@actuate-media/cms-core 0.10.3 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/__tests__/api/admin-contracts.test.js +1 -0
- package/dist/__tests__/api/admin-contracts.test.js.map +1 -1
- package/dist/__tests__/api/public-globals.test.js +8 -4
- package/dist/__tests__/api/public-globals.test.js.map +1 -1
- package/dist/__tests__/security/audit.test.d.ts +2 -0
- package/dist/__tests__/security/audit.test.d.ts.map +1 -0
- package/dist/__tests__/security/audit.test.js +50 -0
- package/dist/__tests__/security/audit.test.js.map +1 -0
- package/dist/__tests__/security/client-ip.test.d.ts +2 -0
- package/dist/__tests__/security/client-ip.test.d.ts.map +1 -0
- package/dist/__tests__/security/client-ip.test.js +37 -0
- package/dist/__tests__/security/client-ip.test.js.map +1 -0
- package/dist/__tests__/security/ip-allowlist.test.d.ts +2 -0
- package/dist/__tests__/security/ip-allowlist.test.d.ts.map +1 -0
- package/dist/__tests__/security/ip-allowlist.test.js +40 -0
- package/dist/__tests__/security/ip-allowlist.test.js.map +1 -0
- package/dist/__tests__/security/redact.test.d.ts +2 -0
- package/dist/__tests__/security/redact.test.d.ts.map +1 -0
- package/dist/__tests__/security/redact.test.js +31 -0
- package/dist/__tests__/security/redact.test.js.map +1 -0
- package/dist/__tests__/security/secret-storage.test.d.ts +2 -0
- package/dist/__tests__/security/secret-storage.test.d.ts.map +1 -0
- package/dist/__tests__/security/secret-storage.test.js +42 -0
- package/dist/__tests__/security/secret-storage.test.js.map +1 -0
- package/dist/__tests__/security/upload-magic.test.d.ts +2 -0
- package/dist/__tests__/security/upload-magic.test.d.ts.map +1 -0
- package/dist/__tests__/security/upload-magic.test.js +55 -0
- package/dist/__tests__/security/upload-magic.test.js.map +1 -0
- package/dist/__tests__/seo/robots.test.d.ts +2 -0
- package/dist/__tests__/seo/robots.test.d.ts.map +1 -0
- package/dist/__tests__/seo/robots.test.js +51 -0
- package/dist/__tests__/seo/robots.test.js.map +1 -0
- package/dist/__tests__/server-site.test.d.ts +2 -0
- package/dist/__tests__/server-site.test.d.ts.map +1 -0
- package/dist/__tests__/server-site.test.js +123 -0
- package/dist/__tests__/server-site.test.js.map +1 -0
- package/dist/actions.d.ts.map +1 -1
- package/dist/actions.js +170 -34
- package/dist/actions.js.map +1 -1
- package/dist/api/handler-factory.d.ts.map +1 -1
- package/dist/api/handler-factory.js +64 -9
- package/dist/api/handler-factory.js.map +1 -1
- package/dist/api/handlers.d.ts.map +1 -1
- package/dist/api/handlers.js +692 -118
- package/dist/api/handlers.js.map +1 -1
- package/dist/api/openapi.d.ts.map +1 -1
- package/dist/api/openapi.js +38 -0
- package/dist/api/openapi.js.map +1 -1
- package/dist/auth/mfa-pending.d.ts +24 -0
- package/dist/auth/mfa-pending.d.ts.map +1 -0
- package/dist/auth/mfa-pending.js +38 -0
- package/dist/auth/mfa-pending.js.map +1 -0
- package/dist/auth/oauth.d.ts +25 -3
- package/dist/auth/oauth.d.ts.map +1 -1
- package/dist/auth/oauth.js +109 -20
- package/dist/auth/oauth.js.map +1 -1
- package/dist/auth/reset.d.ts.map +1 -1
- package/dist/auth/reset.js +26 -2
- package/dist/auth/reset.js.map +1 -1
- package/dist/auth/session.d.ts +9 -2
- package/dist/auth/session.d.ts.map +1 -1
- package/dist/auth/session.js +20 -2
- package/dist/auth/session.js.map +1 -1
- package/dist/index.d.ts +4 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware.d.ts.map +1 -1
- package/dist/middleware.js +21 -34
- package/dist/middleware.js.map +1 -1
- package/dist/page-builder/__tests__/blocks.test.js +104 -1
- package/dist/page-builder/__tests__/blocks.test.js.map +1 -1
- package/dist/page-builder/blocks.d.ts +18 -1
- package/dist/page-builder/blocks.d.ts.map +1 -1
- package/dist/page-builder/blocks.js +22 -2
- package/dist/page-builder/blocks.js.map +1 -1
- package/dist/security/audit.d.ts.map +1 -1
- package/dist/security/audit.js +8 -4
- package/dist/security/audit.js.map +1 -1
- package/dist/security/client-ip.d.ts +33 -0
- package/dist/security/client-ip.d.ts.map +1 -0
- package/dist/security/client-ip.js +39 -0
- package/dist/security/client-ip.js.map +1 -0
- package/dist/security/index.d.ts +7 -0
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +5 -0
- package/dist/security/index.js.map +1 -1
- package/dist/security/internal-keys.d.ts +15 -0
- package/dist/security/internal-keys.d.ts.map +1 -0
- package/dist/security/internal-keys.js +33 -0
- package/dist/security/internal-keys.js.map +1 -0
- package/dist/security/ip-allowlist.d.ts +13 -1
