chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,231 @@
|
||||
import test from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import fs from "node:fs";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
|
||||
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-command-code-auth-"));
|
||||
process.env.DATA_DIR = TEST_DATA_DIR;
|
||||
process.env.STORAGE_ENCRYPTION_KEY = "test-command-code-auth-encryption-key";
|
||||
delete process.env.INITIAL_PASSWORD;
|
||||
|
||||
const core = await import("../../src/lib/db/core.ts");
|
||||
const startRoute = await import("../../src/app/api/providers/command-code/auth/start/route.ts");
|
||||
const callbackRoute =
|
||||
await import("../../src/app/api/providers/command-code/auth/callback/route.ts");
|
||||
const statusRoute = await import("../../src/app/api/providers/command-code/auth/status/route.ts");
|
||||
const applyRoute = await import("../../src/app/api/providers/command-code/auth/apply/route.ts");
|
||||
const providersDb = await import("../../src/lib/db/providers.ts");
|
||||
|
||||
function resetDb() {
|
||||
core.resetDbInstance();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
||||
}
|
||||
|
||||
function jsonRequest(url: string, body: unknown, headers: HeadersInit = {}) {
|
||||
return new Request(url, {
|
||||
method: "POST",
|
||||
headers: { "content-type": "application/json", ...headers },
|
||||
body: JSON.stringify(body),
|
||||
});
|
||||
}
|
||||
|
||||
test.beforeEach(() => {
|
||||
delete process.env.OMNIROUTE_PUBLIC_BASE_URL;
|
||||
delete process.env.OMNIROUTE_BASE_URL;
|
||||
delete process.env.BASE_URL;
|
||||
delete process.env.NEXT_PUBLIC_BASE_URL;
|
||||
delete process.env.COMMAND_CODE_CALLBACK_PORT;
|
||||
resetDb();
|
||||
});
|
||||
|
||||
test.after(() => {
|
||||
core.resetDbInstance();
|
||||
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
||||
});
|
||||
|
||||
test("Command Code auth assist start/callback/status/apply keeps state hash and key private", async () => {
|
||||
const startResponse = await startRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/start", {
|
||||
method: "POST",
|
||||
headers: { origin: "http://localhost:20128" },
|
||||
})
|
||||
);
|
||||
assert.equal(startResponse.status, 200);
|
||||
assert.equal(startResponse.headers.get("cache-control"), "no-store");
|
||||
const startBody = await startResponse.json();
|
||||
assert.equal(typeof startBody.state, "string");
|
||||
assert.ok(startBody.authUrl.startsWith("https://commandcode.ai/studio/auth/cli?"));
|
||||
assert.ok(!("stateHash" in startBody));
|
||||
|
||||
const authUrl = new URL(startBody.authUrl);
|
||||
const callbackUrl = authUrl.searchParams.get("callback");
|
||||
assert.ok(callbackUrl);
|
||||
assert.equal(callbackUrl, startBody.callbackUrl);
|
||||
assert.equal(callbackUrl, "http://localhost:5959/callback");
|
||||
assert.equal(startBody.mode, "manual");
|
||||
|
||||
const optionsResponse = await callbackRoute.OPTIONS(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/callback", {
|
||||
method: "OPTIONS",
|
||||
headers: {
|
||||
origin: "https://commandcode.ai",
|
||||
"access-control-request-headers": "content-type, x-command-code",
|
||||
},
|
||||
})
|
||||
);
|
||||
assert.equal(optionsResponse.status, 204);
|
||||
assert.equal(
|
||||
optionsResponse.headers.get("access-control-allow-origin"),
|
||||
"https://commandcode.ai"
|
||||
);
|
||||
assert.equal(optionsResponse.headers.get("access-control-allow-methods"), "POST, OPTIONS");
|
||||
assert.equal(optionsResponse.headers.get("access-control-allow-private-network"), "true");
|
||||
assert.equal(
|
||||
optionsResponse.headers.get("access-control-allow-headers"),
|
||||
"content-type, x-command-code"
|
||||
);
|
||||
|
||||
const callbackResponse = await callbackRoute.POST(
|
||||
jsonRequest(
|
||||
"http://localhost:20128/api/providers/command-code/auth/callback",
|
||||
{
|
||||
apiKey: "cc_test_secret",
|
||||
state: startBody.state,
|
||||
userId: "user-1",
|
||||
userName: "Ada",
|
||||
keyName: "Studio Key",
|
||||
},
|
||||
{ origin: "https://commandcode.ai" }
|
||||
)
|
||||
);
|
||||
assert.equal(callbackResponse.status, 200);
|
||||
const callbackBody = await callbackResponse.json();
|
||||
assert.equal(callbackBody.success, true);
|
||||
|
||||
const statusResponse = await statusRoute.GET(
|
||||
new Request(
|
||||
`http://localhost:20128/api/providers/command-code/auth/status?state=${encodeURIComponent(
|
||||
startBody.state
|
||||
)}`
|
||||
)
|
||||
);
|
||||
assert.equal(statusResponse.status, 200);
|
||||
const statusBody = await statusResponse.json();
|
||||
assert.equal(statusBody.status, "received");
|
||||
assert.equal(statusBody.metadata.userName, "Ada");
|
||||
assert.ok(!JSON.stringify(statusBody).includes("cc_test_secret"));
