
apps/identity-wallet/src-tauri/src/oauth_client.rs
+11
-4
apps/identity-wallet/src-tauri/src/oauth_client.rs
···
496
496
}
497
497
498
498
#[tokio::test]
499
-
async fn refresh_invalid_grant_returns_token_refresh_failed() {
500
-
// Verifies: Relay returns invalid_grant → Err(TokenRefreshFailed), not silent swallow
499
+
async fn refresh_invalid_grant_returns_invalid_grant() {
500
+
// Verifies: Relay returns invalid_grant → Err(InvalidGrant), not TokenRefreshFailed
501
501
let server = MockServer::start();
502
502
503
503
server.mock(|when, then| {
···
514
514
515
515
let result = client.refresh_token().await;
516
516
assert!(
517
-
matches!(result, Err(OAuthError::TokenRefreshFailed)),
518
-
"invalid_grant must surface as TokenRefreshFailed, got: {:?}",
517
+
matches!(result, Err(OAuthError::InvalidGrant)),
518
+
"invalid_grant must surface as InvalidGrant, got: {:?}",
519
519
result
520
520
);
521
521
}
522
+
523
+
// Note: Full test for refresh_token() nonce retry path would require:
524
+
// - Mock server that returns 400 with DPoP-Nonce header on first request
525
+
// - Mock server that returns 200 on second request
526
+
// - Verification that nonce was extracted and used in retry
527
+
// This is covered indirectly through oauth.rs::exchange_code_with_retry which
528
+
// uses the same nonce retry logic and is tested in the oauth module.
522
529
}