@edge-base/server 0.1.1

package/src/__tests__/smoke-skip-report.test.ts

@@ -0,0 +1,72 @@
+import { readFileSync } from 'fs';
+import { resolve } from 'path';
+import { describe, expect, it } from 'vitest';
+
+interface SmokeSkipEntry {
+  method: string;
+  path: string;
+  operationId: string;
+  reasonCode: string;
+  reasonDescription: string;
+}
+
+interface SmokeSkipReport {
+  totalRoutes: number;
+  skippedRouteCount: number;
+  summaryByReason: Record<string, number>;
+  skippedRoutes: SmokeSkipEntry[];
+}
+
+const REPORT_PATH = resolve(
+  new URL('../../test/integration/generated/smoke-skip-report.json', import.meta.url).pathname,
+);
+
+function readReport(): SmokeSkipReport {
+  return JSON.parse(readFileSync(REPORT_PATH, 'utf-8')) as SmokeSkipReport;
+}
+
+describe('smoke skip report', () => {
+  it('tracks the current skip budget by reason', () => {
+    const report = readReport();
+
+    expect({
+      totalRoutes: report.totalRoutes,
+      skippedRouteCount: report.skippedRouteCount,
+      summaryByReason: report.summaryByReason,
+    }).toMatchInlineSnapshot(`
+      {
+        "skippedRouteCount": 0,
+        "summaryByReason": {},
+        "totalRoutes": 192,
+      }
+    `);
+  });
+
+  it('keeps skipped routes sorted and unique', () => {
+    const report = readReport();
+    const serialize = (entry: SmokeSkipEntry) => (
+      `${entry.reasonCode}:${entry.path}:${entry.method}:${entry.operationId}`
+    );
+    const sortedEntries = [...report.skippedRoutes].sort((a, b) => (
+      a.reasonCode.localeCompare(b.reasonCode)
+      || a.path.localeCompare(b.path)
+      || a.method.localeCompare(b.method)
+      || a.operationId.localeCompare(b.operationId)
+    ));
+
+    expect(report.skippedRoutes).toEqual(sortedEntries);
+    expect(new Set(report.skippedRoutes.map(serialize)).size).toBe(report.skippedRoutes.length);
+  });
+
+  it('requires every skipped route to explain itself', () => {
+    const report = readReport();
+
+    for (const entry of report.skippedRoutes) {
+      expect(entry.reasonCode.trim().length, `${entry.operationId} is missing reasonCode.`).toBeGreaterThan(0);
+      expect(
+        entry.reasonDescription.trim().length,
+        `${entry.operationId} is missing reasonDescription.`,
+      ).toBeGreaterThan(0);
+    }
+  });
+});

package/src/__tests__/sms-provider.test.ts

@@ -0,0 +1,39 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { createSmsProvider } from '../lib/sms-provider.js';
+
+const originalFetch = globalThis.fetch;
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+  vi.restoreAllMocks();
+});
+
+describe('createSmsProvider', () => {
+  it('returns a mock sms provider when EDGEBASE_SMS_API_URL is set', async () => {
+    const fetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ sid: 'mock-sid-1' }), {
+        status: 200,
+        headers: { 'content-type': 'application/json' },
+      }),
+    );
+    vi.stubGlobal('fetch', fetchMock);
+
+    const provider = createSmsProvider(undefined, {
+      EDGEBASE_SMS_API_URL: 'https://mock.example/sms',
+    });
+    expect(provider).not.toBeNull();
+
+    const result = await provider!.send({
+      to: '+821012341234',
+      body: 'Your code is: 123456',
+    });
+
+    expect(result).toEqual({ success: true, messageId: 'mock-sid-1' });
+    expect(fetchMock).toHaveBeenCalledWith(
+      'https://mock.example/sms/send',
+      expect.objectContaining({
+        method: 'POST',
+      }),
+    );
+  });
+});

