@pikku/core 0.12.0 → 0.12.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +24 -0
- package/dist/errors/errors.d.ts +6 -0
- package/dist/errors/errors.js +10 -0
- package/dist/errors/index.d.ts +1 -0
- package/dist/errors/index.js +1 -0
- package/dist/function/function-runner.d.ts +3 -3
- package/dist/function/function-runner.js +66 -44
- package/dist/function/functions.types.d.ts +1 -0
- package/dist/handle-error.d.ts +2 -2
- package/dist/handle-error.js +2 -2
- package/dist/index.d.ts +5 -3
- package/dist/index.js +2 -1
- package/dist/internal.d.ts +3 -0
- package/dist/internal.js +2 -0
- package/dist/middleware/auth-bearer.d.ts +1 -1
- package/dist/middleware/auth-bearer.js +1 -1
- package/dist/middleware/auth-cookie.d.ts +2 -2
- package/dist/middleware/auth-cookie.js +1 -1
- package/dist/middleware/cors.d.ts +2 -2
- package/dist/middleware/cors.js +45 -37
- package/dist/middleware-runner.d.ts +1 -1
- package/dist/permissions.d.ts +2 -2
- package/dist/pikku-state.d.ts +9 -8
- package/dist/pikku-state.js +30 -17
- package/dist/schema.d.ts +4 -4
- package/dist/schema.js +9 -5
- package/dist/services/ai-agent-runner-service.d.ts +22 -3
- package/dist/services/ai-run-state-service.d.ts +1 -1
- package/dist/services/ai-storage-service.d.ts +1 -1
- package/dist/services/content-service.d.ts +6 -0
- package/dist/services/gopass-secrets.d.ts +1 -1
- package/dist/services/gopass-secrets.js +3 -0
- package/dist/services/in-memory-ai-run-state-service.d.ts +15 -0
- package/dist/services/in-memory-ai-run-state-service.js +44 -0
- package/dist/services/in-memory-trigger-service.d.ts +0 -1
- package/dist/services/in-memory-trigger-service.js +6 -8
- package/dist/services/index.d.ts +3 -2
- package/dist/services/index.js +1 -0
- package/dist/services/local-content.d.ts +2 -1
- package/dist/services/local-content.js +6 -1
- package/dist/services/local-secrets.d.ts +2 -2
- package/dist/services/local-variables.d.ts +1 -1
- package/dist/services/logger-console.d.ts +2 -1
- package/dist/services/scheduler-service.d.ts +0 -12
- package/dist/services/scheduler-service.js +0 -6
- package/dist/services/scoped-secret-service.d.ts +1 -1
- package/dist/services/trigger-service.d.ts +0 -7
- package/dist/services/user-session-service.d.ts +3 -3
- package/dist/services/workflow-service.d.ts +2 -3
- package/dist/types/core.types.d.ts +24 -18
- package/dist/types/state.types.d.ts +17 -15
- package/dist/utils.d.ts +5 -5
- package/dist/utils.js +12 -9
- package/dist/wirings/ai-agent/ai-agent-assistant-ui.d.ts +5 -0
- package/dist/wirings/ai-agent/ai-agent-assistant-ui.js +146 -0
- package/dist/wirings/ai-agent/ai-agent-helpers.d.ts +28 -0
- package/dist/wirings/ai-agent/ai-agent-helpers.js +40 -0
- package/dist/wirings/ai-agent/ai-agent-prepare.d.ts +4 -5
- package/dist/wirings/ai-agent/ai-agent-prepare.js +66 -30
- package/dist/wirings/ai-agent/ai-agent-registry.d.ts +1 -1
- package/dist/wirings/ai-agent/ai-agent-runner.js +107 -8
- package/dist/wirings/ai-agent/ai-agent-stream.d.ts +2 -1
- package/dist/wirings/ai-agent/ai-agent-stream.js +246 -87
- package/dist/wirings/ai-agent/ai-agent.types.d.ts +61 -2
- package/dist/wirings/ai-agent/index.d.ts +3 -1
- package/dist/wirings/ai-agent/index.js +2 -0
- package/dist/wirings/channel/channel-common.d.ts +2 -2
- package/dist/wirings/channel/channel-handler.d.ts +3 -3
- package/dist/wirings/channel/channel-handler.js +4 -4
- package/dist/wirings/channel/channel-runner.d.ts +5 -5
- package/dist/wirings/channel/channel-runner.js +3 -2
- package/dist/wirings/channel/channel-store.d.ts +1 -1
- package/dist/wirings/channel/channel.types.d.ts +4 -6
- package/dist/wirings/channel/local/local-channel-runner.d.ts +7 -2
- package/dist/wirings/channel/local/local-channel-runner.js +4 -3
- package/dist/wirings/channel/local/local-eventhub-service.d.ts +2 -2
- package/dist/wirings/channel/log-channels.d.ts +1 -1
