chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,132 @@
|
||||
/**
|
||||
* Tests for GET /api/services/9router/models
|
||||
*
|
||||
* Uses an isolated in-memory DB and mocks fetch + service registry.
|
||||
*/
|
||||
|
||||
import { describe, it, beforeEach, afterEach } from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import fs from "node:fs";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
|
||||
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-models-api-"));
|
||||
process.env.DATA_DIR = TEST_DATA_DIR;
|
||||
process.env.NODE_ENV = "test";
|
||||
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
|
||||
process.env.NINEROUTER_PORT = "20130";
|
||||
|
||||
// Must import db core first so the DB is initialised at the test path.
|
||||
const core = await import("../../../../src/lib/db/core.ts");
|
||||
const { saveServiceModels, getServiceModels } =
|
||||
await import("../../../../src/lib/db/serviceModels.ts");
|
||||
|
||||
// Import the route handler under test (after env is set).
|
||||
const { GET } = await import("../../../../src/app/api/services/9router/models/route.ts");
|
||||
|
||||
const originalFetch = globalThis.fetch;
|
||||
|
||||
function resetDb() {
|
||||
core.resetDbInstance();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
||||
}
|
||||
|
||||
function makeRequest(url: string): Request {
|
||||
return new Request(url);
|
||||
}
|
||||
|
||||
function makeFetch(status: number, body: unknown): typeof fetch {
|
||||
return async () =>
|
||||
new Response(JSON.stringify(body), {
|
||||
status,
|
||||
headers: { "Content-Type": "application/json" },
|
||||
});
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
resetDb();
|
||||
globalThis.fetch = originalFetch;
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
globalThis.fetch = originalFetch;
|
||||
});
|
||||
|
||||
describe("GET /api/services/9router/models", () => {
|
||||
it("returns { data: [] } when no models are stored", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/models");
|
||||
const res = await GET(req);
|
||||
|
||||
assert.equal(res.status, 200);
|
||||
const body = await res.json();
|
||||
assert.ok("data" in body, "response should have a data property");
|
||||
assert.deepEqual(body.data, []);
|
||||
});
|
||||
|
||||
it("returns stored models as { data: [...] }", async () => {
|
||||
saveServiceModels("9router", [
|
||||
{ id: "9router/cx/gpt-5-mini", name: "GPT-5 mini", available: true },
|
||||
{ id: "9router/auto/sonnet", name: "Sonnet", available: true },
|
||||
]);
|
||||
|
||||
const req = makeRequest("http://localhost/api/services/9router/models");
|
||||
const res = await GET(req);
|
||||
|
||||
assert.equal(res.status, 200);
|
||||
const body = await res.json();
|
||||
assert.equal(body.data.length, 2);
|
||||
assert.equal(body.data[0].id, "9router/cx/gpt-5-mini");
|
||||
assert.equal(body.data[1].id, "9router/auto/sonnet");
|
||||
});
|
||||
|
||||
it("?refresh=true triggers a sync before returning", async () => {
|
||||
// Pre-seed with one model so we can tell that the sync ran.
|
||||
saveServiceModels("9router", [{ id: "9router/old-model", available: true }]);
|
||||
|
||||
let fetchCalled = false;
|
||||
globalThis.fetch = async () => {
|
||||
fetchCalled = true;
|
||||
return new Response(
|
||||
// Upstream returns an unprefixed id — sync should prefix it as "9router/new-model".
|
||||
JSON.stringify({ data: [{ id: "new-model", object: "model" }] }),
|
||||
{ status: 200, headers: { "Content-Type": "application/json" } }
|
||||
);
|
||||
};
|
||||
|
||||
const req = makeRequest("http://localhost/api/services/9router/models?refresh=true");
|
||||
const res = await GET(req);
|
||||
|
||||
assert.equal(res.status, 200);
|
||||
assert.ok(fetchCalled, "?refresh=true should have triggered a fetch to the service");
|
||||
|
||||
const body = await res.json();
|
||||
// After sync, new model should be present prefixed (old model pruned to unavailable).
