Files
diegosouzapw--omniroute/tests/unit/auth-extract-api-key.test.ts
2026-07-13 13:39:12 +08:00

130 lines
5.3 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
const { extractApiKey } = await import("../../src/sse/services/auth.ts");
function makeRequest(headers: Record<string, string>): Request {
return new Request("https://omniroute.test/v1/messages", { headers });
}
const ANTHROPIC = { "anthropic-version": "2023-06-01" } as const;
test("extractApiKey returns Bearer key when Authorization header is set", () => {
const req = makeRequest({ Authorization: "Bearer sk-test-bearer" });
assert.equal(extractApiKey(req), "sk-test-bearer");
});
test("extractApiKey trims surrounding whitespace from Bearer token", () => {
const req = makeRequest({ Authorization: "Bearer sk-padded-token " });
assert.equal(extractApiKey(req), "sk-padded-token");
});
test("extractApiKey is case-insensitive on the Authorization header name", () => {
const req = makeRequest({ authorization: "Bearer sk-lowercase-header" });
assert.equal(extractApiKey(req), "sk-lowercase-header");
});
test("extractApiKey is case-insensitive on the 'bearer' prefix", () => {
const req = makeRequest({ Authorization: "bearer sk-lowercase-prefix" });
assert.equal(extractApiKey(req), "sk-lowercase-prefix");
});
test("extractApiKey falls back to x-api-key when Authorization is absent and anthropic-version is set (#2225)", () => {
const req = makeRequest({ "x-api-key": "sk-anthropic-native", ...ANTHROPIC });
assert.equal(extractApiKey(req), "sk-anthropic-native");
});
test("extractApiKey accepts uppercase X-Api-Key header alongside anthropic-version (#2225)", () => {
const req = makeRequest({ "X-Api-Key": "sk-uppercase-xapikey", ...ANTHROPIC });
assert.equal(extractApiKey(req), "sk-uppercase-xapikey");
});
test("extractApiKey trims surrounding whitespace from x-api-key value", () => {
const req = makeRequest({ "x-api-key": " sk-padded-xapikey ", ...ANTHROPIC });
assert.equal(extractApiKey(req), "sk-padded-xapikey");
});
test("extractApiKey prefers Bearer over x-api-key when both are present (back-compat)", () => {
const req = makeRequest({
Authorization: "Bearer sk-bearer-wins",
"x-api-key": "sk-loser",
...ANTHROPIC,
});
assert.equal(extractApiKey(req), "sk-bearer-wins");
});
test("extractApiKey returns null when neither header is present", () => {
const req = makeRequest({});
assert.equal(extractApiKey(req), null);
});
test("extractApiKey returns null when x-api-key contains only whitespace", () => {
const req = makeRequest({ "x-api-key": " ", ...ANTHROPIC });
assert.equal(extractApiKey(req), null);
});
test("extractApiKey returns null when Authorization is not a Bearer scheme and x-api-key is absent", () => {
const req = makeRequest({ Authorization: "Basic <stub-base64>" });
assert.equal(extractApiKey(req), null);
});
test("extractApiKey falls back to x-api-key when Authorization is a non-Bearer scheme (anthropic-version present)", () => {
const req = makeRequest({
Authorization: "Basic <stub-base64>",
"x-api-key": "stub-fallback-after-basic",
...ANTHROPIC,
});
assert.equal(extractApiKey(req), "stub-fallback-after-basic");
});
test("extractApiKey ignores x-api-key when anthropic-version is missing — protects local-mode non-Anthropic clients", () => {
const req = makeRequest({ "x-api-key": "placeholder-key" });
assert.equal(extractApiKey(req), null);
});
test("extractApiKey accepts Anthropic-Version (TitleCase) header", () => {
const req = makeRequest({
"x-api-key": "sk-titlecase-version",
"Anthropic-Version": "2024-10-22",
});
assert.equal(extractApiKey(req), "sk-titlecase-version");
});
test("extractApiKey extracts a path-scoped token from /api/v1/vscode/<token>/...", () => {
const req = new Request("https://omniroute.test/api/v1/vscode/sk-test-path-token/models");
assert.equal(extractApiKey(req), "sk-test-path-token");
});
test("extractApiKey extracts a path-scoped token from /api/v1/vscode/raw/<token>/...", () => {
const req = new Request(
"https://omniroute.test/api/v1/vscode/raw/sk-test-path-token/api/version"
);
assert.equal(extractApiKey(req), "sk-test-path-token");
});
test("extractApiKey extracts a path-scoped token from /api/v1/vscode/combos/<token>/...", () => {
const req = new Request(
"https://omniroute.test/api/v1/vscode/combos/sk-test-path-token/api/version"
);
assert.equal(extractApiKey(req), "sk-test-path-token");
});
test("extractApiKey does NOT extract a query-string token (#3300 security follow-up)", () => {
// Query-string fallbacks (?token / ?key / ?apiKey / ?api_key) were removed —
// a credential in the query string leaks into access logs / Referer headers.
for (const q of ["token", "key", "apiKey", "api_key"]) {
const req = new Request(`https://omniroute.test/api/v1/models?${q}=sk-test-query-token`);
assert.equal(extractApiKey(req), null, `?${q}= must not be extracted`);
}
});
test("extractApiKey skips the path-scoped token when allowUrl is false (management auth)", () => {
const req = new Request("https://omniroute.test/api/v1/vscode/sk-test-path-token/models");
assert.equal(extractApiKey(req, { allowUrl: false }), null);
// Headers still work regardless of allowUrl.
const withHeader = new Request("https://omniroute.test/api/v1/vscode/sk-test-path-token/models", {
headers: { Authorization: "Bearer sk-header-wins" },
});
assert.equal(extractApiKey(withHeader, { allowUrl: false }), "sk-header-wins");
});