mirror of
https://github.com/catlog22/Claude-Code-Workflow.git
synced 2026-02-06 01:54:11 +08:00
09d99abee6
* feat(security): Secure dashboard server by default ## Solution Summary - Solution-ID: SOL-DSC-002-1 - Issue-ID: DSC-002 ## Tasks Completed - [T1] JWT token manager (24h expiry, persisted secret/token) - [T2] API auth middleware + localhost token endpoint - [T3] Default bind 127.0.0.1, add --host with warning - [T4] Localhost-only CORS with credentials + Vary - [T5] SECURITY.md documentation + README link ## Verification - npm run build - npm test -- ccw/tests/token-manager.test.ts ccw/tests/middleware.test.ts ccw/tests/server-auth.integration.test.ts ccw/tests/server.test.ts ccw/tests/cors.test.ts * fix(security): Prevent command injection in Windows spawn() ## Solution Summary - **Solution-ID**: SOL-DSC-001-1 - **Issue-ID**: DSC-001 - **Risk/Impact/Complexity**: high/high/medium ## Tasks Completed - [T1] Create Windows shell escape utility - [T2] Escape cli-executor spawn() args on Windows - [T3] Add command injection regression tests ## Files Modified - ccw/src/utils/shell-escape.ts - ccw/src/tools/cli-executor.ts - ccw/tests/shell-escape.test.ts - ccw/tests/security/command-injection.test.ts ## Verification - npm run build - npm test -- ccw/tests/shell-escape.test.ts ccw/tests/security/command-injection.test.ts * fix(security): Harden path validation (DSC-005) ## Solution Summary - Solution-ID: SOL-DSC-005-1 - Issue-ID: DSC-005 ## Tasks Completed - T1: Refactor path validation to pre-resolution checking - T2: Implement allowlist-based path validation - T3: Add path validation to API routes - T4: Add path security regression tests ## Files Modified - ccw/src/utils/path-resolver.ts - ccw/src/utils/path-validator.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/tests/path-resolver.test.ts - ccw/tests/graph-routes.test.ts - ccw/tests/files-routes.test.ts - ccw/tests/skills-routes.test.ts - ccw/tests/security/path-traversal.test.ts ## Verification - npm run build - npm test -- path-resolver.test.ts - npm test -- path-validator.test.ts - npm test -- graph-routes.test.ts - npm test -- files-routes.test.ts - npm test -- skills-routes.test.ts - npm test -- ccw/tests/security/path-traversal.test.ts * fix(security): Prevent credential leakage (DSC-004) ## Solution Summary - Solution-ID: SOL-DSC-004-1 - Issue-ID: DSC-004 ## Tasks Completed - T1: Create credential handling security tests - T2: Add log sanitization tests - T3: Add env var leakage prevention tests - T4: Add secure storage tests ## Files Modified - ccw/src/config/litellm-api-config-manager.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/tests/security/credential-handling.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/security/credential-handling.test.ts * test(ranking): expand normalize_weights edge case coverage (ISS-1766920108814-0) ## Solution Summary - Solution-ID: SOL-20251228113607 - Issue-ID: ISS-1766920108814-0 ## Tasks Completed - T1: Fix NaN and invalid total handling in normalize_weights - T2: Add unit tests for NaN edge cases in normalize_weights ## Files Modified - codex-lens/tests/test_rrf_fusion.py ## Verification - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestNormalizeBM25Score -v - python -m pytest codex-lens/tests/test_rrf_fusion.py -v -k normalize - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestReciprocalRankFusion::test_weight_normalization codex-lens/tests/test_cli_hybrid_search.py::TestCLIHybridSearch::test_weights_normalization -v * feat(security): Add CSRF protection and tighten CORS (DSC-006) ## Solution Summary - Solution-ID: SOL-DSC-006-1 - Issue-ID: DSC-006 - Risk/Impact/Complexity: high/high/medium ## Tasks Completed - T1: Create CSRF token generation system - T2: Add CSRF token endpoints - T3: Implement CSRF validation middleware - T4: Restrict CORS to trusted origins - T5: Add CSRF security tests ## Files Modified - ccw/src/core/auth/csrf-manager.ts - ccw/src/core/auth/csrf-middleware.ts - ccw/src/core/routes/auth-routes.ts - ccw/src/core/server.ts - ccw/tests/csrf-manager.test.ts - ccw/tests/auth-routes.test.ts - ccw/tests/csrf-middleware.test.ts - ccw/tests/security/csrf.