|
||||
assert.ok(!("stateHash" in statusBody));
|
||||
|
||||
const applyResponse = await applyRoute.POST(
|
||||
jsonRequest("http://localhost:20128/api/providers/command-code/auth/apply", {
|
||||
state: startBody.state,
|
||||
name: "Command Code Studio",
|
||||
setDefault: true,
|
||||
})
|
||||
);
|
||||
assert.equal(applyResponse.status, 200);
|
||||
const applyBody = await applyResponse.json();
|
||||
assert.equal(applyBody.status, "applied");
|
||||
assert.equal(applyBody.connection.provider, "command-code");
|
||||
assert.equal(applyBody.connection.authType, "apikey");
|
||||
assert.ok(!JSON.stringify(applyBody).includes("cc_test_secret"));
|
||||
assert.ok(!("apiKey" in applyBody.connection));
|
||||
assert.ok(!("stateHash" in applyBody));
|
||||
|
||||
const connections = await providersDb.getProviderConnections({ provider: "command-code" });
|
||||
assert.equal(connections.length, 1);
|
||||
assert.equal(connections[0].apiKey, "cc_test_secret");
|
||||
|
||||
const secondApplyResponse = await applyRoute.POST(
|
||||
jsonRequest("http://localhost:20128/api/providers/command-code/auth/apply", {
|
||||
state: startBody.state,
|
||||
})
|
||||
);
|
||||
assert.equal(secondApplyResponse.status, 409);
|
||||
});
|
||||
|
||||
test("Command Code auth assist keeps auth URL callback on CLI localhost contract", async () => {
|
||||
process.env.OMNIROUTE_PUBLIC_BASE_URL = "https://omniroute.example.com/base-path";
|
||||
|
||||
const startResponse = await startRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/start", {
|
||||
method: "POST",
|
||||
headers: { origin: "http://localhost:20128" },
|
||||
})
|
||||
);
|
||||
assert.equal(startResponse.status, 200);
|
||||
const startBody = await startResponse.json();
|
||||
const authUrl = new URL(startBody.authUrl);
|
||||
|
||||
assert.equal(authUrl.searchParams.get("callback"), "http://localhost:5959/callback");
|
||||
assert.equal(startBody.callbackUrl, authUrl.searchParams.get("callback"));
|
||||
});
|
||||
|
||||
test("Command Code auth assist allows only configured CLI callback port range", async () => {
|
||||
process.env.COMMAND_CODE_CALLBACK_PORT = "5962";
|
||||
const configuredPortResponse = await startRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/start", {
|
||||
method: "POST",
|
||||
headers: { origin: "http://localhost:20128" },
|
||||
})
|
||||
);
|
||||
const configuredPortBody = await configuredPortResponse.json();
|
||||
assert.equal(
|
||||
new URL(configuredPortBody.authUrl).searchParams.get("callback"),
|
||||
"http://localhost:5962/callback"
|
||||
);
|
||||
|
||||
resetDb();
|
||||
process.env.COMMAND_CODE_CALLBACK_PORT = "20128";
|
||||
const invalidPortResponse = await startRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/start", {
|
||||
method: "POST",
|
||||
headers: { origin: "http://localhost:20128" },
|
||||
})
|
||||
);
|
||||
const invalidPortBody = await invalidPortResponse.json();
|
||||
assert.equal(
|
||||
new URL(invalidPortBody.authUrl).searchParams.get("callback"),
|
||||
"http://localhost:5959/callback"
|
||||
);
|
||||
|
||||
resetDb();
|
||||
process.env.COMMAND_CODE_CALLBACK_PORT = "5962abc";
|
||||
const partialPortResponse = await startRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/start", {
|
||||
method: "POST",
|
||||
headers: { origin: "http://localhost:20128" },
|
||||
})
|
||||
);
|
||||
const partialPortBody = await partialPortResponse.json();
|
||||
assert.equal(
|
||||
new URL(partialPortBody.authUrl).searchParams.get("callback"),
|
||||
"http://localhost:5959/callback"
|
||||
);
|
||||
});
|
||||
|
||||
test("Command Code callback rejects disallowed origins and oversized bodies", async () => {
|
||||
const disallowed = await callbackRoute.POST(
|
||||
jsonRequest(
|
||||
"http://localhost:20128/api/providers/command-code/auth/callback",
|
||||
{ apiKey: "secret", state: "x".repeat(32) },
|
||||
{ origin: "https://evil.example" }
|
||||
)
|
||||
);
|
||||
assert.equal(disallowed.status, 403);
|
||||
assert.equal((await disallowed.json()).success, false);
|
||||
assert.equal(disallowed.headers.get("access-control-allow-origin"), null);
|
||||
|
||||
const tooLarge = await callbackRoute.POST(
|
||||
new Request("http://localhost:20128/api/providers/command-code/auth/callback", {
|
||||
method: "POST",
|
||||
headers: { "content-type": "application/json", origin: "https://commandcode.ai" },
|
||||
body: JSON.stringify({ apiKey: "x".repeat(11 * 1024), state: "s".repeat(64) }),
|
||||
})
|
||||
);
|
||||
assert.equal(tooLarge.status, 413);
|
||||
assert.equal((await tooLarge.json()).success, false);
|
||||
assert.equal(tooLarge.headers.get("access-control-allow-origin"), "https://commandcode.ai");
|
||||
});
|
||||
Reference in New Issue
Block a user