chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,482 @@
|
||||
import test from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import fs from "node:fs";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
import { SignJWT } from "jose";
|
||||
|
||||
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-api-auth-"));
|
||||
process.env.DATA_DIR = TEST_DATA_DIR;
|
||||
process.env.API_KEY_SECRET = "test-api-key-secret";
|
||||
|
||||
const core = await import("../../src/lib/db/core.ts");
|
||||
const localDb = await import("../../src/lib/localDb.ts");
|
||||
const apiKeysDb = await import("../../src/lib/db/apiKeys.ts");
|
||||
const apiAuth = await import("../../src/shared/utils/apiAuth.ts");
|
||||
const { requireManagementAuth } = await import("../../src/lib/api/requireManagementAuth.ts");
|
||||
const { getLegacyCliTokenSync, getMachineTokenSync } =
|
||||
await import("../../src/lib/machineToken.ts");
|
||||
const { CLI_TOKEN_HEADER } = await import("../../src/server/authz/headers.ts");
|
||||
|
||||
const ORIGINAL_JWT_SECRET = process.env.JWT_SECRET;
|
||||
const ORIGINAL_INITIAL_PASSWORD = process.env.INITIAL_PASSWORD;
|
||||
|
||||
async function resetStorage() {
|
||||
core.resetDbInstance();
|
||||
apiKeysDb.resetApiKeyState();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
||||
delete process.env.JWT_SECRET;
|
||||
delete process.env.INITIAL_PASSWORD;
|
||||
}
|
||||
|
||||
function makeCookieRequest(token: string) {
|
||||
return {
|
||||
cookies: {
|
||||
get(name: string) {
|
||||
return name === "auth_token" && token ? { value: token } : undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers(),
|
||||
};
|
||||
}
|
||||
|
||||
test.beforeEach(async () => {
|
||||
await resetStorage();
|
||||
});
|
||||
|
||||
test.after(() => {
|
||||
core.resetDbInstance();
|
||||
apiKeysDb.resetApiKeyState();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
|
||||
if (ORIGINAL_JWT_SECRET === undefined) {
|
||||
delete process.env.JWT_SECRET;
|
||||
} else {
|
||||
process.env.JWT_SECRET = ORIGINAL_JWT_SECRET;
|
||||
}
|
||||
|
||||
if (ORIGINAL_INITIAL_PASSWORD === undefined) {
|
||||
delete process.env.INITIAL_PASSWORD;
|
||||
} else {
|
||||
process.env.INITIAL_PASSWORD = ORIGINAL_INITIAL_PASSWORD;
|
||||
}
|
||||
});
|
||||
|
||||
test("isPublicRoute recognizes allowed API prefixes", () => {
|
||||
assert.equal(apiAuth.isPublicRoute("/api/auth/login"), true);
|
||||
assert.equal(apiAuth.isPublicRoute("/api/v1/chat/completions"), true);
|
||||
assert.equal(apiAuth.isPublicRoute("/api/sync/bundle"), true);
|
||||
assert.equal(apiAuth.isPublicRoute("/api/monitoring/health", "GET"), true);
|
||||
assert.equal(apiAuth.isPublicRoute("/api/monitoring/health", "DELETE"), false);
|
||||
assert.equal(apiAuth.isPublicRoute("/api/settings"), false);
|
||||
});
|
||||
|
||||
test("verifyAuth accepts a valid JWT session cookie", async () => {
|
||||
process.env.JWT_SECRET = "jwt-secret-for-tests";
|
||||
const secret = new TextEncoder().encode(process.env.JWT_SECRET);
|
||||
const token = await new SignJWT({ authenticated: true })
|
||||
.setProtectedHeader({ alg: "HS256" })
|
||||
.setIssuedAt()
|
||||
.setExpirationTime("1h")
|
||||
.sign(secret);
|
||||
|
||||
const result = await apiAuth.verifyAuth(makeCookieRequest(token));
|
||||
|
||||
assert.equal(result, null);
|
||||
});
|
||||
|
||||
test("verifyAuth falls back to bearer API key validation after a bad JWT", async () => {
|
||||
process.env.JWT_SECRET = "jwt-secret-for-tests";
|
||||
const key = await apiKeysDb.createApiKey("integration", "machine1234567890");
|
||||
const request = {
|
||||
cookies: {
|
||||
get() {
|
||||
return { value: "definitely-not-a-valid-jwt" };
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: `Bearer ${key.key}` }),
|
||||
url: "https://example.com/api/v1/models",
|
||||
};
|
||||
|
||||
const result = await apiAuth.verifyAuth(request);
|
||||
|
||||
assert.equal(result, null);
|
||||
});
|
||||
|
||||
test("verifyAuth no longer accepts API keys supplied via query string (#3300 follow-up)", async () => {
|
||||
// Query-string token fallbacks were removed (credential-in-URL leaks into logs).