- package/dist/wirings/channel/pikku-abstract-channel-handler.d.ts +1 -1
- package/dist/wirings/channel/serverless/serverless-channel-runner.d.ts +4 -4
- package/dist/wirings/channel/serverless/serverless-channel-runner.js +25 -19
- package/dist/wirings/cli/channel/cli-channel-runner.d.ts +1 -1
- package/dist/wirings/cli/cli-runner.d.ts +2 -2
- package/dist/wirings/cli/cli.types.d.ts +3 -3
- package/dist/wirings/cli/command-parser.d.ts +1 -1
- package/dist/wirings/http/http-runner.d.ts +9 -9
- package/dist/wirings/http/http-runner.js +33 -14
- package/dist/wirings/http/http.types.d.ts +2 -6
- package/dist/wirings/http/log-http-routes.d.ts +1 -1
- package/dist/wirings/http/pikku-fetch-http-request.d.ts +1 -1
- package/dist/wirings/http/pikku-fetch-http-response.d.ts +2 -2
- package/dist/wirings/http/pikku-fetch-http-response.js +6 -1
- package/dist/wirings/http/routers/http-router.d.ts +1 -1
- package/dist/wirings/http/routers/path-to-regex.d.ts +2 -2
- package/dist/wirings/mcp/mcp-endpoint-registry.d.ts +1 -1
- package/dist/wirings/mcp/mcp-runner.d.ts +0 -3
- package/dist/wirings/mcp/mcp-runner.js +4 -2
- package/dist/wirings/mcp/mcp.types.d.ts +2 -2
- package/dist/wirings/oauth2/oauth2-client.d.ts +3 -3
- package/dist/wirings/oauth2/wire-oauth2-credential.d.ts +1 -1
- package/dist/wirings/queue/index.d.ts +1 -1
- package/dist/wirings/queue/index.js +1 -1
- package/dist/wirings/queue/queue-runner.d.ts +1 -12
- package/dist/wirings/queue/queue-runner.js +4 -12
- package/dist/wirings/queue/queue.types.d.ts +3 -9
- package/dist/wirings/queue/register-queue-helper.d.ts +2 -2
- package/dist/wirings/queue/register-queue-helper.js +1 -1
- package/dist/wirings/queue/validate-worker-config.d.ts +1 -1
- package/dist/wirings/rpc/index.d.ts +2 -0
- package/dist/wirings/rpc/index.js +1 -0
- package/dist/wirings/rpc/rpc-runner.d.ts +36 -14
- package/dist/wirings/rpc/rpc-runner.js +56 -28
- package/dist/wirings/rpc/rpc-types.d.ts +14 -2
- package/dist/wirings/rpc/wire-addon.d.ts +10 -0
- package/dist/wirings/rpc/wire-addon.js +9 -0
- package/dist/wirings/scheduler/index.d.ts +1 -1
- package/dist/wirings/scheduler/index.js +1 -1
- package/dist/wirings/scheduler/log-schedulers.d.ts +1 -1
- package/dist/wirings/scheduler/scheduler-runner.d.ts +3 -10
- package/dist/wirings/scheduler/scheduler-runner.js +4 -25
- package/dist/wirings/scheduler/scheduler.types.d.ts +2 -2
- package/dist/wirings/trigger/pikku-trigger-service.d.ts +2 -6
- package/dist/wirings/trigger/pikku-trigger-service.js +11 -16
- package/dist/wirings/trigger/trigger-runner.d.ts +1 -5
- package/dist/wirings/trigger/trigger-runner.js +4 -3
- package/dist/wirings/workflow/pikku-workflow-service.d.ts +2 -6
- package/dist/wirings/workflow/pikku-workflow-service.js +20 -29
- package/dist/wirings/workflow/workflow.types.d.ts +2 -2
- package/package.json +2 -1
- package/src/crypto-utils.test.ts +116 -0
- package/src/errors/error.test.ts +143 -2
- package/src/errors/errors.ts +10 -0
- package/src/errors/index.ts +1 -0
- package/src/function/function-runner.test.ts +2 -2
- package/src/function/function-runner.ts +72 -49
- package/src/function/functions.types.ts +1 -0
- package/src/handle-error.test.ts +361 -0
- package/src/handle-error.ts +4 -4
- package/src/index.ts +3 -10
- package/src/internal.ts +6 -0
- package/src/middleware/auth-apikey.test.ts +1 -1
- package/src/middleware/auth-bearer.test.ts +1 -1
- package/src/middleware/auth-bearer.ts +2 -5
- package/src/middleware/auth-cookie.test.ts +1 -1
- package/src/middleware/auth-cookie.ts +3 -5
- package/src/middleware/cors.test.ts +424 -0
- package/src/middleware/cors.ts +14 -6
- package/src/middleware/remote-auth.test.ts +488 -0
- package/src/middleware-runner.test.ts +1 -1
- package/src/middleware-runner.ts +1 -1
- package/src/permissions.test.ts +2 -2
- package/src/permissions.ts +2 -2
