fix(s4): add shared secret socket authentication — proper tests#215
Merged
fix(s4): add shared secret socket authentication — proper tests#215
Conversation
elazarcoh
force-pushed
the
fix/s4-socket-auth
branch
from
31a1e4f to
b338fa2
Compare
An error occurred while trying to automatically change base from
ci/vitest-framework
to
main
March 7, 2026 21:32
elazarcoh
force-pushed
the
fix/s4-socket-auth
branch
from
b338fa2 to
78ca494
Compare
elazarcoh
force-pushed
the
fix/s4-socket-auth
branch
from
78ca494 to
0fe9445
Compare
✅ CI Results🧪 Tests
📦 Artifactsscreenshots-ubuntu-latest · test-results · extension-vsix · ts-unit-test-results · python-unit-test-results |
elazarcoh
force-pushed
the
fix/s4-socket-auth
branch
from
0fe9445 to
1996c10
Compare
Server generates a random 32-byte secret on startup. The secret hex is passed to the Python client via constructOpenSendAndCloseCode. Python sends the raw secret bytes as the first 32 bytes on each connection. Server validates using crypto.timingSafeEqual before processing any messages. Invalid connections are destroyed immediately. This prevents unauthorized local processes from injecting data into the socket even if they discover the port number. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Delete hand-rolled test_socket_auth.js (plain Node runner) - Add socket-auth.test.ts using vitest with real SocketServer imports - Unit tests: secretHex is non-empty hex, length = AUTH_SECRET_LENGTH*2, only 0-9a-f chars, different instances have different secrets - Integration tests: wrong secret → socket destroyed; correct secret → accepted - Mock typedi and vscode-extensions-json-generator/utils to avoid vscode host deps - Python tests already pass without importlib migration (use raw sockets) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…spy, fix error handler Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Socket tests now require AUTH_SECRET_LENGTH (32 bytes) sent as the first message on connection for authentication. Updated response-timeout and max-msg-size integration tests to send the server's secret hex before sending message payloads. Also added missing 'vi' import to max-msg-size.test.ts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
elazarcoh
force-pushed
the
fix/s4-socket-auth
branch
from
f74459e to
b3c291c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rebased on ci/vitest-framework. Replaced hand-rolled JS test with vitest socket-auth.test.ts. Integration tests verify wrong-secret rejection and correct-secret acceptance. Python test uses importlib.util.