|
||||
const key = await apiKeysDb.createApiKey("query-auth", "machine1234567890");
|
||||
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers(),
|
||||
url: `https://example.com/api/v1/models?token=${encodeURIComponent(key.key)}`,
|
||||
});
|
||||
|
||||
// No usable credential → authentication fails (was incorrectly accepted before).
|
||||
assert.notEqual(result, null);
|
||||
});
|
||||
|
||||
test("isAuthenticated accepts API keys embedded in vscode path aliases", async () => {
|
||||
const key = await apiKeysDb.createApiKey("path-auth", "machine1234567890");
|
||||
const request = new Request(
|
||||
`https://example.com/api/v1/vscode/${encodeURIComponent(key.key)}/models`
|
||||
);
|
||||
|
||||
const result = await apiAuth.isAuthenticated(request);
|
||||
|
||||
assert.equal(result, true);
|
||||
});
|
||||
|
||||
test("verifyAuth never honours a URL-borne token on MANAGEMENT routes (#3300 follow-up)", async () => {
|
||||
// The historical escalation: a credential in the query string on a management
|
||||
// route (/api/* but not /api/v1/*). It must not be extracted at all, so the
|
||||
// failure is "Authentication required" (no credential) — NOT "Invalid
|
||||
// management token" (which the pre-fix code returned, proving the URL token
|
||||
// had been picked up and tried against management validation).
|
||||
const key = await apiKeysDb.createApiKey("mgmt-url", "machine1234567890");
|
||||
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers(),
|
||||
url: `https://example.com/api/providers?token=${encodeURIComponent(key.key)}`,
|
||||
});
|
||||
|
||||
assert.equal(result, "Authentication required");
|
||||
});
|
||||
|
||||
test("verifyAuth rejects bearer API keys on management routes", async () => {
|
||||
const key = await apiKeysDb.createApiKey("integration", "machine1234567890");
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: `Bearer ${key.key}` }),
|
||||
url: "https://example.com/api/providers",
|
||||
});
|
||||
|
||||
assert.equal(result, "Invalid management token");
|
||||
});
|
||||
|
||||
test("verifyAuth rejects requests without valid credentials", async () => {
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: "Bearer sk-invalid" }),
|
||||
url: "https://example.com/api/v1/models",
|
||||
});
|
||||
|
||||
assert.equal(result, "Authentication required");
|
||||
});
|
||||
|
||||
test("isAuthenticated accepts bearer API keys on client-facing routes", async () => {
|
||||
const key = await apiKeysDb.createApiKey("integration", "machine1234567890");
|
||||
const request = new Request("https://example.com/api/v1/models", {
|
||||
headers: { authorization: `Bearer ${key.key}` },
|
||||
});
|
||||
|
||||
const result = await apiAuth.isAuthenticated(request);
|
||||
|
||||
assert.equal(result, true);
|
||||
});
|
||||
|
||||
test("isAuthenticated rejects bearer API keys on management routes", async () => {
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const key = await apiKeysDb.createApiKey("integration", "machine1234567890");
|
||||
const request = new Request("https://example.com/api/providers", {
|
||||
headers: { authorization: `Bearer ${key.key}` },
|
||||
});
|
||||
|
||||
const result = await apiAuth.isAuthenticated(request);
|
||||
|
||||
assert.equal(result, false);
|
||||
});
|
||||
|
||||
test("verifyAuth accepts bearer API keys with manage scope on management routes", async () => {
|
||||
const key = await apiKeysDb.createApiKey("mcp-management", "machine1234567890", ["manage"]);
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: `Bearer ${key.key}` }),
|
||||
url: "https://example.com/api/providers",
|
||||
});
|
||||
|
||||
assert.equal(result, null);
|
||||
});
|
||||
|
||||
test("verifyAuth accepts bearer API keys with admin scope on management routes", async () => {
|
||||
const key = await apiKeysDb.createApiKey("mcp-admin", "machine1234567890", ["admin"]);
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: `Bearer ${key.key}` }),
|
||||
url: "https://example.com/api/settings",
|
||||
});
|
||||
|
||||
assert.equal(result, null);
|
||||
});
|
||||
|
||||
test("verifyAuth still rejects unscoped bearer API keys on management routes", async () => {
|
||||
const key = await apiKeysDb.createApiKey("integration-no-scope", "machine1234567890");
|
||||
const result = await apiAuth.verifyAuth({
|
||||
cookies: {
|
||||
get() {
|
||||
return undefined;
|
||||
},
|
||||
},
|
||||
headers: new Headers({ authorization: `Bearer ${key.key}` }),