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/csrf-manager.test.ts - node --experimental-strip-types --test ccw/tests/auth-routes.test.ts - node --experimental-strip-types --test ccw/tests/csrf-middleware.test.ts - node --experimental-strip-types --test ccw/tests/cors.test.ts - node --experimental-strip-types --test ccw/tests/security/csrf.test.ts * fix(cli-executor): prevent stale SIGKILL timeouts ## Solution Summary - Solution-ID: SOL-DSC-007-1 - Issue-ID: DSC-007 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Store timeout handle in killCurrentCliProcess ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-kill.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts * fix(cli-executor): enhance merge validation guards ## Solution Summary - Solution-ID: SOL-DSC-008-1 - Issue-ID: DSC-008 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Enhance sourceConversations array validation ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-merge-validation.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * refactor(core): remove @ts-nocheck from core routes ## Solution Summary - Solution-ID: SOL-DSC-003-1 - Issue-ID: DSC-003 - Queue-ID: QUE-20260106-164500 - Item-ID: S-9 ## Tasks Completed - T1: Create shared RouteContext type definition - T2: Remove @ts-nocheck from small route files - T3: Remove @ts-nocheck from medium route files - T4: Remove @ts-nocheck from large route files - T5: Remove @ts-nocheck from remaining core files ## Files Modified - ccw/src/core/dashboard-generator-patch.ts - ccw/src/core/dashboard-generator.ts - ccw/src/core/routes/ccw-routes.ts - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/cli-routes.ts - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/discovery-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/src/core/routes/hooks-routes.ts - ccw/src/core/routes/issue-routes.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/src/core/routes/litellm-routes.ts - ccw/src/core/routes/mcp-routes.ts - ccw/src/core/routes/mcp-routes.ts.backup - ccw/src/core/routes/mcp-templates-db.ts - ccw/src/core/routes/nav-status-routes.ts - ccw/src/core/routes/rules-routes.ts - ccw/src/core/routes/session-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/src/core/routes/status-routes.ts - ccw/src/core/routes/system-routes.ts - ccw/src/core/routes/types.ts - ccw/src/core/server.ts - ccw/src/core/websocket.ts ## Verification - npm run build - npm test * refactor: split cli-executor and codexlens routes into modules ## Solution Summary - Solution-ID: SOL-DSC-012-1 - Issue-ID: DSC-012 - Risk/Impact/Complexity: medium/medium/high ## Tasks Completed - [T1] Extract execution orchestration from cli-executor.ts (Refactor ccw/src/tools) - [T2] Extract route handlers from codexlens-routes.ts (Refactor ccw/src/core/routes) - [T3] Extract prompt concatenation logic from cli-executor (Refactor ccw/src/tools) - [T4] Document refactored module architecture (Docs) ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/src/tools/cli-executor-core.ts - ccw/src/tools/cli-executor-utils.ts - ccw/src/tools/cli-executor-state.ts - ccw/src/tools/cli-prompt-builder.ts - ccw/src/tools/README.md - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/codexlens/config-handlers.ts - ccw/src/core/routes/codexlens/index-handlers.ts - ccw/src/core/routes/codexlens/semantic-handlers.ts - ccw/src/core/routes/codexlens/watcher-handlers.ts - ccw/src/core/routes/codexlens/utils.ts - ccw/src/core/routes/codexlens/README.md ## Verification - npm run build - npm test * test(issue): Add comprehensive issue command tests ## Solution Summary - **Solution-ID**: SOL-DSC-009-1 - **Issue-ID**: DSC-009 - **Risk/Impact/Complexity**: low/high/medium ## Tasks Completed - [T1] Create issue command test file structure: Create isolated test harness - [T2] Add JSONL read/write operation tests: Verify JSONL correctness and errors - [T3] Add issue lifecycle tests: Verify status transitions and timestamps - [T4] Add solution binding tests: Verify binding flows and error cases - [T5] Add queue formation tests: Verify queue creation, IDs, and DAG behavior - [T6] Add queue execution tests: Verify next/done/retry and status sync ## Files Modified - ccw/src/commands/issue.ts - ccw/tests/issue-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * test(routes): Add integration tests for route modules ## Solution Summary - Solution-ID: SOL-DSC-010-1 - Issue-ID: DSC-010 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add tests for ccw-routes.ts - [T2] Add tests for files-routes.ts - [T3] Add tests for claude-routes.ts (includes Windows path fix for create) - [T4] Add tests for issue-routes.ts - [T5] Add tests for help-routes.ts (avoid hanging watchers) - [T6] Add tests for nav-status-routes.ts - [T7] Add tests for hooks/graph/rules/skills/litellm-api routes ## Files Modified - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/tests/integration/ccw-routes.test.ts - ccw/tests/integration/claude-routes.test.ts - ccw/tests/integration/files-routes.test.ts - ccw/tests/integration/issue-routes.test.ts - ccw/tests/integration/help-routes.test.ts - ccw/tests/integration/nav-status-routes.test.ts - ccw/tests/integration/hooks-routes.test.ts - ccw/tests/integration/graph-routes.test.ts - ccw/tests/integration/rules-routes.test.ts - ccw/tests/integration/skills-routes.test.ts - ccw/tests/integration/litellm-api-routes.