@unifiedmemory/cli 1.3.1 → 1.3.6

package/tests/unit/jwt-utils.test.js

@@ -0,0 +1,217 @@
+/**
+ * Unit tests for lib/jwt-utils.js
+ *
+ * Tests JWT parsing, validation, and expiration checking functions.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  parseJWT,
+  isJWTExpired,
+  validateJWTStructure,
+  getTimeUntilExpiration,
+} from '../../lib/jwt-utils.js';
+
+describe('jwt-utils', () => {
+  describe('parseJWT', () => {
+    it('should parse a valid JWT and return the payload', () => {
+      // Create a valid JWT with base64url-encoded payload
+      const payload = { sub: 'user_123', email: 'test@test.com', exp: 9999999999 };
+      const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64');
+      const token = `header.${encodedPayload}.signature`;
+
+      const result = parseJWT(token);
+
+      expect(result).toEqual(payload);
+    });
+
+    it('should return null for invalid JWT with wrong number of parts', () => {
+      expect(parseJWT('invalid')).toBeNull();
+      expect(parseJWT('only.two')).toBeNull();
+      expect(parseJWT('too.many.parts.here')).toBeNull();
+    });
+
+    it('should return null for JWT with invalid base64 payload', () => {
+      const token = 'header.!!!invalid-base64!!!.signature';
+
+      const result = parseJWT(token);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null for JWT with non-JSON payload', () => {
+      const encodedPayload = Buffer.from('not-json').toString('base64');
+      const token = `header.${encodedPayload}.signature`;
+
+      const result = parseJWT(token);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null for empty string', () => {
+      expect(parseJWT('')).toBeNull();
+    });
+
+    it('should handle JWT with special characters in payload', () => {
+      const payload = { sub: 'user_123', email: 'test+special@test.com', name: 'Test User' };
+      const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64');
+      const token = `header.${encodedPayload}.signature`;
+
+      const result = parseJWT(token);
+
+      expect(result).toEqual(payload);
+    });
+  });
+
+  describe('isJWTExpired', () => {
+    beforeEach(() => {
+      // Mock Date.now() for consistent testing
+      vi.useFakeTimers();
+      vi.setSystemTime(new Date('2024-06-15T12:00:00.000Z'));
+    });
+
+    afterEach(() => {
+      vi.useRealTimers();
+    });
+
+    it('should return true for expired token', () => {
+      // Token expired on Jan 1, 2024
+      const decoded = { exp: Math.floor(new Date('2024-01-01T00:00:00.000Z').getTime() / 1000) };
+
+      expect(isJWTExpired(decoded)).toBe(true);
+    });
+
+    it('should return false for valid (non-expired) token', () => {
+      // Token expires on Dec 31, 2024
+      const decoded = { exp: Math.floor(new Date('2024-12-31T00:00:00.000Z').getTime() / 1000) };
+
+      expect(isJWTExpired(decoded)).toBe(false);
+    });
+
+    it('should return true when token has no exp claim', () => {
+      expect(isJWTExpired({})).toBe(true);
+      expect(isJWTExpired({ sub: 'user_123' })).toBe(true);
+    });
+
+    it('should return true for null/undefined decoded value', () => {
+      expect(isJWTExpired(null)).toBe(true);
+      expect(isJWTExpired(undefined)).toBe(true);
+    });
+
+    it('should respect buffer parameter', () => {
+      // Token expires in exactly 5 minutes from now
+      const fiveMinutesFromNow = Math.floor(Date.now() / 1000) + 300;
+      const decoded = { exp: fiveMinutesFromNow };
+
+      // Without buffer, not expired
+      expect(isJWTExpired(decoded, 0)).toBe(false);
+
+      // With 10-minute buffer (600000ms), considered expired
+      expect(isJWTExpired(decoded, 600000)).toBe(true);
+
+      // With 3-minute buffer (180000ms), not expired yet
+      expect(isJWTExpired(decoded, 180000)).toBe(false);
+    });
+
