docs: enterprise refactor plan with ralph specs
This commit is contained in:
debian
75
tests/server/auth.test.ts
Normal file
75
tests/server/auth.test.ts
Normal file
@@ -0,0 +1,75 @@
|
||||
/**
|
||||
* Tests for API key authentication middleware and security features.
|
||||
*/
|
||||
|
||||
import request from 'supertest';
|
||||
import { createApp } from '../../src/server/index';
|
||||
import { SessionStore } from '../../src/server/SessionStore';
|
||||
|
||||
function makeApp(apiKey?: string) {
|
||||
if (apiKey !== undefined) {
|
||||
process.env['ABE_API_KEY'] = apiKey;
|
||||
} else {
|
||||
delete process.env['ABE_API_KEY'];
|
||||
}
|
||||
const store = new SessionStore('./reports');
|
||||
return createApp(store);
|
||||
}
|
||||
|
||||
afterEach(() => {
|
||||
delete process.env['ABE_API_KEY'];
|
||||
});
|
||||
|
||||
describe('Auth middleware', () => {
|
||||
it('allows all requests in dev mode (no ABE_API_KEY set)', async () => {
|
||||
const app = makeApp(undefined);
|
||||
const res = await request(app).get('/api/sessions');
|
||||
expect(res.status).not.toBe(401);
|
||||
});
|
||||
|
||||
it('returns 401 when API key is missing', async () => {
|
||||
const app = makeApp('my-secret-key');
|
||||
const res = await request(app).get('/api/sessions');
|
||||
expect(res.status).toBe(401);
|
||||
});
|
||||
|
||||
it('returns 401 when wrong API key provided', async () => {
|
||||
const app = makeApp('my-secret-key');
|
||||
const res = await request(app).get('/api/sessions').set('x-abe-api-key', 'wrong-key');
|
||||
expect(res.status).toBe(401);
|
||||
});
|
||||
|
||||
it('allows request with correct API key', async () => {
|
||||
const app = makeApp('my-secret-key');
|
||||
const res = await request(app).get('/api/sessions').set('x-abe-api-key', 'my-secret-key');
|
||||
expect(res.status).toBe(200);
|
||||
});
|
||||
});
|
||||
|
||||
describe('Health endpoints (no auth)', () => {
|
||||
it('GET /health requires no auth', async () => {
|
||||
const app = makeApp('super-secret');
|
||||
const res = await request(app).get('/health');
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.body.status).toBe('ok');
|
||||
});
|
||||
|
||||
it('GET /ready requires no auth', async () => {
|
||||
const app = makeApp('super-secret');
|
||||
const res = await request(app).get('/ready');
|
||||
expect(res.status).toBe(200);
|
||||
});
|
||||
});
|
||||
|
||||
describe('Concurrent session limit', () => {
|
||||
it('returns 429 when limit exceeded', async () => {
|
||||
delete process.env['ABE_API_KEY'];
|
||||
const store = new SessionStore('./reports', undefined, undefined, 0);
|
||||
const app = createApp(store);
|
||||
const res = await request(app)
|
||||
.post('/api/sessions')
|
||||
.send({ url: 'http://localhost:3000' });
|
||||
expect(res.status).toBe(429);
|
||||
expect(res.body.error).toMatch(/Max concurrent/i);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user