std
TESTING.md

OAuth Testing Guide

Test the @std/oauth library using Playwright MCP tools.

Prerequisites

  • Val Town MCP server access
  • Playwright MCP tools (mcp__playwright__*)
  • Test email: stevekrouse-6ca82204b4fa11f0ad790224a6c84d84@valtown.email
  • Login link retrieval: Use @stevekrouse/login-to-val-town-shim val

Find the Demo URL

The example app runs at the endpoint URL for example.tsx in the std/oauth val.

Use Val Town MCP to get it:

mcp__val-town__list_files({
  val: "std/oauth"
});

Look for example.tsx in the results - the endpoint URL in its links object is the demo URL (typically https://std--[id].web.val.run).

Login to Val Town (if needed)

If not already logged in to Val Town in the browser:

  1. Navigate to sign-in:

    mcp__playwright__browser_navigate({
  url: "https://www.val.town/auth/signin/"
});

  2. Enter test email and click Continue

  3. Retrieve login link from SQLite:

    mcp__val-town__sqlite_execute({
  sql: "SELECT text, timestamp FROM login_to_val_town_shim_emails ORDER BY timestamp DESC LIMIT 1"
});

  4. Extract the https://clerk.val.town/v1/verify?... URL from the email text

  5. Navigate to login URL to complete sign-in

Test OAuth Flow

1. Navigate to demo app

mcp__playwright__browser_navigate({
  url: "https://std--91178458b42e11f0b6f30224a6c84d84.web.val.run"
});

Expected: Page shows "Not logged in" with "Log in" link

2. Click "Log in"

mcp__playwright__browser_click({ 
  element: "Log in link", 
  ref: "[ref from snapshot]" 
});

Expected: Redirects to Val Town OAuth authorization page showing requested permissions

3. Click "Allow"

mcp__playwright__browser_click({ 
  element: "Allow button", 
  ref: "[ref from snapshot]" 
});

Expected:

  • Redirects back to demo app
  • Shows "Logged in as: steve_test_claude_code"
  • Shows User ID

4. Verify session persists

Refresh or navigate to home again - should still be logged in.

5. Test logout

mcp__playwright__browser_click({ 
  element: "Log out link", 
  ref: "[ref from snapshot]" 
});

Expected: Returns to "Not logged in" state

What's Being Tested

  • OAuth authorization code flow with PKCE
  • Dynamic client registration
  • Session cookie creation with encrypted data
  • Username fetched from /v1/me API
  • Session persistence across requests
  • Logout functionality

Scopes Required

The default scopes include:

  • openid - Basic OpenID Connect
  • offline_access - Refresh token
  • profile - Profile information
  • user_r - Read user data
  • user_rw - Write user data (needed for /v1/me access)