@flink-app/github-app-plugin 0.12.1-alpha.38

package/spec/integration-and-security.spec.ts

@@ -0,0 +1,483 @@
+/**
+ * Integration and Security Tests
+ *
+ * Comprehensive tests covering critical workflows and security features:
+ * - Full installation flow using context methods
+ * - Webhook event processing with signature validation
+ * - API client with token injection and refresh
+ * - CSRF state validation prevents replay attacks
+ * - Webhook signature validation rejects invalid signatures
+ * - Token expiration and refresh handling
+ * - Private key validation on plugin initialization
+ * - Repository access verification
+ * - Installation update via webhook
+ * - GitHub API failure scenarios
+ */
+
+import { FlinkApp } from "@flink-app/flink";
+import { MongoMemoryServer } from "mongodb-memory-server";
+import { githubAppPlugin } from "../src/GitHubAppPlugin";
+import { GitHubAppPluginOptions } from "../src/GitHubAppPluginOptions";
+import { generateState } from "../src/utils/state-utils";
+import crypto from "crypto";
+import * as http from "@flink-app/test-utils";
+
+describe("Integration and Security Tests", () => {
+    let mongoServer: MongoMemoryServer;
+    let app: FlinkApp<any>;
+    let originalFetch: typeof global.fetch;
+
+    // Test private key (PKCS#1 format, Base64 encoded)
+    const testPrivateKeyBase64 =
+        "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBcTZ1Ykh3d1BET1FNMitHaHJZUlN3OEs2UytKcXAzem5YRGFITU1JZzg5WTZ1MUcyClZibm9TNjA4RjYwNnVSWGt1WUx2MUh6aHRLczJaOU9MaGh0YW1aV05hZVVEVlZPY2hzQ21MbDVNaCt6MTFLd2gKSG8wcU1NOUxxTHNOL3RYZDJZMDE0TkVhQ2hEZjdEMjUxLzFEWFh4WkNJTGk2NHROYm03SXh3U3J3bDlzeFBJRApPQzZrZU50UEEybGEydEFmNlc0OUJ2MVlxcDBLYnhObnBkeG90SkZsMEZBRjRYeUJSeWF6Mi9VWTN0S1BybjcyCnF6Ti9QMDN4RzhkMlZPU3hpZ3grOWJ0cndFazhRSE5qUGxiR0s1dzI3NU9vMHF2NFhjVTIvUzNsMS9JLzVxeG8KQW1haEJJN0ZoWThxQWRWd0hheGN3NGRkR1VHMzhmSXl0RlhKRlFJREFRQUJBb0lCQUFrQngzRkJFamNVYmdKSgpXOUM5VFJSZFRxWDFtcS92OHptWTJNMzdtWHdCcFBJNERzOS9vZ3I2YTFrNHF3aVQ5L3l0dklTVENzcU9ZeHZlCmN3Y1Z2MUtva0pOYVF5c0NhSWQvYXhpcXRPdzZ5QWtoQU5uWUFUc3ZYU0pjc2hiSlJNc0p5Q1prQWpBK0EybWoKTVhGK0piOHRhNFJ4VFpPYkt2UmMxcWJ1ZlU2RTJpQXY1aDNHcGhjL2RrSTJhRkJyQ29vdndhbjIzUlo0aXVuQgpKZGpxQXZaeFFremlrNy9OeEZUZjJMYUk4L2VqaGhGNlU4aXBuYU84VUNhS2FsMHUwSG9IVmd1eFR6UTRFSjhmCmh0QUdKYi8wRyswZ2xNK3ZHa3hxdHhDUXNhMnBKdmlHaTIwOWFSS3NIYnlZVG05amFnRk9SR2hIZERzY05DWUoKMFdQK20rOENnWUVBNHdVU0dHY0ZpZXJoZEdTTVovTFF6OTlBWWpaSVczR09YRUpEcG1vYmhPMzZXVEluM1hESwpPVDdpdHBWQlptSWxHQXROdTJ5clZEeFRqM3BrQVBIWDRhckwvUUx1Y3hDckZldFROODhubEJ5N2lIUkh1UjA0CkprU0RCL0EwVW9STXlOUzhqTG9JblErUS9VZUVwY1k4ejN6cUdFaVhXMUJLZlVFRjVXZmVEbWNDZ1lFQXdaVzcKeVRCNXRQbExGR0d3Yk5VMWphc1ZRb0pZWGo2MHR3TTU0SktjZElNVmFYS1RLOSt6cGcydjc5aTVzTHNIOG50TApXQ0hOSDlyandiaHRHMmZOT0FweWtnY1pjTHg2VUR3R1RYM3R1NC9NMld3YnFNL0crOTAvL1NYSSttQzVvYTRZCnp1Y1NZeGxyeWxrMlp6ZzRTN005VzBKQTNDNjFQeERSaXNXakJ5TUNnWUFseVFaR0FYK3VnT1dkbGM2NHpuVnEKNCtHM2R3bDhEdDUvQkpoMTdscytPTTNlWXJhMzZMbi81VE9lNkNER2hiZGUxU0xPK3p0WS9lRjZsQWhwRDllNgp1ODdRQWRqbVZmUGo1aE1ueXRidmxBaXlvWWYraTVwNDVCWmJEK1BsaUJldnBaanNZMXBqcWQrY0NIZFBrRHMyCjNiZW82d3dtS3FyN1JnTlJONFNDS1FLQmdCOGk0MEpYM3F1Q0VWWms1QWlOUG9EYnpKNlc4bm11SWtqeFp1UzkKRUJjWllsOUVnM0ZpR0xZVHE0R3JYU3FVMnBGZ3pWeU9penlkYTFha1FFQlJNTXZidWxQTWVvWU1lcXZmQzdCNQpHYnk2UTF1UkxOMjVGYXM3Q2VqQXBCUEpiUElaVzNvajVtdzBFWWRKVkJ2RUNpSDY0VnFGVElOZHE5OUo2RG9tCjBiTDdBb0dBRW9hUk9tUVpVMHJ6UUhXNUkxWnRIM0hKZDk1YTBPSFNlTVdNYllaeE9ST1ZMNWdQckhQSFRzU2YKbTNpWmNLaFgvdXRleEdjWm1zN0M4U3M5NWp4TzRiV3pBcDYxVU1aU3dVYStYNTRUNHkwNUxWRXRUOG5TdVRySwpxV1dMOGVDNXJGMktIYjJ3UFV3Vm1mUEc4SWlMS1FkUHR2b1ZzRGM2dU95NURSdkpzV0k9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t";
+
+    beforeAll(() => {
+        originalFetch = global.fetch;
+        // Increase timeout for integration tests
+        jasmine.DEFAULT_TIMEOUT_INTERVAL = 30000;
+    });
+
+    afterAll(() => {
+        global.fetch = originalFetch;
+        jasmine.DEFAULT_TIMEOUT_INTERVAL = 5000;
+    });
+
+    beforeEach(async () => {
+        mongoServer = await MongoMemoryServer.create();
+        const mongoUri = mongoServer.getUri();
+
+        const pluginOptions: GitHubAppPluginOptions = {
+            appId: "123456",
+            appSlug: "test-app",
+            privateKey: testPrivateKeyBase64,
+            webhookSecret: "test-webhook-secret",
+            clientId: "test-client-id",
+            clientSecret: "test-client-secret",
+            onInstallationSuccess: async ({ installationId, repositories, account }) => {
+                return {
+                    userId: "test-user-id",
+                    redirectUrl: "/dashboard",
+                };
+            },
