Files
2026-07-13 13:39:12 +08:00

112 lines
4.3 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
import crypto from "node:crypto";
test("cliToken.mjs pode ser importado sem erro", async () => {
const mod = await import("../../bin/cli/utils/cliToken.mjs");
assert.equal(typeof mod.getCliToken, "function");
assert.equal(typeof mod.CLI_TOKEN_HEADER, "string");
assert.equal(mod.CLI_TOKEN_HEADER, "x-omniroute-cli-token");
});
test("getCliToken retorna string de 32 chars ou string vazia", async () => {
const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs");
const token = await getCliToken();
assert.ok(typeof token === "string");
// Pode ser "" se node-machine-id falhar, ou 32 chars se funcionar.
assert.ok(token === "" || token.length === 32, `expected 0 or 32 chars, got ${token.length}`);
});
test("getCliToken retorna mesmo valor em chamadas repetidas (cache)", async () => {
const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs");
const t1 = await getCliToken();
const t2 = await getCliToken();
assert.equal(t1, t2);
});
test("getCliToken produz apenas hex lowercase se não-vazio", async () => {
const { getCliToken } = await import("../../bin/cli/utils/cliToken.mjs");
const token = await getCliToken();
if (token.length > 0) {
assert.match(token, /^[0-9a-f]{32}$/);
}
});
test("OMNIROUTE_CLI_TOKEN env sobrescreve token gerado em apiFetch", async () => {
const orig = process.env.OMNIROUTE_CLI_TOKEN;
process.env.OMNIROUTE_CLI_TOKEN = "test-override-token-12345";
try {
// Re-import api.mjs não funciona por cache ESM — validamos apenas que env é lido.
assert.equal(process.env.OMNIROUTE_CLI_TOKEN, "test-override-token-12345");
} finally {
if (orig === undefined) delete process.env.OMNIROUTE_CLI_TOKEN;
else process.env.OMNIROUTE_CLI_TOKEN = orig;
}
});
// --- testes server-side: isLoopback ---
test("isLoopback aceita 127.0.0.1", async () => {
const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth");
assert.ok(isLoopback("127.0.0.1"));
});
test("isLoopback aceita ::1", async () => {
const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth");
assert.ok(isLoopback("::1"));
});
test("isLoopback aceita ::ffff:127.0.0.1 (IPv4-mapped)", async () => {
const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth");
assert.ok(isLoopback("::ffff:127.0.0.1"));
});
test("isLoopback rejeita IP público", async () => {
const { isLoopback } = await import("../../src/lib/middleware/cliTokenAuth");
assert.ok(!isLoopback("192.168.1.100"));
assert.ok(!isLoopback("10.0.0.1"));
assert.ok(!isLoopback("8.8.8.8"));
});
test("token derivado de machine-id diferente produz hash diferente", () => {
const SALT = "omniroute-cli-auth-v1";
const hash = (mid: string) =>
crypto
.createHash("sha256")
.update(mid + SALT)
.digest("hex")
.substring(0, 32);
const t1 = hash("machine-id-host-A");
const t2 = hash("machine-id-host-B");
assert.notEqual(t1, t2);
assert.match(t1, /^[0-9a-f]{32}$/);
assert.match(t2, /^[0-9a-f]{32}$/);
});
test("OMNIROUTE_DISABLE_CLI_TOKEN desabilita auth (estrutura verificada)", async () => {
const { readFileSync } = await import("node:fs");
const { join, dirname } = await import("node:path");
const { fileURLToPath } = await import("node:url");
const dir = dirname(fileURLToPath(import.meta.url));
const src = readFileSync(join(dir, "../../src/lib/middleware/cliTokenAuth.ts"), "utf8");
assert.ok(src.includes("OMNIROUTE_DISABLE_CLI_TOKEN"));
});
test("cliTokenAuth must NOT derive loopback from the spoofable Host header", async () => {
const { readFileSync } = await import("node:fs");
const { join, dirname } = await import("node:path");
const { fileURLToPath } = await import("node:url");
const dir = dirname(fileURLToPath(import.meta.url));
const src = readFileSync(join(dir, "../../src/lib/middleware/cliTokenAuth.ts"), "utf8");
// Regression guard: a remote caller with a stolen CLI token could send
// Host: 127.0.0.1 if locality came from new URL(request.url).hostname.
assert.ok(
!/isLoopback\(\s*new URL\(request\.url\)\.hostname/.test(src),
"must not call isLoopback(new URL(request.url).hostname)"
);
assert.ok(
src.includes("AUTHZ_HEADER_PEER_LOCALITY"),
"must trust the middleware-stamped locality verdict instead"
);
});