Files
hkuds--deeptutor/web/tests/api-auth-redirect.test.ts
wehub-resource-sync e4dcfc49aa
Tests / Import Check (Python 3.13) (push) Has been cancelled
Tests / Import Check (Python 3.14) (push) Has been cancelled
Tests / Python Tests (Python 3.11) (push) Has been cancelled
Tests / Python Tests (Python 3.12) (push) Has been cancelled
Tests / Python Tests (Python 3.14) (push) Has been cancelled
Tests / Test Summary (push) Has been cancelled
Tests / Lint and Format (push) Has been cancelled
Tests / Web Node Tests (push) Has been cancelled
Tests / Import Check (Python 3.11) (push) Has been cancelled
Tests / Import Check (Python 3.12) (push) Has been cancelled
Tests / Python Tests (Python 3.13) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:00:43 +08:00

133 lines
4.7 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
// Auth state is resolved at runtime, not from a build-time env var: apiFetch's
// 401 → /login redirect is gated by a flag set via setRuntimeAuthEnabled (which
// web/lib/auth.ts → fetchAuthStatus calls once the backend reports the real
// state). The frontend uses relative paths; URL forwarding happens in proxy.ts
// at request time, reading DEEPTUTOR_API_BASE_URL set by the launcher / Docker
// entrypoint from data/user/settings.
let apiModulePromise: Promise<typeof import("../lib/api")> | null = null;
async function loadApiModule(): Promise<typeof import("../lib/api")> {
apiModulePromise ??= import("../lib/api");
return apiModulePromise;
}
// Install a fake `window` whose `location.href` assignment is recorded instead
// of triggering a real navigation, so we can assert whether apiFetch redirected.
function installWindow(pathname: string): {
redirectedTo: () => string | null;
} {
let redirect: string | null = null;
const location = { pathname, href: "" };
Object.defineProperty(location, "href", {
get: () => redirect ?? "",
set: (value: string) => {
redirect = value;
},
configurable: true,
});
(globalThis as { window?: unknown }).window = { location };
return { redirectedTo: () => redirect };
}
function clearWindow(): void {
delete (globalThis as { window?: unknown }).window;
}
// Replace global fetch with one that always yields the given response.
function stubFetch(response: Response): () => void {
const original = globalThis.fetch;
(globalThis as { fetch: typeof fetch }).fetch = async () => response;
return () => {
(globalThis as { fetch: typeof fetch }).fetch = original;
};
}
function jsonResponse(status: number, body: unknown): Response {
return new Response(JSON.stringify(body), {
status,
headers: { "Content-Type": "application/json" },
});
}
// Let pending microtasks run so apiFetch's async body reaches the redirect
// branch. The call itself must NOT be awaited there: on redirect apiFetch
// returns a promise that never resolves.
function tick(): Promise<void> {
return new Promise((resolve) => setTimeout(resolve, 0));
}
test("apiFetch redirects to /login on 401 when auth is enabled and no opt-out", async () => {
const { apiFetch, setRuntimeAuthEnabled } = await loadApiModule();
setRuntimeAuthEnabled(true);
const win = installWindow("/dashboard");
const restore = stubFetch(jsonResponse(401, { detail: "unauthorized" }));
try {
// Do not await: apiFetch returns a never-resolving promise once it redirects.
void apiFetch("http://localhost:8001/api/v1/knowledge/list");
await tick();
assert.equal(win.redirectedTo(), "/login?next=%2Fdashboard");
} finally {
restore();
clearWindow();
}
});
test("apiFetch does NOT redirect on 401 when auth is disabled (default)", async () => {
// Regression guard: in the default auth-disabled deployment the runtime flag
// is never turned on, so a stray 401 must NOT bounce the user to /login.
const { apiFetch, setRuntimeAuthEnabled } = await loadApiModule();
setRuntimeAuthEnabled(false);
const win = installWindow("/dashboard");
const restore = stubFetch(jsonResponse(401, { detail: "unauthorized" }));
try {
const res = await apiFetch("http://localhost:8001/api/v1/knowledge/list");
assert.equal(res.status, 401);
assert.equal(win.redirectedTo(), null);
} finally {
restore();
clearWindow();
setRuntimeAuthEnabled(true);
}
});
test("apiFetch does NOT redirect on 401 when skipAuthRedirect is set", async () => {
// Regression guard: the login endpoint returns 401 for wrong credentials, and
// that must reach the caller as an inline error instead of reloading the page.
const { apiFetch } = await loadApiModule();
const win = installWindow("/login");
const restore = stubFetch(
jsonResponse(401, { detail: "Incorrect username or password" }),
);
try {
const res = await apiFetch("http://localhost:8001/api/v1/auth/login", {
method: "POST",
skipAuthRedirect: true,
});
assert.equal(res.status, 401);
assert.equal(win.redirectedTo(), null);
const data = (await res.json()) as { detail?: string };
assert.equal(data.detail, "Incorrect username or password");
} finally {
restore();
clearWindow();
}
});
test("apiFetch passes successful responses through without redirecting", async () => {
const { apiFetch } = await loadApiModule();
const win = installWindow("/dashboard");
const restore = stubFetch(jsonResponse(200, { ok: true }));
try {
const res = await apiFetch("http://localhost:8001/api/v1/auth/status");
assert.equal(res.status, 200);
assert.equal(win.redirectedTo(), null);
} finally {
restore();
clearWindow();
}
});