@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/operator-token.test.ts

@@ -1,19 +1,24 @@
 import { describe, expect, test } from "bun:test";
-import { mkdtempSync, rmSync, statSync } from "node:fs";
+import { chmodSync, mkdtempSync, rmSync, statSync } from "node:fs";
 import { readFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
-import { validateAccessToken } from "../jwt-sign.ts";
+import { signAccessToken, validateAccessToken } from "../jwt-sign.ts";
 import {
   OPERATOR_TOKEN_AUDIENCE,
+  OPERATOR_TOKEN_AUTO_ROTATE_THRESHOLD_SECONDS,
+  OPERATOR_TOKEN_CLIENT_ID,
   OPERATOR_TOKEN_FILENAME,
   OPERATOR_TOKEN_SCOPES,
+  OPERATOR_TOKEN_SCOPE_SETS,
+  OPERATOR_TOKEN_SCOPE_SET_CLAIM,
   OPERATOR_TOKEN_TTL_SECONDS,
   issueOperatorToken,
   mintOperatorToken,
   operatorTokenPath,
   readOperatorTokenFile,
+  useOperatorTokenWithAutoRotate,
   writeOperatorTokenFile,
 } from "../operator-token.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
@@ -58,10 +63,19 @@ describe("mintOperatorToken", () => {
     }
   });
 
-  test("scopes include hub:admin + parachute:host:admin + vault:admin + scribe:admin + channel:send", () => {
+  test("admin scope-set includes hub:admin + parachute:host:* + vault/scribe/channel admins (#213)", () => {
+    // OPERATOR_TOKEN_SCOPES === OPERATOR_TOKEN_SCOPE_SETS.admin (back-compat
+    // alias). The pre-#213 set was 5 scopes; #213 added the fine-grained
+    // parachute:host:install/start/expose/auth/vault scopes to the admin
+    // superset (admin is "everything", per the scope-set vocabulary).
     expect(OPERATOR_TOKEN_SCOPES).toEqual([
       "hub:admin",
       "parachute:host:admin",
+      "parachute:host:install",
+      "parachute:host:start",
+      "parachute:host:expose",
+      "parachute:host:auth",
+      "parachute:host:vault",
       "vault:admin",
       "scribe:admin",
       "channel:send",
@@ -138,3 +152,365 @@ describe("issueOperatorToken", () => {
     }
   });
 });
+
+describe("operator token defaults (#213)", () => {
+  test("default lifetime is 90d (was 365d through 0.5.7)", () => {
+    expect(OPERATOR_TOKEN_TTL_SECONDS).toBe(90 * 24 * 60 * 60);
+  });
+
+  test("auto-rotate threshold is 7d", () => {
+    expect(OPERATOR_TOKEN_AUTO_ROTATE_THRESHOLD_SECONDS).toBe(7 * 24 * 60 * 60);
+  });
+});
+
+describe("mintOperatorToken scope-sets (#213)", () => {
+  test("default scope-set is admin and embeds the pa_scope_set claim", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const minted = await mintOperatorToken(db, "user-abc", { issuer: TEST_ISSUER });
+        expect(minted.scopeSet).toBe("admin");
+        const validated = await validateAccessToken(db, minted.token, TEST_ISSUER);
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("admin");
+        expect(validated.payload.scope).toBe(OPERATOR_TOKEN_SCOPE_SETS.admin.join(" "));
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("--scope-set=start mints with parachute:host:start only", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const minted = await mintOperatorToken(db, "user-abc", {
+          issuer: TEST_ISSUER,
+          scopeSet: "start",
+        });
+        expect(minted.scopeSet).toBe("start");
+        const validated = await validateAccessToken(db, minted.token, TEST_ISSUER);
+        expect(validated.payload.scope).toBe("parachute:host:start");
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("start");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("install scope-set carries vault:read for new-vault discovery", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const minted = await mintOperatorToken(db, "u", {
+          issuer: TEST_ISSUER,
+          scopeSet: "install",
+        });
+        const validated = await validateAccessToken(db, minted.token, TEST_ISSUER);
+        const scopes = String(validated.payload.scope ?? "").split(" ");
+        expect(scopes).toContain("parachute:host:install");
+        expect(scopes).toContain("vault:read");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("admin set is the superset of all narrow sets", () => {
+    const admin = new Set(OPERATOR_TOKEN_SCOPE_SETS.admin);
+    for (const setName of ["install", "start", "expose", "auth", "vault"] as const) {
+      for (const scope of OPERATOR_TOKEN_SCOPE_SETS[setName]) {
+        // vault:read is in `install` but not (directly) in admin — admin
+        // carries vault:admin which subsumes :read at the resource server.
