import test from "node:test"; import assert from "node:assert/strict"; import crypto from "node:crypto"; test("cliToken.mjs pode ser importado sem erro", async () => { const mod = await import("../../bin/cli/utils/cliToken.mjs"); assert.equal(typeof mod.getCliToken, "function"); assert.equal(typeof mod.CLI_TOKEN_HEADER, "string"); assert.equal(mod.CLI_TOKEN_HEADER, "x-omniroute-cli-token"); }); test("getCliToken retorna string de 32 chars ou string vazia", async () => { const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs"); const token = await getCliToken(); assert.ok(typeof token === "string"); // Pode ser "" se node-machine-id falhar, ou 32 chars se funcionar. assert.ok(token === "" || token.length === 32, `expected 0 or 32 chars, got ${token.length}`); }); test("getCliToken retorna mesmo valor em chamadas repetidas (cache)", async () => { const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs"); const t1 = await getCliToken(); const t2 = await getCliToken(); assert.equal(t1, t2); }); test("getCliToken produz apenas hex lowercase se não-vazio", async () => { const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs"); const token = await getCliToken(); if (token.length > 0) { assert.match(token, /^[0-9a-f]{32}$/); } }); test("OMNIROUTE_CLI_TOKEN env sobrescreve token gerado em apiFetch", async () => { const orig = process.env.OMNIROUTE_CLI_TOKEN; process.env.OMNIROUTE_CLI_TOKEN = "test-override-token-12345"; try { // Re-import api.mjs não funciona por cache ESM — validamos apenas que env é lido. assert.equal(process.env.OMNIROUTE_CLI_TOKEN, "test-override-token-12345"); } finally { if (orig === undefined) delete process.env.OMNIROUTE_CLI_TOKEN; else process.env.OMNIROUTE_CLI_TOKEN = orig; } }); // --- testes server-side: isLoopback --- test("isLoopback aceita 127.0.0.1", async () => { const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth"); assert.ok(isLoopback("127.0.0.1")); }); test("isLoopback aceita ::1", async () => { const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth"); assert.ok(isLoopback("::1")); }); test("isLoopback aceita ::ffff:127.0.0.1 (IPv4-mapped)", async () => { const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth"); assert.ok(isLoopback("::ffff:127.0.0.1")); }); test("isLoopback rejeita IP público", async () => { const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth"); assert.ok(!isLoopback("192.168.1.100")); assert.ok(!isLoopback("10.0.0.1")); assert.ok(!isLoopback("8.8.8.8")); }); test("token derivado de machine-id diferente produz hash diferente", () => { const SALT = "omniroute-cli-auth-v1"; const hash = (mid: string) => crypto .createHash("sha256") .update(mid + SALT) .digest("hex") .substring(0, 32); const t1 = hash("machine-id-host-A"); const t2 = hash("machine-id-host-B"); assert.notEqual(t1, t2); assert.match(t1, /^[0-9a-f]{32}$/); assert.match(t2, /^[0-9a-f]{32}$/); }); test("OMNIROUTE_DISABLE_CLI_TOKEN desabilita auth (estrutura verificada)", async () => { const { readFileSync } = await import("node:fs"); const { join, dirname } = await import("node:path"); const { fileURLToPath } = await import("node:url"); const dir = dirname(fileURLToPath(import.meta.url)); const src = readFileSync(join(dir, "../../src/lib/middleware/cliTokenAuth.ts"), "utf8"); assert.ok(src.includes("OMNIROUTE_DISABLE_CLI_TOKEN")); }); test("cliTokenAuth must NOT derive loopback from the spoofable Host header", async () => { const { readFileSync } = await import("node:fs"); const { join, dirname } = await import("node:path"); const { fileURLToPath } = await import("node:url"); const dir = dirname(fileURLToPath(import.meta.url)); const src = readFileSync(join(dir, "../../src/lib/middleware/cliTokenAuth.ts"), "utf8"); // Regression guard: a remote caller with a stolen CLI token could send // Host: 127.0.0.1 if locality came from new URL(request.url).hostname. assert.ok( !/isLoopback\(\s*new URL\(request\.url\)\.hostname/.test(src), "must not call isLoopback(new URL(request.url).hostname)" ); assert.ok( src.includes("AUTHZ_HEADER_PEER_LOCALITY"), "must trust the middleware-stamped locality verdict instead" ); });