Skip to content

Commit 6af352f

Browse files
author
andypalmi
committed
test(mcp): authenticate equivalence smokes with the expert-mcp platform token
The instance-config smoke test minted a named personal access token, which has its scope deleted at request time and therefore authenticates as the full user, bypassing the user:expert-mcp allow-list check entirely. Switch to the nameless expert-mcp platform token used in production so the equivalence tests actually exercise the allow-list. The directory used to seed the file-listing test is now created directly through the container driver instead of the authenticated POST route, since no instance-config tool creates files and that route is correctly outside the expert-mcp token's allow-list.
1 parent 165953b commit 6af352f

1 file changed

Lines changed: 9 additions & 11 deletions

File tree

test/unit/forge/ee/lib/mcp/tools/instanceConfig_spec.js

Lines changed: 9 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
const should = require('should') // eslint-disable-line no-unused-vars
22
const sinon = require('sinon')
33

4-
const { expectToolMatchesRoute } = require('../../../../../../lib/mcpToolEquivalence')
4+
const { expectToolMatchesRoute, createExpertMcpToken } = require('../../../../../../lib/mcpToolEquivalence')
55

66
const FF_UTIL = require('flowforge-test-utils')
77

@@ -97,7 +97,7 @@ describe('MCP Tools: instanceConfig', function () {
9797
describe('integration tests', function () {
9898
const setup = require('../../../setup')
9999
let app
100-
let pat
100+
let token
101101
let configInstance
102102
let device
103103

@@ -118,7 +118,7 @@ describe('MCP Tools: instanceConfig', function () {
118118
}
119119
}
120120
})
121-
pat = await app.db.controllers.AccessToken.createPersonalAccessToken(app.user, '', null, 'smoke-pat')
121+
token = await createExpertMcpToken(app)
122122

123123
// customHostnames, protectedInstance and ha are enabled by default (team feature
124124
// defaults to true), but staticAssets and teamHttpSecurity default to false - turn
@@ -165,7 +165,7 @@ describe('MCP Tools: instanceConfig', function () {
165165
...options,
166166
headers: {
167167
...(options.headers || {}),
168-
authorization: `Bearer ${pat.token}`
168+
authorization: `Bearer ${token}`
169169
}
170170
})
171171
}
@@ -183,7 +183,7 @@ describe('MCP Tools: instanceConfig', function () {
183183
})
184184
})
185185

186-
// Each of these proves the tool hits the real route (same PAT-bearing inject) by
186+
// Each of these proves the tool hits the real route (same expert-mcp-token-bearing inject) by
187187
// independently deriving {method, url} from the route registration, rather than
188188
// from the tool's own url-building code - see forge/ee/routes/index.js for the
189189
// mount prefixes and the individual forge/ee/routes/<feature>/index.js files for
@@ -246,12 +246,10 @@ describe('MCP Tools: instanceConfig', function () {
246246
})
247247

248248
it('platform_list_instance_files matches GET /api/v1/projects/:instanceId/files/_/', async function () {
249-
const createDir = await inject({
250-
method: 'POST',
251-
url: `/api/v1/projects/${configInstance.id}/files/_/`,
252-
payload: { path: 'uploads' }
253-
})
254-
createDir.statusCode.should.equal(200)
249+
// Seed the directory directly through the container driver rather than the
250+
// POST route: creating a file is not something any instance-config tool does,
251+
// so it is deliberately outside the expert-mcp token's allow-list.
252+
await app.containers.createDirectory(configInstance, '', 'uploads')
255253

256254
// The stub container driver stamps each listing entry with `new Date()` at
257255
// call time, so freeze the clock while both the tool and the route are called

0 commit comments

Comments
 (0)