- package/dist/security/ip-allowlist.d.ts.map +1 -1
- package/dist/security/ip-allowlist.js +120 -12
- package/dist/security/ip-allowlist.js.map +1 -1
- package/dist/security/rate-limit.d.ts.map +1 -1
- package/dist/security/rate-limit.js +49 -17
- package/dist/security/rate-limit.js.map +1 -1
- package/dist/security/redact.d.ts +12 -0
- package/dist/security/redact.d.ts.map +1 -0
- package/dist/security/redact.js +41 -0
- package/dist/security/redact.js.map +1 -0
- package/dist/security/safe-fetch.d.ts +35 -0
- package/dist/security/safe-fetch.d.ts.map +1 -0
- package/dist/security/safe-fetch.js +45 -0
- package/dist/security/safe-fetch.js.map +1 -0
- package/dist/security/secret-storage.d.ts +22 -0
- package/dist/security/secret-storage.d.ts.map +1 -0
- package/dist/security/secret-storage.js +75 -0
- package/dist/security/secret-storage.js.map +1 -0
- package/dist/security/upload.d.ts +23 -4
- package/dist/security/upload.d.ts.map +1 -1
- package/dist/security/upload.js +110 -21
- package/dist/security/upload.js.map +1 -1
- package/dist/seo/index.d.ts +2 -0
- package/dist/seo/index.d.ts.map +1 -1
- package/dist/seo/index.js +1 -0
- package/dist/seo/index.js.map +1 -1
- package/dist/seo/robots.d.ts +16 -0
- package/dist/seo/robots.d.ts.map +1 -0
- package/dist/seo/robots.js +35 -0
- package/dist/seo/robots.js.map +1 -0
- package/dist/server-site.d.ts +54 -0
- package/dist/server-site.d.ts.map +1 -0
- package/dist/server-site.js +149 -0
- package/dist/server-site.js.map +1 -0
- package/dist/site.d.ts.map +1 -1
- package/dist/site.js +19 -1
- package/dist/site.js.map +1 -1
- package/dist/storage/index.d.ts +20 -10
- package/dist/storage/index.d.ts.map +1 -1
- package/dist/storage/index.js +6 -3
- package/dist/storage/index.js.map +1 -1
- package/dist/webhooks/index.d.ts.map +1 -1
- package/dist/webhooks/index.js +20 -9
- package/dist/webhooks/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin-contracts.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/admin-contracts.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,MAAM,GAAG,4CAA4C,CAAC;AAE5D,KAAK,UAAU,WAAW;IACxB,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,mBAAmB,KAAK,EAAE,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO;QACL,OAAO,EAAE;YACP,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;SAC9C;QACD,IAAI,EAAE,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC;gBACpB;oBACE,EAAE,EAAE,SAAS;oBACb,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,kBAAkB;oBAC9B,OAAO,EAAE,YAAY;oBACrB,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,GAAG;oBACX,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;oBAC/C,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;iBAChD;aACF;YACD,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;SACrB;QACD,QAAQ,EAAE;YACR,QAAQ,EAAE,KAAK,EAAE,IAA4D,EAAE,EAAE;gBAC/E,IAAI,IAAI,EAAE,KAAK,EAAE,UAAU,KAAK,OAAO,EAAE,CAAC;oBACxC,OAAO;wBACL;4BACE,EAAE,EAAE,QAAQ;4BACZ,KAAK,EAAE,cAAc;4BACrB,IAAI,EAAE;gCACJ,IAAI,EAAE,cAAc;gCACpB,WAAW,EAAE,YAAY;gCACzB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;6BACjD;4BACD,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;4BAC/C,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;yBAChD;qBACF,CAAC;gBACJ,CAAC;gBAED,OAAO;oBACL;wBACE,EAAE,EAAE,QAAQ;wBACZ,UAAU,EAAE,OAAO;wBACnB,KAAK,EAAE,MAAM;wBACb,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE;4BACJ,KAAK,EAAE,MAAM;4BACb,IAAI,EAAE,MAAM;4BACZ,SAAS,EAAE,WAAW;4BACtB,eAAe,EAAE,kBAAkB;4BACnC,SAAS,EAAE,sBAAsB;4BACjC,UAAU,EAAE,SAAS;yBACtB;wBACD,cAAc,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;wBACrD,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;qBAChD;iBACF,CAAC;YACJ,CAAC;SACF;QACD,cAAc,EAAE;YACd,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC;gBACpB;oBACE,EAAE,EAAE,cAAc;oBAClB,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,OAAO,EAAE;oBACjE,WAAW,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE;oBAChD,MAAM,EAAE,KAAK;oBACb,WAAW,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;iBAClD;aACF;YACD,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"admin-contracts.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/admin-contracts.