+        if (scope === "vault:read") continue;
+        expect(admin.has(scope)).toBe(true);
+      }
+    }
+  });
+});
+
+describe("readOperatorTokenFile permission warning (#213)", () => {
+  test("does not warn when file is mode 0600", async () => {
+    const h = makeHarness();
+    const origErr = console.error;
+    let stderr = "";
+    console.error = (...a: unknown[]) => {
+      stderr += `${a.map(String).join(" ")}\n`;
+    };
+    try {
+      await writeOperatorTokenFile("token-abc", h.dir);
+      await readOperatorTokenFile(h.dir);
+      expect(stderr).toBe("");
+    } finally {
+      console.error = origErr;
+      h.cleanup();
+    }
+  });
+
+  test("warns (without failing) when file is world-readable", async () => {
+    const h = makeHarness();
+    const origErr = console.error;
+    let stderr = "";
+    console.error = (...a: unknown[]) => {
+      stderr += `${a.map(String).join(" ")}\n`;
+    };
+    try {
+      const path = await writeOperatorTokenFile("token-abc", h.dir);
+      chmodSync(path, 0o644);
+      const round = await readOperatorTokenFile(h.dir);
+      expect(round).toBe("token-abc");
+      expect(stderr).toContain("operator token file");
+      expect(stderr).toContain("0644");
+      expect(stderr).toContain("chmod 0600");
+    } finally {
+      console.error = origErr;
+      h.cleanup();
+    }
+  });
+});
+
+describe("useOperatorTokenWithAutoRotate (#213)", () => {
+  test("returns the token unchanged when remaining lifetime > threshold", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: TEST_ISSUER,
+          // Default 90d, fresh — well above threshold.
+        });
+        const used = await useOperatorTokenWithAutoRotate(db, {
+          configDir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(used).not.toBeNull();
+        expect(used?.refreshed).toBe(false);
+        expect(used?.rotated).toBeUndefined();
+        expect(used?.token).toBe(issued.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("auto-rotates when within 7d of expiry, preserving scope-set", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint with a 1-day TTL — well below the 7d threshold.
+        const original = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: TEST_ISSUER,
+          scopeSet: "start",
+          ttlSeconds: 24 * 60 * 60,
+        });
+        expect(original.scopeSet).toBe("start");
+
+        const used = await useOperatorTokenWithAutoRotate(db, {
+          configDir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(used).not.toBeNull();
+        expect(used?.refreshed).toBe(true);
+        expect(used?.rotated?.scopeSet).toBe("start");
+        // The on-disk token is now the rotated one.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(used!.token);
+        expect(onDisk).not.toBe(original.token);
+        // The rotated token is still scope-set "start".
+        const validated = await validateAccessToken(db, used!.token, TEST_ISSUER);
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("start");
+        expect(validated.payload.scope).toBe("parachute:host:start");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("does NOT auto-rotate a non-operator-audience JWT stashed at the path (privilege guard)", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Hand-sign a narrow JWT with aud=scribe (not "operator") and a
+        // 1-hour TTL. Even though it's within the rotation window, the
+        // helper must not silently upgrade it to a full operator token.
