@slashgear/gdpr-cookie-scanner 1.3.0 → 2.0.0

package/src/types.ts

@@ -108,6 +108,8 @@ export interface ComplianceScore {
   grade: "A" | "B" | "C" | "D" | "F";
 }
 
+export type ReportFormat = "md" | "html" | "json" | "pdf";
+
 export interface ScanOptions {
   url: string;
   outputDir: string;
@@ -115,6 +117,7 @@ export interface ScanOptions {
   screenshots: boolean;
   locale: string;
   verbose: boolean;
+  formats: ReportFormat[];
   userAgent?: string;
 }
 

package/tests/e2e/fixtures/compliant-site.html

@@ -0,0 +1,80 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>Compliant Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome to our website</h1>
+      <p>This is a test page with a GDPR-compliant cookie banner.</p>
+    </main>
+
+    <footer>
+      <a href="/privacy-policy">Privacy Policy</a>
+      <a href="/terms">Terms of Service</a>
+    </footer>
+
+    <!-- GDPR-compliant cookie banner -->
+    <div
+      id="cookie-banner"
+      style="
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        background: #1a1a2e;
+        color: #fff;
+        padding: 20px;
+        z-index: 9999;
+        display: flex;
+        align-items: center;
+        gap: 16px;
+      "
+    >
+      <p style="flex: 1; margin: 0">
+        We use cookies for analytics purposes with <strong>third-party vendors</strong>. Cookies
+        expire after <strong>13 months</strong>. You may <strong>withdraw your consent</strong> at
+        any time. See our <a href="/privacy-policy" style="color: #90e0ef">Privacy Policy</a>.
+      </p>
+      <button
+        id="reject-btn"
+        style="
+          padding: 10px 20px;
+          background: transparent;
+          color: #fff;
+          border: 1px solid #fff;
+          cursor: pointer;
+          font-size: 14px;
+        "
+      >
+        Reject all
+      </button>
+      <button
+        id="accept-btn"
+        style="
+          padding: 10px 20px;
+          background: #4caf50;
+          color: #fff;
+          border: none;
+          cursor: pointer;
+          font-size: 14px;
+        "
+      >
+        Accept all
+      </button>
+    </div>
+
+    <script>
+      document.getElementById("accept-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+        document.cookie = "consent=accepted; path=/; max-age=31536000";
+      });
+
+      document.getElementById("reject-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+        document.cookie = "consent=rejected; path=/; max-age=31536000";
+      });
+    </script>
+  </body>
+</html>

package/tests/e2e/fixtures/no-modal-site.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>No Modal Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome</h1>
+      <p>This page has no cookie consent modal at all.</p>
+    </main>
+
+    <footer>
+      <a href="/privacy-policy">Privacy Policy</a>
+    </footer>
+  </body>
+</html>

package/tests/e2e/fixtures/non-compliant-site.html

@@ -0,0 +1,54 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>Non-Compliant Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome</h1>
+      <p>This page has no reject button and sets analytics cookies immediately.</p>
+    </main>
+
+    <!-- Non-compliant: no reject button, no privacy policy link, cookie set before interaction -->
+    <div
+      id="cookie-banner"
+      style="
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        background: #333;
+        color: #fff;
+        padding: 20px;
+        z-index: 9999;
+      "
+    >
+      <p style="margin: 0 0 10px 0">
+        By continuing to browse this site, you accept the use of cookies.
+      </p>
+      <button
+        id="accept-btn"
+        style="
+          padding: 10px 24px;
+          background: #e53935;
+          color: #fff;
+          border: none;
+          cursor: pointer;
+          font-size: 16px;
+        "
+      >
+        OK
+      </button>
+    </div>
+
+    <script>
+      // Set analytics cookie before any interaction (non-compliant)
+      document.cookie = "_ga=GA1.2.123456789.1234567890; path=/; max-age=34560000";
+
+      document.getElementById("accept-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+      });
+    </script>
+  </body>
+</html>