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,MAAM,GAAG,4CAA4C,CAAC;AAE5D,KAAK,UAAU,WAAW;IACxB,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,mBAAmB,KAAK,EAAE,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO;QACL,OAAO,EAAE;YACP,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;SAC9C;QACD,IAAI,EAAE,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC;gBACpB;oBACE,EAAE,EAAE,SAAS;oBACb,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,kBAAkB;oBAC9B,OAAO,EAAE,YAAY;oBACrB,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,GAAG;oBACX,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;oBAC/C,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;iBAChD;aACF;YACD,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;SACrB;QACD,QAAQ,EAAE;YACR,QAAQ,EAAE,KAAK,EAAE,IAA4D,EAAE,EAAE;gBAC/E,IAAI,IAAI,EAAE,KAAK,EAAE,UAAU,KAAK,OAAO,EAAE,CAAC;oBACxC,OAAO;wBACL;4BACE,EAAE,EAAE,QAAQ;4BACZ,KAAK,EAAE,cAAc;4BACrB,IAAI,EAAE;gCACJ,IAAI,EAAE,cAAc;gCACpB,WAAW,EAAE,YAAY;gCACzB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;6BACjD;4BACD,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;4BAC/C,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;yBAChD;qBACF,CAAC;gBACJ,CAAC;gBAED,OAAO;oBACL;wBACE,EAAE,EAAE,QAAQ;wBACZ,UAAU,EAAE,OAAO;wBACnB,KAAK,EAAE,MAAM;wBACb,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE;4BACJ,KAAK,EAAE,MAAM;4BACb,IAAI,EAAE,MAAM;4BACZ,SAAS,EAAE,WAAW;4BACtB,eAAe,EAAE,kBAAkB;4BACnC,SAAS,EAAE,sBAAsB;4BACjC,UAAU,EAAE,SAAS;yBACtB;wBACD,cAAc,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;wBACrD,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;qBAChD;iBACF,CAAC;YACJ,CAAC;SACF;QACD,cAAc,EAAE;YACd,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC;gBACpB;oBACE,EAAE,EAAE,cAAc;oBAClB,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,OAAO,EAAE;oBACjE,WAAW,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE;oBAChD,MAAM,EAAE,KAAK;oBACb,WAAW,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;iBAClD;aACF;YACD,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACpB,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;SACjE;QACD,QAAQ,EAAE;YACR,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC;gBACpB;oBACE,EAAE,EAAE,YAAY;oBAChB,MAAM,EAAE,MAAM;oBACd,WAAW,EAAE,MAAM;oBACnB,UAAU,EAAE,GAAG;oBACf,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;oBAC/C,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;iBAChD;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC;QAChC,MAAM,EAAE,GAAG,YAAY,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,mCAAmC,EAAE;YAC9E,OAAO,EAAE,MAAM,WAAW,EAAE;SAC7B,CAAC,CAAC,CAAC;QAEJ,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YACnD,IAAI,EAAE;gBACJ,IAAI,EAAE;oBACJ;wBACE,EAAE,EAAE,SAAS;wBACb,IAAI,EAAE,UAAU;wBAChB,IAAI,EAAE,YAAY;wBAClB,IAAI,EAAE,QAAQ;wBACd,SAAS,EAAE,IAAI;wBACf,GAAG,EAAE,EAAE;wBACP,MAAM,EAAE,YAAY;wBACpB,KAAK,EAAE,MAAM;wBACb,UAAU,EAAE,UAAU;qBACvB;iBACF;gBACD,KAAK,EAAE,CAAC;aACT;SACF,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QAEpC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAClE,OAAO,CAAC,IAAI,OAAO,CAAC,mCAAmC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,OAAO,CAAC,sDAAsD,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACzF,OAAO,CAAC,IAAI,OAAO,CAAC,uCAAuC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1E,OAAO,CAAC,IAAI,OAAO,CAAC,uCAAuC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;SAC3E,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChD,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;SAC1E,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YACtD,IAAI,EAAE;gBACJ,WAAW,EAAE;oBACX;wBACE,EAAE,EAAE,cAAc;wBAClB,IAAI,EAAE,KAAK;wBACX,KAAK,EAAE,iBAAiB;wBACxB,OAAO,EAAE,OAAO;wBAChB,MAAM,EAAE,KAAK;wBACb,WAAW,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE;qBACjD;iBACF;gBACD,KAAK,EAAE,CAAC;aACT;SACF,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YACpD,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;SACpE,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YACnD,IAAI,EAAE;gBACJ;oBACE,EAAE,EAAE,QAAQ;oBACZ,GAAG,EAAE,GAAG;oBACR,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,EAAE;oBACT,MAAM,EAAE,CAAC;oBACT,SAAS,EAAE,WAAW;oBACtB,eAAe,EAAE,kBAAkB;iBACpC;aACF;SACF,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -61,10 +61,13 @@ describe('public globals API', () => {
|
|
|
61
61
|
const response = await handler(new Request('https://example.com/api/cms/public/globals/site-settings'));
|
|
62
62
|
expect(response.status).toBe(403);
|
|
63
63
|
});
|
|
64
|
-
it('
|
|
65
|
-
|
|
64
|
+
it('returns declared globals as public when access.read is omitted', async () => {
|
|
65
|
+
// Globals served from `/public/globals/:slug` are public site data by
|
|
66
|
+
// definition. When no access policy is provided, the route should grant
|
|
67
|
+
// read access — gating requires an explicit `access.read` returning false.
