Files
2026-07-13 13:39:12 +08:00

85 lines
2.4 KiB
TypeScript

import assert from "node:assert/strict";
import { describe, it, beforeEach, after } from "node:test";
import { DASHBOARD_CSRF_HEADER } from "@/shared/constants/dashboardCsrf";
import { issueDashboardCsrfToken, validateDashboardCsrfToken } from "@/server/authz/csrf";
const ORIGINAL_JWT_SECRET = process.env.JWT_SECRET;
beforeEach(() => {
process.env.JWT_SECRET = "csrf-test-secret";
});
after(() => {
if (ORIGINAL_JWT_SECRET === undefined) delete process.env.JWT_SECRET;
else process.env.JWT_SECRET = ORIGINAL_JWT_SECRET;
});
function request(path: string, cookie = "auth_token=session-a", token?: string): Request {
return new Request(`http://127.0.0.1:20128${path}`, {
method: "POST",
headers: {
cookie,
...(token ? { [DASHBOARD_CSRF_HEADER]: token } : {}),
},
});
}
describe("dashboard CSRF tokens", () => {
it("accepts a valid token for dashboard management mutation paths", () => {
const issued = issueDashboardCsrfToken(request("/api/auth/csrf"), 1_000);
assert.ok(issued);
assert.equal(
validateDashboardCsrfToken(request("/api/models/test", undefined, issued.token), 1_000),
true
);
assert.equal(
validateDashboardCsrfToken(request("/api/models/test-all", undefined, issued.token), 1_000),
true
);
assert.equal(
validateDashboardCsrfToken(request("/api/combos/test", undefined, issued.token), 1_000),
true
);
assert.equal(
validateDashboardCsrfToken(request("/api/keys", undefined, issued.token), 1_000),
true
);
assert.equal(
validateDashboardCsrfToken(request("/api/settings", undefined, issued.token), 1_000),
true
);
});
it("binds tokens to the dashboard auth cookie", () => {
const issued = issueDashboardCsrfToken(
request("/api/auth/csrf", "auth_token=session-a"),
1_000
);
assert.ok(issued);
assert.equal(
validateDashboardCsrfToken(
request("/api/models/test", "auth_token=session-b", issued.token),
1_000
),
false
);
});
it("rejects expired and tampered tokens", () => {
const issued = issueDashboardCsrfToken(request("/api/auth/csrf"), 1_000);
assert.ok(issued);
assert.equal(
validateDashboardCsrfToken(request("/api/models/test", undefined, issued.token), 700_000),
false
);
assert.equal(
validateDashboardCsrfToken(request("/api/models/test", undefined, `${issued.token}x`), 1_000),
false
);
});
});