- package/src/pikku-state.test.ts +224 -0
- package/src/pikku-state.ts +40 -28
- package/src/schema.test.ts +198 -6
- package/src/schema.ts +11 -7
- package/src/services/ai-agent-runner-service.ts +15 -3
- package/src/services/ai-run-state-service.ts +1 -1
- package/src/services/ai-storage-service.ts +1 -1
- package/src/services/content-service.ts +7 -0
- package/src/services/gopass-secrets.ts +4 -1
- package/src/services/in-memory-ai-run-state-service.ts +73 -0
- package/src/services/in-memory-trigger-service.ts +6 -10
- package/src/services/in-memory-workflow-service.test.ts +351 -0
- package/src/services/index.ts +2 -1
- package/src/services/local-content.ts +9 -3
- package/src/services/local-secrets.test.ts +80 -0
- package/src/services/local-secrets.ts +2 -2
- package/src/services/local-variables.test.ts +61 -0
- package/src/services/local-variables.ts +1 -1
- package/src/services/logger-console.test.ts +118 -0
- package/src/services/logger-console.ts +2 -1
- package/src/services/scheduler-service.ts +0 -18
- package/src/services/scoped-secret-service.test.ts +74 -0
- package/src/services/scoped-secret-service.ts +1 -1
- package/src/services/trigger-service.ts +0 -21
- package/src/services/typed-secret-service.test.ts +93 -0
- package/src/services/typed-variables-service.test.ts +73 -0
- package/src/services/user-session-service.test.ts +113 -0
- package/src/services/user-session-service.ts +3 -3
- package/src/services/workflow-service.ts +2 -12
- package/src/time-utils.test.ts +1 -1
- package/src/types/core.types.ts +25 -19
- package/src/types/state.types.ts +24 -15
- package/src/utils.test.ts +350 -0
- package/src/utils.ts +14 -13
- package/src/wirings/ai-agent/ai-agent-assistant-ui.test.ts +363 -0
- package/src/wirings/ai-agent/ai-agent-assistant-ui.ts +214 -0
- package/src/wirings/ai-agent/ai-agent-helpers.test.ts +152 -0
- package/src/wirings/ai-agent/ai-agent-helpers.ts +76 -0
- package/src/wirings/ai-agent/ai-agent-model-config.test.ts +115 -0
- package/src/wirings/ai-agent/ai-agent-prepare.ts +79 -45
- package/src/wirings/ai-agent/ai-agent-registry.ts +1 -1
- package/src/wirings/ai-agent/ai-agent-runner.test.ts +245 -3
- package/src/wirings/ai-agent/ai-agent-runner.ts +121 -7
- package/src/wirings/ai-agent/ai-agent-stream.test.ts +430 -24
- package/src/wirings/ai-agent/ai-agent-stream.ts +377 -102
- package/src/wirings/ai-agent/ai-agent.types.ts +57 -2
- package/src/wirings/ai-agent/index.ts +11 -0
- package/src/wirings/channel/channel-common.ts +2 -2
- package/src/wirings/channel/channel-handler.ts +13 -9
- package/src/wirings/channel/channel-runner.ts +6 -6
- package/src/wirings/channel/channel-store.ts +1 -1
- package/src/wirings/channel/channel.types.ts +4 -8
- package/src/wirings/channel/local/local-channel-runner.test.ts +19 -12
- package/src/wirings/channel/local/local-channel-runner.ts +18 -13
- package/src/wirings/channel/local/local-eventhub-service.test.ts +2 -2
- package/src/wirings/channel/local/local-eventhub-service.ts +2 -2
- package/src/wirings/channel/log-channels.ts +1 -1
- package/src/wirings/channel/pikku-abstract-channel-handler.ts +1 -1
- package/src/wirings/channel/serverless/serverless-channel-runner.ts +37 -32
- package/src/wirings/cli/channel/cli-channel-runner.ts +1 -1
- package/src/wirings/cli/cli-runner.test.ts +1 -1
- package/src/wirings/cli/cli-runner.ts +11 -4
- package/src/wirings/cli/cli.types.ts +3 -3
- package/src/wirings/cli/command-parser.test.ts +1 -1
- package/src/wirings/cli/command-parser.ts +1 -1
- package/src/wirings/http/http-routes.test.ts +1 -1
- package/src/wirings/http/http-runner.test.ts +9 -17
- package/src/wirings/http/http-runner.ts +43 -27
- package/src/wirings/http/http.types.ts +1 -14
- package/src/wirings/http/log-http-routes.ts +1 -1
- package/src/wirings/http/pikku-fetch-http-request.ts +1 -1
- package/src/wirings/http/pikku-fetch-http-response.ts +12 -5
