@edge-base/server 0.1.1

package/src/__tests__/broadcast.test.ts

@@ -0,0 +1,128 @@
+/**
+ * 서버 단위 테스트 — database-live broadcast 로직
+ * 1-19 broadcast.test.ts — 20개
+ *
+ * 실행: cd packages/server && npx vitest run src/__tests__/broadcast.test.ts
+ *
+ * NOTE: broadcast HTTP API는 database-live.ts에서 Service Key 필수.
+ *       여기서는 broadcast 페이로드 구조 + 서비스 키 가드 로직 검증
+ */
+
+import { describe, it, expect } from 'vitest';
+
+// ── Broadcast 페이로드 검증 로직 (database-live.ts와 동일 패턴) ───────────────────
+
+interface BroadcastBody {
+  channel?: string;
+  event?: string;
+  payload?: Record<string, unknown>;
+}
+
+function validateBroadcastBody(body: BroadcastBody): { valid: boolean; error?: string } {
+  if (!body.channel || typeof body.channel !== 'string') {
+    return { valid: false, error: 'channel is required' };
+  }
+  if (!body.event || typeof body.event !== 'string') {
+    return { valid: false, error: 'event is required' };
+  }
+  return { valid: true };
+}
+
+//: Broadcast requires Service Key
+function checkServiceKey(key: string | undefined): 'missing' | 'invalid' | 'valid' {
+  if (!key) return 'missing';
+  if (!key.startsWith('sk_')) return 'invalid'; // simplified check
+  return 'valid';
+}
+
+// ─── A. 페이로드 검증 ─────────────────────────────────────────────────────────
+
+describe('validateBroadcastBody', () => {
+  it('valid body → valid', () => {
+    const result = validateBroadcastBody({ channel: 'ch-1', event: 'message' });
+    expect(result.valid).toBe(true);
+  });
+
+  it('missing channel → invalid', () => {
+    const result = validateBroadcastBody({ event: 'message' });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('channel');
+  });
+
+  it('missing event → invalid', () => {
+    const result = validateBroadcastBody({ channel: 'ch-1' });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('event');
+  });
+
+  it('empty channel → invalid', () => {
+    const result = validateBroadcastBody({ channel: '', event: 'msg' });
+    expect(result.valid).toBe(false);
+  });
+
+  it('empty event → invalid', () => {
+    const result = validateBroadcastBody({ channel: 'ch-1', event: '' });
+    expect(result.valid).toBe(false);
+  });
+
+  it('with payload → valid', () => {
+    const result = validateBroadcastBody({
+      channel: 'ch-1',
+      event: 'data',
+      payload: { key: 'value' },
+    });
+    expect(result.valid).toBe(true);
+  });
+
+  it('payload undefined (optional) → valid', () => {
+    const result = validateBroadcastBody({ channel: 'ch', event: 'ev' });
+    expect(result.valid).toBe(true);
+  });
+});
+
+// ─── B. Service Key 가드 ───────────────────────────────
+
+describe('checkServiceKey', () => {
+  it('missing key → missing', () => {
+    expect(checkServiceKey(undefined)).toBe('missing');
+  });
+
+  it('empty string → missing', () => {
+    // falsy
+    expect(checkServiceKey('')).toBe('missing');
+  });
+
+  it('valid sk_ prefix → valid', () => {
+    expect(checkServiceKey('sk_test_valid_key')).toBe('valid');
+  });
+
+  it('invalid format → invalid', () => {
+    expect(checkServiceKey('Bearer my-token')).toBe('invalid');
+  });
+
+  it('random string → invalid', () => {
+    expect(checkServiceKey('random-key-without-prefix')).toBe('invalid');
+  });
+});
+
+// ─── C. Broadcast 이벤트 구조 ─────────────────────────────────────────────────
+
+describe('Broadcast event structure', () => {
