Files
wehub-resource-sync b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:23:53 +08:00

664 lines
21 KiB
TypeScript

import { beforeEach, describe, it, expect, vi } from "vitest";
vi.mock("astro:middleware", () => ({
defineMiddleware: (handler: unknown) => handler,
}));
// vi.mock factories are hoisted above normal `const` declarations; use
// vi.hoisted so the marker object is available both to the mock factory and
// to assertions below.
const { DB_CONFIG_MARKER } = vi.hoisted(() => ({
DB_CONFIG_MARKER: { binding: "DB", session: "auto" },
}));
const {
MOCK_RUNTIME,
PUBLIC_PLUGIN_RESULT,
mockGetPluginRouteMeta,
mockHandlePluginApiRoute,
mockGetPublicUrl,
} = vi.hoisted(() => {
const publicPluginResult = { success: true, data: { ok: true } };
const ok = async () => ({ success: true });
const getPublicUrl = vi.fn((key: string) => `https://media.example.com/${key}`);
const getPluginRouteMeta = vi.fn((pluginId: string, path: string) => {
if (pluginId !== "emdash-forms") return null;
if (path === "/definition") return { public: true };
if (path === "/private") return { public: false };
return null;
});
const handlePluginApiRoute = vi.fn(async () => publicPluginResult);
return {
MOCK_RUNTIME: {
storage: { getPublicUrl },
db: {},
hooks: {},
email: null,
configuredPlugins: [],
handleContentList: ok,
handleContentGet: ok,
handleContentAuthors: ok,
handleContentCreate: ok,
handleContentUpdate: ok,
handleContentDelete: ok,
handleContentListTrashed: ok,
handleContentRestore: ok,
handleContentPermanentDelete: ok,
handleContentCountTrashed: ok,
handleContentGetIncludingTrashed: ok,
handleContentDuplicate: ok,
handleContentPublish: ok,
handleContentUnpublish: ok,
handleContentSchedule: ok,
handleContentUnschedule: ok,
handleContentCountScheduled: ok,
handleContentDiscardDraft: ok,
handleContentCompare: ok,
handleContentTranslations: ok,
handleMediaList: ok,
handleMediaGet: ok,
handleMediaCreate: ok,
handleMediaUpdate: ok,
handleMediaDelete: ok,
handleRevisionList: ok,
handleRevisionGet: ok,
handleRevisionRestore: ok,
getPluginRouteMeta,
handlePluginApiRoute,
getMediaProvider: () => undefined,
getMediaProviderList: () => [],
collectPageMetadata: async () => [],
collectPageFragments: async () => [],
ensureSearchHealthy: async () => undefined,
getManifest: async () => ({}),
getSandboxRunner: () => null,
isSandboxBypassed: () => false,
syncMarketplacePlugins: async () => undefined,
syncRegistryPlugins: async () => undefined,
setPluginStatus: async () => undefined,
},
PUBLIC_PLUGIN_RESULT: publicPluginResult,
mockGetPluginRouteMeta: getPluginRouteMeta,
mockHandlePluginApiRoute: handlePluginApiRoute,
mockGetPublicUrl: getPublicUrl,
};
});
vi.mock(
"virtual:emdash/config",
() => ({
default: {
database: { config: DB_CONFIG_MARKER },
auth: { mode: "none" },
},
}),
{ virtual: true },
);
vi.mock(
"virtual:emdash/dialect",
() => ({
createDialect: vi.fn(),
createRequestScopedDb: vi.fn().mockReturnValue(null),
// Absent on non-batching backends; the runtime falls back to the singleton.
