chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,51 @@
|
||||
/**
|
||||
* Regression: Cloud sync must verify the X-Cloud-Sig HMAC and must NOT
|
||||
* overwrite accessToken / refreshToken unless OMNIROUTE_CLOUD_SYNC_SECRETS=true.
|
||||
* See docs/security/SOCKET_DEV_FINDINGS.md §5.
|
||||
*/
|
||||
import { test } from "node:test";
|
||||
import assert from "node:assert/strict";
|
||||
import crypto from "node:crypto";
|
||||
|
||||
test("verifyCloudSignature accepts a valid HMAC", async () => {
|
||||
// Test-only HMAC key derived deterministically — no hardcoded production secret.
|
||||
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
|
||||
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
|
||||
// Re-import so the module re-reads the env.
|
||||
const mod = await import(
|
||||
"../../../src/lib/cloudSync.ts?cache=" + Date.now()
|
||||
).catch(() => import("../../../src/lib/cloudSync.ts"));
|
||||
const body = JSON.stringify({ data: { providers: {} } });
|
||||
const sig = crypto.createHmac("sha256", TEST_HMAC_KEY).update(body).digest("hex");
|
||||
assert.equal((mod as any).verifyCloudSignature(body, sig), true);
|
||||
});
|
||||
|
||||
test("verifyCloudSignature rejects a forged signature", async () => {
|
||||
// Test-only HMAC key derived deterministically — no hardcoded production secret.
|
||||
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
|
||||
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
|
||||
const mod = await import("../../../src/lib/cloudSync.ts");
|
||||
const body = JSON.stringify({ data: { providers: {} } });
|
||||
const forged = "0".repeat(64);
|
||||
assert.equal((mod as any).verifyCloudSignature(body, forged), false);
|
||||
});
|
||||
|
||||
test("verifyCloudSignature rejects when the secret is set but sig header is missing", async () => {
|
||||
// Test-only HMAC key derived deterministically — no hardcoded production secret.
|
||||
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
|
||||
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
|
||||
const mod = await import("../../../src/lib/cloudSync.ts");
|
||||
const body = JSON.stringify({ data: { providers: {} } });
|
||||
assert.equal((mod as any).verifyCloudSignature(body, null), false);
|
||||
});
|
||||
|
||||
test("verifyCloudSignature falls through (legacy mode) when secret is unset", async () => {
|
||||
delete process.env.OMNIROUTE_CLOUD_SYNC_SECRET;
|
||||
// Force re-import so module constants pick up the cleared env.
|
||||
delete (globalThis as any).__omniroute_cloudSync_cache;
|
||||
const mod = await import("../../../src/lib/cloudSync.ts");
|
||||
const body = JSON.stringify({ data: { providers: {} } });
|
||||
// Behaviour: accept unsigned body but log warning. We assert it doesn't throw.
|
||||
const result = (mod as any).verifyCloudSignature(body, null);
|
||||
assert.equal(typeof result, "boolean");
|
||||
});
|
||||
Reference in New Issue
Block a user