Files
2026-07-13 13:39:12 +08:00

111 lines
4.0 KiB
TypeScript

import { test } from "node:test";
import assert from "node:assert";
import { POST } from "../../src/app/api/v1/embeddings/route";
import { extractApiKey, isValidApiKey } from "../../src/sse/services/auth";
test("extractApiKey", async (t) => {
await t.test("should extract bearer token", async () => {
const req = new Request("http://localhost", {
headers: { Authorization: "Bearer my-token" },
});
assert.strictEqual(extractApiKey(req), "my-token");
});
await t.test("should return null if no authorization header", async () => {
const req = new Request("http://localhost");
assert.strictEqual(extractApiKey(req), null);
});
await t.test("should return null if header is not bearer", async () => {
const req = new Request("http://localhost", {
headers: { Authorization: "NotBearer my-token" },
});
assert.strictEqual(extractApiKey(req), null);
});
await t.test("should return null if header is just 'Bearer '", async () => {
const req = new Request("http://localhost", {
headers: { Authorization: "Bearer " },
});
assert.strictEqual(extractApiKey(req), null);
});
});
test("isValidApiKey", async (t) => {
const originalEnv = process.env.OMNIROUTE_API_KEY;
await t.test("should return true if key matches OMNIROUTE_API_KEY", async () => {
process.env.OMNIROUTE_API_KEY = "test-key";
assert.strictEqual(await isValidApiKey("test-key"), true);
delete process.env.OMNIROUTE_API_KEY;
});
await t.test("should return false for unknown key (when not in env)", async () => {
// We assume validateApiKey will return false for a dummy key if the DB is empty.
assert.strictEqual(await isValidApiKey("non-existent-key"), false);
});
// Restore original env in case of failure
process.env.OMNIROUTE_API_KEY = originalEnv;
});
test("POST /v1/embeddings authentication", async (t) => {
const originalRequireApiKey = process.env.REQUIRE_API_KEY;
const originalOmniKey = process.env.OMNIROUTE_API_KEY;
await t.test("should return 401 when an invalid API key is provided", async () => {
process.env.OMNIROUTE_API_KEY = "valid-key";
const req = new Request("http://localhost/v1/embeddings", {
method: "POST",
headers: { Authorization: "Bearer invalid-key" },
body: JSON.stringify({ model: "mistral/mistral-embed", input: "test" }),
});
const res = await POST(req);
assert.strictEqual(res.status, 401);
delete process.env.OMNIROUTE_API_KEY;
});
await t.test(
"should return 401 when no API key is provided and REQUIRE_API_KEY is true",
async () => {
process.env.REQUIRE_API_KEY = "true";
const req = new Request("http://localhost/v1/embeddings", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ model: "mistral/mistral-embed", input: "test" }),
});
const res = await POST(req);
assert.strictEqual(res.status, 401);
delete process.env.REQUIRE_API_KEY;
}
);
await t.test("should NOT return 401 when a valid API key is provided", async () => {
process.env.OMNIROUTE_API_KEY = "valid-key";
const originalFetch = globalThis.fetch;
globalThis.fetch = async () => new Response(JSON.stringify({ data: [] }), { status: 200 });
try {
const req = new Request("http://localhost/v1/embeddings", {
method: "POST",
headers: {
Authorization: "Bearer valid-key",
"Content-Type": "application/json",
},
body: JSON.stringify({ model: "mistral/mistral-embed", input: "test" }),
});
const res = await POST(req);
const body = await res.text();
// It might be 400, 404, etc. because of downstream failure, but NOT 401.
assert.notStrictEqual(res.status, 401, "Should not be 401 Unauthorized");
} finally {
globalThis.fetch = originalFetch;
delete process.env.OMNIROUTE_API_KEY;
}
});
// Restore original env in case of failure
process.env.REQUIRE_API_KEY = originalRequireApiKey;
process.env.OMNIROUTE_API_KEY = originalOmniKey;
});