- package/src/wirings/http/routers/http-router.ts +1 -1
- package/src/wirings/http/routers/path-to-regex.test.ts +1 -1
- package/src/wirings/http/routers/path-to-regex.ts +4 -3
- package/src/wirings/mcp/mcp-endpoint-registry.ts +5 -1
- package/src/wirings/mcp/mcp-runner.ts +9 -15
- package/src/wirings/mcp/mcp.types.ts +2 -2
- package/src/wirings/oauth2/oauth2-client.ts +3 -3
- package/src/wirings/oauth2/wire-oauth2-credential.ts +1 -1
- package/src/wirings/queue/index.ts +0 -1
- package/src/wirings/queue/queue-runner.test.ts +52 -25
- package/src/wirings/queue/queue-runner.ts +8 -30
- package/src/wirings/queue/queue.types.ts +3 -13
- package/src/wirings/queue/register-queue-helper.ts +3 -5
- package/src/wirings/queue/validate-worker-config.test.ts +108 -0
- package/src/wirings/queue/validate-worker-config.ts +4 -1
- package/src/wirings/rpc/index.ts +2 -0
- package/src/wirings/rpc/rpc-runner.ts +92 -49
- package/src/wirings/rpc/rpc-types.ts +17 -2
- package/src/wirings/rpc/wire-addon.ts +20 -0
- package/src/wirings/scheduler/index.ts +0 -1
- package/src/wirings/scheduler/log-schedulers.ts +1 -1
- package/src/wirings/scheduler/scheduler-runner.test.ts +49 -60
- package/src/wirings/scheduler/scheduler-runner.ts +9 -56
- package/src/wirings/scheduler/scheduler.types.ts +2 -2
- package/src/wirings/secret/validate-secret-definitions.test.ts +140 -0
- package/src/wirings/trigger/pikku-trigger-service.ts +17 -39
- package/src/wirings/trigger/trigger-runner.test.ts +79 -0
- package/src/wirings/trigger/trigger-runner.ts +8 -11
- package/src/wirings/variable/validate-variable-definitions.test.ts +91 -0
- package/src/wirings/workflow/graph/graph-runner.test.ts +14 -22
- package/src/wirings/workflow/graph/template.test.ts +49 -0
- package/src/wirings/workflow/pikku-workflow-service.test.ts +15 -27
- package/src/wirings/workflow/pikku-workflow-service.ts +29 -45
- package/src/wirings/workflow/workflow-helpers.test.ts +129 -0
- package/src/wirings/workflow/workflow.types.ts +2 -2
- package/tsconfig.tsbuildinfo +1 -1
- package/dist/wirings/workflow/workflow-utils.d.ts +0 -1
- package/dist/wirings/workflow/workflow-utils.js +0 -1
- package/src/wirings/workflow/workflow-utils.ts +0 -0
|
@@ -0,0 +1,488 @@
|
|
|
1
|
+
import { describe, test, beforeEach } from 'node:test'
|
|
2
|
+
import assert from 'node:assert'
|
|
3
|
+
import { pikkuRemoteAuthMiddleware } from './remote-auth.js'
|
|
4
|
+
import { UnauthorizedError } from '../errors/errors.js'
|
|
5
|
+
import { resetPikkuState } from '../pikku-state.js'
|
|
6
|
+
import { encryptJSON } from '../crypto-utils.js'
|
|
7
|
+
|
|
8
|
+
beforeEach(() => {
|
|
9
|
+
resetPikkuState()
|
|
10
|
+
})
|
|
11
|
+
|
|
12
|
+
const TEST_SECRET = 'test-remote-secret-key'
|
|
13
|
+
|
|
14
|
+
const createMockSecrets = (secret?: string) => ({
|
|
15
|
+
getSecret: async (key: string) => {
|
|
16
|
+
if (key === 'PIKKU_REMOTE_SECRET' && secret !== undefined) {
|
|
17
|
+
return secret
|
|
18
|
+
}
|
|
19
|
+
throw new Error(`Secret ${key} not found`)
|
|
20
|
+
},
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
const createMockJWT = (payload?: any, shouldThrow = false) => ({
|
|
24
|
+
decode: async (_token: string) => {
|
|
25
|
+
if (shouldThrow) throw new Error('Invalid token')
|
|
26
|
+
return payload
|
|
27
|
+
},
|
|
28
|
+
encode: async () => 'token',
|
|
29
|
+
})
|
|
30
|
+
|
|
31
|
+
const createMockRequest = (
|
|
32
|
+
headers: Record<string, string> = {},
|
|
33
|
+
path = '/api/test',
|
|
34
|
+
method = 'POST'
|
|
35
|
+
) => ({
|
|
36
|
+
header: (name: string) => headers[name.toLowerCase()] || headers[name],
|
|
37
|
+
path: () => path,
|
|
38
|
+
method: () => method,
|
|
39
|
+
})
|
|
40
|
+
|
|
41
|
+
describe('pikkuRemoteAuthMiddleware', () => {
|
|
42
|
+
test('should call next when no http.request', async () => {
|
|
43
|
