Files
wehub-resource-sync f9447f8e5f
CI / typecheck · build · test · bundle-size (push) Failing after 1s
CI / clean-room dependency closure smoke (push) Failing after 1s
CI / server-runtime e2e (docker · pg + valkey) (push) Failing after 2s
Deploy Install Scripts / deploy (push) Failing after 2s
Windows / build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:07:03 +08:00

76 lines
2.9 KiB
TypeScript

// SPDX-License-Identifier: Apache-2.0
import { describe, expect, it } from 'bun:test';
import express from 'express';
import { isAcceptableRequestId, requestIdMiddleware } from '../../../src/server/middleware/request-id.js';
describe('Phase 12 — request_id middleware', () => {
it('mints a request id when none is provided', async () => {
const app = express();
app.use(requestIdMiddleware());
app.get('/echo', (req, res) => {
res.json({ id: req.requestId ?? null });
});
const server = app.listen(0);
try {
const port = (server.address() as { port: number }).port;
const resp = await fetch(`http://127.0.0.1:${port}/echo`);
expect(resp.headers.get('x-request-id')).toBeTruthy();
const body = await resp.json() as { id: string };
expect(body.id.length).toBeGreaterThan(0);
expect(body.id).toBe(resp.headers.get('x-request-id'));
} finally {
await new Promise<void>(resolve => server.close(() => resolve()));
}
});
it('honors a safe inbound X-Request-Id header', async () => {
const app = express();
app.use(requestIdMiddleware());
app.get('/echo', (req, res) => {
res.json({ id: req.requestId ?? null });
});
const server = app.listen(0);
try {
const port = (server.address() as { port: number }).port;
const resp = await fetch(`http://127.0.0.1:${port}/echo`, {
headers: { 'X-Request-Id': 'abc-123_DEF' },
});
const body = await resp.json() as { id: string };
expect(body.id).toBe('abc-123_DEF');
} finally {
await new Promise<void>(resolve => server.close(() => resolve()));
}
});
it('rejects unsafe inbound request ids by minting a fresh uuid', async () => {
const app = express();
app.use(requestIdMiddleware());
app.get('/echo', (req, res) => {
res.json({ id: req.requestId ?? null });
});
const server = app.listen(0);
try {
const port = (server.address() as { port: number }).port;
const resp = await fetch(`http://127.0.0.1:${port}/echo`, {
headers: { 'X-Request-Id': '<script>alert(1)</script>' },
});
const body = await resp.json() as { id: string };
expect(body.id).not.toBe('<script>alert(1)</script>');
expect(isAcceptableRequestId(body.id)).toBe(true);
} finally {
await new Promise<void>(resolve => server.close(() => resolve()));
}
});
it('isAcceptableRequestId enforces the safe-charset, length contract', () => {
expect(isAcceptableRequestId('abc-123')).toBe(true);
expect(isAcceptableRequestId('A1_B2-C3')).toBe(true);
expect(isAcceptableRequestId('')).toBe(false);
expect(isAcceptableRequestId('a'.repeat(65))).toBe(false);
expect(isAcceptableRequestId('foo bar')).toBe(false);
expect(isAcceptableRequestId('-leading-dash')).toBe(false);
expect(isAcceptableRequestId('with"quote')).toBe(false);
});
});