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/integration/ccw-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/files-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/claude-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/issue-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/help-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/nav-status-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/hooks-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/graph-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/rules-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/skills-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/litellm-api-routes.test.ts * refactor(core): Switch cache and lite scanning to async fs ## Solution Summary - Solution-ID: SOL-DSC-013-1 - Issue-ID: DSC-013 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Convert cache-manager.ts to async file operations - [T2] Convert lite-scanner.ts to async file operations - [T3] Update cache-manager call sites to await async API - [T4] Update lite-scanner call sites to await async API ## Files Modified - ccw/src/core/cache-manager.ts - ccw/src/core/lite-scanner.ts - ccw/src/core/data-aggregator.ts ## Verification - npm run build - npm test * fix(exec): Add timeout protection for execSync ## Solution Summary - Solution-ID: SOL-DSC-014-1 - Issue-ID: DSC-014 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add timeout to execSync calls in python-utils.ts - [T2] Add timeout to execSync calls in detect-changed-modules.ts - [T3] Add timeout to execSync calls in claude-freshness.ts - [T4] Add timeout to execSync calls in issue.ts - [T5] Consolidate execSync timeout constants and audit coverage ## Files Modified - ccw/src/utils/exec-constants.ts - ccw/src/utils/python-utils.ts - ccw/src/tools/detect-changed-modules.ts - ccw/src/core/claude-freshness.ts - ccw/src/commands/issue.ts - ccw/src/tools/smart-search.ts - ccw/src/tools/codex-lens.ts - ccw/src/core/routes/codexlens/config-handlers.ts ## Verification - npm run build - npm test - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Add progress spinner with elapsed time for long-running operations ## Solution Summary - Solution-ID: SOL-DSC-015-1 - Issue-ID: DSC-015 - Queue-Item: S-15 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Add progress spinner to CLI execution: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * fix(cli): Move full output hint immediately after truncation notice ## Solution Summary - Solution-ID: SOL-DSC-016-1 - Issue-ID: DSC-016 - Queue-Item: S-16 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Relocate output hint after truncation: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts * feat(cli): Add confirmation prompts for destructive operations ## Solution Summary - Solution-ID: SOL-DSC-017-1 - Issue-ID: DSC-017 - Queue-Item: S-17 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Add confirmation to storage clean operations: Update ccw/src/commands/cli.ts - [T2] Add confirmation to issue queue delete: Update ccw/src/commands/issue.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/src/commands/issue.ts - ccw/tests/cli-command.test.ts - ccw/tests/issue-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Improve multi-line prompt guidance ## Solution Summary - Solution-ID: SOL-DSC-018-1 - Issue-ID: DSC-018 - Queue-Item: S-18 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Update CLI help to emphasize --file option: Update ccw/src/commands/cli.ts - [T2] Add inline hint for multi-line detection: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts --------- Co-authored-by: catlog22 <catlog22@github.com>
295 lines
9.4 KiB
TypeScript
295 lines
9.4 KiB
TypeScript
/**
|
|
* Security regression tests for CSRF protection (DSC-006).