+
let nextCalled = false
|
|
44
|
+
await pikkuRemoteAuthMiddleware(
|
|
45
|
+
{ secrets: createMockSecrets(TEST_SECRET) } as any,
|
|
46
|
+
{ http: {} } as any,
|
|
47
|
+
async () => {
|
|
48
|
+
nextCalled = true
|
|
49
|
+
}
|
|
50
|
+
)
|
|
51
|
+
assert.strictEqual(nextCalled, true)
|
|
52
|
+
})
|
|
53
|
+
|
|
54
|
+
test('should call next when no secrets service', async () => {
|
|
55
|
+
let nextCalled = false
|
|
56
|
+
await pikkuRemoteAuthMiddleware(
|
|
57
|
+
{} as any,
|
|
58
|
+
{ http: { request: createMockRequest() } } as any,
|
|
59
|
+
async () => {
|
|
60
|
+
nextCalled = true
|
|
61
|
+
}
|
|
62
|
+
)
|
|
63
|
+
assert.strictEqual(nextCalled, true)
|
|
64
|
+
})
|
|
65
|
+
|
|
66
|
+
test('should call next when PIKKU_REMOTE_SECRET not found', async () => {
|
|
67
|
+
let nextCalled = false
|
|
68
|
+
await pikkuRemoteAuthMiddleware(
|
|
69
|
+
{ secrets: createMockSecrets() } as any,
|
|
70
|
+
{ http: { request: createMockRequest() } } as any,
|
|
71
|
+
async () => {
|
|
72
|
+
nextCalled = true
|
|
73
|
+
}
|
|
74
|
+
)
|
|
75
|
+
assert.strictEqual(nextCalled, true)
|
|
76
|
+
})
|
|
77
|
+
|
|
78
|
+
test('should throw when PIKKU_REMOTE_SECRET set but no jwt service', async () => {
|
|
79
|
+
await assert.rejects(
|
|
80
|
+
() =>
|
|
81
|
+
pikkuRemoteAuthMiddleware(
|
|
82
|
+
{ secrets: createMockSecrets(TEST_SECRET) } as any,
|
|
83
|
+
{ http: { request: createMockRequest() } } as any,
|
|
84
|
+
async () => {}
|
|
85
|
+
),
|
|
86
|
+
{ message: 'PIKKU_REMOTE_SECRET set but JWT service missing' }
|
|
87
|
+
)
|
|
88
|
+
})
|
|
89
|
+
|
|
90
|
+
test('should throw UnauthorizedError when no authorization header', async () => {
|
|
91
|
+
await assert.rejects(
|
|
92
|
+
() =>
|
|
93
|
+
pikkuRemoteAuthMiddleware(
|
|
94
|
+
{
|
|
95
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
96
|
+
jwt: createMockJWT(),
|
|
97
|
+
} as any,
|
|
98
|
+
{ http: { request: createMockRequest({}) } } as any,
|
|
99
|
+
async () => {}
|
|
100
|
+
),
|
|
101
|
+
(err: any) => err instanceof UnauthorizedError
|
|
102
|
+
)
|
|
103
|
+
})
|
|
104
|
+
|
|
105
|
+
test('should throw UnauthorizedError for non-Bearer scheme', async () => {
|
|
106
|
+
await assert.rejects(
|
|
107
|
+
() =>
|
|
108
|
+
pikkuRemoteAuthMiddleware(
|
|
109
|
+
{
|
|
110
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
111
|
+
jwt: createMockJWT(),
|
|
112
|
+
} as any,
|
|
113
|
+
{
|
|
114
|
+
http: {
|
|
115
|
+
request: createMockRequest({ authorization: 'Basic abc123' }),
|
|
116
|
+
},
|
|
117
|
+
} as any,
|
|
118
|
+
async () => {}
|
|
119
|
+
),
|
|
120
|
+
(err: any) => err instanceof UnauthorizedError
|
|
121
|
+
)
|
|
122
|
+
})
|
|
123
|
+
|
|
124
|
+
test('should throw UnauthorizedError when Bearer has no token', async () => {
|
|
125
|
+
await assert.rejects(
|
|
126
|
+
() =>
|
|
127
|
+
pikkuRemoteAuthMiddleware(
|
|
128
|
+
{
|
|
129
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
130
|
+
jwt: createMockJWT(),
|
|
131
|
+
} as any,
|
|
132
|
+
{
|
|
133
|
+
http: { request: createMockRequest({ authorization: 'Bearer' }) },
|
|
134
|
+
} as any,
|
|
135
|
+
async () => {}
|
|
136
|
+
),
|
|
137
|
+
(err: any) => err instanceof UnauthorizedError
|
|
138
|
+
)
|
|
139
|
+
})
|
|
140
|
+
|
|
141
|
+
test('should throw UnauthorizedError when JWT decode fails', async () => {
|
|
142
|
+
await assert.rejects(
|
|
143
|
+
() =>
|
|
144
|
+
pikkuRemoteAuthMiddleware(
|
|
145
|
+
{
|
|
146
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
147
|
+
jwt: createMockJWT(null, true),
|
|
148
|
+
} as any,
|
|
149
|
+
{
|
|
150
|
+
http: {
|
|
151
|
+
request: createMockRequest({
|
|
152
|
+
authorization: 'Bearer valid-token',
|
|
153
|
+
}),
|
|
154
|
+
},
|
|
155
|
+
} as any,
|
|
156
|
+
async () => {}
|
|
157
|
+
),
|
|
158
|
+
(err: any) => err instanceof UnauthorizedError
|
|
159
|
+
