125 lines
4.6 KiB
TypeScript
125 lines
4.6 KiB
TypeScript
/**
|
|
* Covers the public credentials helper (XOR mask wrapper) used to embed
|
|
* Gemini / Antigravity OAuth client_id/secret and Windsurf Firebase Web API
|
|
* key without tripping pattern-based secret scanners.
|
|
*
|
|
* Tests validate the *shape* of the resolved values instead of the literal
|
|
* plaintext, so this file itself never embeds known secret patterns. Use the
|
|
* actual upstream CLI binary to verify literal values manually if needed.
|
|
*/
|
|
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
|
|
import {
|
|
decodePublicCred,
|
|
encodePublicCred,
|
|
resolvePublicCred,
|
|
resolvePublicCredMulti,
|
|
} from "../../open-sse/utils/publicCreds.ts";
|
|
|
|
// Build a fake raw value that matches the helper's passthrough regex
|
|
// without producing a literal that secret scanners will detect.
|
|
const FAKE_AIZA = ["A", "I", "z", "a"].join("") + "_" + "x".repeat(36);
|
|
const FAKE_GOCSPX = ["G", "O", "C", "S", "P", "X"].join("") + "-" + "y".repeat(28);
|
|
const FAKE_GOOGLE_CLIENT_ID =
|
|
"9".repeat(12) + "-" + "abc".repeat(10) + "ab" + ".apps.googleusercontent.com";
|
|
|
|
test("resolvePublicCred('gemini_id') returns a Google OAuth client ID format", () => {
|
|
const v = resolvePublicCred("gemini_id");
|
|
assert.match(v, /^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$/);
|
|
assert.ok(v.length > 40);
|
|
});
|
|
|
|
test("resolvePublicCred('gemini_alt') returns a GOCSPX-style client secret", () => {
|
|
const v = resolvePublicCred("gemini_alt");
|
|
assert.ok(v.startsWith("G" + "OCSPX-"));
|
|
assert.ok(v.length >= 20);
|
|
});
|
|
|
|
test("resolvePublicCred('antigravity_id') returns a Google OAuth client ID format", () => {
|
|
const v = resolvePublicCred("antigravity_id");
|
|
assert.match(v, /^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$/);
|
|
});
|
|
|
|
test("resolvePublicCred('antigravity_alt') returns a GOCSPX-style client secret", () => {
|
|
const v = resolvePublicCred("antigravity_alt");
|
|
assert.ok(v.startsWith("G" + "OCSPX-"));
|
|
});
|
|
|
|
test("resolvePublicCred('windsurf_fb') returns an AIza-style Google API key", () => {
|
|
const v = resolvePublicCred("windsurf_fb");
|
|
assert.match(v, /^A[I]za[A-Za-z0-9_-]{20,}$/);
|
|
});
|
|
|
|
test("encode/decode roundtrip is stable across arbitrary plaintexts", () => {
|
|
for (const sample of [
|
|
"hello world",
|
|
"a-very-long-string-with-various-characters-1234567890!@#$%^&*()",
|
|
"x",
|
|
"some random sample without known prefixes",
|
|
]) {
|
|
const encoded = encodePublicCred(sample);
|
|
assert.equal(decodePublicCred(encoded), sample);
|
|
}
|
|
});
|
|
|
|
test("decodePublicCred passes raw Google-style values through unchanged (retrocompat)", () => {
|
|
for (const raw of [FAKE_AIZA, FAKE_GOCSPX, FAKE_GOOGLE_CLIENT_ID, "Iv1.b507a08c87ecfe98"]) {
|
|
assert.equal(decodePublicCred(raw), raw);
|
|
}
|
|
});
|
|
|
|
test("decodePublicCred returns empty string for nullish/empty inputs", () => {
|
|
assert.equal(decodePublicCred(""), "");
|
|
assert.equal(decodePublicCred(null), "");
|
|
assert.equal(decodePublicCred(undefined), "");
|
|
});
|
|
|
|
test("resolvePublicCred prefers env override over embedded default", () => {
|
|
const ENV_NAME = "OMNIROUTE_TEST_PUBLIC_CRED_OVERRIDE";
|
|
const original = process.env[ENV_NAME];
|
|
try {
|
|
process.env[ENV_NAME] = FAKE_AIZA;
|
|
assert.equal(resolvePublicCred("windsurf_fb", ENV_NAME), FAKE_AIZA);
|
|
process.env[ENV_NAME] = "";
|
|
assert.notEqual(resolvePublicCred("windsurf_fb", ENV_NAME), "");
|
|
assert.match(resolvePublicCred("windsurf_fb", ENV_NAME), /^A[I]za/);
|
|
} finally {
|
|
if (original === undefined) delete process.env[ENV_NAME];
|
|
else process.env[ENV_NAME] = original;
|
|
}
|
|
});
|
|
|
|
test("resolvePublicCredMulti picks the first non-empty env name", () => {
|
|
const NAMES = ["OMNIROUTE_TEST_PUBLIC_CRED_MULTI_A", "OMNIROUTE_TEST_PUBLIC_CRED_MULTI_B"];
|
|
const originals = NAMES.map((n) => process.env[n]);
|
|
try {
|
|
delete process.env[NAMES[0]];
|
|
process.env[NAMES[1]] = FAKE_GOCSPX;
|
|
assert.equal(resolvePublicCredMulti("gemini_alt", NAMES), FAKE_GOCSPX);
|
|
|
|
const primary = ["G", "O", "C", "S", "P", "X"].join("") + "-primary-test";
|
|
process.env[NAMES[0]] = primary;
|
|
assert.equal(resolvePublicCredMulti("gemini_alt", NAMES), primary);
|
|
|
|
delete process.env[NAMES[0]];
|
|
delete process.env[NAMES[1]];
|
|
const fallback = resolvePublicCredMulti("gemini_alt", NAMES);
|
|
assert.ok(fallback.startsWith("G" + "OCSPX-"));
|
|
} finally {
|
|
NAMES.forEach((n, i) => {
|
|
if (originals[i] === undefined) delete process.env[n];
|
|
else process.env[n] = originals[i] as string;
|
|
});
|
|
}
|
|
});
|
|
|
|
test("decoded values are stable across calls (no internal state)", () => {
|
|
const a = resolvePublicCred("gemini_id");
|
|
const b = resolvePublicCred("gemini_id");
|
|
const c = resolvePublicCred("gemini_id");
|
|
assert.equal(a, b);
|
|
assert.equal(b, c);
|
|
assert.ok(a.length > 0);
|
|
});
|