|
|
*
|
|
* Verifies:
|
|
* - State-changing API routes require a valid CSRF token (cookie/header/body)
|
|
* - Tokens are single-use and session-bound
|
|
* - CORS rejects non-localhost origins (browser-enforced via mismatched Allow-Origin)
|
|
* - Development bypass flag disables CSRF validation
|
|
*/
|
|
|
|
import { after, before, describe, it, mock } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import http from 'node:http';
|
|
import { mkdtempSync, rmSync } from 'node:fs';
|
|
import { tmpdir } from 'node:os';
|
|
import { join } from 'node:path';
|
|
|
|
type HttpResult = {
|
|
status: number;
|
|
body: string;
|
|
headers: http.IncomingHttpHeaders;
|
|
};
|
|
|
|
function httpRequest(options: http.RequestOptions, body?: string, timeout = 10000): Promise<HttpResult> {
|
|
return new Promise((resolve, reject) => {
|
|
const req = http.request(options, (res) => {
|
|
let data = '';
|
|
res.on('data', chunk => data += chunk);
|
|
res.on('end', () => resolve({ status: res.statusCode || 0, body: data, headers: res.headers }));
|
|
});
|
|
req.on('error', reject);
|
|
req.setTimeout(timeout, () => {
|
|
req.destroy();
|
|
reject(new Error('Request timeout'));
|
|
});
|
|
if (body) req.write(body);
|
|
req.end();
|
|
});
|
|
}
|
|
|
|
function updateCookieJar(jar: Record<string, string>, setCookie: string | string[] | undefined): void {
|
|
if (!setCookie) return;
|
|
const cookies = Array.isArray(setCookie) ? setCookie : [setCookie];
|
|
for (const cookie of cookies) {
|
|
const pair = cookie.split(';')[0]?.trim();
|
|
if (!pair) continue;
|
|
const [name, ...valueParts] = pair.split('=');
|
|
jar[name] = valueParts.join('=');
|
|
}
|
|
}
|
|
|
|
function cookieHeader(jar: Record<string, string>): string {
|
|
return Object.entries(jar)
|
|
.map(([name, value]) => `${name}=${value}`)
|
|
.join('; ');
|
|
}
|
|
|
|
function cloneJar(jar: Record<string, string>): Record<string, string> {
|
|
return { ...jar };
|
|
}
|
|
|
|
async function getDashboardSession(port: number): Promise<{ jar: Record<string, string>; csrfHeader: string | null }> {
|
|
const jar: Record<string, string> = {};
|
|
const res = await httpRequest({ hostname: '127.0.0.1', port, path: '/', method: 'GET' });
|
|
updateCookieJar(jar, res.headers['set-cookie']);
|
|
return { jar, csrfHeader: typeof res.headers['x-csrf-token'] === 'string' ? res.headers['x-csrf-token'] : null };
|
|
}
|
|
|
|
async function postNotify(port: number, jar: Record<string, string>, extraHeaders?: Record<string, string>, body?: unknown): Promise<HttpResult> {
|
|
const payload = body === undefined ? { type: 'REFRESH_REQUIRED', scope: 'all' } : body;
|
|
const encoded = JSON.stringify(payload);
|
|
return httpRequest(
|
|
{
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/system/notify',
