From b4c7e1811dc7392eed82e6aa1db36ed553d589c6 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 4 Apr 2026 21:25:01 -0700 Subject: [PATCH] test: update server-auth test for chrome-extension Origin gating The test previously checked for 'localhost-only' comment. Now checks for 'chrome-extension://' since the token is gated on Origin header. Co-Authored-By: Claude Opus 4.6 (1M context) --- browse/test/server-auth.test.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/browse/test/server-auth.test.ts b/browse/test/server-auth.test.ts index 4c5a57e6..c6f3120f 100644 --- a/browse/test/server-auth.test.ts +++ b/browse/test/server-auth.test.ts @@ -22,13 +22,13 @@ function sliceBetween(source: string, startMarker: string, endMarker: string): s describe('Server auth security', () => { // Test 1: /health serves auth token for extension bootstrap (localhost-only, safe) - // Previously token was removed from /health, but extension needs it since - // .auth.json in the extension dir breaks read-only .app bundles and codesigning. - test('/health serves auth token with safety comment', () => { + // Token is gated on chrome-extension:// Origin header to prevent leaking + // when the server is tunneled to the internet. + test('/health serves auth token only for chrome extension origin', () => { const healthBlock = sliceBetween(SERVER_SRC, "url.pathname === '/health'", "url.pathname === '/refs'"); - expect(healthBlock).toContain('token: AUTH_TOKEN'); - // Must have a comment explaining why this is safe - expect(healthBlock).toContain('localhost-only'); + expect(healthBlock).toContain('AUTH_TOKEN'); + // Must be gated on chrome-extension Origin + expect(healthBlock).toContain('chrome-extension://'); }); // Test 2: /refs endpoint requires auth via validateAuth