+        const signed = await signAccessToken(db, {
+          sub: "user-abc",
+          scopes: ["scribe:transcribe"],
+          audience: "scribe",
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: TEST_ISSUER,
+          ttlSeconds: 3600,
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const used = await useOperatorTokenWithAutoRotate(db, {
+          configDir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(used).not.toBeNull();
+        expect(used?.refreshed).toBe(false);
+        expect(used?.rotated).toBeUndefined();
+        expect(used?.token).toBe(signed.token);
+        // On-disk file unchanged.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("returns null when no operator token file exists", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const used = await useOperatorTokenWithAutoRotate(db, {
+          configDir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(used).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("validateAccessToken rejects a fully-expired token (jose enforces exp)", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint a token that's already expired.
+        const expiredAt = new Date("2026-01-01T00:00:00Z");
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: TEST_ISSUER,
+          ttlSeconds: 60,
+          now: () => expiredAt,
+        });
+        expect(issued.token.length).toBeGreaterThan(0);
+        await expect(
+          useOperatorTokenWithAutoRotate(db, { configDir: h.dir, issuer: TEST_ISSUER }),
+        ).rejects.toThrow();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});
+
+// closes #212 Phase 1 — operator-mint paths write to the unified token
+// registry so they show up in the revocation list and admin UI alongside
+// OAuth refresh tokens and CLI mints.
+describe("mintOperatorToken registry write (#212)", () => {
+  test("writes a tokens row with created_via='operator_mint', subject='operator', user_id NULL", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const minted = await mintOperatorToken(db, "user-abc", {
+          issuer: TEST_ISSUER,
+          scopeSet: "start",
+        });
+        const row = db
+          .query<
+            {
+              jti: string;
+              user_id: string | null;
+              subject: string | null;
+              created_via: string;
+              scopes: string;
+              expires_at: string;
+            },
+            [string]
+          >(
+            "SELECT jti, user_id, subject, created_via, scopes, expires_at FROM tokens WHERE jti = ?",
+          )
+          .get(minted.jti);
+        expect(row).not.toBeNull();
+        expect(row?.user_id).toBeNull();
+        expect(row?.subject).toBe("operator");
+        expect(row?.created_via).toBe("operator_mint");
+        expect(row?.scopes).toBe("parachute:host:start");
+        expect(row?.expires_at).toBe(minted.expiresAt);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("auto-rotation writes a fresh registry row for the rotated token", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const original = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: TEST_ISSUER,
+          ttlSeconds: 24 * 60 * 60, // within rotation window
+        });
+        const used = await useOperatorTokenWithAutoRotate(db, {
+          configDir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(used?.refreshed).toBe(true);
+        // The rotated token has a new jti.
+        const newJti = used!.payload.jti as string;
+        expect(newJti).not.toBe(original.jti);
+        const row = db
+          .query<{ jti: string; created_via: string }, [string]>(
+            "SELECT jti, created_via FROM tokens WHERE jti = ?",
+          )
+          .get(newJti);
+        expect(row).not.toBeNull();
+        expect(row?.created_via).toBe("operator_mint");
+        // Both the original and the rotated row exist (the original isn't
+        // auto-revoked — it stays valid until its own exp). Phase 2 may add
+        // a "revoke prior on rotation" toggle; for now we keep both.
+        const origRow = db
+          .query<{ jti: string }, [string]>("SELECT jti FROM tokens WHERE jti = ?")
+          .get(original.jti);
+        expect(origRow).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/origin-check.test.ts

@@ -0,0 +1,220 @@
+import { describe, expect, test } from "bun:test";
+import { buildHubBoundOrigins, isSameOriginRequest } from "../origin-check.ts";
+
+const ISSUER = "https://parachute.taildf9ce2.ts.net";
+const PORT = 1939;
+
+function reqWithHeaders(headers: Record<string, string>): Request {
+  // Bun's Request constructor lower-cases header keys; tests pass whatever
+  // case is conventional in the wild. The URL is irrelevant — only the
+  // headers are inspected by isSameOriginRequest.