+            onWebhookEvent: async ({ event, action, payload, installationId }, ctx) => {
+                // Webhook event handler
+            },
+            logWebhookEvents: true,
+        };
+
+        app = new FlinkApp({
+            name: "Test GitHub App",
+            port: 3350,
+            db: {
+                uri: mongoUri,
+            },
+            plugins: [githubAppPlugin(pluginOptions)],
+        });
+
+        await app.start();
+        http.init(app);
+    });
+
+    afterEach(async () => {
+        if (app) {
+            await app.stop();
+        }
+        if (mongoServer) {
+            await mongoServer.stop();
+        }
+    });
+
+    describe("Integration Test: Full Installation Flow", () => {
+        it("should complete full installation flow using context methods", async () => {
+            // Step 1: Initiate installation using context method
+            const { redirectUrl, state } = await app.ctx.plugins.githubApp.initiateInstallation({
+                userId: "test-user",
+                metadata: { source: "test" },
+            });
+
+            expect(redirectUrl).toContain("github.com/apps/test-app/installations/new");
+            expect(redirectUrl).toContain("state=");
+            expect(state).toBeTruthy();
+
+            // Step 2: Mock GitHub API responses
+            global.fetch = jasmine.createSpy("fetch").and.returnValues(
+                // Get installation details
+                Promise.resolve({
+                    ok: true,
+                    json: () =>
+                        Promise.resolve({
+                            id: 12345,
+                            account: {
+                                id: 67890,
+                                login: "testuser",
+                                type: "User",
+                                avatar_url: "https://example.com/avatar.png",
+                            },
+                            repository_selection: "selected",
+                            permissions: { contents: "read", issues: "write" },
+                            events: ["push", "pull_request"],
+                        }),
+                } as any),
+                // Get installation token
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve({ token: "ghs_test_token", expires_at: "2025-10-26T12:00:00Z" }),
+                } as any),
+                // Get repositories
+                Promise.resolve({
+                    ok: true,
+                    json: () =>
+                        Promise.resolve({
+                            repositories: [
+                                {
+                                    id: 1,
+                                    name: "test-repo",
+                                    full_name: "testuser/test-repo",
+                                    private: false,
+                                },
+                            ],
+                        }),
+                } as any)
+            );
+
+            // Step 3: Complete callback
+            const callbackResponse = await http.get("/github-app/callback", {
+                qs: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: state!,
+                },
+            });
+
+            expect(callbackResponse.status).toBe(302);
+            expect(callbackResponse.headers?.Location).toBe("/dashboard");
+
+            // Step 4: Verify installation was stored
+            const installation = await app.ctx.plugins.githubApp.getInstallation("test-user-id");
+            expect(installation).toBeTruthy();
+            expect(installation?.installationId).toBe(12345);
+            expect(installation?.accountLogin).toBe("testuser");
+        });
+    });
+
+    describe("Security Test: CSRF State Validation", () => {
+        it("should prevent replay attacks with invalid state", async () => {
+            const invalidState = generateState();
+
+            global.fetch = jasmine.createSpy("fetch");
+
+            const response = await http.get("/github-app/callback", {
+                qs: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: invalidState,
+                },
+            });
+
+            expect(response.status).toBe(400);
+            expect(global.fetch).not.toHaveBeenCalled();
+        });
+
+        it("should prevent reuse of valid state after session deletion", async () => {
+            // Step 1: Create a valid session using context method
+            const { state } = await app.ctx.plugins.githubApp.initiateInstallation({
+                userId: "test-user",