package/src/__tests__/sql-route.test.ts

@@ -0,0 +1,218 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { OpenAPIHono, type HonoEnv } from '../lib/hono.js';
+import { sqlRoute } from '../routes/sql.js';
+import { setConfig } from '../lib/do-router.js';
+import { defineConfig } from '@edge-base/shared';
+import type { Env } from '../types.js';
+import { executeDoSql } from '../lib/do-sql.js';
+
+function createApp() {
+  const app = new OpenAPIHono<HonoEnv>();
+  app.route('/api/sql', sqlRoute);
+  return app;
+}
+
+describe('sql route', () => {
+  afterEach(() => {
+    setConfig({});
+  });
+
+  it('rejects unconfigured shared namespace instead of treating it as implicit', async () => {
+    setConfig(defineConfig({
+      databases: {
+        app: {
+          tables: {
+            posts: { schema: { title: { type: 'string' } } },
+          },
+        },
+      },
+    }));
+
+    const app = createApp();
+    const response = await app.request('/api/sql', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ namespace: 'shared', sql: 'SELECT 1' }),
+    }, {} as Env);
+
+    expect(response.status).toBe(404);
+    await expect(response.json()).resolves.toMatchObject({
+      code: 404,
+      message: "Namespace 'shared' not found in config",
+    });
+  });
+
+  it('retries dynamic DO SQL after create handshake and forwards the DO name', async () => {
+    setConfig(defineConfig({
+      databases: {
+        workspace: {
+          instance: true,
+          tables: {
+            members: { schema: { userId: { type: 'string' } } },
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'root',
+            tier: 'root',
+            scopes: ['*'],
+            secretSource: 'inline',
+            inlineSecret: 'sk-root',
+          },
+        ],
+      },
+    }));
+
+    const stub = {
+      fetch: vi.fn()
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify({ needsCreate: true, namespace: 'workspace', id: 'ws-1' }), {
+            status: 201,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        )
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify({ rows: [{ total: 1 }] }), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+    };
+    const env = {
+      DATABASE: {
+        idFromName: vi.fn().mockReturnValue('do-id'),
+        get: vi.fn().mockReturnValue(stub),
+      },
+    } as unknown as Env;
+
+    const app = createApp();
+    const response = await app.request('/api/sql', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-EdgeBase-Service-Key': 'sk-root',
+      },
+      body: JSON.stringify({
+        namespace: 'workspace',
+        id: 'ws-1',
+        sql: 'SELECT COUNT(*) AS total FROM members',
+        params: [],
+      }),
+    }, env);
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toMatchObject({
+      rows: [{ total: 1 }],
+      items: [{ total: 1 }],
+      results: [{ total: 1 }],
+    });
+    expect(stub.fetch).toHaveBeenCalledTimes(2);
+    const firstRequest = stub.fetch.mock.calls[0]?.[0] as Request;
+    const secondRequest = stub.fetch.mock.calls[1]?.[0] as Request;
+    expect(firstRequest.headers.get('X-DO-Name')).toBe('workspace:ws-1');
+    expect(firstRequest.headers.get('X-DO-Create-Authorized')).toBeNull();
+    await expect(firstRequest.json()).resolves.toEqual({
+      query: 'SELECT COUNT(*) AS total FROM members',
+      params: [],
+    });
+    expect(secondRequest.headers.get('X-DO-Name')).toBe('workspace:ws-1');
+    expect(secondRequest.headers.get('X-DO-Create-Authorized')).toBe('1');
+  });
+
+  it('uses D1 run() for non-SELECT SQL so schema mutations actually execute', async () => {
+    setConfig(defineConfig({
+      databases: {
+        shared: {
+          tables: {
+            posts: { schema: { title: { type: 'string' } } },
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'root',
+            tier: 'root',
+            scopes: ['*'],
+            secretSource: 'inline',
+            inlineSecret: 'sk-root',
+          },
+        ],
+      },
+    }));
+
+    const stmt: {
+      bind: ReturnType<typeof vi.fn>;
+      all: ReturnType<typeof vi.fn>;
+      run: ReturnType<typeof vi.fn>;
+    } = {
+      bind: vi.fn(() => stmt),
+      all: vi.fn().mockResolvedValue({ results: [] }),
+      run: vi.fn().mockResolvedValue({ meta: { changes: 0 } }),
+    };
+    const env = {
+      DB_D1_SHARED: {
+        prepare: vi.fn(() => stmt),
+      },
+    } as unknown as Env;
+
+    const app = createApp();
+    const response = await app.request('/api/sql', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-EdgeBase-Service-Key': 'sk-root',
+      },
+      body: JSON.stringify({
+        namespace: 'shared',
+        sql: 'ALTER TABLE "posts" RENAME TO "articles"',
+      }),
+    }, env);
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toMatchObject({
+      rows: [],
+      rowCount: 0,
+    });
+    expect((env as unknown as { DB_D1_SHARED: { prepare: ReturnType<typeof vi.fn> } }).DB_D1_SHARED.prepare).toHaveBeenCalledWith(
+      'ALTER TABLE "posts" RENAME TO "articles"',
+    );
+    expect(stmt.run).toHaveBeenCalledTimes(1);
+    expect(stmt.all).not.toHaveBeenCalled();
+  });
+
+  it('executeDoSql retries the create handshake before returning rows', async () => {
+    const stub = {
+      fetch: vi.fn()
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify({ needsCreate: true, namespace: 'workspace', id: 'ws-2' }), {
+            status: 201,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        )
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify({ rows: [{ total: 2 }] }), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+    };
+
+    const rows = await executeDoSql({
+      databaseNamespace: {
+        idFromName: vi.fn().mockReturnValue('do-id'),
+        get: vi.fn().mockReturnValue(stub),
+      } as unknown as DurableObjectNamespace,
+      namespace: 'workspace',
+      id: 'ws-2',
+      query: 'SELECT COUNT(*) AS total FROM members',
+      params: [],
+      internal: true,
+    });
+
+    expect(rows).toEqual([{ total: 2 }]);
+    expect(stub.fetch).toHaveBeenCalledTimes(2);
+  });
+});