createCoalescingDialect: undefined,
}),
{ virtual: true },
);
vi.mock("virtual:emdash/media-providers", () => ({ mediaProviders: [] }), { virtual: true });
vi.mock("virtual:emdash/plugins", () => ({ plugins: [] }), { virtual: true });
vi.mock(
"virtual:emdash/sandbox-runner",
() => ({
createSandboxRunner: null,
sandboxBypassed: false,
sandboxEnabled: false,
}),
{ virtual: true },
);
vi.mock("virtual:emdash/sandboxed-plugins", () => ({ sandboxedPlugins: [] }), { virtual: true });
vi.mock("virtual:emdash/storage", () => ({ createStorage: null }), { virtual: true });
vi.mock("virtual:emdash/wait-until", () => ({ waitUntil: undefined }), { virtual: true });
vi.mock("virtual:emdash/scheduler", () => ({ createScheduler: null }), { virtual: true });
vi.mock("../../../src/emdash-runtime.js", () => ({
DB_INIT_DEADLINE_MS: 30_000,
EmDashRuntime: {
create: async () => MOCK_RUNTIME,
},
}));
vi.mock("../../../src/loader.js", () => ({
getDb: vi.fn(async () => ({
selectFrom: () => ({
selectAll: () => ({
limit: () => ({
execute: async () => [],
}),
}),
}),
})),
}));
import { createRequestScopedDb } from "virtual:emdash/dialect";
import onRequest from "../../../src/astro/middleware.js";
import { getDb } from "../../../src/loader.js";
import { getRequestContext } from "../../../src/request-context.js";
/** Reset the globalThis-backed singletons between tests. */
const SETUP_VERIFIED_KEY = Symbol.for("emdash:setup-verified");
const RUNTIME_HOLDER_KEY = Symbol.for("emdash:runtime-holder");
function resetSetupVerified() {
delete (globalThis as Record<symbol, unknown>)[SETUP_VERIFIED_KEY];
delete (globalThis as Record<symbol, unknown>)[RUNTIME_HOLDER_KEY];
}
/** A getDb stub whose migrations-probe query throws `error`. */
function getDbThatFailsProbe(error: Error) {
return {
selectFrom: () => ({
selectAll: () => ({
limit: () => ({
execute: async () => {
throw error;
},
}),
}),
}),
};
}
function createAnonymousPublicPageContext(locals: Record<string, unknown> = {}) {
const cookies = {
get: vi.fn((name: string) => {
if (name === "astro-session") return undefined;
return undefined;
}),
set: vi.fn(),
};
const sessionGet = vi.fn(async () => null);
const astroSession = { get: sessionGet };
return {
context: {
request: new Request("https://example.com/contact"),
url: new URL("https://example.com/contact"),
cookies,
locals,
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
} as Record<string, unknown>,
cookies,
sessionGet,
};
}
describe("astro middleware prerendered routes", () => {
beforeEach(() => {
vi.mocked(createRequestScopedDb).mockReset().mockReturnValue(null);
mockGetPluginRouteMeta.mockClear();
mockHandlePluginApiRoute.mockClear();
mockGetPublicUrl.mockClear();
});
it("does not access context.session on prerendered public runtime routes", async () => {
const cookies = {
get: vi.fn(() => undefined),
};
const locals: Record<string, unknown> = {};
const context: Record<string, unknown> = {
request: new Request("https://example.com/robots.txt"),
url: new URL("https://example.com/robots.txt"),
cookies,
locals,
redirect: vi.fn(),
isPrerendered: true,
};
Object.defineProperty(context, "session", {
get() {
throw new Error("context.session should not be accessed during prerender");
},
});
const response = await onRequest(
context as Parameters<typeof onRequest>[0],
async () => new Response("ok"),
);
expect(response.status).toBe(200);
const emdash = locals.emdash as Record<string, unknown>;
expect(typeof emdash.handlePluginApiRoute).toBe("function");
expect(typeof emdash.handlePublicPluginApiRoute).toBe("function");
// Regression for #1462: the author filter route reads
// `locals.emdash.handleContentAuthors`; it must be wired onto the
// runtime helpers object or every `/authors` request 500s.
expect(typeof emdash.handleContentAuthors).toBe("function");
});
it("does not access context.session when prerendering public pages", async () => {
const cookies = {
get: vi.fn(() => undefined),
};
const redirect = vi.fn(
(location: string) => new Response(null, { status: 302, headers: { Location: location } }),
);
const context: Record<string, unknown> = {
request: new Request("https://example.com/"),
url: new URL("https://example.com/"),
cookies,
locals: {},
redirect,
isPrerendered: true,
};
Object.defineProperty(context, "session", {
get() {
throw new Error("context.session should not be accessed during prerender");
},
});
const response = await onRequest(
context as Parameters<typeof onRequest>[0],
async () => new Response("ok"),
);
expect(response.status).toBe(200);
expect(redirect).not.toHaveBeenCalled();
});
});
describe("astro middleware anonymous session reads", () => {
beforeEach(() => {
vi.mocked(createRequestScopedDb).mockReset().mockReturnValue(null);
mockGetPluginRouteMeta.mockClear();
mockHandlePluginApiRoute.mockClear();
mockGetPublicUrl.mockClear();
});
it("does not read the Astro session when no astro-session cookie is present", async () => {
// Regression test for #733: on Cloudflare Workers the Astro session
// backend is KV, so calling session.get() on every anonymous public
// request produces a flood of KV read misses. The middleware must
// skip the session lookup entirely when no astro-session cookie is set.