|
|
68
|
+
initDB(createMockDB({ siteName: 'Implicit Public' }));
|
|
66
69
|
const handler = handleActuateAPI({
|
|
67
|
-
prismaClient: createMockDB({ siteName: '
|
|
70
|
+
prismaClient: createMockDB({ siteName: 'Implicit Public' }),
|
|
68
71
|
config: {
|
|
69
72
|
collections: {},
|
|
70
73
|
globals: {
|
|
@@ -77,7 +80,8 @@ describe('public globals API', () => {
|
|
|
77
80
|
},
|
|
78
81
|
});
|
|
79
82
|
const response = await handler(new Request('https://example.com/api/cms/public/globals/site-settings'));
|
|
80
|
-
expect(response.status).toBe(
|
|
83
|
+
expect(response.status).toBe(200);
|
|
84
|
+
await expect(response.json()).resolves.toEqual({ data: { siteName: 'Implicit Public' } });
|
|
81
85
|
});
|
|
82
86
|
it('does not expose documents for undeclared globals', async () => {
|
|
83
87
|
initDB(createMockDB({ siteName: 'Hidden' }));
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"public-globals.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/public-globals.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,SAAS,YAAY,CAAC,IAAoC;IACxD,OAAO;QACL,QAAQ,EAAE;YACR,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI;gBACzB,CAAC,CAAC;oBACE,EAAE,EAAE,UAAU;oBACd,UAAU,EAAE,eAAe;oBAC3B,IAAI;oBACJ,SAAS,EAAE,IAAI;iBAChB;gBACH,CAAC,CAAC,IAAI;SACT;QACD,IAAI,EAAE,EAAE;QACR,OAAO,EAAE,EAAE;QACX,KAAK,EAAE,EAAE;KACV,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,UAAU,CAAC,GAAG,EAAE;QACd,OAAQ,UAAkB,CAAC,eAAe,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACnD,MAAM,EAAE;gBACN,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,eAAe;wBACtB,MAAM,EAAE,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;qBAC7B;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAClF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACnD,MAAM,EAAE;gBACN,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,eAAe;wBACtB,MAAM,EAAE,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE;qBAC9B;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,
|
|
1
|
+
{"version":3,"file":"public-globals.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/public-globals.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,SAAS,YAAY,CAAC,IAAoC;IACxD,OAAO;QACL,QAAQ,EAAE;YACR,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI;gBACzB,CAAC,CAAC;oBACE,EAAE,EAAE,UAAU;oBACd,UAAU,EAAE,eAAe;oBAC3B,IAAI;oBACJ,SAAS,EAAE,IAAI;iBAChB;gBACH,CAAC,CAAC,IAAI;SACT;QACD,IAAI,EAAE,EAAE;QACR,OAAO,EAAE,EAAE;QACX,KAAK,EAAE,EAAE;KACV,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,UAAU,CAAC,GAAG,EAAE;QACd,OAAQ,UAAkB,CAAC,eAAe,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACnD,MAAM,EAAE;gBACN,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,eAAe;wBACtB,MAAM,EAAE,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;qBAC7B;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAClF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACnD,MAAM,EAAE;gBACN,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,eAAe;wBACtB,MAAM,EAAE,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE;qBAC9B;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,sEAAsE;QACtE,wEAAwE;QACxE,2EAA2E;QAC3E,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC;YAC3D,MAAM,EAAE;gBACN,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE;oBACP,eAAe,EAAE;wBACf,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,eAAe;wBACtB,MAAM,EAAE,EAAE;qBACX;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,YAAY,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;YAClD,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;SACzC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,0DAA0D,CAAC,CAAC,CAAC;QAExG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/audit.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { initDB } from '../../db.js';
|
|
3
|
+
import { logEvent, getAuditLog } from '../../security/audit.js';
|
|
4
|
+
function createMockDB() {
|
|
5
|
+
const records = [];
|
|
6
|
+
return {
|
|
7
|
+
auditLog: {
|
|
8
|
+
create: async ({ data }) => {
|
|
9
|
+
const row = { ...data, id: `log-${records.length + 1}`, timestamp: new Date() };
|
|
10
|
+
records.push(row);
|
|
11
|
+
return row;
|
|
12
|
+
},
|
|
13
|
+
findMany: async ({ where, orderBy, skip, take }) => {
|
|
14
|
+
let filtered = records;
|
|
15
|
+
if (where?.event)
|
|
16
|
+
filtered = filtered.filter((r) => r.event === where.event);
|
|
17
|
+
if (orderBy?.timestamp === 'desc') {
|
|
18
|
+
filtered = [...filtered].sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
|
|
19
|
+
}
|
|
20
|
+
return filtered.slice(skip ?? 0, (skip ?? 0) + (take ?? filtered.length));
|
|
21
|
+
},
|
|
22
|
+
count: async ({ where }) => {
|
|
23
|
+
if (!where?.event)
|
|
24
|
+
return records.length;
|
|
25
|
+
return records.filter((r) => r.event === where.event).length;
|
|
26
|
+
},
|
|
27
|
+
},
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
describe('audit log', () => {
|
|
31
|
+
it('logEvent stores an entry and getAuditLog reads it back', async () => {
|
|
32
|
+
const db = createMockDB();
|
|
33
|
+
initDB(db);
|
|
34
|
+
await logEvent({ event: 'login_success', userId: 'u1', ipAddress: '203.0.113.5' });
|
|
35
|
+
const result = await getAuditLog({ event: 'login_success' });
|
|
36
|
+
expect(result.total).toBe(1);
|
|
37
|
+
expect(result.entries[0]).toMatchObject({ event: 'login_success', userId: 'u1' });
|
|
38
|
+
});
|
|
39
|
