@networkpro/web 1.7.9 → 1.9.0

package/tests/unit/csp-report.test.js

@@ -0,0 +1,81 @@
+/* ==========================================================================
+tests/unit/csp-report.test.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * Tests the edge-functions/csp-report.js CSP reporting endpoint
+ *
+ * @module tests/unit
+ * @author SunDevil311
+ * @updated 2025-05-31
+ */
+
+/** @file Unit tests for edge-functions/csp-report.js using Vitest */
+/** @typedef {import('vitest').TestContext} TestContext */
+
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import handler from "../../netlify/edge-functions/csp-report.js";
+
+// 🧪 Mock fetch used by sendToNtfy inside the Edge Function
+global.fetch = vi.fn(() =>
+  Promise.resolve({ ok: true, status: 200, text: () => "OK" }),
+);
+
+describe("csp-report.js", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should handle a valid CSP report", async () => {
+    const req = new Request("http://localhost/api/csp-report", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        "csp-report": {
+          "document-uri": "https://example.com",
+          "violated-directive": "script-src",
+          "blocked-uri": "https://malicious.site",
+        },
+      }),
+    });
+
+    const res = await handler(req, {});
+    expect(res.status).toBe(204);
+  });
+
+  it("should reject non-POST requests", async () => {
+    const req = new Request("http://localhost/api/csp-report", {
+      method: "GET",
+    });
+
+    const res = await handler(req, {});
+    const text = await res.text();
+    expect(res.status).toBe(405);
+    expect(text).toContain("Method Not Allowed");
+  });
+
+  it("should handle malformed JSON", async () => {
+    const badJson = "{ invalid json }";
+    const req = new Request("http://localhost/api/csp-report", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: badJson,
+    });
+
+    const res = await handler(req, {});
+    expect(res.status).toBe(204); // The current handler swallows errors silently
+  });
+
+  it("should handle missing body", async () => {
+    const req = new Request("http://localhost/api/csp-report", {
+      method: "POST",
+    });
+
+    const res = await handler(req, {});
+    expect(res.status).toBe(204); // No body is also treated silently
+  });
+});

package/tests/unit/lib/utils/purify.test.js

@@ -0,0 +1,50 @@
+/* ==========================================================================
+tests/unit/lib/utils/purify.test.js
+
+Copyright © 2025 Network Pro Strategies (Network Pro™)
+SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+This file is part of Network Pro.
+========================================================================== */
+
+/**
+ * @file purify.test.js
+ * @description Unit test for src/lib/utils/purify.js
+ * @module tests/unit/lib/util
+ * @author SunDevil311
+ * @updated 2025-06-01
+ */
+
+import { describe, expect, it } from "vitest";
+import { sanitizeHtml } from "../../../../src/lib/utils/purify.js";
+
+describe("sanitizeHtml", () => {
+  it("removes dangerous tags like <script>", async () => {
+    const dirty = `<div>Hello <script>alert("XSS")</script> world!</div>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<div>Hello  world!</div>");
+  }); // timeout in ms
+
+  it("preserves safe markup like <strong>", async () => {
+    const dirty = `<p>This is <strong>important</strong>.</p>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<p>This is <strong>important</strong>.</p>");
+  });
+
+  it("removes dangerous attributes like onerror", async () => {
+    const dirty = `<img src="x" onerror="alert(1)">`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe('<img src="x">');
+  });
+
+  it("keeps valid external links", async () => {
+    const dirty = `<a href="https://example.com">Click</a>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe('<a href="https://example.com">Click</a>');
+  });
+
+  it("blocks javascript: URLs", async () => {
+    const dirty = `<a href="javascript:alert('XSS')">bad</a>`;
+    const clean = await sanitizeHtml(dirty);
+    expect(clean).toBe("<a>bad</a>");
+  });
+});

package/vitest.config.client.js

@@ -26,10 +26,14 @@ export default defineConfig({
     name: "client",
     environment: "jsdom",
     clearMocks: true,
-    include: ["tests/unit/**/*.svelte.test.{js,mjs}"],
+    include: [
+      "tests/unit/**/*.test.{js,mjs,svelte}",
+      "tests/internal/**/*.test.{js,mjs,svelte}",
+    ],
     exclude: [],
     setupFiles: ["./vitest-setup-client.js"],
     reporters: ["default", "json"],
+    testTimeout: 10000,
     outputFile: {
       json: "./reports/client/results.json",
     },

package/vitest.config.server.js

@@ -26,6 +26,7 @@ export default defineConfig({
     include: ["tests/unit/**/*.test.{js,mjs}"],
     exclude: ["tests/unit/**/*.svelte.test.{js,mjs}"],
     reporters: ["default", "json"],
+    testTimeout: 10000,
     outputFile: {
       json: "./reports/server/results.json",
     },

