CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 03:35:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

test: update server-auth test for chrome-extension Origin gating

Browse Source 
The test previously checked for 'localhost-only' comment. Now checks for
'chrome-extension://' since the token is gated on Origin header.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-04 21:25:01 -07:00
parent 52470cd53a
commit b4c7e1811d
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
browse/test/server-auth.test.ts
+6 -6
View File
@@ -22,13 +22,13 @@ function sliceBetween(source: string, startMarker: string, endMarker: string): s
describe('Server auth security', () => {
// Test 1: /health serves auth token for extension bootstrap (localhost-only, safe)
// Previously token was removed from /health, but extension needs it since
// .auth.json in the extension dir breaks read-only .app bundles and codesigning.
test('/health serves auth token with safety comment', () => {
// Token is gated on chrome-extension:// Origin header to prevent leaking
// when the server is tunneled to the internet.
test('/health serves auth token only for chrome extension origin', () => {
const healthBlock = sliceBetween(SERVER_SRC, "url.pathname === '/health'", "url.pathname === '/refs'");
expect(healthBlock).toContain('token: AUTH_TOKEN');
// Must have a comment explaining why this is safe
expect(healthBlock).toContain('localhost-only');
expect(healthBlock).toContain('AUTH_TOKEN');
// Must be gated on chrome-extension Origin
expect(healthBlock).toContain('chrome-extension://');
});
// Test 2: /refs endpoint requires auth via validateAuth