+
it('getAuditLog orders by timestamp (regression: previously used non-existent createdAt column)', async () => {
|
|
40
|
+
const db = createMockDB();
|
|
41
|
+
initDB(db);
|
|
42
|
+
await logEvent({ event: 'a' });
|
|
43
|
+
await new Promise((r) => setTimeout(r, 5));
|
|
44
|
+
await logEvent({ event: 'b' });
|
|
45
|
+
const result = await getAuditLog({});
|
|
46
|
+
expect(result.entries[0]?.event).toBe('b');
|
|
47
|
+
expect(result.entries[1]?.event).toBe('a');
|
|
48
|
+
});
|
|
49
|
+
});
|
|
50
|
+
//# sourceMappingURL=audit.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/audit.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAS,MAAM,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEhE,SAAS,YAAY;IACnB,MAAM,OAAO,GAAU,EAAE,CAAC;IAC1B,OAAO;QACL,QAAQ,EAAE;YACR,MAAM,EAAE,KAAK,EAAE,EAAE,IAAI,EAAiB,EAAE,EAAE;gBACxC,MAAM,GAAG,GAAG,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChF,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClB,OAAO,GAAG,CAAC;YACb,CAAC;YACD,QAAQ,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAO,EAAE,EAAE;gBACtD,IAAI,QAAQ,GAAG,OAAO,CAAC;gBACvB,IAAI,KAAK,EAAE,KAAK;oBAAE,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC7E,IAAI,OAAO,EAAE,SAAS,KAAK,MAAM,EAAE,CAAC;oBAClC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzF,CAAC;gBACD,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5E,CAAC;YACD,KAAK,EAAE,KAAK,EAAE,EAAE,KAAK,EAAO,EAAE,EAAE;gBAC9B,IAAI,CAAC,KAAK,EAAE,KAAK;oBAAE,OAAO,OAAO,CAAC,MAAM,CAAC;gBACzC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;YAC/D,CAAC;SACF;KACF,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,EAAE,GAAG,YAAY,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;QACnF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6FAA6F,EAAE,KAAK,IAAI,EAAE;QAC3G,MAAM,EAAE,GAAG,YAAY,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,QAAQ,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client-ip.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/client-ip.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { getClientIp, isResolvedIp } from '../../security/client-ip.js';
|
|
3
|
+
function req(headers) {
|
|
4
|
+
return new Request('https://example.com/x', { headers });
|
|
5
|
+
}
|
|
6
|
+
describe('client-ip helper', () => {
|
|
7
|
+
it('uses X-Vercel-Forwarded-For first', () => {
|
|
8
|
+
const r = req({
|
|
9
|
+
'x-vercel-forwarded-for': '203.0.113.5',
|
|
10
|
+
'x-forwarded-for': '198.51.100.1, 203.0.113.5',
|
|
11
|
+
'x-real-ip': '198.51.100.1',
|
|
12
|
+
});
|
|
13
|
+
expect(getClientIp(r)).toBe('203.0.113.5');
|
|
14
|
+
});
|
|
15
|
+
it('falls back to x-real-ip when no Vercel header', () => {
|
|
16
|
+
const r = req({ 'x-real-ip': '203.0.113.99' });
|
|
17
|
+
expect(getClientIp(r)).toBe('203.0.113.99');
|
|
18
|
+
});
|
|
19
|
+
it('does NOT trust X-Forwarded-For by default', () => {
|
|
20
|
+
const r = req({ 'x-forwarded-for': '1.2.3.4' });
|
|
21
|
+
expect(getClientIp(r)).toBe('unknown');
|
|
22
|
+
});
|
|
23
|
+
it('uses the LAST X-Forwarded-For entry when trustProxy is enabled', () => {
|
|
24
|
+
const r = req({ 'x-forwarded-for': '198.51.100.1, 203.0.113.5, 1.2.3.4' });
|
|
25
|
+
// Last entry = closest to our trusted proxy = the one to trust.
|
|
26
|
+
expect(getClientIp(r, { trustProxy: true })).toBe('1.2.3.4');
|
|
27
|
+
});
|
|
28
|
+
it('reports "unknown" with no headers', () => {
|
|
29
|
+
expect(getClientIp(req({}))).toBe('unknown');
|
|
30
|
+
});
|
|
31
|
+
it('isResolvedIp is false for "unknown"', () => {
|
|
32
|
+
expect(isResolvedIp('unknown')).toBe(false);
|
|
33
|
+
expect(isResolvedIp('')).toBe(false);
|
|
34
|
+
expect(isResolvedIp('203.0.113.5')).toBe(true);
|
|
35
|
+
});
|
|
36
|
+
});
|
|
37
|
+
//# sourceMappingURL=client-ip.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client-ip.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/client-ip.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAExE,SAAS,GAAG,CAAC,OAA+B;IAC1C,OAAO,IAAI,OAAO,CAAC,uBAAuB,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,GAAG,CAAC;YACZ,wBAAwB,EAAE,aAAa;YACvC,iBAAiB,EAAE,2BAA2B;YAC9C,WAAW,EAAE,cAAc;SAC5B,CAAC,CAAC;QACH,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,CAAC,GAAG,GAAG,CAAC,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC,CAAC;QAC/C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,GAAG,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,CAAC,GAAG,GAAG,CAAC,EAAE,iBAAiB,EAAE,oCAAoC,EAAE,CAAC,CAAC;QAC3E,gEAAgE;QAChE,MAAM,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ip-allowlist.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/ip-allowlist.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { isIpAllowed } from '../../security/ip-allowlist.js';
|
|
3
|
+
describe('isIpAllowed', () => {
|
|
4
|
+
it('allows everything when allowlist is empty', () => {
|
|
5
|
+
expect(isIpAllowed('203.0.113.5', [])).toBe(true);
|
|
6
|
+
});
|
|
7
|
+
it('rejects the literal "unknown" sentinel against a non-empty allowlist', () => {
|
|
8
|
+
expect(isIpAllowed('unknown', ['203.0.113.5'])).toBe(false);
|
|
9
|
+
});
|
|
10
|
+
it('still allows "unknown" when no allowlist is configured', () => {
|
|
11
|
+
// Empty allowlist means "no IP restriction at all". The middleware
|
|
12
|
+
// separately decides whether unknown IPs should be allowed via
|
|
13
|
+
// isResolvedIp() before consulting this helper.
