@jackshen310 jackshen310 commented Nov 12, 2024

Summary by CodeRabbit

Release Notes

  • New Features

    • Enhanced OAuth token management by introducing a refresh capability for device tokens.
    • Authentication functions now support workspace-specific configurations.
  • Bug Fixes

    • Updated device retrieval logic in tests to utilize a new utility for improved accuracy.
  • Tests

    • Expanded test coverage for authentication functions to include scenarios with workspace IDs.

coderabbitai bot commented Nov 12, 2024

Walkthrough

This pull request introduces several modifications across multiple files. The reporter configuration in the Vitest preset is updated to replace certain coverage reporters with new ones. Additionally, OAuth device handling is enhanced by incorporating a token refresh mechanism. Changes to authentication functions allow for the inclusion of workspace IDs, and corresponding tests are added to validate these updates. Lastly, a utility is introduced in device enumeration tests, replacing direct calls with a utility function, while maintaining existing test structures.

Changes

| File Path | Change Summary |
|---|---|
| config/vitest-config/src/preset-default.ts | Updated reporter list in defaultVitestConfig to replace v8 and istanbul with cobertura and json-summary. |
| examples/coze-js-node/src/auth/auth-oauth-device.ts | Added import for refreshOAuthToken and integrated it into the OAuth device token retrieval process. |
| packages/coze-js/src/auth.ts | Enhanced authentication functions to include workspaceId in PKCEAuthenticationConfig and DeviceCodeConfig; updated URL construction based on workspace ID presence. |
| packages/coze-js/test/auth.spec.ts | Added test cases for getPKCEAuthenticationUrl and getDeviceCode to handle workspaceId scenarios. |
| packages/realtime-api/test/client.spec.ts | Replaced client.getDevices() with RealtimeUtils.getAudioDevices() in the getDevices method and updated related tests. |

Possibly related PRs

  • feat: add voice api #13: The changes in the main PR regarding the reporter configuration in the coverage object may relate to the overall improvements in the Coze API SDK, which could include enhancements to reporting features.
  • perf: Optimize real-time demo #15: This PR introduces functionality to fetch a list of available voices from the API, which may connect with the changes in the main PR if the coverage reporting is related to voice functionalities.
  • feat: support audio input and output device selection #21: The addition of audio input and output device selection could be relevant as it may involve coverage reporting for audio functionalities, linking back to the changes in the main PR.
  • chore: migrate jest to vitest #22: The migration from Jest to Vitest may impact how coverage reporting is handled, making this PR relevant to the changes in the main PR regarding the coverage configuration.

Suggested reviewers

  • jsongo
  • Tecvan-fe

Poem

🐇 In the burrow where changes bloom,
New tokens refresh, dispelling gloom.
With workspace IDs, our paths align,
Testing flows like a warren, divine!
Coverage reports now shine so bright,
Hopping forward, all feels just right! 🌼


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bc5c521 and 4a9b6e3.

📒 Files selected for processing (3)
  • examples/coze-js-node/src/auth/auth-oauth-device.ts (2 hunks)
  • packages/coze-js/src/auth.ts (4 hunks)
  • packages/coze-js/test/auth.spec.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • examples/coze-js-node/src/auth/auth-oauth-device.ts
  • packages/coze-js/src/auth.ts
  • packages/coze-js/test/auth.spec.ts


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (5)
examples/coze-js-node/src/auth/auth-oauth-device.ts (1)

Line range hint 1-100: Consider adding production-ready features

As this is an example implementation, consider documenting or implementing these production-ready features:

  1. Token persistence mechanism
  2. Automatic token refresh before expiration
  3. Retry strategy for failed refresh attempts
  4. Token rotation security best practices

Consider creating a TokenManager class that encapsulates these concerns:

class TokenManager {
  private storage: TokenStorage;
  private refreshTimer: NodeJS.Timeout | null = null;

  constructor(
    private baseURL: string,
    private clientId: string,
    storage: TokenStorage
  ) {
    this.storage = storage;
  }

  async setupTokenRefresh(tokens: OAuthTokens) {
    // Store tokens
    await this.storage.saveTokens(tokens);
    
    // Setup automatic refresh
    const refreshBuffer = 5 * 60 * 1000; // 5 minutes before expiry
    const expiresIn = (tokens.expires_in || 3600) * 1000;
    
    this.scheduleRefresh(expiresIn - refreshBuffer);
  }

  private scheduleRefresh(timeUntilRefresh: number) {
    // Implementation details...
  }
}
packages/coze-js/src/auth.ts (2)

160-165: Improve code quality and reduce duplication

A few suggestions to enhance this code segment:

  1. Use const instead of let since the variable is only assigned once
  2. Consider extracting the workspace ID URL construction logic into a shared utility function since it's used in multiple places

Consider this refactoring:

-  let apiUrl;
-  if (config.workspaceId) {
-    apiUrl = `/api/permission/oauth2/workspace_id/${config.workspaceId}/device/code`;
-  } else {
-    apiUrl = '/api/permission/oauth2/device/code';
-  }
+  const apiUrl = config.workspaceId
+    ? `/api/permission/oauth2/workspace_id/${config.workspaceId}/device/code`
+    : '/api/permission/oauth2/device/code';
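Review bot: The `+` lines still interpolate `config.workspaceId` straight into the request path, exactly as the removed lines did, so a value containing `/`, `?`, `#` or `..` changes which endpoint is requested. Validate the ID against an allow-list before building `apiUrl`, or wrap it in `encodeURIComponent(config.workspaceId)`. Note also that the truthiness test sends an empty-string `workspaceId` to the global `/api/permission/oauth2/device/code` endpoint without any error; decide whether that fallback is intended and reject the empty string if it is not.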

Also, consider creating a utility function for workspace URL construction:

const getWorkspaceUrl = (basePath: string, workspaceId?: string) => {
  if (!workspaceId) return basePath;
  if (!/^[a-zA-Z0-9-_]+$/.test(workspaceId)) {
    throw new Error('Invalid workspace ID format');
  }
  return `/api/permission/oauth2/workspace_id/${workspaceId}${basePath}`;
};

278-278: Add JSDoc comments for workspaceId property

Consider adding documentation to explain the purpose and format requirements of the workspaceId property.

Add JSDoc comments to both interfaces:

 export interface PKCEAuthenticationConfig extends WebAuthenticationConfig {
   code_challenge_method?: string;
+  /** Workspace ID for organization-specific authentication. Must be alphanumeric with hyphens and underscores only. */
   workspaceId?: string;
 }

 export interface DeviceCodeConfig {
   baseURL?: string;
   clientId: string;
+  /** Workspace ID for organization-specific authentication. Must be alphanumeric with hyphens and underscores only. */
   workspaceId?: string;
 }
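Review bot: The added JSDoc on `workspaceId` states a format rule ("alphanumeric with hyphens and underscores only") that nothing in these declarations enforces, since the property type is plain `string`. Either reference the function that performs the check in the comment, or word it as an expectation callers must meet, so nobody reads it as a guarantee that the SDK validates the value. The identical comment appears on both interfaces; a shared type alias for the ID would give it one home.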

Also applies to: 307-307

packages/coze-js/test/auth.spec.ts (2)

130-140: LGTM! Consider adding edge cases.

The test correctly validates the PKCE authentication URL construction with workspaceId.

Consider adding test cases for:

  • Invalid workspaceId formats
  • Empty workspaceId
  • Special characters in workspaceId that might need URL encoding

200-222: Enhance test coverage and consistency.

While the test correctly validates the workspace-specific endpoint, consider these improvements:

  1. Add APIClient initialization verification similar to other tests:

     expect(APIClient).toHaveBeenCalledWith({
       token: '',
       baseURL: mockConfig.baseURL,
     });

  2. Verify the response handling:

     const response = await getDeviceCode({...});
     expect(response).toEqual({ device_code: 'test-device-code' });

  3. Align the test name with other tests in the file (e.g., "should call APIClient.post with correct parameters when workspaceId is provided")
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a1de4ee and bc5c521.

⛔ Files ignored due to path filters (1)
  • common/config/subspaces/default/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • config/vitest-config/src/preset-default.ts (1 hunks)
  • examples/coze-js-node/src/auth/auth-oauth-device.ts (2 hunks)
  • packages/coze-js/src/auth.ts (4 hunks)
  • packages/coze-js/test/auth.spec.ts (2 hunks)
  • packages/realtime-api/test/client.spec.ts (2 hunks)
🔇 Additional comments (4)
examples/coze-js-node/src/auth/auth-oauth-device.ts (1)

10-15: LGTM: Import changes are well-organized

The new refreshOAuthToken import is appropriately grouped with related API functions.

packages/coze-js/src/auth.ts (1)

67-72: Verify test coverage and usage

Please ensure that:

  1. Test cases cover both workspace ID and non-workspace ID scenarios
  2. All existing code using these functions is updated to handle the new workspace ID parameter

Let's verify the test coverage and usage:

Also applies to: 160-165, 278-278, 307-307

✅ Verification successful

Based on the results, I can now generate the final response:

Test coverage and usage verification completed

The changes are well-covered and properly implemented:

  • Test coverage exists for both workspace ID (test/auth.spec.ts) and non-workspace ID scenarios
  • All existing usage of getPKCEAuthenticationUrl and getDeviceCode functions are properly handling the optional workspaceId parameter through their config objects
  • No instances of direct parameter passing found that would require updates
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check test coverage for workspace ID functionality
echo "Checking test coverage..."
rg -l "workspaceId.*test|test.*workspaceId" --type ts

# Find usage of affected functions
echo -e "\nChecking function usage..."
rg -l "getPKCEAuthenticationUrl|getDeviceCode" --type ts

# Look for potential missed updates in function calls
echo -e "\nChecking for potential missed updates..."
rg "getPKCEAuthenticationUrl\(|getDeviceCode\(" -A 2 --type ts

Length of output: 3504

packages/realtime-api/test/client.spec.ts (2)

3-3: LGTM! Clean import statement.

The import is properly placed and uses appropriate namespace import syntax.


100-100: LGTM! Good refactoring of device enumeration logic.

Moving the device enumeration logic to RealtimeUtils improves code maintainability by centralizing this functionality. The test cases properly validate both success and error scenarios.

Let's verify the utility implementation:

Also applies to: 107-107

✅ Verification successful

Let me gather more information about the implementation of getAudioDevices with a different pattern since the previous one didn't match.


Verified: Device enumeration is properly centralized in RealtimeUtils

The implementation in utils.ts is clean and follows best practices:

  • Single source of truth for device enumeration via VERTC.enumerateDevices()
  • Proper filtering of audio input/output devices
  • Well-documented with JSDoc comments
  • Handles empty device list gracefully

The ripgrep results confirm that all enumerateDevices calls outside of utils.ts are mock implementations in test files, indicating proper encapsulation of this functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the RealtimeUtils implementation and its usage
# Expected: The utility should be the single source of truth for device enumeration

# Check if getAudioDevices is the only method accessing VERTC.enumerateDevices
rg -p "enumerateDevices" --type ts

# Verify the implementation of getAudioDevices
ast-grep --pattern 'export function getAudioDevices() {
  $$$
}'

Length of output: 874


Script:

#!/bin/bash
# Check the implementation of getAudioDevices in RealtimeUtils
ast-grep --pattern 'getAudioDevices = async () => {
  $$$
}'

# Also try with static method pattern
ast-grep --pattern 'static getAudioDevices() {
  $$$
}'

# Let's also see the full utils.ts file since we know it's there
cat packages/realtime-api/src/utils.ts

Length of output: 1319
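
The review above asks for tests on invalid, empty and special-character workspace IDs and sketches a validating URL helper. The following is an added example, not code from this PR or from the coze-js repository, showing one way to build the device-code path so those cases are rejected before any request is made. The two endpoint paths are the ones quoted in the review; the names `deviceCodePath` and `classify`, the 64-character cap, and the choice to treat an empty string as an error are assumptions of this example.

```typescript
// Added example (not from the coze-js repository).
// Endpoint paths are those quoted in the review; names and the length cap are assumed.
const DEVICE_CODE_PATH = '/api/permission/oauth2/device/code';
const WORKSPACE_PREFIX = '/api/permission/oauth2/workspace_id/';

// Allow-list matching the character set in the review's suggested helper,
// with an assumed upper bound on length.
const WORKSPACE_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

interface PathResult {
  ok: boolean;
  value: string; // the path when ok, otherwise the rejection reason
}

function deviceCodePath(workspaceId?: string): PathResult {
  // undefined means the caller did not ask for a workspace: global endpoint.
  if (workspaceId === undefined) {
    return { ok: true, value: DEVICE_CODE_PATH };
  }
  // Design choice of this example: an empty string is a caller error,
  // not a silent fallback to the global endpoint.
  if (workspaceId === '') {
    return { ok: false, value: 'empty workspaceId' };
  }
  // Rejects path separators, dot segments, query/fragment markers,
  // percent-encoded bytes, whitespace and over-long values.
  if (!WORKSPACE_ID_RE.test(workspaceId)) {
    return { ok: false, value: 'workspaceId outside [A-Za-z0-9_-]{1,64}' };
  }
  // encodeURIComponent is a no-op for allow-listed input; it stays as a
  // second layer in case the allow-list is later widened.
  const id = encodeURIComponent(workspaceId);
  return { ok: true, value: WORKSPACE_PREFIX + id + '/device/code' };
}

// Constructed inputs covering the edge cases listed in the review.
const samples: Array<string | undefined> = [
  undefined, 'ws-123_A', '', '../device', 'ws?x=1', 'a/b', 'ws%2F1', 'ws 1',
];

function classify(inputs: Array<string | undefined>): string[] {
  return inputs.map(id => {
    const r = deviceCodePath(id);
    return r.ok ? r.value : 'rejected: ' + r.value;
  });
}

for (const line of classify(samples)) console.log(line);
```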