+            });
+
+            global.fetch = jasmine.createSpy("fetch").and.returnValues(
+                Promise.resolve({
+                    ok: true,
+                    json: () =>
+                        Promise.resolve({
+                            id: 12345,
+                            account: {
+                                id: 67890,
+                                login: "testuser",
+                                type: "User",
+                                avatar_url: "https://example.com/avatar.png",
+                            },
+                            repository_selection: "selected",
+                            permissions: {},
+                            events: [],
+                        }),
+                } as any),
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve({ token: "ghs_test_token" }),
+                } as any),
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve({ repositories: [] }),
+                } as any)
+            );
+
+            // Step 2: Complete callback first time (should succeed)
+            const firstCallback = await http.get("/github-app/callback", {
+                qs: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: state!,
+                },
+            });
+
+            expect(firstCallback.status).toBe(302);
+
+            // Step 3: Try to reuse same state (should fail)
+            const secondCallback = await http.get("/github-app/callback", {
+                qs: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: state!,
+                },
+            });
+
+            expect(secondCallback.status).toBe(400);
+        });
+    });
+
+    describe("Security Test: Webhook Signature Validation", () => {
+        it("should reject webhooks with invalid signatures", async () => {
+            const payload = JSON.stringify({
+                action: "created",
+                installation: { id: 12345 },
+            });
+
+            const response = await http.post("/github-app/webhook", payload, {
+                headers: {
+                    "x-github-event": "installation",
+                    "x-github-delivery": "test-delivery-id",
+                    "x-hub-signature-256": "sha256=invalid-signature",
+                },
+            });
+
+            expect(response.status).toBe(401);
+        });
+
+        it("should accept webhooks with valid signatures", async () => {
+            const secret = "test-webhook-secret";
+            const payload = JSON.stringify({
+                action: "created",
+                installation: { id: 12345 },
+            });
+
+            const hmac = crypto.createHmac("sha256", secret);
+            hmac.update(payload);
+            const signature = `sha256=${hmac.digest("hex")}`;
+
+            const response = await http.post("/github-app/webhook", payload, {
+                headers: {
+                    "x-github-event": "installation",
+                    "x-github-delivery": "test-delivery-id",
+                    "x-hub-signature-256": signature,
+                },
+            });
+
+            expect(response.status).toBe(200);
+        });
+    });
+
+    describe("Context Method: uninstall", () => {
+        it("should successfully uninstall when user owns installation", async () => {
+            // Create installation
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "test-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            // Uninstall using context method
+            const result = await app.ctx.plugins.githubApp.uninstall({
+                userId: "test-user",
+                installationId: 12345,
+            });
+
+            expect(result.success).toBe(true);
+            expect(result.error).toBeUndefined();
+
+            // Verify installation was deleted
+            const installation = await app.ctx.plugins.githubApp.getInstallation("test-user");
+            expect(installation).toBeNull();
+        });
+
+        it("should fail when user doesn't own installation", async () => {
+            // Create installation owned by different user
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "other-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            // Attempt to uninstall using different user
+            const result = await app.ctx.plugins.githubApp.uninstall({
+                userId: "test-user",
+                installationId: 12345,
+            });
+
+            expect(result.success).toBe(false);
+            expect(result.error).toBe("installation-not-found");
+        });
