Files
diegosouzapw--omniroute/tests/unit/api-key-reveal-route.test.ts
2026-07-13 13:39:12 +08:00

167 lines
5.6 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-api-key-reveal-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.API_KEY_SECRET = "test-api-key-secret";
const core = await import("../../src/lib/db/core.ts");
const apiKeysDb = await import("../../src/lib/db/apiKeys.ts");
const featureFlagsDb = await import("../../src/lib/db/featureFlags.ts");
const listRoute = await import("../../src/app/api/keys/route.ts");
const revealRoute = await import("../../src/app/api/keys/[id]/reveal/route.ts");
const MACHINE_ID = "1234567890abcdef";
async function resetStorage() {
delete process.env.ALLOW_API_KEY_REVEAL;
delete process.env.INITIAL_PASSWORD;
core.resetDbInstance();
apiKeysDb.resetApiKeyState();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
function maskKey(key) {
return key.slice(0, 8) + "****" + key.slice(-4);
}
test.beforeEach(async () => {
await resetStorage();
});
test.after(async () => {
delete process.env.ALLOW_API_KEY_REVEAL;
core.resetDbInstance();
apiKeysDb.resetApiKeyState();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
});
test("GET /api/keys stays masked even when reveal is enabled", async () => {
process.env.ALLOW_API_KEY_REVEAL = "true";
const created = await apiKeysDb.createApiKey("Primary Key", MACHINE_ID);
const response = await listRoute.GET(new Request("http://localhost/api/keys"));
const body = (await response.json()) as any;
assert.equal(response.status, 200);
assert.equal(body.allowKeyReveal, true);
assert.equal(Array.isArray(body.keys), true);
assert.equal(body.keys[0].key, maskKey(created.key));
});
test("GET /api/keys falls back to default pagination for invalid query params", async () => {
await apiKeysDb.createApiKey("Alpha", MACHINE_ID);
await apiKeysDb.createApiKey("Beta", MACHINE_ID);
const response = await listRoute.GET(
new Request("http://localhost/api/keys?limit=abc&offset=xyz")
);
const body = (await response.json()) as any;
assert.equal(response.status, 200);
assert.equal(body.allowKeyReveal, false);
assert.equal(body.total, 2);
assert.equal(body.keys.length, 2);
assert.equal(
body.keys.every((entry) => entry.key.includes("****")),
true
);
});
test("GET /api/keys returns 500 when key loading fails unexpectedly", async () => {
await apiKeysDb.createApiKey("Primary Key", MACHINE_ID);
const db = core.getDbInstance();
const originalPrepare = db.prepare.bind(db);
db.prepare = (sql, ...args) => {
if (typeof sql === "string" && sql.includes("SELECT * FROM api_keys")) {
throw new Error("db exploded");
}
return originalPrepare(sql, ...args);
};
apiKeysDb.resetApiKeyState();
try {
const response = await listRoute.GET(new Request("http://localhost/api/keys"));
const body = (await response.json()) as any;
assert.equal(response.status, 500);
assert.equal(body.error, "Failed to fetch keys");
} finally {
db.prepare = originalPrepare;
apiKeysDb.resetApiKeyState();
}
});
test("GET /api/keys/[id]/reveal rejects requests when reveal is disabled", async () => {
const created = await apiKeysDb.createApiKey("Primary Key", MACHINE_ID);
const request = new Request(`http://localhost/api/keys/${created.id}/reveal`);
const response = await revealRoute.GET(request, {
params: Promise.resolve({ id: created.id }),
});
const body = (await response.json()) as any;
assert.equal(response.status, 403);
assert.equal(body.error, "API key reveal is disabled");
});
test("GET /api/keys/[id]/reveal returns the full key when reveal is enabled", async () => {
process.env.ALLOW_API_KEY_REVEAL = "true";
const created = await apiKeysDb.createApiKey("Primary Key", MACHINE_ID);
const request = new Request(`http://localhost/api/keys/${created.id}/reveal`);
const response = await revealRoute.GET(request, {
params: Promise.resolve({ id: created.id }),
});
const body = (await response.json()) as any;
assert.equal(response.status, 200);
assert.equal(body.key, created.key);
});
test("GET /api/keys/[id]/reveal honors the ALLOW_API_KEY_REVEAL feature flag override", async () => {
featureFlagsDb.setFeatureFlagOverride("ALLOW_API_KEY_REVEAL", "true");
const created = await apiKeysDb.createApiKey("Primary Key", MACHINE_ID);
const request = new Request(`http://localhost/api/keys/${created.id}/reveal`);
const response = await revealRoute.GET(request, {
params: Promise.resolve({ id: created.id }),
});
const body = (await response.json()) as any;
assert.equal(response.status, 200);
assert.equal(body.key, created.key);
});
test("GET /api/keys/[id]/reveal returns 404 for unknown keys even when reveal is enabled", async () => {
process.env.ALLOW_API_KEY_REVEAL = "true";
const request = new Request("http://localhost/api/keys/missing/reveal");
const response = await revealRoute.GET(request, {
params: Promise.resolve({ id: "missing" }),
});
const body = (await response.json()) as any;
assert.equal(response.status, 404);
assert.equal(body.error, "Key not found");
});
test("GET /api/keys/[id]/reveal returns 500 when params resolution fails", async () => {
process.env.ALLOW_API_KEY_REVEAL = "true";
const request = new Request("http://localhost/api/keys/broken/reveal");
const response = await revealRoute.GET(request, {
params: Promise.reject(new Error("params exploded")),
});
const body = (await response.json()) as any;
assert.equal(response.status, 500);
assert.equal(body.error, "Failed to reveal key");
});