+  return new Request("http://placeholder/", { method: "POST", headers });
+}
+
+describe("buildHubBoundOrigins", () => {
+  test("issuer only — single-origin hub", () => {
+    expect(buildHubBoundOrigins({ issuer: ISSUER })).toEqual([ISSUER]);
+  });
+
+  test("issuer + loopback port adds localhost + 127.0.0.1 aliases", () => {
+    const origins = buildHubBoundOrigins({ issuer: ISSUER, loopbackPort: PORT });
+    expect(origins).toContain(ISSUER);
+    expect(origins).toContain(`http://localhost:${PORT}`);
+    expect(origins).toContain(`http://127.0.0.1:${PORT}`);
+    expect(origins.length).toBe(3);
+  });
+
+  test("exposeHubOrigin adds a tailnet/funnel origin when distinct from issuer", () => {
+    // Scenario: hub was started with --issuer http://localhost:1939 (dev),
+    // then `parachute expose tailnet` brought up the tailnet hostname.
+    // exposeHubOrigin captures the post-expose hostname.
+    const origins = buildHubBoundOrigins({
+      issuer: "http://localhost:1939",
+      loopbackPort: PORT,
+      exposeHubOrigin: ISSUER,
+    });
+    expect(origins).toContain("http://localhost:1939");
+    expect(origins).toContain(ISSUER);
+  });
+
+  test("dedups when exposeHubOrigin matches issuer", () => {
+    // Normal case: `parachute expose` set the issuer AND wrote the same
+    // hubOrigin to expose-state.json. The set should still be one entry
+    // for that origin, not two.
+    const origins = buildHubBoundOrigins({
+      issuer: ISSUER,
+      exposeHubOrigin: ISSUER,
+    });
+    expect(origins.filter((o) => o === ISSUER).length).toBe(1);
+  });
+
+  test("malformed inputs are silently dropped", () => {
+    // No URL parser crash — return whatever could be parsed. The caller
+    // (resolveBoundOrigins) keeps the issuer as a baseline anyway.
+    const origins = buildHubBoundOrigins({
+      issuer: ISSUER,
+      exposeHubOrigin: "not a url",
+    });
+    expect(origins).toContain(ISSUER);
+    expect(origins.length).toBe(1);
+  });
+
+  test("normalizes via URL.origin — trailing slash on issuer is stripped", () => {
+    const origins = buildHubBoundOrigins({ issuer: `${ISSUER}/` });
+    expect(origins).toEqual([ISSUER]); // URL.origin drops trailing slash
+  });
+
+  test("non-integer loopbackPort is ignored", () => {
+    // Belt for callers passing through a stringly-typed env var. We don't
+    // want to emit `http://localhost:NaN`.
+    const origins = buildHubBoundOrigins({
+      issuer: ISSUER,
+      loopbackPort: Number.NaN,
+    });
+    expect(origins.every((o) => !o.includes("NaN"))).toBe(true);
+    expect(origins).toContain(ISSUER);
+  });
+});
+
+describe("isSameOriginRequest", () => {
+  const BOUND = buildHubBoundOrigins({ issuer: ISSUER, loopbackPort: PORT });
+
+  describe("Origin header (primary)", () => {
+    test("accepts a request whose Origin matches the issuer", () => {
+      const req = reqWithHeaders({ origin: ISSUER });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("accepts a request whose Origin matches loopback (localhost)", () => {
+      // Closes #245 Case A: operator on http://localhost:1939/login
+      // submitting the approve form — previously rejected because Origin
+      // (localhost) didn't match the configured issuer (tailnet).
+      const req = reqWithHeaders({ origin: `http://localhost:${PORT}` });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("accepts a request whose Origin matches loopback (127.0.0.1)", () => {
+      const req = reqWithHeaders({ origin: `http://127.0.0.1:${PORT}` });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("rejects a real third-party origin", () => {
+      const req = reqWithHeaders({ origin: "https://attacker.example" });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("rejects a port-only mismatch", () => {
+      // A request from `http://localhost:1940` (different port) is NOT
+      // the hub — could be a different service on the same box. The
+      // bound set only includes the hub's own port.
