Files
2026-07-13 13:39:12 +08:00

52 lines
2.6 KiB
TypeScript

/**
* Regression: Cloud sync must verify the X-Cloud-Sig HMAC and must NOT
* overwrite accessToken / refreshToken unless OMNIROUTE_CLOUD_SYNC_SECRETS=true.
* See docs/security/SOCKET_DEV_FINDINGS.md §5.
*/
import { test } from "node:test";
import assert from "node:assert/strict";
import crypto from "node:crypto";
test("verifyCloudSignature accepts a valid HMAC", async () => {
// Test-only HMAC key derived deterministically — no hardcoded production secret.
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
// Re-import so the module re-reads the env.
const mod = await import(
"../../../src/lib/cloudSync.ts?cache=" + Date.now()
).catch(() => import("../../../src/lib/cloudSync.ts"));
const body = JSON.stringify({ data: { providers: {} } });
const sig = crypto.createHmac("sha256", TEST_HMAC_KEY).update(body).digest("hex");
assert.equal((mod as any).verifyCloudSignature(body, sig), true);
});
test("verifyCloudSignature rejects a forged signature", async () => {
// Test-only HMAC key derived deterministically — no hardcoded production secret.
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
const mod = await import("../../../src/lib/cloudSync.ts");
const body = JSON.stringify({ data: { providers: {} } });
const forged = "0".repeat(64);
assert.equal((mod as any).verifyCloudSignature(body, forged), false);
});
test("verifyCloudSignature rejects when the secret is set but sig header is missing", async () => {
// Test-only HMAC key derived deterministically — no hardcoded production secret.
const TEST_HMAC_KEY = crypto.createHash("sha256").update("omniroute-test").digest("hex");
process.env.OMNIROUTE_CLOUD_SYNC_SECRET = TEST_HMAC_KEY;
const mod = await import("../../../src/lib/cloudSync.ts");
const body = JSON.stringify({ data: { providers: {} } });
assert.equal((mod as any).verifyCloudSignature(body, null), false);
});
test("verifyCloudSignature falls through (legacy mode) when secret is unset", async () => {
delete process.env.OMNIROUTE_CLOUD_SYNC_SECRET;
// Force re-import so module constants pick up the cleared env.
delete (globalThis as any).__omniroute_cloudSync_cache;
const mod = await import("../../../src/lib/cloudSync.ts");
const body = JSON.stringify({ data: { providers: {} } });
// Behaviour: accept unsigned body but log warning. We assert it doesn't throw.
const result = (mod as any).verifyCloudSignature(body, null);
assert.equal(typeof result, "boolean");
});