package/src/__tests__/storage-hook-context.test.ts

@@ -0,0 +1,115 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { defineConfig } from '@edge-base/shared';
+import { setConfig } from '../lib/do-router.js';
+import { OpenAPIHono, type HonoEnv } from '../lib/hono.js';
+import { storageRoute } from '../routes/storage.js';
+import type { Env } from '../types.js';
+
+function createApp() {
+  const app = new OpenAPIHono<HonoEnv>();
+  app.route('/api/storage', storageRoute);
+  return app;
+}
+
+function createEnv(): Env {
+  return {
+    STORAGE: {
+      put: vi.fn().mockResolvedValue({
+        key: 'avatars/notify/upload.txt',
+        size: 5,
+        etag: 'etag-1',
+        uploaded: new Date('2025-01-01T00:00:00.000Z'),
+        httpMetadata: { contentType: 'text/plain' },
+        customMetadata: {},
+      }),
+    },
+  } as unknown as Env;
+}
+
+describe('Storage hook context', () => {
+  afterEach(() => {
+    setConfig({});
+    vi.unstubAllGlobals();
+    vi.clearAllMocks();
+  });
+
+  it('routes push self-calls through the request origin using the root service key', async () => {
+    setConfig(defineConfig({
+      release: true,
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'storage-write',
+            tier: 'scoped',
+            scopes: ['storage:bucket:avatars:write'],
+            secretSource: 'inline',
+            inlineSecret: 'sk-storage-write',
+          },
+          {
+            kid: 'root',
+            tier: 'root',
+            scopes: ['*'],
+            secretSource: 'inline',
+            inlineSecret: 'sk-root',
+          },
+        ],
+      },
+      storage: {
+        buckets: {
+          avatars: {
+            access: {
+              write: () => true,
+            },
+            handlers: {
+              hooks: {
+                beforeUpload: async (_auth, file, ctx) => {
+                  await ctx.push.send('user-123', { body: `Uploaded ${file.key}` });
+                },
+              },
+            },
+          },
+        },
+      },
+    }));
+
+    const fetchMock = vi.fn().mockResolvedValue(new Response(
+      JSON.stringify({ sent: 1, failed: 0, removed: 0 }),
+      {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      },
+    ));
+    vi.stubGlobal('fetch', fetchMock);
+
+    const app = createApp();
+    const form = new FormData();
+    form.append('file', new Blob(['hello'], { type: 'text/plain' }), 'hello.txt');
+    form.append('key', 'notify/upload.txt');
+    const executionCtx = {
+      waitUntil: vi.fn(),
+      passThroughOnException: vi.fn(),
+    } as unknown as ExecutionContext;
+
+    const response = await app.fetch(new Request('https://storage.example.test/api/storage/avatars/upload', {
+      method: 'POST',
+      headers: { 'X-EdgeBase-Service-Key': 'sk-root' },
+      body: form,
+    }), createEnv(), executionCtx);
+
+    expect(response.status).toBe(201);
+    expect(fetchMock).toHaveBeenCalledWith(
+      'https://storage.example.test/api/push/send',
+      expect.objectContaining({
+        method: 'POST',
+        headers: expect.objectContaining({
+          'Content-Type': 'application/json',
+          'X-EdgeBase-Service-Key': 'sk-root',
+        }),
+        body: JSON.stringify({
+          userId: 'user-123',
+          payload: { body: 'Uploaded notify/upload.txt' },
+        }),
+      }),
+    );
+  });
+});

