import test from "node:test"; import assert from "node:assert/strict"; // Unit tests for the pure middleware routing policy (web/lib/proxy-policy.ts). // The policy is deliberately decoupled from `next/server`, so it can be // exercised here without booting the Next runtime. proxy.ts itself is a thin // adapter that maps these decisions onto NextResponse. import { classifyToken, isAuthExempt, isBackendPath, } from "../lib/proxy-policy"; function makeToken(payload: Record): string { const encode = (value: unknown) => Buffer.from(JSON.stringify(value)).toString("base64url"); return `${encode({ alg: "HS256" })}.${encode(payload)}.signature`; } test("isBackendPath matches /api and /ws paths only", () => { assert.equal(isBackendPath("/api/v1/knowledge/list"), true); assert.equal(isBackendPath("/ws/chat"), true); assert.equal(isBackendPath("/home"), false); assert.equal(isBackendPath("/apidocs"), false); // no trailing slash → not backend assert.equal(isBackendPath("/logo.png"), false); }); test("isAuthExempt allows public static assets through the auth gate (issue #599)", () => { // The Next image optimizer re-fetches these over a cookie-less loopback; if // the gate blocked them the sidebar logo/banner would render broken. assert.equal(isAuthExempt("/logo.png"), true); assert.equal(isAuthExempt("/banner.png"), true); assert.equal(isAuthExempt("/logo_black.png"), true); assert.equal(isAuthExempt("/apple-touch-icon.png"), true); assert.equal(isAuthExempt("/provider-icons/openai.svg"), true); }); test("isAuthExempt allows auth pages and Next internals", () => { assert.equal(isAuthExempt("/login"), true); assert.equal(isAuthExempt("/register"), true); assert.equal(isAuthExempt("/_next/data/build/home.json"), true); assert.equal(isAuthExempt("/favicon-32x32.png"), true); }); test("isAuthExempt does NOT exempt protected app routes", () => { assert.equal(isAuthExempt("/home"), false); assert.equal(isAuthExempt("/dashboard"), false); assert.equal(isAuthExempt("/space/agents"), false); assert.equal(isAuthExempt("/knowledge"), false); }); test("classifyToken reports missing for absent or empty cookie", () => { const now = 1_000_000_000_000; assert.equal(classifyToken(undefined, now), "missing"); assert.equal(classifyToken("", now), "missing"); }); test("classifyToken reports malformed for non-JWT shapes", () => { const now = 1_000_000_000_000; assert.equal(classifyToken("a.b", now), "malformed"); // 2 segments assert.equal(classifyToken("a.b.c.d", now), "malformed"); // 4 segments // Valid 3-segment shape but the payload is not JSON → malformed. const notJson = `h.${Buffer.from("not-json").toString("base64url")}.s`; assert.equal(classifyToken(notJson, now), "malformed"); }); test("classifyToken honors expiry and accepts unexpired / expiry-less tokens", () => { const now = 1_000_000_000_000; // ms const nowSec = now / 1000; assert.equal(classifyToken(makeToken({ exp: nowSec + 3600 }), now), "valid"); assert.equal(classifyToken(makeToken({ exp: nowSec - 1 }), now), "expired"); assert.equal(classifyToken(makeToken({}), now), "valid"); // no exp claim });