@assistkick/create 1.0.0

package/templates/product-system/tests/web_terminal.test.ts

@@ -0,0 +1,572 @@
+/**
+ * Unit tests for Web Terminal (feat_073).
+ * Tests PTY session manager logic, command whitelist validation (dec_029),
+ * command execution model, and WebSocket handler auth checks.
+ */
+import { describe, it, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import { PtySessionManager } from '../packages/backend/src/services/pty_session_manager.js';
+
+// --- Command Whitelist (dec_029) ---
+
+describe('Command Prefix Whitelist (dec_029)', () => {
+  const mockLog = mock.fn();
+  const mockSpawn = mock.fn(() => ({
+    onData: mock.fn(),
+    onExit: mock.fn(),
+    write: mock.fn(),
+    resize: mock.fn(),
+    kill: mock.fn(),
+  }));
+  const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+  it('allows "claude" command', () => {
+    const result = manager.validateCommand('claude');
+    assert.equal(result.valid, true);
+    assert.equal(result.error, undefined);
+  });
+
+  it('allows "claude login" command', () => {
+    const result = manager.validateCommand('claude login');
+    assert.equal(result.valid, true);
+  });
+
+  it('allows "claude --version" command', () => {
+    const result = manager.validateCommand('claude --version');
+    assert.equal(result.valid, true);
+  });
+
+  it('rejects "ls" command', () => {
+    const result = manager.validateCommand('ls');
+    assert.equal(result.valid, false);
+    assert.ok(result.error?.includes('not allowed'));
+  });
+
+  it('rejects "rm -rf /" command', () => {
+    const result = manager.validateCommand('rm -rf /');
+    assert.equal(result.valid, false);
+    assert.ok(result.error?.includes('not allowed'));
+  });
+
+  it('rejects "bash" command', () => {
+    const result = manager.validateCommand('bash');
+    assert.equal(result.valid, false);
+  });
+
+  it('rejects empty command', () => {
+    const result = manager.validateCommand('');
+    assert.equal(result.valid, false);
+    assert.ok(result.error?.includes('Empty'));
+  });
+
+  it('rejects whitespace-only command', () => {
+    const result = manager.validateCommand('   ');
+    assert.equal(result.valid, false);
+    assert.ok(result.error?.includes('Empty'));
+  });
+
+  it('trims leading whitespace before validating', () => {
+    const result = manager.validateCommand('  claude login');
+    assert.equal(result.valid, true);
+  });
+
+  it('rejects "git" command (not in whitelist)', () => {
+    const result = manager.validateCommand('git status');
+    assert.equal(result.valid, false);
+    assert.ok(result.error?.includes('not allowed'));
+  });
+
+  it('rejects "claude-imposter" command (must be exact prefix match)', () => {
+    const result = manager.validateCommand('claude-imposter');
+    assert.equal(result.valid, false);
+  });
+});
+
+// --- PTY Session Manager — session lifecycle ---
+
+describe('PtySessionManager session lifecycle', () => {
+  it('creates a new session in idle state (no shell spawned)', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    const session = manager.createSession('user-1', 80, 24);
+    assert.ok(session);
+    assert.equal(session.userId, 'user-1');
+    assert.equal(session.state, 'idle');
+    assert.equal(session.pty, null);
+    // No shell spawned on session creation
+    assert.equal(mockSpawn.mock.calls.length, 0);
+  });
+
+  it('reuses existing session for same user', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    const session1 = manager.createSession('user-1', 80, 24);
+    const session2 = manager.createSession('user-1', 100, 30);
+    assert.equal(session1, session2);
+    assert.equal(mockSpawn.mock.calls.length, 0);
+  });
+
+  it('creates separate sessions for different users', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    const session1 = manager.createSession('user-1', 80, 24);
+    const session2 = manager.createSession('user-2', 80, 24);
+    assert.notEqual(session1, session2);
+  });
+
+  it('getSession returns undefined for unknown user', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    assert.equal(manager.getSession('unknown'), undefined);
+  });
+
+  it('destroySession removes the session and kills running PTY', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    // Simulate a running command by sending "claude\r"
+    manager.writeToSession('user-1', 'claude\r');
+    assert.ok(manager.getSession('user-1'));
+
+    manager.destroySession('user-1');
+    assert.equal(manager.getSession('user-1'), undefined);
+    assert.equal(mockPty.kill.mock.calls.length, 1);
+  });
+
+  it('destroyAll removes all sessions', () => {
+    const mockLog = mock.fn();
+    const mockPty1 = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockPty2 = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const ptys = [mockPty1, mockPty2];
+    let idx = 0;
+    const mockSpawn = mock.fn(() => ptys[idx++]);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    manager.createSession('user-2', 80, 24);
+    // Start commands so PTYs exist
+    manager.writeToSession('user-1', 'claude\r');
+    manager.writeToSession('user-2', 'claude\r');
+