const cookies = {
get: vi.fn((name: string) => {
if (name === "astro-session") return undefined;
return undefined;
}),
set: vi.fn(),
};
const sessionGet = vi.fn(async () => null);
const astroSession = { get: sessionGet };
const context: Record<string, unknown> = {
request: new Request("https://example.com/"),
url: new URL("https://example.com/"),
cookies,
locals: {},
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
};
const response = await onRequest(
context as Parameters<typeof onRequest>[0],
async () => new Response("ok"),
);
expect(response.status).toBe(200);
expect(sessionGet).not.toHaveBeenCalled();
});
it("exposes only restricted public runtime helpers to anonymous public pages", async () => {
const locals: Record<string, unknown> = {};
const { context, sessionGet } = createAnonymousPublicPageContext(locals);
const response = await onRequest(
context as Parameters<typeof onRequest>[0],
async () => new Response("ok"),
);
expect(response.status).toBe(200);
expect(sessionGet).not.toHaveBeenCalled();
const emdash = locals.emdash as Record<string, unknown>;
expect(typeof emdash.handlePublicPluginApiRoute).toBe("function");
expect(typeof emdash.collectPageMetadata).toBe("function");
expect(typeof emdash.collectPageFragments).toBe("function");
expect(typeof emdash.getPublicMediaUrl).toBe("function");
expect((emdash.getPublicMediaUrl as (key: string) => string)("01ABC.jpg")).toBe(
"https://media.example.com/01ABC.jpg",
);
expect(mockGetPublicUrl).toHaveBeenCalledWith("01ABC.jpg");
expect("handlePluginApiRoute" in emdash).toBe(false);
expect("getPluginRouteMeta" in emdash).toBe(false);
expect("handleContentList" in emdash).toBe(false);
expect("db" in emdash).toBe(false);
expect("config" in emdash).toBe(false);
});
it("dispatches public plugin API routes through the anonymous public-page helper", async () => {
const locals: Record<string, unknown> = {};
const { context } = createAnonymousPublicPageContext(locals);
await onRequest(context as Parameters<typeof onRequest>[0], async () => new Response("ok"));
const emdash = locals.emdash as Record<string, unknown>;
const request = new Request("https://example.com/_emdash/api/plugins/emdash-forms/definition", {
method: "POST",
body: "{}",
});
await expect(
(
emdash.handlePublicPluginApiRoute as (
pluginId: string,
method: string,
path: string,
request: Request,
) => Promise<unknown>
)("emdash-forms", "POST", "/definition", request),
).resolves.toBe(PUBLIC_PLUGIN_RESULT);
expect(mockGetPluginRouteMeta).toHaveBeenCalledWith("emdash-forms", "/definition");
expect(mockHandlePluginApiRoute).toHaveBeenCalledWith(
"emdash-forms",
"POST",
"/definition",
request,
);
});
it("does not dispatch private plugin API routes through the anonymous public-page helper", async () => {
const locals: Record<string, unknown> = {};
const { context } = createAnonymousPublicPageContext(locals);
await onRequest(context as Parameters<typeof onRequest>[0], async () => new Response("ok"));
const emdash = locals.emdash as Record<string, unknown>;
await expect(
(
emdash.handlePublicPluginApiRoute as (
pluginId: string,
method: string,
path: string,
request: Request,
) => Promise<unknown>
)(
"emdash-forms",
"POST",
"/private",
new Request("https://example.com/_emdash/api/plugins/emdash-forms/private"),
),
).resolves.toEqual({
success: false,
