Files
wehub-resource-sync e4dcfc49aa
Tests / Import Check (Python 3.13) (push) Has been cancelled
Tests / Import Check (Python 3.14) (push) Has been cancelled
Tests / Python Tests (Python 3.11) (push) Has been cancelled
Tests / Python Tests (Python 3.12) (push) Has been cancelled
Tests / Python Tests (Python 3.14) (push) Has been cancelled
Tests / Test Summary (push) Has been cancelled
Tests / Lint and Format (push) Has been cancelled
Tests / Web Node Tests (push) Has been cancelled
Tests / Import Check (Python 3.11) (push) Has been cancelled
Tests / Import Check (Python 3.12) (push) Has been cancelled
Tests / Python Tests (Python 3.13) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:00:43 +08:00

75 lines
3.1 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
// Unit tests for the pure middleware routing policy (web/lib/proxy-policy.ts).
// The policy is deliberately decoupled from `next/server`, so it can be
// exercised here without booting the Next runtime. proxy.ts itself is a thin
// adapter that maps these decisions onto NextResponse.
import {
classifyToken,
isAuthExempt,
isBackendPath,
} from "../lib/proxy-policy";
function makeToken(payload: Record<string, unknown>): string {
const encode = (value: unknown) =>
Buffer.from(JSON.stringify(value)).toString("base64url");
return `${encode({ alg: "HS256" })}.${encode(payload)}.signature`;
}
test("isBackendPath matches /api and /ws paths only", () => {
assert.equal(isBackendPath("/api/v1/knowledge/list"), true);
assert.equal(isBackendPath("/ws/chat"), true);
assert.equal(isBackendPath("/home"), false);
assert.equal(isBackendPath("/apidocs"), false); // no trailing slash → not backend
assert.equal(isBackendPath("/logo.png"), false);
});
test("isAuthExempt allows public static assets through the auth gate (issue #599)", () => {
// The Next image optimizer re-fetches these over a cookie-less loopback; if
// the gate blocked them the sidebar logo/banner would render broken.
assert.equal(isAuthExempt("/logo.png"), true);
assert.equal(isAuthExempt("/banner.png"), true);
assert.equal(isAuthExempt("/logo_black.png"), true);
assert.equal(isAuthExempt("/apple-touch-icon.png"), true);
assert.equal(isAuthExempt("/provider-icons/openai.svg"), true);
});
test("isAuthExempt allows auth pages and Next internals", () => {
assert.equal(isAuthExempt("/login"), true);
assert.equal(isAuthExempt("/register"), true);
assert.equal(isAuthExempt("/_next/data/build/home.json"), true);
assert.equal(isAuthExempt("/favicon-32x32.png"), true);
});
test("isAuthExempt does NOT exempt protected app routes", () => {
assert.equal(isAuthExempt("/home"), false);
assert.equal(isAuthExempt("/dashboard"), false);
assert.equal(isAuthExempt("/space/agents"), false);
assert.equal(isAuthExempt("/knowledge"), false);
});
test("classifyToken reports missing for absent or empty cookie", () => {
const now = 1_000_000_000_000;
assert.equal(classifyToken(undefined, now), "missing");
assert.equal(classifyToken("", now), "missing");
});
test("classifyToken reports malformed for non-JWT shapes", () => {
const now = 1_000_000_000_000;
assert.equal(classifyToken("a.b", now), "malformed"); // 2 segments
assert.equal(classifyToken("a.b.c.d", now), "malformed"); // 4 segments
// Valid 3-segment shape but the payload is not JSON → malformed.
const notJson = `h.${Buffer.from("not-json").toString("base64url")}.s`;
assert.equal(classifyToken(notJson, now), "malformed");
});
test("classifyToken honors expiry and accepts unexpired / expiry-less tokens", () => {
const now = 1_000_000_000_000; // ms
const nowSec = now / 1000;
assert.equal(classifyToken(makeToken({ exp: nowSec + 3600 }), now), "valid");
assert.equal(classifyToken(makeToken({ exp: nowSec - 1 }), now), "expired");
assert.equal(classifyToken(makeToken({}), now), "valid"); // no exp claim
});