85 lines
2.4 KiB
TypeScript
85 lines
2.4 KiB
TypeScript
import assert from "node:assert/strict";
|
|
import { describe, it, beforeEach, after } from "node:test";
|
|
|
|
import { DASHBOARD_CSRF_HEADER } from "@/shared/constants/dashboardCsrf";
|
|
import { issueDashboardCsrfToken, validateDashboardCsrfToken } from "@/server/authz/csrf";
|
|
|
|
const ORIGINAL_JWT_SECRET = process.env.JWT_SECRET;
|
|
|
|
beforeEach(() => {
|
|
process.env.JWT_SECRET = "csrf-test-secret";
|
|
});
|
|
|
|
after(() => {
|
|
if (ORIGINAL_JWT_SECRET === undefined) delete process.env.JWT_SECRET;
|
|
else process.env.JWT_SECRET = ORIGINAL_JWT_SECRET;
|
|
});
|
|
|
|
function request(path: string, cookie = "auth_token=session-a", token?: string): Request {
|
|
return new Request(`http://127.0.0.1:20128${path}`, {
|
|
method: "POST",
|
|
headers: {
|
|
cookie,
|
|
...(token ? { [DASHBOARD_CSRF_HEADER]: token } : {}),
|
|
},
|
|
});
|
|
}
|
|
|
|
describe("dashboard CSRF tokens", () => {
|
|
it("accepts a valid token for dashboard management mutation paths", () => {
|
|
const issued = issueDashboardCsrfToken(request("/api/auth/csrf"), 1_000);
|
|
|
|
assert.ok(issued);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/models/test", undefined, issued.token), 1_000),
|
|
true
|
|
);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/models/test-all", undefined, issued.token), 1_000),
|
|
true
|
|
);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/combos/test", undefined, issued.token), 1_000),
|
|
true
|
|
);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/keys", undefined, issued.token), 1_000),
|
|
true
|
|
);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/settings", undefined, issued.token), 1_000),
|
|
true
|
|
);
|
|
});
|
|
|
|
it("binds tokens to the dashboard auth cookie", () => {
|
|
const issued = issueDashboardCsrfToken(
|
|
request("/api/auth/csrf", "auth_token=session-a"),
|
|
1_000
|
|
);
|
|
|
|
assert.ok(issued);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(
|
|
request("/api/models/test", "auth_token=session-b", issued.token),
|
|
1_000
|
|
),
|
|
false
|
|
);
|
|
});
|
|
|
|
it("rejects expired and tampered tokens", () => {
|
|
const issued = issueDashboardCsrfToken(request("/api/auth/csrf"), 1_000);
|
|
|
|
assert.ok(issued);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/models/test", undefined, issued.token), 700_000),
|
|
false
|
|
);
|
|
assert.equal(
|
|
validateDashboardCsrfToken(request("/api/models/test", undefined, `${issued.token}x`), 1_000),
|
|
false
|
|
);
|
|
});
|
|
});
|