|
|
14
|
+
expect(isIpAllowed('unknown', [])).toBe(true);
|
|
15
|
+
});
|
|
16
|
+
it('matches a literal IPv4 address', () => {
|
|
17
|
+
expect(isIpAllowed('203.0.113.5', ['203.0.113.5'])).toBe(true);
|
|
18
|
+
expect(isIpAllowed('203.0.113.6', ['203.0.113.5'])).toBe(false);
|
|
19
|
+
});
|
|
20
|
+
it('matches an IPv4 CIDR range', () => {
|
|
21
|
+
expect(isIpAllowed('203.0.113.42', ['203.0.113.0/24'])).toBe(true);
|
|
22
|
+
expect(isIpAllowed('203.0.114.42', ['203.0.113.0/24'])).toBe(false);
|
|
23
|
+
});
|
|
24
|
+
it('matches a literal IPv6 address with normalisation', () => {
|
|
25
|
+
expect(isIpAllowed('2001:db8::1', ['2001:db8:0:0:0:0:0:1'])).toBe(true);
|
|
26
|
+
});
|
|
27
|
+
it('matches an IPv6 CIDR range', () => {
|
|
28
|
+
expect(isIpAllowed('2001:db8:abcd::1', ['2001:db8::/32'])).toBe(true);
|
|
29
|
+
expect(isIpAllowed('2001:db9::1', ['2001:db8::/32'])).toBe(false);
|
|
30
|
+
});
|
|
31
|
+
it('normalises IPv4-mapped IPv6 addresses', () => {
|
|
32
|
+
expect(isIpAllowed('::ffff:203.0.113.5', ['203.0.113.5'])).toBe(true);
|
|
33
|
+
expect(isIpAllowed('::ffff:203.0.113.5', ['203.0.113.0/24'])).toBe(true);
|
|
34
|
+
});
|
|
35
|
+
it('rejects malformed CIDR values', () => {
|
|
36
|
+
expect(isIpAllowed('203.0.113.5', ['203.0.113.0/abc'])).toBe(false);
|
|
37
|
+
expect(isIpAllowed('203.0.113.5', ['203.0.113.0/-1'])).toBe(false);
|
|
38
|
+
});
|
|
39
|
+
});
|
|
40
|
+
//# sourceMappingURL=ip-allowlist.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ip-allowlist.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/ip-allowlist.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAE7D,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,mEAAmE;QACnE,+DAA+D;QAC/D,gDAAgD;QAChD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,WAAW,CAAC,kBAAkB,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,WAAW,CAAC,oBAAoB,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,WAAW,CAAC,oBAAoB,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redact.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/redact.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { redactSecrets } from '../../security/redact.js';
|
|
3
|
+
describe('redactSecrets', () => {
|
|
4
|
+
it('redacts OpenAI keys', () => {
|
|
5
|
+
expect(redactSecrets('use sk-abcdefghijklmnopqrstuv0123 for now')).toBe('use [REDACTED] for now');
|
|
6
|
+
});
|
|
7
|
+
it('redacts Anthropic keys', () => {
|
|
8
|
+
expect(redactSecrets('sk-ant-api03-AbCdEfGhIjKlMnOpQrStUvWxYz123456 secret')).toBe('[REDACTED] secret');
|
|
9
|
+
});
|
|
10
|
+
it('redacts Actuate API keys', () => {
|
|
11
|
+
expect(redactSecrets('act_sk_abcdef0123456789ABCDEF0123456789 leaked')).toBe('[REDACTED] leaked');
|
|
12
|
+
});
|
|
13
|
+
it('redacts GitHub tokens', () => {
|
|
14
|
+
expect(redactSecrets('ghp_abcdefghijklmnopqrstuvwxyz0123456789')).toBe('[REDACTED]');
|
|
15
|
+
});
|
|
16
|
+
it('redacts AWS access keys', () => {
|
|
17
|
+
expect(redactSecrets('AKIAIOSFODNN7EXAMPLE is mine')).toBe('[REDACTED] is mine');
|
|
18
|
+
});
|
|
19
|
+
it('redacts JWTs', () => {
|
|
20
|
+
const jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NSJ9.dQw4w9WgXcQabcdef1234';
|
|
21
|
+
expect(redactSecrets(`bearer ${jwt}`)).toBe('bearer [REDACTED]');
|
|
22
|
+
});
|
|
23
|
+
it('redacts password assignments', () => {
|
|
24
|
+
expect(redactSecrets('password: "hunter2x9"')).toBe('[REDACTED]');
|
|
25
|
+
});
|
|
26
|
+
it('preserves non-secret content', () => {
|
|
27
|
+
expect(redactSecrets('hello world')).toBe('hello world');
|
|
28
|
+
expect(redactSecrets('')).toBe('');
|
|
29
|
+
});
|
|
30
|
+
});
|
|
31
|
+
//# sourceMappingURL=redact.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redact.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/redact.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAEzD,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,aAAa,CAAC,2CAA2C,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,aAAa,CAAC,sDAAsD,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC1G,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,aAAa,CAAC,gDAAgD,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,aAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,aAAa,CAAC,8BAA8B,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE;QACtB,MAAM,GAAG,GAAG,iEAAiE,CAAC;QAC9E,MAAM,CAAC,aAAa,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,aAAa,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACzD,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secret-storage.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/secret-storage.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { encryptSecret, decryptSecret, isEncrypted, encryptStringArray, decryptStringArray, } from '../../security/secret-storage.js';
|
|
3
|
+
const KEY = 'a'.repeat(64); // 32 bytes hex
|
|
4
|
+
describe('secret-storage', () => {
|
|
5
|
+
it('round-trips a secret when CMS_ENCRYPTION_KEY is set', async () => {
|
|
6
|
+
process.env.CMS_ENCRYPTION_KEY = KEY;
|
|
7
|
+
const ciphertext = await encryptSecret('totp-seed-12345');
|
|
8
|
+
expect(ciphertext.startsWith('enc:v1:')).toBe(true);
|
|
9
|
+
expect(isEncrypted(ciphertext)).toBe(true);
|
|
10
|
+
expect(await decryptSecret(ciphertext)).toBe('totp-seed-12345');
|
|
11
|
+
});
|
|
12
|
+
it('passes plaintext through unchanged when CMS_ENCRYPTION_KEY is unset', async () => {
|
|
13
|
+
delete process.env.CMS_ENCRYPTION_KEY;
|
|
14
|
+
const out = await encryptSecret('plain-secret');
|
|
15
|
+
expect(out).toBe('plain-secret');
|
|
16
|
+
expect(isEncrypted(out)).toBe(false);
|
|
17
|
+
// Reads of plaintext values that were never encrypted return as-is.