+  it('fire-and-forget: no return value expected', () => {
+    // Broadcast는 fire-and-forget → 반환값 없음, ok: true만
+    const broadcastResult = { ok: true };
+    expect(broadcastResult.ok).toBe(true);
+  });
+
+  it('broadcast payload merged with defaults', () => {
+    const payload = undefined;
+    const normalizedPayload = payload ?? {};
+    expect(normalizedPayload).toEqual({});
+  });
+
+  it('broadcast event name is preserved', () => {
+    const event = 'game:scored';
+    // event는 그대로 전달
+    expect(event).toBe('game:scored');
+  });
+});

package/src/__tests__/cli.test.ts

@@ -0,0 +1,178 @@
+/**
+ * 서버 단위 테스트 — CLI keys.ts + service-key.ts
+ * 1-24 cli.test.ts — 40개
+ *
+ * 실행: cd packages/server && npx vitest run src/__tests__/cli.test.ts
+ *
+ * NOTE:
+ *   - CLI 명령 실행 없이 순수 함수만 테스트
+ *   - generateServiceKey / maskKey → keys.ts에서 export
+ *   - matchesScope / buildConstraintCtx → service-key.ts에서 export
+ */
+
+import { describe, it, expect } from 'vitest';
+import { generateServiceKey, maskKey } from '../../../cli/src/commands/keys.js';
+import {
+  matchesScope,
+  buildConstraintCtx,
+} from '../lib/service-key.js';
+import type { ServiceKeyEntry } from '@edge-base/shared';
+
+// ─── A. generateServiceKey ────────────────────────────────────────────────────
+
+describe('generateServiceKey', () => {
+  it('returns 64-character hex string', () => {
+    const key = generateServiceKey();
+    expect(key).toHaveLength(64);
+    expect(key).toMatch(/^[0-9a-f]+$/);
+  });
+
+  it('generates unique keys each call', () => {
+    const a = generateServiceKey();
+    const b = generateServiceKey();
+    expect(a).not.toBe(b);
+  });
+
+  it('is cryptographically unpredictable (entropy check via uniqueness)', () => {
+    const set = new Set<string>();
+    for (let i = 0; i < 20; i++) set.add(generateServiceKey());
+    expect(set.size).toBe(20);
+  });
+});
+
+// ─── B. maskKey ──────────────────────────────────────────────────────────────
+
+describe('maskKey', () => {
+  it('short key (<=8) → ****', () => {
+    expect(maskKey('abc')).toBe('****');
+    expect(maskKey('12345678')).toBe('****');
+  });
+
+  it('long key → sk_***...{last4}', () => {
+    const key = '0'.repeat(60) + 'abcd';
+    const masked = maskKey(key);
+    expect(masked).toMatch(/^sk_\*+abcd$/);
+  });
+
+  it('shows last 4 characters', () => {
+    const key = generateServiceKey();
+    const masked = maskKey(key);
+    expect(masked.endsWith(key.slice(-4))).toBe(true);
+  });
+
+  it('always starts with sk_', () => {
+    const key = generateServiceKey();
+    expect(maskKey(key).startsWith('sk_')).toBe(true);
+  });
+
+  it('does not reveal full key', () => {
+    const key = generateServiceKey();
+    expect(maskKey(key)).not.toBe(key);
+  });
+});
+
+// ─── C. matchesScope ─────────────────────────────────────────────────────────
+
+describe('matchesScope', () => {
+  const rootEntry: ServiceKeyEntry = {
+    kid: 'root-1',
+    tier: 'root',
+    scopes: [],
+    secretSource: 'inline',
+    inlineSecret: 'sk',
+  };
+
+  const scopedEntry: ServiceKeyEntry = {
+    kid: 'scoped-1',
+    tier: 'scoped',
+    scopes: ['storage:bucket:avatars:write'],
+    secretSource: 'inline',
+    inlineSecret: 'sk',
+  };
+
+  const wildcardEntry: ServiceKeyEntry = {
+    kid: 'wild-1',
+    tier: 'scoped',