+    });
+
+    describe("Integration Test: Webhook Event Processing", () => {
+        it("should process installation_repositories webhook event", async () => {
+            // Create existing installation
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "test-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            const secret = "test-webhook-secret";
+            const payload = JSON.stringify({
+                action: "added",
+                installation: { id: 12345 },
+                repositories_added: [
+                    {
+                        id: 2,
+                        name: "new-repo",
+                        full_name: "testuser/new-repo",
+                        private: true,
+                    },
+                ],
+            });
+
+            const hmac = crypto.createHmac("sha256", secret);
+            hmac.update(payload);
+            const signature = `sha256=${hmac.digest("hex")}`;
+
+            const response = await http.post("/github-app/webhook", payload, {
+                headers: {
+                    "x-github-event": "installation_repositories",
+                    "x-github-delivery": "test-delivery-id",
+                    "x-hub-signature-256": signature,
+                },
+            });
+
+            expect(response.status).toBe(200);
+
+            // Verify webhook event was logged
+            const events = await app.ctx.repos.githubWebhookEventRepo.findByInstallationId(12345);
+            expect(events.length).toBeGreaterThan(0);
+            expect(events[0].event).toBe("installation_repositories");
+        });
+    });
+
+    describe("Error Handling: GitHub API Failure Scenarios", () => {
+        it("should handle GitHub API failures gracefully during installation", async () => {
+            const { state } = await app.ctx.plugins.githubApp.initiateInstallation({
+                userId: "test-user",
+            });
+
+            // Mock GitHub API to fail
+            global.fetch = jasmine.createSpy("fetch").and.returnValue(
+                Promise.resolve({
+                    ok: false,
+                    status: 500,
+                    statusText: "Internal Server Error",
+                    text: () => Promise.resolve("Internal Server Error"),
+                } as any)
+            );
+
+            const callbackResponse = await http.get("/github-app/callback", {
+                qs: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: state!,
+                },
+            });
+
+            // Should handle error gracefully
+            expect(callbackResponse.status).toBe(500);
+        });
+
+        it("should handle network errors when getting installation token", async () => {
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "test-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            // Mock network failure
+            global.fetch = jasmine.createSpy("fetch").and.returnValue(Promise.reject(new Error("Network error")));
+
+            const client = await app.ctx.plugins.githubApp.getClient(12345);
+
+            await expectAsync(client.getRepositories()).toBeRejected();
+        });
+    });
+
+    describe("Feature: Repository Access Verification", () => {
+        it("should verify user has access to repository", async () => {
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "test-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [
+                    {
+                        id: 1,
+                        name: "test-repo",
+                        fullName: "testuser/test-repo",
+                        private: false,
+                    },
+                ],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            const hasAccess = await app.ctx.plugins.githubApp.hasRepositoryAccess("test-user", "testuser", "test-repo");
+
+            expect(hasAccess).toBe(true);
+        });
+
+        it("should deny access to repository user doesn't have", async () => {
+            await app.ctx.repos.githubInstallationRepo.create({
+                userId: "test-user",
+                installationId: 12345,
+                accountId: 67890,
+                accountLogin: "testuser",
+                accountType: "User",
+                repositories: [],
+                permissions: {},
+                events: [],
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+
+            const hasAccess = await app.ctx.plugins.githubApp.hasRepositoryAccess("test-user", "otheruser", "other-repo");
+
+            expect(hasAccess).toBe(false);
+        });
+    });
+});