|
||||
url: "https://example.com/api/providers",
|
||||
});
|
||||
|
||||
assert.equal(result, "Invalid management token");
|
||||
});
|
||||
|
||||
test("isAuthenticated accepts bearer API keys with manage scope on management routes", async () => {
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const key = await apiKeysDb.createApiKey("mcp-management", "machine1234567890", ["manage"]);
|
||||
const request = new Request("https://example.com/api/providers", {
|
||||
headers: { authorization: `Bearer ${key.key}` },
|
||||
});
|
||||
|
||||
const result = await apiAuth.isAuthenticated(request);
|
||||
|
||||
assert.equal(result, true);
|
||||
});
|
||||
|
||||
test("monitoring health reset route requires dashboard authentication", async () => {
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const healthRoute = await import("../../src/app/api/monitoring/health/route.ts");
|
||||
const response = await healthRoute.DELETE(
|
||||
new Request("https://example.com/api/monitoring/health", { method: "DELETE" })
|
||||
);
|
||||
|
||||
assert.equal(response.status, 401);
|
||||
});
|
||||
|
||||
test("isAuthenticated returns false when auth is required without valid credentials", async () => {
|
||||
// Force requireLogin to be active
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const request = new Request("https://example.com/api/providers");
|
||||
|
||||
const result = await apiAuth.isAuthenticated(request);
|
||||
|
||||
assert.equal(result, false);
|
||||
});
|
||||
|
||||
test("isAuthRequired is disabled when requireLogin is false", async () => {
|
||||
await localDb.updateSettings({ requireLogin: false });
|
||||
|
||||
const result = await apiAuth.isAuthRequired();
|
||||
|
||||
assert.equal(result, false);
|
||||
});
|
||||
|
||||
test("isAuthRequired is disabled while no password exists", async () => {
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const result = await apiAuth.isAuthRequired();
|
||||
|
||||
assert.equal(result, false);
|
||||
});
|
||||
|
||||
test("isAuthRequired keeps fresh bootstrap open only on loopback", async () => {
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
assert.equal(await apiAuth.isAuthRequired(new Request("http://localhost/api/providers")), false);
|
||||
assert.equal(await apiAuth.isAuthRequired(new Request("http://127.0.0.1/api/providers")), false);
|
||||
assert.equal(
|
||||
await apiAuth.isAuthRequired(new Request("https://example.com/api/providers")),
|
||||
true
|
||||
);
|
||||
});
|
||||
|
||||
test("isAuthenticated rejects remote management bootstrap without a configured password", async () => {
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const request = new Request("https://example.com/api/providers");
|
||||
|
||||
assert.equal(await apiAuth.isAuthenticated(request), false);
|
||||
});
|
||||
|
||||
test("isAuthRequired stays enabled when a password exists", async () => {
|
||||
await localDb.updateSettings({ requireLogin: true, password: "hashed-password" });
|
||||
|
||||
const result = await apiAuth.isAuthRequired();
|
||||
|
||||
assert.equal(result, true);
|
||||
});
|
||||
|
||||
test("isAuthRequired stays enabled when INITIAL_PASSWORD is present", async () => {
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
|
||||
const result = await apiAuth.isAuthRequired();
|
||||
|
||||
assert.equal(result, true);
|
||||
|
||||
delete process.env.INITIAL_PASSWORD;
|
||||
});
|
||||
|
||||
test("getApiKeyMetadata recognizes OMNIROUTE_API_KEY environment variable", async () => {
|
||||
const envKey = "sk-test-env-key-" + Date.now();
|
||||
process.env.OMNIROUTE_API_KEY = envKey;
|
||||
|
||||
const metadata = await apiKeysDb.getApiKeyMetadata(envKey);
|
||||
|
||||
assert.ok(metadata);
|
||||
assert.equal(metadata.id, "env-key");
|
||||
assert.equal(metadata.name, "Environment Key");
|
||||
|
||||
delete process.env.OMNIROUTE_API_KEY;
|
||||
});
|
||||
|
||||
test("getApiKeyMetadata recognizes ROUTER_API_KEY environment variable", async () => {
|
||||
const envKey = "sk-test-router-key-" + Date.now();
|
||||
process.env.ROUTER_API_KEY = envKey;
|
||||
|
||||
const metadata = await apiKeysDb.getApiKeyMetadata(envKey);
|
||||
|
||||
assert.ok(metadata);
|
||||
assert.equal(metadata.id, "env-key");
|
||||
|
||||
delete process.env.ROUTER_API_KEY;
|
||||
});
|
||||
|
||||
// ──── requireManagementAuth ────
|
||||
|
||||
async function setupAuth() {
|
||||
process.env.INITIAL_PASSWORD = "bootstrap-password";