|
|
18
|
+
expect(await decryptSecret('plain-secret')).toBe('plain-secret');
|
|
19
|
+
});
|
|
20
|
+
it('encryptStringArray + decryptStringArray round-trip', async () => {
|
|
21
|
+
process.env.CMS_ENCRYPTION_KEY = KEY;
|
|
22
|
+
const codes = ['abc-123', 'def-456', 'ghi-789'];
|
|
23
|
+
const enc = await encryptStringArray(codes);
|
|
24
|
+
expect(enc.every(isEncrypted)).toBe(true);
|
|
25
|
+
expect(await decryptStringArray(enc)).toEqual(codes);
|
|
26
|
+
});
|
|
27
|
+
it('decryptSecret refuses encrypted values without a key', async () => {
|
|
28
|
+
process.env.CMS_ENCRYPTION_KEY = KEY;
|
|
29
|
+
const ciphertext = await encryptSecret('shh');
|
|
30
|
+
delete process.env.CMS_ENCRYPTION_KEY;
|
|
31
|
+
await expect(decryptSecret(ciphertext)).rejects.toThrow(/CMS_ENCRYPTION_KEY/);
|
|
32
|
+
});
|
|
33
|
+
it('round-trip data is non-deterministic (random IV)', async () => {
|
|
34
|
+
process.env.CMS_ENCRYPTION_KEY = KEY;
|
|
35
|
+
const a = await encryptSecret('same');
|
|
36
|
+
const b = await encryptSecret('same');
|
|
37
|
+
expect(a).not.toBe(b);
|
|
38
|
+
expect(await decryptSecret(a)).toBe('same');
|
|
39
|
+
expect(await decryptSecret(b)).toBe('same');
|
|
40
|
+
});
|
|
41
|
+
});
|
|
42
|
+
//# sourceMappingURL=secret-storage.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secret-storage.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/secret-storage.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,kCAAkC,CAAC;AAE1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe;AAE3C,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,GAAG,CAAC;QACrC,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,iBAAiB,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,cAAc,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACjC,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,oEAAoE;QACpE,MAAM,CAAC,MAAM,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,GAAG,CAAC;QACrC,MAAM,KAAK,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,GAAG,CAAC;QACrC,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACtC,MAAM,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,GAAG,CAAC;QACrC,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,CAAC,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"upload-magic.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/security/upload-magic.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { validateMimeType, checkMagicBytes } from '../../security/upload.js';
|
|
3
|
+
describe('validateMimeType', () => {
|
|
4
|
+
it('accepts an allowlisted type', () => {
|
|
5
|
+
expect(validateMimeType('image/png', ['image/png'])).toBe(true);
|
|
6
|
+
});
|
|
7
|
+
it('rejects a non-allowlisted type', () => {
|
|
8
|
+
expect(validateMimeType('text/html', ['image/png'])).toBe(false);
|
|
9
|
+
});
|
|
10
|
+
it('accepts both Set and Array allowlists', () => {
|
|
11
|
+
expect(validateMimeType('image/jpeg', new Set(['image/jpeg']))).toBe(true);
|
|
12
|
+
});
|
|
13
|
+
});
|
|
14
|
+
describe('checkMagicBytes', () => {
|
|
15
|
+
function buf(bytes) {
|
|
16
|
+
return new Uint8Array(bytes);
|
|
17
|
+
}
|
|
18
|
+
it('accepts a real PNG header for image/png', () => {
|
|
19
|
+
const png = buf([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]);
|
|
20
|
+
expect(checkMagicBytes(png, 'image/png').valid).toBe(true);
|
|
21
|
+
});
|
|
22
|
+
it('rejects a JPEG buffer claiming to be PNG', () => {
|
|
23
|
+
const jpeg = buf([0xff, 0xd8, 0xff, 0xe0, 0, 0x10, 0x4a, 0x46, 0x49, 0x46]);
|
|
24
|
+
const result = checkMagicBytes(jpeg, 'image/png');
|
|
25
|
+
expect(result.valid).toBe(false);
|
|
26
|
+
expect(result.detectedMimeType).toBe('image/jpeg');
|
|
27
|
+
});
|
|
28
|
+
it('rejects a WAV file claiming to be WebP (both share the RIFF header)', () => {
|
|
29
|
+
const wav = buf([0x52, 0x49, 0x46, 0x46, 0, 0, 0, 0, 0x57, 0x41, 0x56, 0x45]);
|
|
30
|
+
const result = checkMagicBytes(wav, 'image/webp');
|
|
31
|
+
expect(result.valid).toBe(false);
|
|
32
|
+
expect(result.detectedMimeType).toBe('audio/wav');
|
|
33
|
+
});
|
|
34
|
+
it('accepts a real WebP buffer for image/webp', () => {
|
|
35
|
+
const webp = buf([0x52, 0x49, 0x46, 0x46, 0, 0, 0, 0, 0x57, 0x45, 0x42, 0x50]);
|
|
36
|
+
expect(checkMagicBytes(webp, 'image/webp').valid).toBe(true);
|
|
37
|
+
});
|
|
38
|
+
it('accepts a full GIF89a header but rejects a "GIF" prefix only', () => {
|
|
39
|
+
const valid = buf([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0, 0, 0, 0]);
|
|
40
|
+
expect(checkMagicBytes(valid, 'image/gif').valid).toBe(true);
|
|
41
|
+
const fake = buf([0x47, 0x49, 0x46, 0x00, 0x00, 0x00, 0, 0, 0, 0]);
|
|
42
|
+
// Without the full signature we can't detect the type, but we also won't lie.
