import assert from 'node:assert/strict';
import {
assertTrustedAppSignal,
resolveSafeRedirect,
validateSafeHttpUrl,
} from './api/_shared/request-security';
import {
resolveGoogleFormRedirect,
validateGoogleFormUrl,
} from './api/proxy/google-form';
/**
 * Builds a minimal stand-in for the framework response object.
 *
 * It records only what the checks below inspect: the last status code set via
 * `status()` and the last body passed to `json()`. Both methods return the
 * same object so handler code can chain `res.status(401).json({...})`.
 */
function createResponse(): MockResponse {
  const recorded: MockResponse = {
    statusCode: 200,
    payload: null,
    status(this: MockResponse, code: number): MockResponse {
      this.statusCode = code;
      return this;
    },
    json(this: MockResponse, body: Record<string, unknown>): MockResponse {
      this.payload = body;
      return this;
    },
  };
  return recorded;
}

/** Shape of the recording response returned by {@link createResponse}. */
interface MockResponse {
  statusCode: number;
  payload: Record<string, unknown> | null;
  status(this: MockResponse, code: number): MockResponse;
  json(this: MockResponse, body: Record<string, unknown>): MockResponse;
}
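/**
 * Runs the request-security regression checks end to end.
 *
 * Covered, in order: the safe-URL validator (loopback target rejected), the
 * safe-redirect resolver (relative path accepted, localhost target rejected),
 * the trusted-app signal check with and without the dev-auth escape hatch,
 * and the Google Form URL / redirect helpers.
 *
 * The dev-auth section mutates `process.env.FORMMATE_ENABLE_DEV_AUTH`; the
 * original value is restored in a `finally` so a failing assertion inside that
 * section cannot leak the flag into whatever runs next in the same process.
 *
 * @throws AssertionError on the first failing check.
 */
async function run(): Promise<void> {
  // --- URL / redirect helpers -------------------------------------------
  assert.equal(validateSafeHttpUrl('https://example.com/form').ok, true);
  assert.equal(validateSafeHttpUrl('http://127.0.0.1/private').ok, false);
  assert.equal(resolveSafeRedirect('https://example.com', '/next').ok, true);
  assert.equal(resolveSafeRedirect('https://example.com', 'http://localhost/internal').ok, false);

  // --- Trusted-app signal: no dev-auth header, flag untouched -------------
  // A same-origin fetch header alone must not be enough to pass the check.
  const deniedReq = {
    headers: {
      origin: 'http://127.0.0.1:5174',
      'sec-fetch-site': 'same-origin',
    },
  };
  const deniedRes = createResponse();
  const denied = await assertTrustedAppSignal(deniedReq, deniedRes as never, 'Access denied.');
  assert.equal(denied, false);
  assert.equal(deniedRes.statusCode, 401);
  assert.deepEqual(deniedRes.payload, {
    error: 'AUTH_REQUIRED',
    message: 'Access denied.',
  });

  // --- Trusted-app signal: dev-auth escape hatch --------------------------
  const originalFlag = process.env.FORMMATE_ENABLE_DEV_AUTH;
  try {
    // Flag enabled + dev-auth header + loopback peer + local origin → allowed,
    // and the handler must not have written an error body.
    process.env.FORMMATE_ENABLE_DEV_AUTH = '1';
    const devReq = {
      headers: {
        origin: 'http://127.0.0.1:5174',
        'x-formmate-dev-auth': '1',
      },
      socket: {
        remoteAddress: '127.0.0.1',
      },
    };
    const devRes = createResponse();
    const allowed = await assertTrustedAppSignal(devReq, devRes as never, 'Access denied.');
    assert.equal(allowed, true);
    assert.equal(devRes.payload, null);

    // Flag disabled → the header must be ignored and the request rejected.
    // NOTE(review): this case changes both the flag and the origin at once,
    // so it does not isolate which of the two causes the denial.
    process.env.FORMMATE_ENABLE_DEV_AUTH = '0';
    const blockedDevReq = {
      headers: {
        origin: 'https://example.com',
        'x-formmate-dev-auth': '1',
      },
      socket: {
        remoteAddress: '127.0.0.1',
      },
    };
    const blockedDevRes = createResponse();
    const blocked = await assertTrustedAppSignal(blockedDevReq, blockedDevRes as never, 'Access denied.');
    assert.equal(blocked, false);
    assert.equal(blockedDevRes.statusCode, 401);
  } finally {
    // Restore the caller's environment even when an assertion above threw.
    if (originalFlag === undefined) {
      delete process.env.FORMMATE_ENABLE_DEV_AUTH;
    } else {
      process.env.FORMMATE_ENABLE_DEV_AUTH = originalFlag;
    }
  }

  // --- Google Form helpers ------------------------------------------------
  assert.equal(validateGoogleFormUrl('https://docs.google.com/forms/d/e/example/viewform').ok, true);
  assert.equal(validateGoogleFormUrl('https://forms.gle/abc123').ok, true);
  assert.equal(validateGoogleFormUrl('https://example.com/forms/d/e/example/viewform').ok, false);
  assert.equal(resolveGoogleFormRedirect('https://docs.google.com/forms/d/e/example/viewform', 'http://localhost/private').ok, false);

  console.log('request-security checks passed');
}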
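// Report a failing check explicitly and leave a non-zero exit code, instead
// of depending on the runtime's unhandled-rejection policy to do it.
run().catch((error: unknown) => {
  console.error(error);
  process.exitCode = 1;
});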