package/netlify-functions/cspReport.js

@@ -1,76 +0,0 @@
-/* ==========================================================================
-netlify-functions/cspReport.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/**
- * @file cspReport.js
- * @description Sets up a CSP reporting endpoint with email notifications, to be deployed as a Netlify function.
- * @module netlify-functions
- * @author SunDevil311
- * @updated 2025-05-29
- */
-
-import nodemailer from "nodemailer";
-
-/**
- * Netlify Function: CSP violation report handler
- *
- * @param {import('@netlify/functions').HandlerEvent} event - Incoming Netlify request
- * @returns {Promise<import('@netlify/functions').HandlerResponse>} - Netlify-compatible HTTP response
- */
-export async function handler(event) {
-  try {
-    if (event.httpMethod !== "POST") {
-      return {
-        statusCode: 405,
-        body: "Method Not Allowed",
-      };
-    }
-
-    if (!event.body) {
-      return {
-        statusCode: 400,
-        body: "No body provided",
-      };
-    }
-
-    /** @type {Record<string, any>} */
-    const report = JSON.parse(event.body);
-    const violation = report["csp-report"] || report;
-
-    const shouldSendEmail =
-      process.env.MAIL_ENABLED !== "false" && process.env.NODE_ENV !== "test";
-
-    if (shouldSendEmail) {
-      const transporter = nodemailer.createTransport({
-        host: process.env.SMTP_HOST,
-        port: 465,
-        secure: true,
-        auth: {
-          user: process.env.SMTP_USER,
-          pass: process.env.SMTP_PASS,
-        },
-      });
-
-      await transporter.sendMail({
-        from: `"CSP Reporter" <${process.env.SMTP_USER}>`,
-        to: process.env.NOTIFY_EMAIL,
-        subject: "🚨 CSP Violation Detected",
-        text: JSON.stringify(violation, null, 2),
-      });
-    }
-
-    return {
-      statusCode: 204,
-    };
-  } catch (error) {
-    return {
-      statusCode: 400,
-      body: `Invalid JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
-    };
-  }
-}

package/tests/unit/auditScripts.test.js

@@ -1,43 +0,0 @@
-/* ==========================================================================
-tests/unit/auditScripts.test.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/**
- * Unit test for scripts/auditScripts.js
- */
-
-import fs from "fs";
-import path from "path";
-import { describe, expect, it } from "vitest";
-
-describe("auditScripts.js", () => {
-  it("should identify untested scripts correctly", () => {
-    const scriptsDir = path.resolve("./scripts");
-    const testsDir = path.resolve("./tests");
-
-    const allowList = new Set(["checkNode.js", "auditScripts.js"]);
-
-    const scriptFiles = fs
-      .readdirSync(scriptsDir)
-      .filter((file) => file.endsWith(".js"));
-
-    const testFiles = fs
-      .readdirSync(testsDir)
-      .filter((file) => file.endsWith(".test.js") || file.endsWith(".spec.js"));
-
-    const testedModules = new Set(
-      testFiles.map((f) => f.replace(/\.test\.js$|\.spec\.js$/, "")),
-    );
-
-    const untested = scriptFiles.filter((file) => {
-      const base = file.replace(/\.js$/, "");
-      return !allowList.has(file) && !testedModules.has(base);
-    });
-
-    expect(untested).not.toContain("auditScripts.js");
-  });
-});

package/tests/unit/cspReport.test.js

@@ -1,81 +0,0 @@
-/* ==========================================================================
-tests/unit/cspReport.test.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/** @file Unit tests for netlify-functions/cspReport.js using Vitest */
-/** @typedef {import('vitest').TestContext} TestContext */
-
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import { handler } from "../../netlify-functions/cspReport.js";
-
-// 🧪 Force test mode
-process.env.NODE_ENV = "test";
-process.env.MAIL_ENABLED = "true"; // Still ignored due to NODE_ENV === test
-
-// 🧪 Mock nodemailer to prevent real email sending
-vi.mock("nodemailer", async () => {
-  return {
-    default: {
-      createTransport: () => ({
-        sendMail: vi.fn().mockResolvedValue({}),
-      }),
-    },
-  };
-});
-
-describe("cspReport.js", () => {
-  beforeEach(() => {
-    vi.clearAllMocks(); // reset mocks if needed
-  });
-
-  it("should handle valid CSP report", async () => {
-    /** @type {import('netlify/functions').HandlerEvent} */
-    const event = {
-      httpMethod: "POST",
-      body: JSON.stringify({
-        "csp-report": {
-          "document-uri": "https://example.com",
-          "violated-directive": "script-src",
-        },
-      }),
-    };
-
-    const response = await handler(event);
-    expect(response.statusCode).toBe(204);
-  });
-
-  it("should reject GET requests", async () => {
-    /** @type {import('netlify/functions').HandlerEvent} */
-    const event = { httpMethod: "GET" };
-    const response = await handler(event);
-    expect(response.statusCode).toBe(405);
-    expect(response.body).toContain("Method Not Allowed");
-  });
-
-  it("should handle malformed JSON", async () => {
-    /** @type {import('netlify/functions').HandlerEvent} */
-    const event = {
-      httpMethod: "POST",
-      body: "{ bad json }",
-    };
-
-    const response = await handler(event);
-    expect(response.statusCode).toBe(400);
-    expect(response.body).toContain("Invalid JSON");
-  });
-
-  it("should handle missing body", async () => {
-    /** @type {import('netlify/functions').HandlerEvent} */
-    const event = {
-      httpMethod: "POST",
-    };
-
-    const response = await handler(event);
-    expect(response.statusCode).toBe(400);
-    expect(response.body).toContain("No body provided");
-  });
-});