+    scopes: ['storage:*:*:*'],
+    secretSource: 'inline',
+    inlineSecret: 'sk',
+  };
+
+  const globalWildEntry: ServiceKeyEntry = {
+    kid: 'global-1',
+    tier: 'scoped',
+    scopes: ['*'],
+    secretSource: 'inline',
+    inlineSecret: 'sk',
+  };
+
+  it('root tier always passes', () => {
+    expect(matchesScope('storage:bucket:avatars:write', rootEntry)).toBe(true);
+    expect(matchesScope('db:table:posts:read', rootEntry)).toBe(true);
+  });
+
+  it('exact scope match → valid', () => {
+    expect(matchesScope('storage:bucket:avatars:write', scopedEntry)).toBe(true);
+  });
+
+  it('scope mismatch → invalid', () => {
+    expect(matchesScope('storage:bucket:photos:write', scopedEntry)).toBe(false);
+    expect(matchesScope('db:table:posts:read', scopedEntry)).toBe(false);
+  });
+
+  it('wildcard scope matches domain:*:*:*', () => {
+    expect(matchesScope('storage:bucket:avatars:write', wildcardEntry)).toBe(true);
+    expect(matchesScope('storage:bucket:photos:read', wildcardEntry)).toBe(true);
+  });
+
+  it('wildcard does not cross domains', () => {
+    expect(matchesScope('db:table:posts:read', wildcardEntry)).toBe(false);
+  });
+
+  it('global wildcard "*" matches anything', () => {
+    expect(matchesScope('anything:goes:here:now', globalWildEntry)).toBe(true);
+  });
+
+  it('different segment count → no match', () => {
+    const partial: ServiceKeyEntry = {
+      kid: 'partial',
+      tier: 'scoped',
+      scopes: ['storage:bucket'],
+      secretSource: 'inline',
+      inlineSecret: 'sk',
+    };
+    expect(matchesScope('storage:bucket:avatars:write', partial)).toBe(false);
+  });
+});
+
+// ─── E. buildConstraintCtx ────────────────────────────────────────────────────
+
+describe('buildConstraintCtx', () => {
+  it('extracts env from ENVIRONMENT', () => {
+    const ctx = buildConstraintCtx({ ENVIRONMENT: 'production' });
+    expect(ctx.env).toBe('production');
+  });
+
+  it('no env → undefined', () => {
+    const ctx = buildConstraintCtx({});
+    expect(ctx.env).toBeUndefined();
+  });
+
+  it('extracts IP from cf-connecting-ip header', () => {
+    const req = { header: (name: string) => name === 'cf-connecting-ip' ? '1.2.3.4' : undefined };
+    const ctx = buildConstraintCtx({ EDGEBASE_CONFIG: '{}' }, req);
+    expect(ctx.ip).toBe('1.2.3.4');
+  });
+
+  it('ignores x-forwarded-for unless trustSelfHostedProxy is enabled', () => {
+    const req = { header: (name: string) => name === 'x-forwarded-for' ? '5.6.7.8, 9.10.11.12' : undefined };
+    const ctx = buildConstraintCtx({ EDGEBASE_CONFIG: '{}' }, req);
+    expect(ctx.ip).toBeUndefined();
+  });
+
+  it('falls back to x-forwarded-for when trustSelfHostedProxy is enabled', () => {
+    const req = { header: (name: string) => name === 'x-forwarded-for' ? '5.6.7.8, 9.10.11.12' : undefined };
+    const ctx = buildConstraintCtx({ EDGEBASE_CONFIG: JSON.stringify({ trustSelfHostedProxy: true }) }, req);
+    expect(ctx.ip).toBe('5.6.7.8');
+  });
+});

package/src/__tests__/cloudflare-realtime.test.ts

@@ -0,0 +1,113 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import {
+  CloudflareRealtimeClient,
+  assertCloudflareRealtimeConfig,
+  createCloudflareRealtimeClient,
+  hasCloudflareRealtimeConfig,
+} from '../lib/cloudflare-realtime.js';
+
+describe('cloudflare realtime helpers', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+  });
