the universal sandbox runtime for agents and humans. pocketenv.io
import type { Request } from "express";
import { beforeEach, describe, expect, it, vi } from "vitest";

// The verifier's collaborators are replaced with mocks so the suite only
// pins how authVerifier reads headers and what it passes on to them.
vi.mock("../../lib/env", () => {
  return { env: { JWT_SECRET: "test-secret" } };
});

vi.mock("../../lib/turnstile", () => {
  return { default: vi.fn() };
});

vi.mock("jsonwebtoken", () => {
  return { default: { verify: vi.fn() } };
});

// Loaded dynamically, after the vi.mock registrations above.
const authVerifier = (await import("../../lib/authVerfifier")).default;
const validateTurnstile = (await import("../../lib/turnstile")).default;
const jwt = await import("jsonwebtoken");

/**
 * Builds the minimal argument authVerifier is called with in this suite:
 * an object holding a request that carries only headers.
 *
 * @param overrides - Headers to place on the request.
 * @param authorization - When defined, set as the `authorization` header
 *   (taking precedence over any value in `overrides`).
 * @returns `{ req }` where `req` exposes just `headers`.
 */
function makeReq(
  overrides: Partial<Request["headers"]> = {},
  authorization?: string,
): { req: Partial<Request> } {
  const headers: Partial<Request["headers"]> = { ...overrides };
  if (authorization !== undefined) {
    headers.authorization = authorization;
  }
  return { req: { headers } as unknown as Request };
}

describe("authVerifier", () => {
  const turnstileMock = vi.mocked(validateTurnstile);
  const verifyMock = vi.mocked(jwt.default.verify);

  // Every test starts with clean call history and no canned return values.
  beforeEach(() => {
    turnstileMock.mockReset();
    verifyMock.mockReset();
  });

  it("returns empty artifacts when no challenge and no authorization", async () => {
    expect(await authVerifier(makeReq())).toEqual({ artifacts: false });
  });

  it("validates turnstile when x-challenge header is present", async () => {
    turnstileMock.mockResolvedValue({ success: true });
    const request = makeReq({
      "x-challenge": "token",
      "cf-connecting-ip": "1.2.3.4",
    });

    const outcome = await authVerifier(request);

    expect(validateTurnstile).toHaveBeenCalledWith("token", "1.2.3.4");
    expect(outcome.artifacts).toBe(true);
  });

  // NOTE(review): x-forwarded-for (and cf-connecting-ip, if the origin is
  // reachable without the proxy) can be set by the client. Here the value is
  // only handed to the Turnstile check; confirm the deployment's edge
  // overwrites these headers before anything trusts them further.
  it("falls back to x-forwarded-for when cf-connecting-ip is absent", async () => {
    turnstileMock.mockResolvedValue({ success: true });
    const request = makeReq({
      "x-challenge": "token",
      "x-forwarded-for": "5.6.7.8",
    });

    await authVerifier(request);

    expect(validateTurnstile).toHaveBeenCalledWith("token", "5.6.7.8");
  });

  it("uses 'unknown' as ip when no ip header is present", async () => {
    turnstileMock.mockResolvedValue({ success: false });

    await authVerifier(makeReq({ "x-challenge": "token" }));

    expect(validateTurnstile).toHaveBeenCalledWith("token", "unknown");
  });

  it("sets artifacts to false when turnstile validation fails", async () => {
    turnstileMock.mockResolvedValue({ success: false });
    const request = makeReq({
      "x-challenge": "token",
      "cf-connecting-ip": "1.1.1.1",
    });

    const outcome = await authVerifier(request);

    expect(outcome.artifacts).toBe(false);
  });

  // NOTE(review): this pins that jwt.verify is called with
  // ignoreExpiration: true, i.e. the `exp` claim is not enforced at this
  // layer and an expired token would still produce credentials. Confirm that
  // token lifetime or revocation is enforced elsewhere, or that this is a
  // deliberate design choice.
  it("extracts credentials from a valid bearer token", async () => {
    const decodedPayload = { sub: "did:plc:abc", iat: 123 };
    verifyMock.mockReturnValue(decodedPayload as never);

    const outcome = await authVerifier(makeReq({}, "Bearer valid-token"));

    expect(jwt.default.verify).toHaveBeenCalledWith(
      "valid-token",
      "test-secret",
      { ignoreExpiration: true },
    );
    expect(outcome.credentials).toEqual(decodedPayload);
  });

  it("returns no credentials when authorization header is absent", async () => {
    const outcome = await authVerifier(makeReq());

    expect(outcome.credentials).toBeUndefined();
  });

  // The literal token "null" must be treated as "no token": verification is
  // never attempted and no credentials are returned.
  it("returns no credentials when bearer token is the string 'null'", async () => {
    const outcome = await authVerifier(makeReq({}, "Bearer null"));

    expect(outcome.credentials).toBeUndefined();
    expect(jwt.default.verify).not.toHaveBeenCalled();
  });
});