-
-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathproxy.test.ts
More file actions
107 lines (93 loc) · 3.19 KB
/
Copy pathproxy.test.ts
File metadata and controls
107 lines (93 loc) · 3.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
import { NextRequest } from "next/server";
import { describe, expect, it, vi } from "vitest";
vi.stubEnv("ALLOWED_ORIGINS", "tail26991.ts.net");
vi.mock("@/lib/auth", () => ({
auth: (callback: (req: NextRequest) => Response | undefined) => {
return (request: NextRequest) =>
callback(Object.assign(request, { auth: null }));
},
}));
const { default: proxy } = (await import("./proxy")) as unknown as {
default: (req: NextRequest) => Promise<Response | undefined>;
};
function makeRequest(
method: string,
url: string,
headers?: Record<string, string>
) {
return new NextRequest(new URL(url, "http://nimble.nexus"), {
method,
headers,
});
}
describe("proxy", () => {
it("rejects POST to page route without Next-Action header", async () => {
const req = makeRequest("POST", "/monsters/abc-123");
const res = await proxy(req);
expect(res?.status).toBe(400);
});
it("allows POST to page route with Next-Action header and valid origin", async () => {
const req = makeRequest("POST", "/monsters/abc-123", {
"next-action": "abc123",
origin: "https://nimble.nexus",
});
const res = await proxy(req);
expect(res?.status).not.toBe(400);
});
it("rejects POST with Next-Action but spoofed origin", async () => {
const req = makeRequest("POST", "/monsters/abc-123", {
"next-action": "abc123",
origin: "https://evil.com",
});
const res = await proxy(req);
expect(res?.status).toBe(400);
});
it("rejects POST with Next-Action but old domain origin", async () => {
const req = makeRequest("POST", "/monsters/abc-123", {
"next-action": "abc123",
origin: "https://nimble.monster",
});
const res = await proxy(req);
expect(res?.status).toBe(400);
});
it("rejects POST with Next-Action but missing origin", async () => {
const req = makeRequest("POST", "/monsters/abc-123", {
"next-action": "abc123",
});
const res = await proxy(req);
expect(res?.status).toBe(400);
});
it("allows POST to /api/ routes", async () => {
const req = makeRequest("POST", "/api/monsters");
const res = await proxy(req);
expect(res?.status).not.toBe(400);
});
it("allows POST with Next-Action and ALLOWED_ORIGINS origin", async () => {
const req = makeRequest("POST", "/monsters/abc-123", {
"next-action": "abc123",
origin: "http://devbox.tail26991.ts.net:3000",
});
const res = await proxy(req);
expect(res?.status).not.toBe(400);
});
it("allows GET requests", async () => {
const req = makeRequest("GET", "/monsters/abc-123");
const res = await proxy(req);
expect(res?.status).toBe(200);
});
it("redirects nimble.monster to nimble.nexus", async () => {
const req = makeRequest("GET", "/monsters", {
host: "nimble.monster",
});
const res = await proxy(req);
expect(res?.status).toBe(308);
expect(res?.headers.get("location")).toContain("nimble.nexus");
});
it("does not redirect nimble.monster nimbrew.json routes", async () => {
const req = makeRequest("GET", "/monsters/abc-123/nimbrew.json", {
host: "nimble.monster",
});
const res = await proxy(req);
expect(res?.status).not.toBe(308);
});
});