test(runtime): align token identity regression coverage

ndycode · ndycode · commit 3f225772c78a · 2026-03-20T05:47:08.000+08:00
diff --git a/test/index-retry.test.ts b/test/index-retry.test.ts
@@ -126,12 +126,19 @@ vi.mock("../lib/accounts.js", async () => {
 			storedEmail?: string;
 			accessToken?: string;
 		}) => {
+			const tokenUtilsModule = tokenUtils as typeof import("../lib/auth/token-utils.js");
 			const tokenAccountId = accessToken ? "account-1" : undefined;
+			const tokenEmail = tokenUtilsModule.sanitizeEmail(
+				tokenUtilsModule.extractAccountEmail(accessToken, undefined),
+			);
+			const sanitizedStoredEmail = tokenUtilsModule.sanitizeEmail(storedEmail);
 			return {
-				accountId: (
-					tokenUtils as typeof import("../lib/auth/token-utils.js")
-				).resolveRequestAccountId(storedAccountId, source as never, tokenAccountId),
-				email: storedEmail ?? "user@example.com",
+				accountId: tokenUtilsModule.resolveRequestAccountId(
+					storedAccountId,
+					source as never,
+					tokenAccountId,
+				),
+				email: tokenEmail ?? sanitizedStoredEmail ?? "user@example.com",
 				tokenAccountId,
 			};
 		},
diff --git a/test/token-utils.test.ts b/test/token-utils.test.ts
@@ -755,7 +755,66 @@ describe("Token Utils Module", () => {
 			});
 		});
 
+		it("follows token identities when the binding is id_token-derived", () => {
+			mockedDecodeJWT.mockImplementation((token?: string) => {
+				if (token === "access-token") {
+					return {
+						[JWT_CLAIM_PATH]: {
+							chatgpt_account_id: "acc_id_token",
+						},
+					};
+				}
+				if (token === "id-token") {
+					return {
+						email: "id-token@example.com",
+					};
+				}
+				return null;
+			});
+
+			expect(
+				resolveRuntimeRequestIdentity({
+					storedAccountId: "workspace-alpha",
+					source: "id_token",
+					storedEmail: "stored@example.com",
+					accessToken: "access-token",
+					idToken: "id-token",
+				}),
+			).toEqual({
+				accountId: "acc_id_token",
+				email: "id-token@example.com",
+				tokenAccountId: "acc_id_token",
+			});
+		});
+
+		it("falls back to the token accountId when token-derived routing has no stored accountId", () => {
+			mockedDecodeJWT.mockImplementation((token?: string) => {
+				if (token === "access-token") {
+					return {
+						[JWT_CLAIM_PATH]: {
+							chatgpt_account_id: "acc_live",
+							email: "live@example.com",
+						},
+					};
+				}
+				return null;
+			});
+
+			expect(
+				resolveRuntimeRequestIdentity({
+					source: "token",
+					storedEmail: "stored@example.com",
+					accessToken: "access-token",
+				}),
+			).toEqual({
+				accountId: "acc_live",
+				email: "live@example.com",
+				tokenAccountId: "acc_live",
+			});
+		});
+
 		it("falls back to sanitized stored email when the live token has none", () => {
+			mockedDecodeJWT.mockReturnValue(null);
 			expect(
 				resolveRuntimeRequestIdentity({
 					storedAccountId: "workspace-alpha",