package/src/__tests__/totp.test.ts

@@ -0,0 +1,200 @@
+/**
+ * 서버 단위 테스트 — lib/totp.ts
+ *
+ * 실행: cd packages/server && npx vitest run src/__tests__/totp.test.ts
+ *
+ * 테스트 대상:
+ *   generateTOTPSecret / generateTOTPUri / verifyTOTP
+ *   generateRecoveryCodes / encryptSecret / decryptSecret
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  generateTOTPSecret,
+  generateTOTPUri,
+  verifyTOTP,
+  generateRecoveryCodes,
+  encryptSecret,
+  decryptSecret,
+} from '../lib/totp.js';
+
+// ─── A. generateTOTPSecret ──────────────────────────────────────────────────
+
+describe('generateTOTPSecret', () => {
+  it('returns a base32 string', () => {
+    const secret = generateTOTPSecret();
+    expect(secret).toMatch(/^[A-Z2-7]+$/);
+  });
+
+  it('returns 32 characters (20 bytes → 32 base32 chars)', () => {
+    const secret = generateTOTPSecret();
+    expect(secret.length).toBe(32);
+  });
+
+  it('different calls produce different secrets', () => {
+    const s1 = generateTOTPSecret();
+    const s2 = generateTOTPSecret();
+    expect(s1).not.toBe(s2);
+  });
+});
+
+// ─── B. generateTOTPUri ─────────────────────────────────────────────────────
+
+describe('generateTOTPUri', () => {
+  it('returns otpauth:// URI', () => {
+    const uri = generateTOTPUri('JBSWY3DPEHPK3PXP', 'user@example.com', 'MyApp');
+    expect(uri).toMatch(/^otpauth:\/\/totp\//);
+  });
+
+  it('includes secret parameter', () => {
+    const uri = generateTOTPUri('MYSECRET', 'u@e.com', 'App');
+    expect(uri).toContain('secret=MYSECRET');
+  });
+
+  it('includes issuer parameter', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'MyApp');
+    expect(uri).toContain('issuer=MyApp');
+  });
+
+  it('includes algorithm=SHA1', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'App');
+    expect(uri).toContain('algorithm=SHA1');
+  });
+
+  it('includes digits=6', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'App');
+    expect(uri).toContain('digits=6');
+  });
+
+  it('includes period=30', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'App');
+    expect(uri).toContain('period=30');
+  });
+
+  it('encodes special characters in issuer', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'My App & Co');
+    expect(uri).toContain('My%20App%20%26%20Co');
+  });
+
+  it('encodes email in label', () => {
+    const uri = generateTOTPUri('SECRET', 'user@example.com', 'App');
+    expect(uri).toContain('user%40example.com');
+  });
+
+  it('label format is issuer:email', () => {
+    const uri = generateTOTPUri('SECRET', 'u@e.com', 'MyApp');
+    expect(uri).toContain('MyApp:u%40e.com');
+  });
+});
+
+// ─── C. verifyTOTP ──────────────────────────────────────────────────────────
+
+describe('verifyTOTP', () => {
+  it('empty code → false', async () => {
+    expect(await verifyTOTP('JBSWY3DPEHPK3PXP', '')).toBe(false);
+  });
+
+  it('wrong length code (5 digits) → false', async () => {
+    expect(await verifyTOTP('JBSWY3DPEHPK3PXP', '12345')).toBe(false);
+  });
+
+  it('wrong length code (7 digits) → false', async () => {
+    expect(await verifyTOTP('JBSWY3DPEHPK3PXP', '1234567')).toBe(false);
+  });
+