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...(Object.keys(jar).length ? { Cookie: cookieHeader(jar) } : {}),
|
|
...(extraHeaders ?? {}),
|
|
},
|
|
},
|
|
encoded,
|
|
);
|
|
}
|
|
|
|
const ORIGINAL_ENV = { ...process.env };
|
|
const serverUrl = new URL('../../dist/core/server.js', import.meta.url).href;
|
|
const csrfManagerUrl = new URL('../../dist/core/auth/csrf-manager.js', import.meta.url).href;
|
|
|
|
describe('security: CSRF protection', async () => {
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
let serverMod: any;
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
let csrfMod: any;
|
|
|
|
let server: http.Server;
|
|
let port: number;
|
|
let projectRoot: string;
|
|
let ccwHome: string;
|
|
|
|
before(async () => {
|
|
projectRoot = mkdtempSync(join(tmpdir(), 'ccw-csrf-project-'));
|
|
ccwHome = mkdtempSync(join(tmpdir(), 'ccw-csrf-home-'));
|
|
|
|
process.env = { ...ORIGINAL_ENV, CCW_DATA_DIR: ccwHome };
|
|
|
|
serverMod = await import(serverUrl);
|
|
csrfMod = await import(csrfManagerUrl);
|
|
|
|
mock.method(console, 'log', () => {});
|
|
mock.method(console, 'error', () => {});
|
|
|
|
server = await serverMod.startServer({ initialPath: projectRoot, port: 0 });
|
|
const addr = server.address();
|
|
port = typeof addr === 'object' && addr ? addr.port : 0;
|
|
assert.ok(port > 0, 'Server should start on a valid port');
|
|
});
|
|
|
|
after(async () => {
|
|
await new Promise<void>((resolve) => server.close(() => resolve()));
|
|
mock.restoreAll();
|
|
process.env = ORIGINAL_ENV;
|
|
rmSync(projectRoot, { recursive: true, force: true });
|
|
rmSync(ccwHome, { recursive: true, force: true });
|
|
});
|
|
|
|
it('blocks POST requests without CSRF token', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
delete jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 403);
|
|
assert.ok(res.body.includes('CSRF validation failed'));
|
|
});
|
|
|
|
it('blocks POST requests with forged CSRF token', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
jar['XSRF-TOKEN'] = 'forged-token';
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 403);
|
|
});
|
|
|
|
it('blocks expired CSRF tokens', async () => {
|
|
csrfMod.resetCsrfTokenManager();
|
|
csrfMod.getCsrfTokenManager({ tokenTtlMs: 1, cleanupIntervalMs: 0 });
|
|
|
|
const { jar } = await getDashboardSession(port);
|
|
await new Promise(resolve => setTimeout(resolve, 10));
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 403);
|
|
|
|
csrfMod.resetCsrfTokenManager();
|
|
});
|
|
|
|
it('blocks token reuse (single-use tokens)', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const oldToken = jar['XSRF-TOKEN'];
|
|
|
|
const first = await postNotify(port, jar);
|
|
assert.equal(first.status, 200);
|
|
updateCookieJar(jar, first.headers['set-cookie']);
|
|
|
|
// Try again using the old token explicitly (should fail).