package/tests/e2e/scanner.test.ts

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { Scanner } from "../../src/scanner/index.js";
+import { startTestServer, type TestServer } from "../helpers/test-server.js";
+
+// E2E tests spin up real Playwright browsers — allow generous timeouts
+const E2E_TIMEOUT = 60_000;
+
+describe("Scanner E2E", { timeout: E2E_TIMEOUT }, () => {
+  let server: TestServer;
+  let outputDir: string;
+
+  beforeAll(async () => {
+    server = await startTestServer();
+    outputDir = await mkdtemp(join(tmpdir(), "gdpr-test-"));
+  });
+
+  afterAll(async () => {
+    await server.close();
+    await rm(outputDir, { recursive: true, force: true });
+  });
+
+  function makeOptions(fixture: string) {
+    return {
+      url: `${server.url}/${fixture}`,
+      outputDir: join(outputDir, fixture.replace(".html", "")),
+      timeout: 30_000,
+      screenshots: false,
+      locale: "en-US",
+      verbose: false,
+    };
+  }
+
+  describe("compliant-site.html", () => {
+    it("detects the consent modal", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(true);
+    });
+
+    it("finds both accept and reject buttons", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      const types = result.modal.buttons.map((b) => b.type);
+      expect(types).toContain("accept");
+      expect(types).toContain("reject");
+    });
+
+    it("finds the privacy policy link in the modal", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("finds a privacy policy link on the page", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("assigns a passing compliance grade (A or B)", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(["A", "B"]).toContain(result.compliance.grade);
+    });
+
+    it("does not flag pre-consent cookies", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      const illegalPreConsent = result.cookiesBeforeInteraction.filter((c) => c.requiresConsent);
+      expect(illegalPreConsent).toHaveLength(0);
+    });
+  });
+
+  describe("non-compliant-site.html", () => {
+    it("detects the consent modal", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(true);
+    });
+
+    it("detects _ga cookie set before any interaction", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      const gaBeforeInteraction = result.cookiesBeforeInteraction.some(
+        (c) => c.name === "_ga" && c.requiresConsent,
+      );
+      expect(gaBeforeInteraction).toBe(true);
+    });
+
+    it("raises an auto-consent issue for pre-interaction cookies", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      const issue = result.compliance.issues.find((i) => i.type === "auto-consent");
+      expect(issue).toBeDefined();
+    });
+
+    it("assigns a failing grade (C, D, or F)", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      expect(["C", "D", "F"]).toContain(result.compliance.grade);
+    });
+  });
+
+  describe("no-modal-site.html", () => {
+    it("reports modal as not detected", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(false);
+    });
+
+    it("still finds the page-level privacy policy link", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("assigns grade F when no modal is detected", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.compliance.grade).toBe("F");
+    });
+
+    it("raises a critical no-reject-button issue", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      const issue = result.compliance.issues.find(
+        (i) => i.type === "no-reject-button" && i.severity === "critical",
+      );
+      expect(issue).toBeDefined();
+    });
+  });
+});

package/tests/helpers/test-server.ts

@@ -0,0 +1,57 @@
+import { createServer } from "http";
+import { readFile } from "fs/promises";
+import { join, extname } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const FIXTURES_DIR = join(__dirname, "../e2e/fixtures");
+
+const MIME_TYPES: Record<string, string> = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+};
+
+export interface TestServer {
+  url: string;
+  close(): Promise<void>;
+}
+
+/**
+ * Starts a minimal HTTP server serving static HTML fixtures.
+ * Returns the base URL and a close() function.
+ */
+export async function startTestServer(port = 0): Promise<TestServer> {
+  const server = createServer(async (req, res) => {
+    const urlPath = req.url === "/" ? "/index.html" : (req.url ?? "/");
+    // Map /privacy-policy → privacy-policy.html or return a stub
+    const filePath = urlPath.endsWith(".html")
+      ? join(FIXTURES_DIR, urlPath)
+      : join(FIXTURES_DIR, `${urlPath.slice(1)}.html`);
+
+    try {
+      const content = await readFile(filePath);
+      const ext = extname(filePath) || ".html";
+      res.writeHead(200, { "Content-Type": MIME_TYPES[ext] ?? "text/plain" });
+      res.end(content);
+    } catch {
+      // Return a minimal stub for unknown paths (e.g., /privacy-policy)
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end("<!DOCTYPE html><html><body><h1>Privacy Policy</h1></body></html>");
+    }
+  });
+
+  await new Promise<void>((resolve) => server.listen(port, "127.0.0.1", resolve));
+
+  const address = server.address();
+  if (!address || typeof address === "string") {
+    throw new Error("Unexpected server address type");
+  }
+
+  return {
+    url: `http://127.0.0.1:${address.port}`,
+    close: () =>
+      new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve()))),
+  };
+}