+    manager.destroyAll();
+    assert.equal(manager.getSession('user-1'), undefined);
+    assert.equal(manager.getSession('user-2'), undefined);
+  });
+
+  it('resizeSession updates stored dimensions and forwards to running PTY', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    manager.writeToSession('user-1', 'claude\r'); // start a command so PTY exists
+    manager.resizeSession('user-1', 120, 40);
+
+    assert.equal(mockPty.resize.mock.calls.length, 1);
+    assert.deepEqual(mockPty.resize.mock.calls[0].arguments, [120, 40]);
+
+    const session = manager.getSession('user-1');
+    assert.equal(session?.cols, 120);
+    assert.equal(session?.rows, 40);
+  });
+});
+
+// --- Command execution model (dec_029 enforcement) ---
+
+describe('Command execution — whitelist enforced on every command', () => {
+  it('rejects disallowed command typed character-by-character', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    // Type "ls" and press Enter
+    manager.writeToSession('user-1', 'l');
+    manager.writeToSession('user-1', 's');
+    manager.writeToSession('user-1', '\r');
+
+    // No PTY should have been spawned
+    assert.equal(mockSpawn.mock.calls.length, 0);
+
+    // Output should contain the error message
+    const fullOutput = output.join('');
+    assert.ok(fullOutput.includes('not allowed'));
+  });
+
+  it('allows whitelisted command and spawns PTY', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    manager.writeToSession('user-1', 'claude login\r');
+
+    // PTY should have been spawned with "claude" and ["login"]
+    assert.equal(mockSpawn.mock.calls.length, 1);
+    assert.equal(mockSpawn.mock.calls[0].arguments[0], 'claude');
+    assert.deepEqual(mockSpawn.mock.calls[0].arguments[1], ['login']);
+
+    // Session should be in running state
+    const session = manager.getSession('user-1');
+    assert.equal(session?.state, 'running');
+  });
+
+  it('forwards raw input to running PTY process', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    manager.writeToSession('user-1', 'claude\r');
+
+    // Now send input while command is running
+    manager.writeToSession('user-1', 'hello');
+    assert.equal(mockPty.write.mock.calls.length, 1);
+    assert.equal(mockPty.write.mock.calls[0].arguments[0], 'hello');
+  });
+
+  it('returns to idle state and shows prompt when command exits', () => {
+    const mockLog = mock.fn();
+    let exitHandler: (info: { exitCode: number; signal?: number }) => void = () => {};
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn((handler: (info: { exitCode: number; signal?: number }) => void) => {
+        exitHandler = handler;
+      }),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+    manager.writeToSession('user-1', 'claude --version\r');
+
+    // Simulate command exit
+    exitHandler({ exitCode: 0 });
+
+    const session = manager.getSession('user-1');
+    assert.equal(session?.state, 'idle');
+    assert.equal(session?.pty, null);
+
+    // Should show prompt again
+    const fullOutput = output.join('');
+    assert.ok(fullOutput.includes('$'));
+  });
+
+  it('prevents arbitrary shell commands even after a valid command exits', () => {
+    const mockLog = mock.fn();
+    let exitHandler: (info: { exitCode: number; signal?: number }) => void = () => {};
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn((handler: (info: { exitCode: number; signal?: number }) => void) => {
+        exitHandler = handler;
+      }),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    // Execute a valid command
+    manager.writeToSession('user-1', 'claude --version\r');
+    exitHandler({ exitCode: 0 });
+
+    // Clear output to check next command
+    output.length = 0;
+
+    // Try to execute a disallowed command after returning to idle
+    manager.writeToSession('user-1', 'rm -rf /\r');
+
+    // Should NOT spawn a new PTY
+    assert.equal(mockSpawn.mock.calls.length, 1); // only the first valid command
+    const fullOutput = output.join('');
+    assert.ok(fullOutput.includes('not allowed'));
+  });
+
+  it('handles backspace in idle mode', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    // Type "ls", backspace twice, type "claude"
+    manager.writeToSession('user-1', 'ls');
+    manager.writeToSession('user-1', '\x7f\x7f'); // two backspaces
+    manager.writeToSession('user-1', 'claude\r');
+
+    // Should have spawned claude (not ls)
+    assert.equal(mockSpawn.mock.calls.length, 1);
+    assert.equal(mockSpawn.mock.calls[0].arguments[0], 'claude');
+  });
+
+  it('handles Ctrl+C in idle mode (clears input)', () => {
+    const mockLog = mock.fn();
+    const mockPty = {
+      onData: mock.fn(),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    // Type "rm" then Ctrl+C
+    manager.writeToSession('user-1', 'rm');
+    manager.writeToSession('user-1', '\x03');
+
+    // Then type a valid command
+    manager.writeToSession('user-1', 'claude\r');
+
+    // Should have spawned claude (Ctrl+C cleared "rm")
+    assert.equal(mockSpawn.mock.calls.length, 1);
+    assert.equal(mockSpawn.mock.calls[0].arguments[0], 'claude');
+  });
+
