Files
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

125 lines
4.3 KiB
TypeScript

/**
* @vitest-environment node
*/
import { createEnvMock } from '@sim/testing'
import type { NextRequest } from 'next/server'
import { describe, expect, it, vi } from 'vitest'
vi.mock('@/lib/core/config/env', () =>
createEnvMock({ NEXT_PUBLIC_APP_URL: 'https://app.sim.test' })
)
import { resolveApiCorsPolicy } from '@/proxy'
function makeRequest(pathname: string, origin?: string): NextRequest {
return {
nextUrl: { pathname },
headers: {
get: (name: string) => (name.toLowerCase() === 'origin' ? (origin ?? null) : null),
},
} as unknown as NextRequest
}
describe('resolveApiCorsPolicy', () => {
it('serves OAuth2 routes with wildcard origin and no credentials', () => {
expect(resolveApiCorsPolicy(makeRequest('/api/auth/oauth2/token'))).toEqual({
origin: '*',
credentials: false,
methods: 'GET, POST, OPTIONS',
headers: 'Content-Type, Authorization, Accept',
})
})
it('serves MCP copilot with DELETE in allowed methods', () => {
const policy = resolveApiCorsPolicy(makeRequest('/api/mcp/copilot'))
expect(policy.origin).toBe('*')
expect(policy.methods).toContain('DELETE')
expect(policy.headers).toContain('X-API-Key')
})
it('reflects origin for chat embeds with credentials enabled', () => {
const paths = ['/api/chat/abc', '/api/chat/abc/otp', '/api/chat/abc/sso']
for (const path of paths) {
const policy = resolveApiCorsPolicy(makeRequest(path, 'https://customer.example'))
expect(policy).toEqual({
origin: 'https://customer.example',
credentials: true,
methods: 'GET, POST, PUT, OPTIONS',
headers: 'Content-Type, X-Requested-With',
})
}
})
it('drops credentials on embed policy when Origin header is absent (CORS spec invariant)', () => {
const policy = resolveApiCorsPolicy(makeRequest('/api/chat/abc'))
expect(policy.origin).toBe('*')
expect(policy.credentials).toBe(false)
})
it('allows PUT on the embed policy (used by OTP verification on /[identifier]/otp)', () => {
const policy = resolveApiCorsPolicy(
makeRequest('/api/chat/abc/otp', 'https://customer.example')
)
expect(policy.methods).toContain('PUT')
})
it('applies the embed policy to future identifier subroutes (not just /otp, /sso)', () => {
const policy = resolveApiCorsPolicy(
makeRequest('/api/chat/abc/transcript', 'https://customer.example')
)
expect(policy.origin).toBe('https://customer.example')
expect(policy.credentials).toBe(true)
})
it('uses the default credentialed policy for workspace-internal chat routes', () => {
const paths = ['/api/chat', '/api/chat/manage/abc', '/api/chat/validate']
for (const path of paths) {
const policy = resolveApiCorsPolicy(makeRequest(path, 'https://customer.example'))
expect(policy.origin).toBe('https://app.sim.test')
expect(policy.credentials).toBe(true)
}
})
it('serves workflow execute with wildcard origin and PUT method', () => {
const policy = resolveApiCorsPolicy(
makeRequest('/api/workflows/workflow-123/execute', 'https://other.example')
)
expect(policy.origin).toBe('*')
expect(policy.credentials).toBe(false)
expect(policy.methods).toContain('PUT')
})
it('does not match the workflow execute rule for nested paths', () => {
const policy = resolveApiCorsPolicy(
makeRequest('/api/workflows/workflow-123/execute/extra', 'https://other.example')
)
expect(policy.origin).toBe('https://app.sim.test')
})
it('returns default policy with APP_URL and credentials for other API routes', () => {
const policy = resolveApiCorsPolicy(makeRequest('/api/files/upload'))
expect(policy).toEqual({
origin: 'https://app.sim.test',
credentials: true,
methods: 'GET,POST,OPTIONS,PUT,DELETE',
headers: expect.stringContaining('Authorization'),
})
})
it('never pairs wildcard origin with credentials (CORS spec invariant)', () => {
const paths = [
'/api/auth/oauth2/token',
'/api/mcp/copilot',
'/api/chat/abc',
'/api/workflows/wf/execute',
'/api/files/upload',
]
for (const path of paths) {
const policy = resolveApiCorsPolicy(makeRequest(path))
if (policy.origin === '*') {
expect(policy.credentials).toBe(false)
}
}
})
})