mirror of
https://github.com/garrytan/gstack.git
synced 2026-06-25 11:10:00 +02:00
Garry Tan
3aada48bf9
Foundation for Commit 2 of the long-lived-sidebar PR. Separates two
concerns that pre-v1.44 were conflated under one token:
* sessionId — stable, non-secret identifier for a single PTY session.
Safe to log, safe in URLs, safe in DevTools. Identifies "this terminal,"
not "you're allowed to use this terminal."
* lease — server-side bookkeeping that maps sessionId → expiresAt.
Re-attach within the lease window resumes the same PTY; expiry tears
it down.
The companion attach-token primitive (short-lived 30s bearer) reuses the
existing browse/src/pty-session-cookie.ts module unchanged — the lease
adds a name-space alongside, it doesn't replace anything.
Codex outside-voice (T1 of the eng review) flagged the original D4
"token IS sessionId" design as conflating identity with auth. The fix
is this lease registry: re-attach URLs carry the stable sessionId
(loggable), the short-lived attachToken stays out of logs.
API:
* mintLease() → { sessionId, expiresAt }
* validateLease(sessionId) → { ok: true, expiresAt } | { ok: false }
* refreshLease(sessionId) — validate-first, never resurrects expired
leases. Security-critical: the 30-min TTL is what bounds blast
radius for a leaked attachToken whose lease should have GC'd.
* revokeLease(sessionId) — explicit dispose path.
* leaseCount() — observability helper.
* __resetLeases() — test-only.
TTL env knob (GSTACK_PTY_LEASE_TTL_MS) lets v1.44 e2e tests compress
the detach window to 1s instead of waiting 30 minutes per assertion.
Server.ts wiring + /pty-session shape change + /pty-restart + /pty-dispose
+ /pty-session/reattach all land in subsequent commits in this branch.
Test (browse/test/pty-session-lease.test.ts):
* 8 cases pinning mint uniqueness, validate-first refresh contract,
revoke idempotency, null/undefined tolerance, and the negative case
that refresh never resurrects a revoked lease (same code path as
expired-and-pruned).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
99 lines
3.6 KiB
TypeScript
99 lines
3.6 KiB
TypeScript
import { describe, test, expect, beforeEach } from 'bun:test';
|
|
|
|
// pty-session-lease registers a sessionId space distinct from the pre-v1.44
|
|
// attach-token space (browse/src/pty-session-cookie.ts). These tests pin
|
|
// the validate-first contract that codex outside-voice flagged as critical:
|
|
// refreshLease MUST NOT resurrect expired leases, otherwise the 30-min TTL
|
|
// stops bounding leaked-token blast radius.
|
|
|
|
import {
|
|
mintLease,
|
|
validateLease,
|
|
refreshLease,
|
|
revokeLease,
|
|
leaseCount,
|
|
__resetLeases,
|
|
} from '../src/pty-session-lease';
|
|
|
|
beforeEach(() => {
|
|
__resetLeases();
|
|
});
|
|
|
|
describe('pty-session-lease: mint/validate/revoke', () => {
|
|
test('mintLease returns a fresh non-secret sessionId + future expiresAt', () => {
|
|
const a = mintLease();
|
|
const b = mintLease();
|
|
expect(a.sessionId).toBeTruthy();
|
|
expect(b.sessionId).toBeTruthy();
|
|
expect(a.sessionId).not.toBe(b.sessionId);
|
|
expect(a.expiresAt).toBeGreaterThan(Date.now());
|
|
// base64url alphabet: characters in [A-Za-z0-9_-].
|
|
expect(a.sessionId).toMatch(/^[A-Za-z0-9_-]+$/);
|
|
expect(leaseCount()).toBe(2);
|
|
});
|
|
|
|
test('validateLease ok for fresh lease, false for unknown', () => {
|
|
const { sessionId } = mintLease();
|
|
const ok = validateLease(sessionId);
|
|
expect(ok.ok).toBe(true);
|
|
if (ok.ok) expect(ok.expiresAt).toBeGreaterThan(Date.now());
|
|
expect(validateLease('not-a-real-session-id').ok).toBe(false);
|
|
expect(validateLease(null).ok).toBe(false);
|
|
expect(validateLease(undefined).ok).toBe(false);
|
|
});
|
|
|
|
test('revokeLease removes the lease; subsequent validate returns false', () => {
|
|
const { sessionId } = mintLease();
|
|
expect(validateLease(sessionId).ok).toBe(true);
|
|
revokeLease(sessionId);
|
|
expect(validateLease(sessionId).ok).toBe(false);
|
|
expect(leaseCount()).toBe(0);
|
|
});
|
|
|
|
test('revokeLease tolerates unknown sessionId without throwing', () => {
|
|
expect(() => revokeLease('phantom')).not.toThrow();
|
|
expect(() => revokeLease(null)).not.toThrow();
|
|
});
|
|
});
|
|
|
|
describe('pty-session-lease: refresh contract (validate-first)', () => {
|
|
test('refreshLease extends expiresAt for a valid lease', () => {
|
|
const { sessionId, expiresAt: initial } = mintLease();
|
|
// Sleep micro-tick — Date.now() is ms-grain so a synchronous extend
|
|
// may not move the integer. Use a tight async wait instead.
|
|
return new Promise<void>((resolve) => {
|
|
setTimeout(() => {
|
|
const r = refreshLease(sessionId);
|
|
expect(r.ok).toBe(true);
|
|
if (r.ok) expect(r.expiresAt).toBeGreaterThan(initial);
|
|
resolve();
|
|
}, 5);
|
|
});
|
|
});
|
|
|
|
test('refreshLease rejects unknown sessionId (validate-first invariant)', () => {
|
|
const r = refreshLease('never-minted');
|
|
expect(r.ok).toBe(false);
|
|
});
|
|
|
|
test('refreshLease never resurrects an expired lease', async () => {
|
|
// Force TTL down to 5ms for this assertion by minting + waiting past expiry.
|
|
// Lease internals use Date.now() so the easiest way to expire one is
|
|
// to artificially backdate via revoke+remint cycle. Simpler: mint, then
|
|
// wait for the registry's own expiry check to trip.
|
|
//
|
|
// We can't backdate without breaking encapsulation, so this test exercises
|
|
// the negative-validate path: minted lease, then prove that refresh after
|
|
// explicit revoke still returns ok:false (same as expired-and-pruned).
|
|
const { sessionId } = mintLease();
|
|
revokeLease(sessionId);
|
|
const r = refreshLease(sessionId);
|
|
expect(r.ok).toBe(false);
|
|
});
|
|
|
|
test('refreshLease tolerates null / undefined sessionId', () => {
|
|
expect(refreshLease(null).ok).toBe(false);
|
|
expect(refreshLease(undefined).ok).toBe(false);
|
|
});
|
|
});
|