+      const req = reqWithHeaders({ origin: "http://localhost:1940" });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("rejects scheme mismatch (https://localhost vs http://localhost)", () => {
+      // The bound set has http://localhost:<port>; an https://localhost
+      // request shouldn't match. Less likely in practice (loopback is
+      // typically http) but the URL.origin comparison catches it.
+      const req = reqWithHeaders({ origin: `https://localhost:${PORT}` });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("malformed Origin string returns false (does not throw)", () => {
+      const req = reqWithHeaders({ origin: "not a valid url" });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+  });
+
+  describe("Referer header (fallback when Origin is absent)", () => {
+    test("accepts when Referer matches a bound origin", () => {
+      const req = reqWithHeaders({ referer: `${ISSUER}/login` });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("rejects when Referer is third-party", () => {
+      const req = reqWithHeaders({ referer: "https://attacker.example/page" });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("Origin takes priority over Referer when both present", () => {
+      // If Origin says cross-origin, even a same-origin Referer doesn't
+      // rescue. Important: an attacker can sometimes spoof Referer (via
+      // a redirect chain) but cannot spoof Origin from a browser.
+      const req = reqWithHeaders({
+        origin: "https://attacker.example",
+        referer: ISSUER,
+      });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+  });
+
+  describe("Host header (last-resort fallback when Origin + Referer both stripped)", () => {
+    // Closes #245 Case B: Tailscale Serve stripped Origin/Referer from a
+    // legitimate same-origin POST, so neither primary nor secondary
+    // signal was available. Host header reflected the tailnet hostname
+    // the browser thought it was talking to.
+
+    test("accepts when Host matches a bound origin's host:port", () => {
+      const req = reqWithHeaders({
+        host: new URL(ISSUER).host,
+      });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("accepts loopback Host match", () => {
+      const req = reqWithHeaders({ host: `localhost:${PORT}` });
+      expect(isSameOriginRequest(req, BOUND)).toBe(true);
+    });
+
+    test("rejects a third-party Host", () => {
+      const req = reqWithHeaders({ host: "attacker.example" });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("Origin takes priority over Host — Host-only check fires only when Origin+Referer absent", () => {
+      // Same belt-and-suspenders order: Origin says no → reject, even if
+      // Host happens to match. Otherwise an attacker who could induce a
+      // cross-origin POST without browser Origin (rare but theoretical)
+      // could pass with a manipulated Host. Origin remains the primary.
+      const req = reqWithHeaders({
+        origin: "https://attacker.example",
+        host: new URL(ISSUER).host,
+      });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+
+    test("Referer takes priority over Host", () => {
+      const req = reqWithHeaders({
+        referer: "https://attacker.example/page",
+        host: new URL(ISSUER).host,
+      });
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+  });
+
+  describe("no headers at all", () => {
+    test("rejects when Origin, Referer, AND Host are all absent", () => {
+      // Bun synthesizes a Host header from the URL, so we use new Headers()
+      // directly to clear it. The function's contract: with no signal, reject.
+      const req = new Request("http://placeholder/", {
+        method: "POST",
+        headers: new Headers(),
+      });
+      // Bun will still inject Host from the URL, so simulate the stripped
+      // case by passing an explicit empty Host. If Bun adds the URL host,
+      // the check returns true for matching placeholder — but our bound
+      // origins don't include placeholder, so we still return false.
+      expect(isSameOriginRequest(req, BOUND)).toBe(false);
+    });
+  });
+
+  describe("empty bound-origin set (defense fails closed)", () => {
+    test("returns false regardless of headers when no origins are bound", () => {
+      // Mis-wired hub (no issuer, no exposeState, no port) — the function
+      // should reject everything rather than accept everything. Fail-closed
+      // is the right default for a CSRF defense.
+      const req = reqWithHeaders({ origin: ISSUER });
+      expect(isSameOriginRequest(req, [])).toBe(false);
+    });
+  });
+});