|
|
const reuseJar = cloneJar(jar);
|
|
reuseJar['XSRF-TOKEN'] = oldToken;
|
|
const secondUse = await postNotify(port, reuseJar);
|
|
assert.equal(secondUse.status, 403);
|
|
});
|
|
|
|
it('blocks CSRF token theft across sessions', async () => {
|
|
const sessionA = await getDashboardSession(port);
|
|
const sessionB = await getDashboardSession(port);
|
|
|
|
const jar = cloneJar(sessionB.jar);
|
|
jar['XSRF-TOKEN'] = sessionA.jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 403);
|
|
});
|
|
|
|
it('does not require CSRF on GET requests', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const res = await httpRequest({
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/health',
|
|
method: 'GET',
|
|
headers: { Cookie: cookieHeader(jar) },
|
|
});
|
|
assert.equal(res.status, 200);
|
|
});
|
|
|
|
it('accepts CSRF token provided via cookie (legitimate flow)', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 200);
|
|
});
|
|
|
|
it('accepts CSRF token provided via header', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const token = jar['XSRF-TOKEN'];
|
|
delete jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar, { 'X-CSRF-Token': token });
|
|
assert.equal(res.status, 200);
|
|
});
|
|
|
|
it('accepts CSRF token provided via request body', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const token = jar['XSRF-TOKEN'];
|
|
delete jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar, undefined, { type: 'REFRESH_REQUIRED', scope: 'all', csrfToken: token });
|
|
assert.equal(res.status, 200);
|
|
});
|
|
|
|
it('rotates CSRF token after successful POST', async () => {
|
|
const { jar } = await getDashboardSession(port);
|
|
const firstToken = jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 200);
|
|
updateCookieJar(jar, res.headers['set-cookie']);
|
|
|
|
assert.notEqual(jar['XSRF-TOKEN'], firstToken);
|
|
});
|
|
|
|
it('allows localhost origins and rejects external origins (CORS)', async () => {
|
|
const allowedOrigin = `http://localhost:${port}`;
|
|
const allowed = await httpRequest({
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/health',
|
|
method: 'GET',
|
|
headers: { Origin: allowedOrigin },
|
|
});
|
|
assert.equal(allowed.headers['access-control-allow-origin'], allowedOrigin);
|
|
assert.equal(allowed.headers['vary'], 'Origin');
|
|
|
|
const evilOrigin = 'http://evil.com';
|
|
const denied = await httpRequest({
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/health',
|
|
method: 'GET',
|
|
headers: { Origin: evilOrigin },
|
|
});
|
|
assert.notEqual(denied.headers['access-control-allow-origin'], evilOrigin);
|
|
assert.equal(denied.headers['access-control-allow-origin'], `http://localhost:${port}`);
|
|
});
|
|
|
|
it('bypasses CSRF validation when CCW_DISABLE_CSRF=true', async () => {
|
|
process.env.CCW_DISABLE_CSRF = 'true';
|
|
const { jar } = await getDashboardSession(port);
|
|
delete jar['XSRF-TOKEN'];
|
|
|
|
const res = await postNotify(port, jar);
|
|
assert.equal(res.status, 200);
|
|
|
|
delete process.env.CCW_DISABLE_CSRF;
|
|
});
|
|
|
|
it('skips CSRF validation for Authorization header auth', async () => {
|
|
const tokenRes = await httpRequest({
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/auth/token',
|
|
method: 'GET',
|
|
});
|
|
|
|
const parsed = JSON.parse(tokenRes.body) as { token: string };
|
|
assert.ok(parsed.token);
|
|
|
|
const res = await httpRequest(
|
|
{
|
|
hostname: '127.0.0.1',
|
|
port,
|
|
path: '/api/system/notify',
|
|
method: 'POST',
|
|
headers: {
|
|
Authorization: `Bearer ${parsed.token}`,
|
|
'Content-Type': 'application/json',
|
|
},
|
|
},
|
|
JSON.stringify({ type: 'REFRESH_REQUIRED', scope: 'all' }),
|
|
);
|
|
|
|
assert.equal(res.status, 200);
|
|
});
|
|
});
|