+  it('handles empty Enter (shows prompt again)', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    manager.writeToSession('user-1', '\r');
+
+    // No spawn
+    assert.equal(mockSpawn.mock.calls.length, 0);
+
+    // Should show prompt
+    const fullOutput = output.join('');
+    assert.ok(fullOutput.includes('$'));
+  });
+
+  it('handles spawn failure gracefully', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn(() => { throw new Error('spawn failed'); });
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+    const output: string[] = [];
+
+    manager.createSession('user-1', 80, 24);
+    manager.addListener('user-1', (data) => output.push(data));
+
+    manager.writeToSession('user-1', 'claude\r');
+
+    // Session should remain idle
+    const session = manager.getSession('user-1');
+    assert.equal(session?.state, 'idle');
+
+    // Should show error and prompt
+    const fullOutput = output.join('');
+    assert.ok(fullOutput.includes('Failed to execute'));
+    assert.ok(fullOutput.includes('$'));
+  });
+});
+
+// --- Output buffer (dec_030 — session persistence) ---
+
+describe('PTY output buffering (dec_030)', () => {
+  it('buffers output including welcome message and prompt', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+
+    const buffered = manager.getBufferedOutput('user-1');
+    assert.ok(buffered.includes('Restricted terminal'));
+    assert.ok(buffered.includes('$'));
+  });
+
+  it('buffers PTY command output for reconnection', () => {
+    const mockLog = mock.fn();
+    let dataHandler: ((data: string) => void) | null = null;
+    const mockPty = {
+      onData: mock.fn((handler: (data: string) => void) => { dataHandler = handler; }),
+      onExit: mock.fn(),
+      write: mock.fn(),
+      resize: mock.fn(),
+      kill: mock.fn(),
+    };
+    const mockSpawn = mock.fn(() => mockPty);
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    manager.writeToSession('user-1', 'claude --version\r');
+
+    assert.ok(dataHandler);
+    dataHandler!('Claude v1.0.0');
+
+    const buffered = manager.getBufferedOutput('user-1');
+    assert.ok(buffered.includes('Claude v1.0.0'));
+  });
+
+  it('returns empty string for unknown user', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    assert.equal(manager.getBufferedOutput('unknown'), '');
+  });
+
+  it('notifies listeners when output is produced', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    const listener = mock.fn();
+    manager.addListener('user-1', listener);
+
+    // Typing echoes characters
+    manager.writeToSession('user-1', 'c');
+    assert.ok(listener.mock.calls.length > 0);
+    assert.equal(listener.mock.calls[listener.mock.calls.length - 1].arguments[0], 'c');
+  });
+
+  it('removeListener stops notifications', () => {
+    const mockLog = mock.fn();
+    const mockSpawn = mock.fn();
+    const manager = new PtySessionManager({ spawn: mockSpawn as any, log: mockLog });
+
+    manager.createSession('user-1', 80, 24);
+    const listener = mock.fn();
+    manager.addListener('user-1', listener);
+    manager.removeListener('user-1', listener);
+
+    const callsBefore = listener.mock.calls.length;
+    manager.writeToSession('user-1', 'x');
+    assert.equal(listener.mock.calls.length, callsBefore);
+  });
+});
+
+// --- WebSocket auth checks ---
+
+describe('Terminal WebSocket authentication', () => {
+  it('cookie parser extracts access_token from cookie header', () => {
+    const parseCookies = (cookieHeader: string | undefined): Record<string, string> => {
+      if (!cookieHeader) return {};
+      const cookies: Record<string, string> = {};
+      for (const pair of cookieHeader.split(';')) {
+        const [key, ...rest] = pair.trim().split('=');
+        if (key) {
+          cookies[key] = rest.join('=');
+        }
+      }
+      return cookies;
+    };
+
+    const cookies = parseCookies('access_token=jwt123; refresh_token=ref456');
+    assert.equal(cookies['access_token'], 'jwt123');
+    assert.equal(cookies['refresh_token'], 'ref456');
+  });
+
+  it('returns empty object for undefined cookie header', () => {
+    const parseCookies = (cookieHeader: string | undefined): Record<string, string> => {
+      if (!cookieHeader) return {};
+      const cookies: Record<string, string> = {};
+      for (const pair of cookieHeader.split(';')) {
+        const [key, ...rest] = pair.trim().split('=');
+        if (key) {
+          cookies[key] = rest.join('=');
+        }
+      }
+      return cookies;
+    };
+
+    const cookies = parseCookies(undefined);
+    assert.deepEqual(cookies, {});
+  });
+
+  it('admin role check accepts admin users', () => {
+    const payload = { sub: 'user-1', email: 'admin@test.com', role: 'admin' };
+    assert.equal(payload.role === 'admin', true);
+  });
+
+  it('admin role check rejects non-admin users', () => {
+    const payload = { sub: 'user-2', email: 'user@test.com', role: 'user' };
+    assert.equal(payload.role === 'admin', false);
+  });
+
+  it('admin role check rejects missing role', () => {
+    const payload = { sub: 'user-3', email: 'nobody@test.com' };
+    assert.equal((payload as any).role === 'admin', false);
+  });
+});