+    it('should handle edge case where exp equals current time', () => {
+      const now = Math.floor(Date.now() / 1000);
+      const decoded = { exp: now };
+
+      // Exactly at expiration time should be considered expired
+      expect(isJWTExpired(decoded)).toBe(true);
+    });
+  });
+
+  describe('validateJWTStructure', () => {
+    it('should return truthy for valid JWT structure with sub and exp', () => {
+      const decoded = { sub: 'user_123', exp: 9999999999 };
+
+      expect(validateJWTStructure(decoded)).toBeTruthy();
+    });
+
+    it('should return falsy when sub is missing', () => {
+      const decoded = { exp: 9999999999, email: 'test@test.com' };
+
+      expect(validateJWTStructure(decoded)).toBeFalsy();
+    });
+
+    it('should return falsy when exp is missing', () => {
+      const decoded = { sub: 'user_123', email: 'test@test.com' };
+
+      expect(validateJWTStructure(decoded)).toBeFalsy();
+    });
+
+    it('should return falsy for null/undefined', () => {
+      expect(validateJWTStructure(null)).toBeFalsy();
+      expect(validateJWTStructure(undefined)).toBeFalsy();
+    });
+
+    it('should return falsy for non-object values', () => {
+      expect(validateJWTStructure('string')).toBeFalsy();
+      expect(validateJWTStructure(123)).toBeFalsy();
+      expect(validateJWTStructure([])).toBeFalsy();
+    });
+
+    it('should return truthy when sub and exp have any truthy value', () => {
+      const decoded = { sub: 'any_value', exp: 1 };
+
+      expect(validateJWTStructure(decoded)).toBeTruthy();
+    });
+
+    it('should return falsy when sub or exp are falsy (0, empty string)', () => {
+      expect(validateJWTStructure({ sub: '', exp: 9999999999 })).toBeFalsy();
+      expect(validateJWTStructure({ sub: 'user_123', exp: 0 })).toBeFalsy();
+    });
+  });
+
+  describe('getTimeUntilExpiration', () => {
+    beforeEach(() => {
+      vi.useFakeTimers();
+      vi.setSystemTime(new Date('2024-06-15T12:00:00.000Z'));
+    });
+
+    afterEach(() => {
+      vi.useRealTimers();
+    });
+
+    it('should return positive milliseconds for future expiration', () => {
+      // Expires 1 hour from now
+      const oneHourFromNow = Math.floor(Date.now() / 1000) + 3600;
+      const decoded = { exp: oneHourFromNow };
+
+      const result = getTimeUntilExpiration(decoded);
+
+      // Should be approximately 1 hour in milliseconds
+      expect(result).toBeCloseTo(3600000, -2); // Allow small variance
+    });
+
+    it('should return negative milliseconds for past expiration', () => {
+      // Expired 1 hour ago
+      const oneHourAgo = Math.floor(Date.now() / 1000) - 3600;
+      const decoded = { exp: oneHourAgo };
+
+      const result = getTimeUntilExpiration(decoded);
+
+      expect(result).toBeCloseTo(-3600000, -2);
+    });
+
+    it('should return -1 when no exp claim exists', () => {
+      expect(getTimeUntilExpiration({})).toBe(-1);
+      expect(getTimeUntilExpiration({ sub: 'user_123' })).toBe(-1);
+    });
+
+    it('should return -1 for null/undefined decoded value', () => {
+      expect(getTimeUntilExpiration(null)).toBe(-1);
+      expect(getTimeUntilExpiration(undefined)).toBe(-1);
+    });
+
+    it('should return approximately 0 when exp equals current time', () => {
+      const now = Math.floor(Date.now() / 1000);
+      const decoded = { exp: now };
+
+      const result = getTimeUntilExpiration(decoded);
+
+      expect(result).toBeCloseTo(0, -2);
+    });
+  });
+});

package/tests/unit/mcp-proxy.test.js

@@ -0,0 +1,459 @@
+/**
+ * Unit tests for lib/mcp-proxy.js
+ *
+ * Tests MCP proxy functions including tool schema transformation
+ * and context parameter injection.
+ *
+ * Note: The internal transformToolSchema and injectContextParams functions
+ * are tested indirectly through the exported functions.