)
|
|
160
|
+
})
|
|
161
|
+
|
|
162
|
+
test('should throw UnauthorizedError when audience is not pikku-remote', async () => {
|
|
163
|
+
await assert.rejects(
|
|
164
|
+
() =>
|
|
165
|
+
pikkuRemoteAuthMiddleware(
|
|
166
|
+
{
|
|
167
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
168
|
+
jwt: createMockJWT({ aud: 'wrong-audience' }),
|
|
169
|
+
} as any,
|
|
170
|
+
{
|
|
171
|
+
http: {
|
|
172
|
+
request: createMockRequest({
|
|
173
|
+
authorization: 'Bearer valid-token',
|
|
174
|
+
}),
|
|
175
|
+
},
|
|
176
|
+
} as any,
|
|
177
|
+
async () => {}
|
|
178
|
+
),
|
|
179
|
+
(err: any) => err instanceof UnauthorizedError
|
|
180
|
+
)
|
|
181
|
+
})
|
|
182
|
+
|
|
183
|
+
test('should throw UnauthorizedError when audience is missing', async () => {
|
|
184
|
+
await assert.rejects(
|
|
185
|
+
() =>
|
|
186
|
+
pikkuRemoteAuthMiddleware(
|
|
187
|
+
{
|
|
188
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
189
|
+
jwt: createMockJWT({}),
|
|
190
|
+
} as any,
|
|
191
|
+
{
|
|
192
|
+
http: {
|
|
193
|
+
request: createMockRequest({
|
|
194
|
+
authorization: 'Bearer valid-token',
|
|
195
|
+
}),
|
|
196
|
+
},
|
|
197
|
+
} as any,
|
|
198
|
+
async () => {}
|
|
199
|
+
),
|
|
200
|
+
(err: any) => err instanceof UnauthorizedError
|
|
201
|
+
)
|
|
202
|
+
})
|
|
203
|
+
|
|
204
|
+
test('should call next for valid token with correct audience', async () => {
|
|
205
|
+
let nextCalled = false
|
|
206
|
+
await pikkuRemoteAuthMiddleware(
|
|
207
|
+
{
|
|
208
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
209
|
+
jwt: createMockJWT({ aud: 'pikku-remote' }),
|
|
210
|
+
} as any,
|
|
211
|
+
{
|
|
212
|
+
http: {
|
|
213
|
+
request: createMockRequest({ authorization: 'Bearer valid-token' }),
|
|
214
|
+
},
|
|
215
|
+
} as any,
|
|
216
|
+
async () => {
|
|
217
|
+
nextCalled = true
|
|
218
|
+
}
|
|
219
|
+
)
|
|
220
|
+
assert.strictEqual(nextCalled, true)
|
|
221
|
+
})
|
|
222
|
+
|
|
223
|
+
test('should accept Authorization header (capitalized)', async () => {
|
|
224
|
+
let nextCalled = false
|
|
225
|
+
await pikkuRemoteAuthMiddleware(
|
|
226
|
+
{
|
|
227
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
228
|
+
jwt: createMockJWT({ aud: 'pikku-remote' }),
|
|
229
|
+
} as any,
|
|
230
|
+
{
|
|
231
|
+
http: {
|
|
232
|
+
request: createMockRequest({ Authorization: 'Bearer valid-token' }),
|
|
233
|
+
},
|
|
234
|
+
} as any,
|
|
235
|
+
async () => {
|
|
236
|
+
nextCalled = true
|
|
237
|
+
}
|
|
238
|
+
)
|
|
239
|
+
assert.strictEqual(nextCalled, true)
|
|
240
|
+
})
|
|
241
|
+
|
|
242
|
+
describe('RPC function authorization', () => {
|
|
243
|
+
test('should throw UnauthorizedError when token fn does not match requested function', async () => {
|
|
244
|
+
await assert.rejects(
|
|
245
|
+
() =>
|
|
246
|
+
pikkuRemoteAuthMiddleware(
|
|
247
|
+
{
|
|
248
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
249
|
+
jwt: createMockJWT({ aud: 'pikku-remote', fn: 'allowedFunc' }),
|
|
250
|
+
} as any,
|
|
251
|
+
{
|
|
252
|
+
http: {
|
|
253
|
+
request: createMockRequest(
|
|
254
|
+
{ authorization: 'Bearer valid-token' },
|
|
255
|
+
'/rpc/otherFunc'
|
|
256
|
+
),
|
|
257
|
+
},
|
|
258
|
+
} as any,
|
|
259
|
+
async () => {}
|
|
260
|
+
),
|
|
261
|
+
(err: any) => err instanceof UnauthorizedError
|
|
262
|
+
)
|
|
263
|
+
})
|
|
264
|
+
|
|
265
|
+
test('should allow when token fn matches requested function', async () => {
|
|
266
|
+
let nextCalled = false
|
|
267
|
+
await pikkuRemoteAuthMiddleware(
|
|
268
|
+
{
|
|
269
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
270
|
+
jwt: createMockJWT({ aud: 'pikku-remote', fn: 'myFunc' }),
|
|
271
|
+
} as any,
|
|
272
|
+
{
|
|
273
|
+
http: {
|
|
274
|
+
request: createMockRequest(
|
|
275
|
+
{ authorization: 'Bearer valid-token' },
|
|
276
|
+
'/rpc/myFunc'
|
|
277
|
+
),
|
|
278
