forked from jordanlambrecht/tracker-tracker
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproxy.test.ts
More file actions
85 lines (70 loc) · 3.1 KB
/
proxy.test.ts
File metadata and controls
85 lines (70 loc) · 3.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
// src/proxy.test.ts
import { NextRequest } from "next/server"
import { describe, expect, it, vi } from "vitest"
import { proxy } from "./proxy"
vi.mock("@/lib/cookie-security", () => ({
shouldSecureCookies: () => false,
}))
describe("auth middleware", () => {
it("allows public auth routes without a session", () => {
const response = proxy(new NextRequest("http://localhost/api/auth/status"))
expect(response.status).toBe(200)
expect(response.headers.get("location")).toBeNull()
})
it("returns 401 for protected API routes without a session", async () => {
const response = proxy(new NextRequest("http://localhost/api/trackers"))
expect(response.status).toBe(401)
await expect(response.json()).resolves.toEqual({ error: "Unauthorized" })
})
it("redirects protected pages to login without a session", () => {
const response = proxy(new NextRequest("http://localhost/settings"))
expect(response.status).toBeGreaterThanOrEqual(300)
expect(response.headers.get("location")).toBe("http://localhost/login")
})
it("refreshes both cookies for authenticated requests with sliding expiration", () => {
const request = new NextRequest("http://localhost/api/trackers", {
headers: {
cookie: "tt_session=session-token; tt_max_age=1800",
},
})
const response = proxy(request)
const setCookie = response.headers.get("set-cookie") ?? ""
expect(response.status).toBe(200)
expect(setCookie).toContain("tt_session=session-token")
expect(setCookie).toContain("tt_max_age=1800")
expect(setCookie).toContain("HttpOnly")
expect(setCookie.toLowerCase()).toContain("samesite=strict")
expect(setCookie).toContain("Max-Age=1800")
// shouldSecureCookies() is mocked to return false — verify Secure is absent
expect(setCookie).not.toContain("Secure")
})
it("does not honor oversized tt_max_age cookie values", () => {
const request = new NextRequest("http://localhost/api/trackers", {
headers: { cookie: "tt_session=token; tt_max_age=99999999" },
})
const response = proxy(request)
const setCookie = response.headers.get("set-cookie") ?? ""
expect(setCookie).not.toContain("Max-Age=99999999")
})
it("passes through when tt_max_age cookie is absent", () => {
const request = new NextRequest("http://localhost/api/trackers", {
headers: { cookie: "tt_session=token" },
})
const response = proxy(request)
// Should pass through without setting refreshed cookies
expect(response.status).toBe(200)
})
it("does not refresh cookies when tt_max_age is zero", () => {
const request = new NextRequest("http://localhost/api/trackers", {
headers: { cookie: "tt_session=token; tt_max_age=0" },
})
const response = proxy(request)
const setCookie = response.headers.get("set-cookie") ?? ""
// maxAge=0 should not trigger refresh (condition: maxAge > 0)
expect(setCookie).not.toContain("tt_session")
})
it("allows health check without authentication", () => {
const response = proxy(new NextRequest("http://localhost/api/health"))
expect(response.status).toBe(200)
})
})