error: { code: "NOT_FOUND", message: "Plugin route not found" },
});
expect(mockGetPluginRouteMeta).toHaveBeenCalledWith("emdash-forms", "/private");
expect(mockHandlePluginApiRoute).not.toHaveBeenCalled();
});
it("reads the Astro session when an astro-session cookie is present", async () => {
const cookies = {
get: vi.fn((name: string) => {
if (name === "astro-session") return { value: "abc123" };
return undefined;
}),
set: vi.fn(),
};
const sessionGet = vi.fn(async () => null);
const astroSession = { get: sessionGet };
const context: Record<string, unknown> = {
request: new Request("https://example.com/", {
headers: { cookie: "astro-session=abc123" },
}),
url: new URL("https://example.com/"),
cookies,
locals: {},
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
};
const response = await onRequest(
context as Parameters<typeof onRequest>[0],
async () => new Response("ok"),
);
expect(response.status).toBe(200);
expect(sessionGet).toHaveBeenCalledWith("user");
});
});
describe("astro middleware request-scoped db", () => {
beforeEach(() => {
vi.mocked(createRequestScopedDb).mockReset().mockReturnValue(null);
mockGetPluginRouteMeta.mockClear();
mockHandlePluginApiRoute.mockClear();
mockGetPublicUrl.mockClear();
});
it("asks the adapter for a scoped db on anonymous public pages and exposes it via ALS", async () => {
const commit = vi.fn();
const scopedDb = { _marker: "scoped" };
vi.mocked(createRequestScopedDb).mockReturnValue({
db: scopedDb as never,
commit,
});
const cookies = {
get: vi.fn(() => undefined),
set: vi.fn(),
};
const astroSession = {
get: vi.fn(async () => null),
};
const context: Record<string, unknown> = {
request: new Request("https://example.com/"),
url: new URL("https://example.com/"),
cookies,
locals: {},
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
};
let dbSeenByNext: unknown;
const response = await onRequest(context as Parameters<typeof onRequest>[0], async () => {
dbSeenByNext = getRequestContext()?.db;
return new Response("ok");
});
expect(response.status).toBe(200);
expect(createRequestScopedDb).toHaveBeenCalledTimes(1);
const opts = vi.mocked(createRequestScopedDb).mock.calls[0]?.[0];
// Opts shape matches the RequestScopedDbOpts contract declared in
// virtual-modules.d.ts. The `config` field name must match exactly —
// it's what the D1 adapter reads; a rename silently breaks D1 sessions.
expect(opts).toMatchObject({
config: DB_CONFIG_MARKER,
isAuthenticated: false,
isWrite: false,
cookies,
});
expect(dbSeenByNext).toBe(scopedDb);
expect(commit).toHaveBeenCalledTimes(1);
// ALS must be fully torn down after the middleware returns; otherwise
// a refactor to enterWith() could silently leak request state into
// other async work on the same worker.
expect(getRequestContext()).toBeUndefined();
});
it("marks an API-token (Bearer) request as authenticated even without a session cookie", async () => {
// API tokens (ec_pat_*) and OAuth tokens (ec_oat_*) authenticate via the
// Authorization header, not the astro-session cookie, so sessionUser is
// null. They still expect read-your-writes, so the adapter must see
// isAuthenticated: true (keeps them on the primary/uncached connection,
// not a replica or the Hyperdrive query cache). These hit /_emdash/api/*,
// which is the main scoped path (the anonymous fast path is public-only).