|
|
43
|
+
const result = checkMagicBytes(fake, 'image/gif');
|
|
44
|
+
expect(result.valid).toBe(true); // unknown signature => accept (mime allowlist already gated this)
|
|
45
|
+
});
|
|
46
|
+
it('detects SVG by inspecting XML content', () => {
|
|
47
|
+
const svg = new TextEncoder().encode('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>');
|
|
48
|
+
expect(checkMagicBytes(svg, 'image/svg+xml').valid).toBe(true);
|
|
49
|
+
});
|
|
50
|
+
it('detects AVIF using the ftyp brand', () => {
|
|
51
|
+
const avif = buf([0, 0, 0, 0x20, 0x66, 0x74, 0x79, 0x70, 0x61, 0x76, 0x69, 0x66]);
|
|
52
|
+
expect(checkMagicBytes(avif, 'image/avif').valid).toBe(true);
|
|
53
|
+
});
|
|
54
|
+
});
|
|
55
|
+
//# sourceMappingURL=upload-magic.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"upload-magic.test.js","sourceRoot":"","sources":["../../../src/__tests__/security/upload-magic.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE7E,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,gBAAgB,CAAC,WAAW,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,gBAAgB,CAAC,WAAW,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,gBAAgB,CAAC,YAAY,EAAE,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,SAAS,GAAG,CAAC,KAAe;QAC1B,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9E,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAC/E,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpE,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACnE,8EAA8E;QAC9E,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,kEAAkE;IACrG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gEAAgE,CAAC,CAAC;QACvG,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAClF,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"robots.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/seo/robots.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { resolveRobotsDirectives } from '../../seo/robots.js';
|
|
3
|
+
describe('resolveRobotsDirectives', () => {
|
|
4
|
+
it('uses index/follow when no defaults or page overrides are set', () => {
|
|
5
|
+
expect(resolveRobotsDirectives({ environment: 'production' })).toEqual({
|
|
6
|
+
noIndex: false,
|
|
7
|
+
noFollow: false,
|
|
8
|
+
});
|
|
9
|
+
});
|
|
10
|
+
it('uses site-wide defaults when a page does not override robots directives', () => {
|
|
11
|
+
expect(resolveRobotsDirectives({
|
|
12
|
+
settings: { defaultNoIndex: true, defaultNoFollow: true },
|
|
13
|
+
pageData: {},
|
|
14
|
+
environment: 'production',
|
|
15
|
+
})).toEqual({
|
|
16
|
+
noIndex: true,
|
|
17
|
+
noFollow: true,
|
|
18
|
+
});
|
|
19
|
+
});
|
|
20
|
+
it('lets explicit page robots settings override site defaults', () => {
|
|
21
|
+
expect(resolveRobotsDirectives({
|
|
22
|
+
settings: { defaultNoIndex: true, defaultNoFollow: true },
|
|
23
|
+
pageData: { noIndex: false, noFollow: false },
|
|
24
|
+
environment: 'production',
|
|
25
|
+
})).toEqual({
|
|
26
|
+
noIndex: false,
|
|
27
|
+
noFollow: false,
|
|
28
|
+
});
|
|
29
|
+
});
|
|
30
|
+
it('supports explicit per-page robots policies', () => {
|
|
31
|
+
expect(resolveRobotsDirectives({
|
|
32
|
+
settings: { defaultNoIndex: false, defaultNoFollow: false },
|
|
33
|
+
pageData: { robotsPolicy: 'noindex-nofollow' },
|
|
34
|
+
environment: 'production',
|
|
35
|
+
})).toEqual({
|
|
36
|
+
noIndex: true,
|
|
37
|
+
noFollow: true,
|
|
38
|
+
});
|
|
39
|
+
});
|
|
40
|
+
it('can force non-production environments to noindex', () => {
|
|
41
|
+
expect(resolveRobotsDirectives({
|
|
42
|
+
settings: { noIndexNonProduction: true },
|
|
43
|
+
pageData: { noIndex: false },
|
|
44
|
+
environment: 'preview',
|
|
45
|
+
})).toEqual({
|
|
46
|
+
noIndex: true,
|
|
47
|
+
noFollow: false,
|
|
48
|
+
});
|
|
49
|
+
});
|
|
50
|
+
});
|
|
51
|
+
//# sourceMappingURL=robots.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"robots.test.js","sourceRoot":"","sources":["../../../src/__tests__/seo/robots.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAE7C,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAA;AAE7D,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,uBAAuB,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YACrE,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,CACJ,uBAAuB,CAAC;YACtB,QAAQ,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE;YACzD,QAAQ,EAAE,EAAE;YACZ,WAAW,EAAE,YAAY;SAC1B,CAAC,CACH,CAAC,OAAO,CAAC;YACR,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,CACJ,uBAAuB,CAAC;YACtB,QAAQ,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE;YACzD,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;YAC7C,WAAW,EAAE,YAAY;SAC1B,CAAC,CACH,CAAC,OAAO,CAAC;YACR,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CACJ,uBAAuB,CAAC;YACtB,QAAQ,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE;YAC3D,QAAQ,EAAE,EAAE,YAAY,EAAE,kBAAkB,EAAE;YAC9C,WAAW,EAAE,YAAY;SAC1B,CAAC,CACH,CAAC,OAAO,CAAC;YACR,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,CACJ,uBAAuB,CAAC;YACtB,QAAQ,EAAE,EAAE,oBAAoB,EAAE,IAAI,EAAE;YACxC,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YAC5B,WAAW,EAAE,SAAS;SACvB,CAAC,CACH,CAAC,OAAO,CAAC;YACR,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"server-site.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/server-site.test.ts"],"names":[],"mappings":""}
|