+  it('random 6-digit code with random secret → false (extremely likely)', async () => {
+    const secret = generateTOTPSecret();
+    // A random code should almost never match
+    expect(await verifyTOTP(secret, '999999')).toBe(false);
+  });
+
+  it('window parameter controls step range', async () => {
+    // With window=0, only the current step is checked
+    const secret = generateTOTPSecret();
+    const result = await verifyTOTP(secret, '000000', 0);
+    expect(typeof result).toBe('boolean');
+  });
+});
+
+// ─── D. generateRecoveryCodes ───────────────────────────────────────────────
+
+describe('generateRecoveryCodes', () => {
+  it('default: 8 codes', () => {
+    const codes = generateRecoveryCodes();
+    expect(codes.length).toBe(8);
+  });
+
+  it('custom count', () => {
+    const codes = generateRecoveryCodes(5);
+    expect(codes.length).toBe(5);
+  });
+
+  it('each code is 8 characters', () => {
+    const codes = generateRecoveryCodes();
+    for (const code of codes) {
+      expect(code.length).toBe(8);
+    }
+  });
+
+  it('codes use unambiguous charset (no 0/o/1/l/i)', () => {
+    const codes = generateRecoveryCodes(20);
+    const combined = codes.join('');
+    expect(combined).not.toMatch(/[01ilo]/);
+  });
+
+  it('codes only contain allowed characters', () => {
+    const allowed = /^[abcdefghjkmnpqrstuvwxyz23456789]+$/;
+    const codes = generateRecoveryCodes(10);
+    for (const code of codes) {
+      expect(code).toMatch(allowed);
+    }
+  });
+
+  it('zero count → empty array', () => {
+    const codes = generateRecoveryCodes(0);
+    expect(codes).toEqual([]);
+  });
+});
+
+// ─── E. encryptSecret / decryptSecret ───────────────────────────────────────
+
+describe('encryptSecret / decryptSecret', () => {
+  it('round-trip: encrypt then decrypt returns original', async () => {
+    const original = 'JBSWY3DPEHPK3PXP';
+    const encrypted = await encryptSecret(original, 'my-key-material');
+    const decrypted = await decryptSecret(encrypted, 'my-key-material');
+    expect(decrypted).toBe(original);
+  });
+
+  it('encrypted output is base64', async () => {
+    const encrypted = await encryptSecret('test-secret', 'key');
+    // Base64 characters only
+    expect(encrypted).toMatch(/^[A-Za-z0-9+/=]+$/);
+  });
+
+  it('different keys produce different ciphertexts', async () => {
+    const e1 = await encryptSecret('same', 'key1');
+    const e2 = await encryptSecret('same', 'key2');
+    expect(e1).not.toBe(e2);
+  });
+
+  it('same key + same plaintext → different ciphertexts (random IV)', async () => {
+    const e1 = await encryptSecret('same', 'same-key');
+    const e2 = await encryptSecret('same', 'same-key');
+    expect(e1).not.toBe(e2);
+  });
+
+  it('wrong key → throws (AES-GCM decryption failure)', async () => {
+    const encrypted = await encryptSecret('secret', 'correct-key');
+    await expect(
+      decryptSecret(encrypted, 'wrong-key'),
+    ).rejects.toThrow();
+  });
+
+  it('unicode secret round-trip', async () => {
+    const original = '한글시크릿🔑';
+    const encrypted = await encryptSecret(original, 'key');
+    const decrypted = await decryptSecret(encrypted, 'key');
+    expect(decrypted).toBe(original);
+  });
+});