const commit = vi.fn();
vi.mocked(createRequestScopedDb).mockReturnValue({
db: { _marker: "scoped" } as never,
commit,
});
const cookies = { get: vi.fn(() => undefined), set: vi.fn() };
const astroSession = { get: vi.fn(async () => null) };
const context: Record<string, unknown> = {
request: new Request("https://example.com/_emdash/api/content/posts", {
headers: { authorization: "Bearer ec_pat_example" },
}),
url: new URL("https://example.com/_emdash/api/content/posts"),
cookies,
locals: {},
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
};
await onRequest(context as Parameters<typeof onRequest>[0], async () => new Response("ok"));
const opts = vi.mocked(createRequestScopedDb).mock.calls[0]?.[0];
expect(opts).toMatchObject({
config: DB_CONFIG_MARKER,
isAuthenticated: true,
isWrite: false,
});
});
it("forces isWrite true for POST requests on public pages", async () => {
const commit = vi.fn();
vi.mocked(createRequestScopedDb).mockReturnValue({
db: { _marker: "scoped" } as never,
commit,
});
const cookies = { get: vi.fn(() => undefined), set: vi.fn() };
const astroSession = { get: vi.fn(async () => null) };
const context: Record<string, unknown> = {
request: new Request("https://example.com/", { method: "POST" }),
url: new URL("https://example.com/"),
cookies,
locals: {},
redirect: vi.fn(),
isPrerendered: false,
session: astroSession,
};
await onRequest(context as Parameters<typeof onRequest>[0], async () => new Response("ok"));
const opts = vi.mocked(createRequestScopedDb).mock.calls[0]?.[0];
expect(opts).toMatchObject({
config: DB_CONFIG_MARKER,
isAuthenticated: false,
isWrite: true,
});
});
});
describe("astro middleware setup probe", () => {
beforeEach(() => {
// The "setup verified" flag is a globalThis singleton that latches once a
// probe (or runtime init) succeeds. Reset it so each test exercises a
// fresh probe.
resetSetupVerified();
vi.mocked(createRequestScopedDb).mockReset().mockReturnValue(null);
vi.mocked(getDb).mockReset();
});
/** Anonymous GET to a public frontend page (e.g. a category page). */
function anonymousCategoryPageContext() {
const cookies = {
get: vi.fn((name: string) => {
if (name === "astro-session") return undefined;
return undefined;
}),
set: vi.fn(),
};
const redirect = vi.fn(
(location: string) => new Response(null, { status: 302, headers: { Location: location } }),
);
return {
context: {
request: new Request("https://example.com/category/news"),
url: new URL("https://example.com/category/news"),
cookies,
locals: {} as Record<string, unknown>,
redirect,
isPrerendered: false,
session: { get: vi.fn(async () => null) },
} as Record<string, unknown>,
redirect,
};
}
it("redirects to setup when the migrations table is genuinely missing", async () => {
// Fresh, un-migrated database: the probe query reports a missing table.
vi.mocked(getDb).mockResolvedValue(
getDbThatFailsProbe(new Error("no such table: _emdash_migrations")) as never,
);
const { context, redirect } = anonymousCategoryPageContext();
const next = vi.fn(async () => new Response("page"));
const response = await onRequest(context as Parameters<typeof onRequest>[0], next);
expect(redirect).toHaveBeenCalledWith("/_emdash/admin/setup");
expect(response.status).toBe(302);
expect(response.headers.get("Location")).toBe("/_emdash/admin/setup");
expect(next).not.toHaveBeenCalled();
});
it("does NOT redirect to setup on a transient DB error (regression)", async () => {
// A set-up site whose probe hits a transient failure (D1 connection
// loss, replica unavailable, timeout, locked SQLite) must keep serving
// the page — never bounce real visitors to the setup wizard.
vi.mocked(getDb).mockResolvedValue(
getDbThatFailsProbe(new Error("D1_ERROR: Network connection lost")) as never,
);
const { context, redirect } = anonymousCategoryPageContext();
const next = vi.fn(async () => new Response("page"));
const response = await onRequest(context as Parameters<typeof onRequest>[0], next);
expect(redirect).not.toHaveBeenCalled();
expect(next).toHaveBeenCalledTimes(1);
expect(response.status).toBe(200);
});
it("does NOT redirect to setup during prerender even when migrations are missing (regression)", async () => {
// A prerendered route is built to static HTML. If the setup probe ran at
// build time it would see CI's legitimately-empty database, report a
// missing migrations table, and bake context.redirect("/_emdash/admin/setup")
// into every prerendered page -- shipping that redirect to production. The
// probe must be skipped entirely when prerendering.
vi.mocked(getDb).mockResolvedValue(
getDbThatFailsProbe(new Error("no such table: _emdash_migrations")) as never,
);
const { context, redirect } = anonymousCategoryPageContext();
context.isPrerendered = true;
const next = vi.fn(async () => new Response("page"));
const response = await onRequest(context as Parameters<typeof onRequest>[0], next);
expect(redirect).not.toHaveBeenCalled();
expect(getDb).not.toHaveBeenCalled();
expect(next).toHaveBeenCalledTimes(1);
expect(response.status).toBe(200);
});
});