|
||||
await localDb.updateSettings({ requireLogin: true, password: "" });
|
||||
}
|
||||
|
||||
function managementRequest(bearerKey?: string) {
|
||||
return new Request("https://example.com/api/combos", {
|
||||
headers: bearerKey ? { authorization: `Bearer ${bearerKey}` } : {},
|
||||
});
|
||||
}
|
||||
|
||||
function managementCliRequest(token: string) {
|
||||
const request = new Request("http://localhost:20128/api/combos", {
|
||||
headers: { [CLI_TOKEN_HEADER]: token },
|
||||
});
|
||||
return Object.assign(request, { ip: "127.0.0.1" }) as Request;
|
||||
}
|
||||
|
||||
test("requireManagementAuth returns 401 with no credentials", async () => {
|
||||
await setupAuth();
|
||||
const res = await requireManagementAuth(managementRequest());
|
||||
assert.ok(res);
|
||||
assert.equal(res.status, 401);
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns 403 for an invalid management token", async () => {
|
||||
await setupAuth();
|
||||
const res = await requireManagementAuth(managementRequest("sk-not-a-real-key"));
|
||||
assert.ok(res);
|
||||
assert.equal(res.status, 403);
|
||||
const body = await res.json();
|
||||
assert.equal(body.error?.message, "Invalid management token");
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns 403 for valid key without manage scope", async () => {
|
||||
await setupAuth();
|
||||
const key = await apiKeysDb.createApiKey("inference-only", "machine-test");
|
||||
const res = await requireManagementAuth(managementRequest(key.key));
|
||||
assert.ok(res);
|
||||
assert.equal(res.status, 403);
|
||||
const body = await res.json();
|
||||
assert.ok(body.error?.message?.includes("manage"));
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns null for valid key with manage scope", async () => {
|
||||
await setupAuth();
|
||||
const key = await apiKeysDb.createApiKey("admin-key", "machine-test", ["manage"]);
|
||||
const res = await requireManagementAuth(managementRequest(key.key));
|
||||
assert.equal(res, null);
|
||||
});
|
||||
|
||||
test("requireManagementAuth accepts the 64-character local machine token", async () => {
|
||||
await setupAuth();
|
||||
const token = getMachineTokenSync();
|
||||
assert.equal(token.length, 64);
|
||||
const res = await requireManagementAuth(managementCliRequest(token));
|
||||
assert.equal(res, null);
|
||||
});
|
||||
|
||||
test("requireManagementAuth accepts the legacy 32-character local CLI token", async () => {
|
||||
await setupAuth();
|
||||
const token = getLegacyCliTokenSync();
|
||||
assert.equal(token.length, 32);
|
||||
const res = await requireManagementAuth(managementCliRequest(token));
|
||||
assert.equal(res, null);
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns null for OMNIROUTE_API_KEY env passthrough", async () => {
|
||||
await setupAuth();
|
||||
const envKey = "sk-env-root-" + Date.now();
|
||||
process.env.OMNIROUTE_API_KEY = envKey;
|
||||
try {
|
||||
const res = await requireManagementAuth(managementRequest(envKey));
|
||||
assert.equal(res, null);
|
||||
} finally {
|
||||
delete process.env.OMNIROUTE_API_KEY;
|
||||
}
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns 403 for revoked key with manage scope", async () => {
|
||||
await setupAuth();
|
||||
const key = await apiKeysDb.createApiKey("revoked-admin", "machine-test", ["manage"]);
|
||||
await apiKeysDb.revokeApiKey(key.id);
|
||||
const res = await requireManagementAuth(managementRequest(key.key));
|
||||
assert.ok(res);
|
||||
assert.equal(res.status, 403);
|
||||
const body = await res.json();
|
||||
assert.equal(body.error?.message, "Invalid management token");
|
||||
});
|
||||
|
||||
test("requireManagementAuth returns null for valid JWT cookie", async () => {
|
||||
await setupAuth();
|
||||
process.env.JWT_SECRET = "jwt-secret-for-tests";
|
||||
const secret = new TextEncoder().encode(process.env.JWT_SECRET);
|
||||
const token = await new SignJWT({ authenticated: true })
|
||||
.setProtectedHeader({ alg: "HS256" })
|
||||
.setIssuedAt()
|
||||
.setExpirationTime("1h")
|
||||
.sign(secret);
|
||||
|
||||
const request = {
|
||||
cookies: { get: (name: string) => (name === "auth_token" ? { value: token } : undefined) },
|
||||
headers: new Headers(),
|
||||
url: "https://example.com/api/combos",
|
||||
};
|
||||
const res = await requireManagementAuth(request as unknown as Request);
|
||||
assert.equal(res, null);
|
||||
});
|
||||
Reference in New Issue
Block a user