|
||||
const ids = body.data.map((m: { id: string }) => m.id);
|
||||
assert.ok(ids.includes("9router/new-model"), "synced model should appear in response");
|
||||
});
|
||||
|
||||
it("?refresh=false (default) does NOT trigger a sync", async () => {
|
||||
saveServiceModels("9router", [{ id: "9router/cached-model", available: true }]);
|
||||
|
||||
let fetchCalled = false;
|
||||
globalThis.fetch = async () => {
|
||||
fetchCalled = true;
|
||||
return new Response(JSON.stringify({ data: [] }), { status: 200 });
|
||||
};
|
||||
|
||||
const req = makeRequest("http://localhost/api/services/9router/models");
|
||||
const res = await GET(req);
|
||||
|
||||
assert.equal(res.status, 200);
|
||||
assert.equal(fetchCalled, false, "GET without ?refresh=true should NOT call fetch");
|
||||
});
|
||||
|
||||
it("response shape always has a data array", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/models");
|
||||
const res = await GET(req);
|
||||
const body = await res.json();
|
||||
|
||||
assert.ok(Array.isArray(body.data), "data must always be an array");
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,100 @@
|
||||
/**
|
||||
* Tests for POST /api/services/9router/provider-expose
|
||||
*/
|
||||
|
||||
import { describe, it, beforeEach } from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import fs from "node:fs";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
|
||||
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-provider-expose-"));
|
||||
process.env.DATA_DIR = TEST_DATA_DIR;
|
||||
process.env.NODE_ENV = "test";
|
||||
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
|
||||
|
||||
// Initialise DB first.
|
||||
const core = await import("../../../../src/lib/db/core.ts");
|
||||
const { upsertVersionManagerTool, getVersionManagerTool } =
|
||||
await import("../../../../src/lib/db/versionManager.ts");
|
||||
|
||||
// Import route under test.
|
||||
const { POST } = await import("../../../../src/app/api/services/9router/provider-expose/route.ts");
|
||||
|
||||
function resetDb() {
|
||||
core.resetDbInstance();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
||||
}
|
||||
|
||||
function makeRequest(body: unknown): Request {
|
||||
return new Request("http://localhost/api/services/9router/provider-expose", {
|
||||
method: "POST",
|
||||
headers: { "Content-Type": "application/json" },
|
||||
body: JSON.stringify(body),
|
||||
});
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
resetDb();
|
||||
});
|
||||
|
||||
describe("POST /api/services/9router/provider-expose", () => {
|
||||
it("returns 400 for invalid JSON body", async () => {
|
||||
const req = new Request("http://localhost/api/services/9router/provider-expose", {
|
||||
method: "POST",
|
||||
body: "not-json",
|
||||
headers: { "Content-Type": "application/json" },
|
||||
});
|
||||
const res = await POST(req);
|
||||
assert.equal(res.status, 400);
|
||||
});
|
||||
|
||||
it("returns 400 when enabled is missing", async () => {
|
||||
const req = makeRequest({});
|
||||
const res = await POST(req);
|
||||
assert.equal(res.status, 400);
|
||||
const body = await res.json();
|
||||
assert.ok(body?.error?.message ?? body?.message, "should have an error message");
|
||||
});
|
||||
|
||||
it("returns 400 when enabled is not a boolean", async () => {
|
||||
const req = makeRequest({ enabled: "yes" });
|
||||
const res = await POST(req);
|
||||
assert.equal(res.status, 400);
|
||||
});
|
||||
|
||||
it("sets providerExpose to true and returns 204", async () => {
|
||||
await upsertVersionManagerTool({ tool: "9router", status: "stopped" });
|
||||
|
||||
const req = makeRequest({ enabled: true });
|
||||
const res = await POST(req);
|
||||
assert.equal(res.status, 204);
|
||||
|
||||
const row = await getVersionManagerTool("9router");
|
||||
assert.equal(row?.providerExpose, true, "providerExpose should be true in DB");
|
||||
});
|
||||
|
||||
it("sets providerExpose to false and returns 204", async () => {
|
||||
await upsertVersionManagerTool({ tool: "9router", status: "stopped" });
|
||||
|
||||
// First enable it.
|
||||
await POST(makeRequest({ enabled: true }));
|
||||
|
||||
// Then disable it.
|
||||
const res = await POST(makeRequest({ enabled: false }));
|
||||
assert.equal(res.status, 204);
|
||||
|
||||
const row = await getVersionManagerTool("9router");
|
||||
assert.equal(row?.providerExpose, false, "providerExpose should be false in DB");
|
||||
});
|
||||
|
||||
it("error response does not leak stack traces", async () => {
|
||||
// Missing body triggers 400 — verify the message doesn't contain stack frames.