|
+
},
|
|
279
|
+
} as any,
|
|
280
|
+
async () => {
|
|
281
|
+
nextCalled = true
|
|
282
|
+
}
|
|
283
|
+
)
|
|
284
|
+
assert.strictEqual(nextCalled, true)
|
|
285
|
+
})
|
|
286
|
+
|
|
287
|
+
test('should allow any RPC call when token has no fn claim', async () => {
|
|
288
|
+
let nextCalled = false
|
|
289
|
+
await pikkuRemoteAuthMiddleware(
|
|
290
|
+
{
|
|
291
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
292
|
+
jwt: createMockJWT({ aud: 'pikku-remote' }),
|
|
293
|
+
} as any,
|
|
294
|
+
{
|
|
295
|
+
http: {
|
|
296
|
+
request: createMockRequest(
|
|
297
|
+
{ authorization: 'Bearer valid-token' },
|
|
298
|
+
'/rpc/anyFunc'
|
|
299
|
+
),
|
|
300
|
+
},
|
|
301
|
+
} as any,
|
|
302
|
+
async () => {
|
|
303
|
+
nextCalled = true
|
|
304
|
+
}
|
|
305
|
+
)
|
|
306
|
+
assert.strictEqual(nextCalled, true)
|
|
307
|
+
})
|
|
308
|
+
|
|
309
|
+
test('should skip fn check for non-RPC paths even if fn in token', async () => {
|
|
310
|
+
let nextCalled = false
|
|
311
|
+
await pikkuRemoteAuthMiddleware(
|
|
312
|
+
{
|
|
313
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
314
|
+
jwt: createMockJWT({ aud: 'pikku-remote', fn: 'someFunc' }),
|
|
315
|
+
} as any,
|
|
316
|
+
{
|
|
317
|
+
http: {
|
|
318
|
+
request: createMockRequest(
|
|
319
|
+
{ authorization: 'Bearer valid-token' },
|
|
320
|
+
'/api/other'
|
|
321
|
+
),
|
|
322
|
+
},
|
|
323
|
+
} as any,
|
|
324
|
+
async () => {
|
|
325
|
+
nextCalled = true
|
|
326
|
+
}
|
|
327
|
+
)
|
|
328
|
+
assert.strictEqual(nextCalled, true)
|
|
329
|
+
})
|
|
330
|
+
|
|
331
|
+
test('should handle URI-encoded function names', async () => {
|
|
332
|
+
let nextCalled = false
|
|
333
|
+
await pikkuRemoteAuthMiddleware(
|
|
334
|
+
{
|
|
335
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
336
|
+
jwt: createMockJWT({ aud: 'pikku-remote', fn: 'my func' }),
|
|
337
|
+
} as any,
|
|
338
|
+
{
|
|
339
|
+
http: {
|
|
340
|
+
request: createMockRequest(
|
|
341
|
+
{ authorization: 'Bearer valid-token' },
|
|
342
|
+
'/rpc/my%20func'
|
|
343
|
+
),
|
|
344
|
+
},
|
|
345
|
+
} as any,
|
|
346
|
+
async () => {
|
|
347
|
+
nextCalled = true
|
|
348
|
+
}
|
|
349
|
+
)
|
|
350
|
+
assert.strictEqual(nextCalled, true)
|
|
351
|
+
})
|
|
352
|
+
})
|
|
353
|
+
|
|
354
|
+
describe('session decryption', () => {
|
|
355
|
+
test('should decrypt and set session when payload.session exists', async () => {
|
|
356
|
+
const sessionData = { userId: 'user-1', role: 'admin' }
|
|
357
|
+
const encryptedSession = await encryptJSON(TEST_SECRET, {
|
|
358
|
+
session: sessionData,
|
|
359
|
+
})
|
|
360
|
+
let receivedSession: any
|
|
361
|
+
|
|
362
|
+
await pikkuRemoteAuthMiddleware(
|
|
363
|
+
{
|
|
364
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
365
|
+
jwt: createMockJWT({
|
|
366
|
+
aud: 'pikku-remote',
|
|
367
|
+
session: encryptedSession,
|
|
368
|
+
}),
|
|
369
|
+
} as any,
|
|
370
|
+
{
|
|
371
|
+
http: {
|
|
372
|
+
request: createMockRequest({ authorization: 'Bearer valid-token' }),
|
|
373
|
+
},
|
|
374
|
+
setSession: async (session: any) => {
|
|
375
|
+
receivedSession = session
|
|
376
|
+
},
|
|
377
|
+
} as any,
|
|
378
|
+
async () => {}
|
|
379
|
+
)
|
|
380
|
+
|
|
381
|
+
assert.deepStrictEqual(receivedSession, sessionData)
|
|
382
|
+
})
|
|
383
|
+
|
|
384
|
+
test('should throw UnauthorizedError when session decryption fails', async () => {
|
|
385
|
+
await assert.rejects(
|
|
386
|
+
() =>
|
|
387
|
+
pikkuRemoteAuthMiddleware(
|
|
388
|
+
{
|
|
389
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
390
|
+
jwt: createMockJWT({
|
|
391
|
+
aud: 'pikku-remote',
|
|
392
|
+
session: 'invalid-encrypted-data',
|
|
393
|
+
}),
|
|
394
|
+
} as any,
|
|
395
|
+
{
|
|
396
|
+
http: {
|
|
397
|
+
request: createMockRequest({
|
|
398
|
+
authorization: 'Bearer valid-token',
|
|
399
|
+
}),