+
+  it('detects whether the required realtime config is present', () => {
+    expect(hasCloudflareRealtimeConfig({})).toBe(false);
+    expect(hasCloudflareRealtimeConfig({
+      CF_REALTIME_APP_ID: ' app-123 ',
+      CF_REALTIME_APP_SECRET: ' secret-456 ',
+    })).toBe(true);
+  });
+
+  it('normalizes realtime config and defaults the base URL', () => {
+    expect(assertCloudflareRealtimeConfig({
+      CF_REALTIME_APP_ID: ' app-123 ',
+      CF_REALTIME_APP_SECRET: ' secret-456 ',
+      CF_REALTIME_TURN_KEY_ID: ' key-1 ',
+      CF_REALTIME_TURN_API_TOKEN: ' token-1 ',
+    })).toEqual({
+      appId: 'app-123',
+      appSecret: 'secret-456',
+      baseUrl: 'https://rtc.live.cloudflare.com/v1',
+      turnKeyId: 'key-1',
+      turnApiToken: 'token-1',
+    });
+
+    expect(() => assertCloudflareRealtimeConfig({
+      CF_REALTIME_APP_ID: 'missing-secret',
+    })).toThrow('Cloudflare Realtime is not configured');
+  });
+
+  it('creates a realtime client and sends authenticated session requests', async () => {
+    const fetchMock = vi.fn(async (_input: RequestInfo | URL, _init?: RequestInit) =>
+      new Response(JSON.stringify({ sessionId: 'sess-1' }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      }));
+    vi.stubGlobal('fetch', fetchMock);
+
+    const client = createCloudflareRealtimeClient({
+      CF_REALTIME_APP_ID: 'app-123',
+      CF_REALTIME_APP_SECRET: 'secret-456',
+    } as never);
+
+    expect(client).toBeInstanceOf(CloudflareRealtimeClient);
+    await expect(client.createSession({
+      sessionDescription: {
+        sdp: 'offer-sdp',
+        type: 'offer',
+      },
+    }, {
+      thirdparty: true,
+      correlationId: 'corr-1',
+    })).resolves.toEqual({ sessionId: 'sess-1' });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(fetchMock.mock.calls[0]?.[0]).toBe(
+      'https://rtc.live.cloudflare.com/v1/apps/app-123/sessions/new?thirdparty=true&correlationId=corr-1',
+    );
+    expect(fetchMock.mock.calls[0]?.[1]).toMatchObject({
+      method: 'POST',
+      headers: {
+        Authorization: 'Bearer secret-456',
+        'Content-Type': 'application/json',
+      },
+    });
+  });
+
+  it('uses TURN credentials when generating ICE servers', async () => {
+    const fetchMock = vi.fn(async () =>
+      new Response(JSON.stringify({
+        iceServers: [{ urls: 'turn:global.example.com', username: 'user', credential: 'pass' }],
+      }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      }));
+    vi.stubGlobal('fetch', fetchMock);
+
+    const client = new CloudflareRealtimeClient({
+      CF_REALTIME_APP_ID: 'app-123',
+      CF_REALTIME_APP_SECRET: 'secret-456',
+      CF_REALTIME_BASE_URL: 'https://rtc.example.com/base/',
+      CF_REALTIME_TURN_KEY_ID: 'turn-key',
+      CF_REALTIME_TURN_API_TOKEN: 'turn-token',
+    });
+
+    await expect(client.generateIceServers(120)).resolves.toEqual({
+      iceServers: [{ urls: 'turn:global.example.com', username: 'user', credential: 'pass' }],
+    });
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      'https://rtc.example.com/base/turn/keys/turn-key/credentials/generate-ice-servers',
+      {
+        method: 'POST',
+        headers: {
+          Authorization: 'Bearer turn-token',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ ttl: 120 }),
+      },
+    );
+  });
+});