fix: lazily evaluate SUIT signature window for test mocking

Author: maxgfr

packages/app/scripts/generate-suit-signature.js

@@ -83,7 +83,7 @@ function loadPrivateKey() {
 		try {
 			return readFileSync(values["key-file"], "utf-8");
 		} catch (err) {
-			fail(
+			return fail(
 				`Impossible de lire --key-file "${values["key-file"]}" : ${errorMessage(err)}`,
 			);
 		}
@@ -95,11 +95,11 @@ function loadPrivateKey() {
 		try {
 			return Buffer.from(envKey, "base64").toString("utf-8");
 		} catch (err) {
-			fail(`SUIT_PRIVATE_KEY_PEM invalide : ${errorMessage(err)}`);
+			return fail(`SUIT_PRIVATE_KEY_PEM invalide : ${errorMessage(err)}`);
 		}
 	}
 
-	fail(
+	return fail(
 		"Clé privée manquante. Passez --key-file <chemin> ou SUIT_PRIVATE_KEY_PEM (PEM ou base64).",
 	);
 }

packages/app/src/server/services/__tests__/suitApiAuth.test.ts

@@ -319,5 +319,26 @@ describe("verifySuitSignature", () => {
 			const response = result as Response;
 			expect(response.status).toBe(403);
 		});
+
+		it("accepts a timestamp in the future within the 30-day window", async () => {
+			const verifyFn = await importWithDevEnv();
+			const request = makeSignedRequest("/api/v1/export/declarations", {
+				timestamp: Math.floor(Date.now() / 1000) + 60 * 60 * 24, // 1 day ahead
+			});
+			const result = verifyFn(request);
+			expect(result).toBe(true);
+		});
+
+		it("returns 403 when timestamp is more than 30 days in the future", async () => {
+			const verifyFn = await importWithDevEnv();
+			const request = makeSignedRequest("/api/v1/export/declarations", {
+				timestamp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 31, // 31 days ahead
+			});
+			const result = verifyFn(request);
+
+			expect(result).not.toBe(true);
+			const response = result as Response;
+			expect(response.status).toBe(403);
+		});
 	});
 });

packages/app/src/server/services/suitApiAuth.ts

@@ -4,12 +4,14 @@ import { createPublicKey, timingSafeEqual, verify } from "node:crypto";
 
 import { env } from "~/env";
 
-// Signature validity window.
+// Signature validity window, evaluated lazily so tests can override env via
+// `vi.doMock('~/env')` without depending on module-load timing.
 // Dev: 30 days — allows reusing a generated signature across a working session
 // without constantly re-signing while debugging locally.
 // Preprod / prod: 30 seconds — tight anti-replay window.
-const SIGNATURE_WINDOW_SECONDS =
-	env.NEXT_PUBLIC_EGAPRO_ENV === "dev" ? 30 * 24 * 60 * 60 : 30;
+function getSignatureWindowSeconds(): number {
+	return env.NEXT_PUBLIC_EGAPRO_ENV === "dev" ? 30 * 24 * 60 * 60 : 30;
+}
 
 // Cache the public key at module level — parsed once, reused on every request.
 const suitPublicKey = (() => {
@@ -65,8 +67,8 @@ export function verifySuitApiKey(request: Request): true | Response {
  * SUIT signs `{timestamp}|{METHOD}|{pathname}` with its RSA private key.
  * The app verifies:
  * 1. The signature matches using SUIT's public key (EGAPRO_SUIT_PUBLIC_KEY_PEM)
- * 2. The timestamp is within `SIGNATURE_WINDOW_SECONDS` (anti-replay — 30s
- *    in preprod/prod, 30d in dev)
+ * 2. The timestamp is within the signature window (anti-replay — 30s in
+ *    preprod/prod, 30d in dev, cf. `getSignatureWindowSeconds`)
  *
  * Only active when `EGAPRO_SUIT_PUBLIC_KEY_PEM` is set. When absent, signature
  * verification is skipped (dev / environments without keys).
@@ -87,7 +89,7 @@ export function verifySuitSignature(request: Request): true | Response {
 	}
 
 	const now = Math.floor(Date.now() / 1000);
-	if (Math.abs(now - ts) > SIGNATURE_WINDOW_SECONDS) {
+	if (Math.abs(now - ts) > getSignatureWindowSeconds()) {
 		return forbiddenResponse();
 	}