|
|
400
|
+
},
|
|
401
|
+
setSession: async () => {},
|
|
402
|
+
} as any,
|
|
403
|
+
async () => {}
|
|
404
|
+
),
|
|
405
|
+
(err: any) => err instanceof UnauthorizedError
|
|
406
|
+
)
|
|
407
|
+
})
|
|
408
|
+
|
|
409
|
+
test('should skip setSession when setSession is not available', async () => {
|
|
410
|
+
const encryptedSession = await encryptJSON(TEST_SECRET, {
|
|
411
|
+
session: { userId: 'u1' },
|
|
412
|
+
})
|
|
413
|
+
let nextCalled = false
|
|
414
|
+
|
|
415
|
+
await pikkuRemoteAuthMiddleware(
|
|
416
|
+
{
|
|
417
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
418
|
+
jwt: createMockJWT({
|
|
419
|
+
aud: 'pikku-remote',
|
|
420
|
+
session: encryptedSession,
|
|
421
|
+
}),
|
|
422
|
+
} as any,
|
|
423
|
+
{
|
|
424
|
+
http: {
|
|
425
|
+
request: createMockRequest({ authorization: 'Bearer valid-token' }),
|
|
426
|
+
},
|
|
427
|
+
} as any,
|
|
428
|
+
async () => {
|
|
429
|
+
nextCalled = true
|
|
430
|
+
}
|
|
431
|
+
)
|
|
432
|
+
|
|
433
|
+
assert.strictEqual(nextCalled, true)
|
|
434
|
+
})
|
|
435
|
+
|
|
436
|
+
test('should skip setSession when decrypted.session is falsy', async () => {
|
|
437
|
+
const encryptedSession = await encryptJSON(TEST_SECRET, { session: null })
|
|
438
|
+
let setSessionCalled = false
|
|
439
|
+
|
|
440
|
+
await pikkuRemoteAuthMiddleware(
|
|
441
|
+
{
|
|
442
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
443
|
+
jwt: createMockJWT({
|
|
444
|
+
aud: 'pikku-remote',
|
|
445
|
+
session: encryptedSession,
|
|
446
|
+
}),
|
|
447
|
+
} as any,
|
|
448
|
+
{
|
|
449
|
+
http: {
|
|
450
|
+
request: createMockRequest({ authorization: 'Bearer valid-token' }),
|
|
451
|
+
},
|
|
452
|
+
setSession: async () => {
|
|
453
|
+
setSessionCalled = true
|
|
454
|
+
},
|
|
455
|
+
} as any,
|
|
456
|
+
async () => {}
|
|
457
|
+
)
|
|
458
|
+
|
|
459
|
+
assert.strictEqual(setSessionCalled, false)
|
|
460
|
+
})
|
|
461
|
+
|
|
462
|
+
test('should not call setSession when no session in payload', async () => {
|
|
463
|
+
let setSessionCalled = false
|
|
464
|
+
let nextCalled = false
|
|
465
|
+
|
|
466
|
+
await pikkuRemoteAuthMiddleware(
|
|
467
|
+
{
|
|
468
|
+
secrets: createMockSecrets(TEST_SECRET),
|
|
469
|
+
jwt: createMockJWT({ aud: 'pikku-remote' }),
|
|
470
|
+
} as any,
|
|
471
|
+
{
|
|
472
|
+
http: {
|
|
473
|
+
request: createMockRequest({ authorization: 'Bearer valid-token' }),
|
|
474
|
+
},
|
|
475
|
+
setSession: async () => {
|
|
476
|
+
setSessionCalled = true
|
|
477
|
+
},
|
|
478
|
+
} as any,
|
|
479
|
+
async () => {
|
|
480
|
+
nextCalled = true
|
|
481
|
+
}
|
|
482
|
+
)
|
|
483
|
+
|
|
484
|
+
assert.strictEqual(setSessionCalled, false)
|
|
485
|
+
assert.strictEqual(nextCalled, true)
|
|
486
|
+
})
|
|
487
|
+
})
|
|
488
|
+
})
|
|
@@ -6,7 +6,7 @@ import {
|
|
|
6
6
|
runMiddleware,
|
|
7
7
|
} from './middleware-runner.js'
|
|
8
8
|
import { resetPikkuState } from './pikku-state.js'
|
|
9
|
-
import { CorePikkuMiddleware } from './types/core.types.js'
|
|
9
|
+
import type { CorePikkuMiddleware } from './types/core.types.js'
|
|
10
10
|
|
|
11
11
|
beforeEach(() => {
|
|
12
12
|
resetPikkuState()
|
package/src/middleware-runner.ts
CHANGED
package/src/permissions.test.ts
CHANGED
|
@@ -2,8 +2,8 @@ import { describe, test, beforeEach } from 'node:test'
|
|
|
2
2
|
import * as assert from 'node:assert'
|
|
3
3
|
import { addPermission, runPermissions } from './permissions.js'
|
|
4
4
|
import { pikkuState, resetPikkuState } from './pikku-state.js'
|
|
5
|
-
import { CoreServices, CoreUserSession } from './types/core.types.js'
|
|
6
|
-
import {
|
|
5
|
+
import type { CoreServices, CoreUserSession } from './types/core.types.js'
|
|
6
|
+
import type {
|
|
7
7
|
CorePermissionGroup,
|
|
8
8
|
CorePikkuPermission,
|
|
9
9
|
} from './function/functions.types.js'
|
package/src/permissions.ts
CHANGED