|
||||
const req = makeRequest({});
|
||||
const res = await POST(req);
|
||||
assert.equal(res.status, 400);
|
||||
const text = await res.text();
|
||||
assert.ok(!text.includes("at /"), "error body must not expose stack trace");
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,127 @@
|
||||
/**
|
||||
* Tests for GET /api/services/9router/status?reveal=key (R-01)
|
||||
*
|
||||
* - Without ?reveal: returns only masked key
|
||||
* - With ?reveal=key but missing X-Reveal-Confirm: returns 403
|
||||
* - With ?reveal=key and X-Reveal-Confirm: yes: returns apiKeyPlain + logs audit
|
||||
*/
|
||||
|
||||
import { describe, it, before, after, beforeEach } from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import fs from "node:fs";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
|
||||
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-reveal-"));
|
||||
process.env.DATA_DIR = TEST_DATA_DIR;
|
||||
process.env.NODE_ENV = "test";
|
||||
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
|
||||
|
||||
// Bootstrap DB and seed service row
|
||||
const core = await import("../../../../src/lib/db/core.ts");
|
||||
const db = core.getDbInstance();
|
||||
|
||||
db.prepare(
|
||||
`INSERT OR IGNORE INTO version_manager (tool, status, port, auto_start, auto_update, provider_expose)
|
||||
VALUES ('9router', 'stopped', 20130, 0, 1, 1)`
|
||||
).run();
|
||||
|
||||
const { updateVersionManagerTool } = await import("../../../../src/lib/db/versionManager.ts");
|
||||
await updateVersionManagerTool("9router", {
|
||||
installedVersion: "0.4.59",
|
||||
status: "stopped",
|
||||
});
|
||||
|
||||
// Ensure audit_log table exists (compliance init)
|
||||
const { initAuditLog, countAuditLog } = await import("../../../../src/lib/compliance/index.ts");
|
||||
initAuditLog();
|
||||
|
||||
// Import GET after env is set
|
||||
const { GET } =
|
||||
await import("../../../../src/app/api/services/9router/status/route.ts?t=reveal-suite");
|
||||
|
||||
function makeRequest(url: string, headers?: Record<string, string>): Request {
|
||||
return new Request(url, { headers });
|
||||
}
|
||||
|
||||
after(() => {
|
||||
core.resetDbInstance();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
});
|
||||
|
||||
describe("GET /api/services/9router/status", () => {
|
||||
it("without ?reveal returns only masked key (no plain)", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/status");
|
||||
const res = await GET(req);
|
||||
assert.equal(res.status, 200);
|
||||
const body = await res.json();
|
||||
assert.ok("apiKeyMasked" in body, "should have apiKeyMasked");
|
||||
assert.ok(!("apiKeyPlain" in body), "should NOT have apiKeyPlain");
|
||||
});
|
||||
|
||||
it("?reveal=key without X-Reveal-Confirm returns 403", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key");
|
||||
const res = await GET(req);
|
||||
assert.equal(res.status, 403);
|
||||
const body = await res.json();
|
||||
assert.ok(
|
||||
body.error?.message?.toLowerCase().includes("confirm") ||
|
||||
body.error?.message?.toLowerCase().includes("header") ||
|
||||
body.message?.toLowerCase().includes("confirm") ||
|
||||
String(body).toLowerCase().includes("confirm"),
|
||||
`body should mention confirmation: ${JSON.stringify(body)}`
|
||||
);
|
||||
});
|
||||
|
||||
it("?reveal=key with wrong X-Reveal-Confirm value returns 403", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
|
||||
"X-Reveal-Confirm": "no",
|
||||
});
|
||||
const res = await GET(req);
|
||||
assert.equal(res.status, 403);
|
||||
});
|
||||
|
||||
it("?reveal=key with X-Reveal-Confirm: yes returns apiKeyPlain", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
|
||||
"X-Reveal-Confirm": "yes",
|
||||
});
|
||||
const res = await GET(req);
|
||||
assert.equal(res.status, 200);
|
||||
const body = await res.json();
|
||||
assert.ok(typeof body.apiKeyPlain === "string", "should have apiKeyPlain string");
|
||||
assert.ok(body.apiKeyPlain.startsWith("nr_"), "plain key should start with nr_");
|
||||
// masked should also be present
|
||||
assert.ok("apiKeyMasked" in body, "should still have apiKeyMasked");
|
||||
});
|
||||
|
||||
it("reveal logs an audit entry with action=service.reveal_api_key", async () => {
|
||||
const countBefore = countAuditLog({ action: "service.reveal_api_key" });
|
||||
|
||||
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
|
||||
"X-Reveal-Confirm": "yes",
|
||||
});
|
||||
const res = await GET(req);
|
||||
assert.equal(res.status, 200);
|
||||
|
||||
const countAfter = countAuditLog({ action: "service.reveal_api_key" });
|
||||
assert.equal(
|
||||
countAfter,
|
||||
countBefore + 1,
|
||||
`audit entries should increase by 1 (was ${countBefore}, now ${countAfter})`
|
||||
);
|
||||
});
|
||||
|
||||
it("plain key is different from masked key (not trivially masked)", async () => {
|
||||
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
|
||||
"X-Reveal-Confirm": "yes",
|
||||
});
|
||||
const res = await GET(req);
|
||||
const body = await res.json();
|
||||
assert.notEqual(body.apiKeyPlain, body.apiKeyMasked, "plain and masked should differ");
|
||||
assert.ok(
|
||||
body.apiKeyPlain.length > body.apiKeyMasked.length ||
|
||||
!body.apiKeyMasked.includes(body.apiKeyPlain),
|
||||
"masked should not contain the full plain key"
|
||||
);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user