46 lines
2.0 KiB
TypeScript
46 lines
2.0 KiB
TypeScript
/**
|
|
* Security regression (#4694 sibling-path gate parity): the compression
|
|
* run-telemetry route MUST authenticate before disclosing telemetry, mirroring
|
|
* its sibling `settings/compression/route.ts`. A behavioral 401 test would need
|
|
* full DB/settings bootstrap (isAuthenticated reads settings), so this is a
|
|
* source guard that fails if the auth gate is removed or reordered after the
|
|
* data call — the same wiring-guard pattern used elsewhere in the suite.
|
|
*/
|
|
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import { readFileSync } from "node:fs";
|
|
import { fileURLToPath } from "node:url";
|
|
import { dirname, join } from "node:path";
|
|
|
|
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
const ROUTE = join(
|
|
__dirname,
|
|
"../../src/app/api/settings/compression/run-telemetry/route.ts"
|
|
);
|
|
|
|
test("run-telemetry GET imports isAuthenticated from the shared auth util", () => {
|
|
const src = readFileSync(ROUTE, "utf8");
|
|
assert.match(src, /import\s*\{[^}]*\bisAuthenticated\b[^}]*\}\s*from\s*["']@\/shared\/utils\/apiAuth["']/);
|
|
});
|
|
|
|
test("run-telemetry GET gates on auth and returns 401 before reading telemetry", () => {
|
|
const src = readFileSync(ROUTE, "utf8");
|
|
|
|
const authIdx = src.indexOf("isAuthenticated(request)");
|
|
const unauthorizedIdx = src.search(/status:\s*401/);
|
|
const dataIdx = src.indexOf("getCompressionRunTelemetrySummary(");
|
|
|
|
assert.ok(authIdx > 0, "must call isAuthenticated(request)");
|
|
assert.ok(unauthorizedIdx > 0, "must return a 401 on failed auth");
|
|
assert.ok(dataIdx > 0, "must call getCompressionRunTelemetrySummary");
|
|
|
|
// The auth check and its 401 must come BEFORE the telemetry read.
|
|
assert.ok(authIdx < dataIdx, "auth check must precede the telemetry read");
|
|
assert.ok(unauthorizedIdx < dataIdx, "401 response must precede the telemetry read");
|
|
});
|
|
|
|
test("run-telemetry GET receives the request object (so auth can read it)", () => {
|
|
const src = readFileSync(ROUTE, "utf8");
|
|
assert.match(src, /export\s+async\s+function\s+GET\s*\(\s*request\s*:/);
|
|
});
|