fix(tests): resolve OAuth token exchange skips and DX-4430 management token scope

aniket-shikhare-cstk · aniket-shikhare-cstk · commit 172f6cbe5239 · 2026-03-17T12:08:57.000+05:30
- oauth-test.js: add before() hook in OAuth Token Exchange to regenerate a fresh
  auth code immediately before exchange; dev-developerhub only allows one active
  auth code per app+user at a time, so the handleRedirect authorize() call was
  invalidating the original authCode
- bulkOperation-test.js: simplify DX-4430 management token scope to content_type
  read-only only (remove branch module which is not universally supported and
  caused token creation to fail silently on some environments)
diff --git a/test/sanity-check/api/bulkOperation-test.js b/test/sanity-check/api/bulkOperation-test.js
@@ -565,11 +565,6 @@ describe('BulkOperation api test', () => {
               {
                 module: 'content_type',
                 acl: { read: true }
-              },
-              {
-                module: 'branch',
-                branches: ['main'],
-                acl: { read: true }
               }
             ],
             expires_on: '',
diff --git a/test/sanity-check/api/oauth-test.js b/test/sanity-check/api/oauth-test.js
@@ -493,6 +493,47 @@ describe('OAuth Authentication API Tests', () => {
   })
 
   describe('OAuth Token Exchange', () => {
+    before(async function () {
+      this.timeout(15000)
+      // Re-generate a fresh auth code right before token exchange.
+      // Some OAuth servers (e.g. dev11 DeveloperHub) only allow one active authorization
+      // code per app+user at a time — the handleRedirect section's second authorize() call
+      // invalidates the original authCode. Regenerating here ensures a valid code.
+      if (!oauthClient || !authtoken || !clientId || !appId || !redirectUri) {
+        return
+      }
+      try {
+        const freshUrl = await oauthClient.authorize()
+        const freshParsed = new URL(freshUrl)
+        const freshChallenge = freshParsed.searchParams.get('code_challenge')
+        const freshMethod = freshParsed.searchParams.get('code_challenge_method')
+        const authorizationEndpoint = oauthClient.axiosInstance.defaults.developerHubBaseUrl
+
+        axios.defaults.headers.common.authtoken = authtoken
+        axios.defaults.headers.common.organization_uid = organizationUid
+
+        const response = await axios.post(
+          `${authorizationEndpoint}/manifests/${appId}/authorize`,
+          {
+            client_id: clientId,
+            redirect_uri: redirectUri,
+            code_challenge: freshChallenge,
+            code_challenge_method: freshMethod,
+            response_type: 'code'
+          }
+        )
+        const redirectUrl = response.data.data.redirect_url
+        const url = new URL(redirectUrl)
+        authCode = url.searchParams.get('code')
+
+        oauthClient.axiosInstance.oauth.appId = appId
+        oauthClient.axiosInstance.oauth.clientId = clientId
+        oauthClient.axiosInstance.oauth.redirectUri = redirectUri
+      } catch (e) {
+        console.log('Token Exchange: fresh auth code warning:', e.message)
+      }
+    })
+
     it('should exchange authorization code for access token', async function () {
       this.timeout(15000)
 

Original file line number	Diff line number	Diff line change
`@@ -565,11 +565,6 @@ describe('BulkOperation api test', () => {`
`565`	`565`	`{`
`566`	`566`	`module: 'content_type',`
`567`	`567`	`acl: { read: true }`
`568`		`- },`
`569`		`- {`
`570`		`- module: 'branch',`
`571`		`- branches: ['main'],`
`572`		`- acl: { read: true }`
`573`	`568`	`}`
`574`	`569`	`],`
`575`	`570`	`expires_on: '',`