+ */
+
+import { describe, it, expect, vi, beforeAll, afterAll, afterEach } from 'vitest';
+import { setupServer } from 'msw/node';
+import { http, HttpResponse } from 'msw';
+
+const GATEWAY_MCP_URL = 'https://rose-asp-main-1c0b114.d2.zuplo.dev/mcp';
+
+// Sample tool with pathParams and headers that should be transformed
+const sampleToolWithContext = {
+  name: 'create_note',
+  description: 'Create a new note',
+  inputSchema: {
+    type: 'object',
+    properties: {
+      content: { type: 'string', description: 'Note content' },
+      pathParams: {
+        type: 'object',
+        properties: {
+          org: { type: 'string', description: 'Organization ID' },
+          proj: { type: 'string', description: 'Project ID' },
+          user: { type: 'string', description: 'User ID' },
+        },
+        required: ['org', 'proj', 'user'],
+      },
+      headers: {
+        type: 'object',
+        properties: {
+          'X-Org-Id': { type: 'string' },
+          'X-User-Id': { type: 'string' },
+        },
+      },
+    },
+    required: ['content', 'pathParams', 'headers'],
+  },
+};
+
+// Tool with no context params (should remain unchanged)
+const sampleToolNoContext = {
+  name: 'get_health',
+  description: 'Check health status',
+  inputSchema: {
+    type: 'object',
+    properties: {
+      verbose: { type: 'boolean', description: 'Include details' },
+    },
+  },
+};
+
+// Setup MSW server for mocking fetch
+const server = setupServer();
+
+beforeAll(() => server.listen({ onUnhandledRequest: 'bypass' }));
+afterEach(() => server.resetHandlers());
+afterAll(() => server.close());
+
+describe('mcp-proxy', () => {
+  describe('fetchRemoteMCPTools', () => {
+    it('should fetch tools and transform schemas to hide context params', async () => {
+      // Setup mock response
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: {
+              tools: [sampleToolWithContext, sampleToolNoContext],
+            },
+          });
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      const result = await fetchRemoteMCPTools({
+        Authorization: 'Bearer test_token',
+        'X-Org-Id': 'org_123',
+      });
+
+      expect(result.tools).toHaveLength(2);
+
+      // First tool should have pathParams context removed
+      const transformedTool = result.tools[0];
+      expect(transformedTool.name).toBe('create_note');
+
+      // org, proj, user should be removed from pathParams
+      const pathParamProps = transformedTool.inputSchema.properties.pathParams?.properties || {};
+      expect(pathParamProps.org).toBeUndefined();
+      expect(pathParamProps.proj).toBeUndefined();
+      expect(pathParamProps.user).toBeUndefined();
+
+      // headers should be removed entirely
+      expect(transformedTool.inputSchema.properties.headers).toBeUndefined();
+
+      // headers should be removed from required array
+      expect(transformedTool.inputSchema.required).not.toContain('headers');
+
+      // Second tool should remain relatively unchanged
+      const healthTool = result.tools[1];
+      expect(healthTool.name).toBe('get_health');
+      expect(healthTool.inputSchema.properties.verbose).toBeDefined();
+    });
+
+    it('should handle empty tools list', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: { tools: [] },
+          });
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      const result = await fetchRemoteMCPTools({
+        Authorization: 'Bearer test_token',
+      });
+
+      expect(result.tools).toEqual([]);
+    });
+
+    it('should throw error on 401 unauthorized response', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json(
+            { error: 'Unauthorized' },
+            { status: 401 }
+          );
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        fetchRemoteMCPTools({ Authorization: 'Bearer invalid_token' })
+      ).rejects.toThrow('Authentication failed');
+    });
+
+    it('should throw error on 403 forbidden response', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json(
+            { error: 'Forbidden' },
+            { status: 403 }
+          );
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        fetchRemoteMCPTools({ Authorization: 'Bearer test_token' })
+      ).rejects.toThrow('Access denied');
+    });
+
+    it('should throw error on MCP protocol error response', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            error: { code: -32600, message: 'Invalid Request' },
+          });
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        fetchRemoteMCPTools({ Authorization: 'Bearer test_token' })
+      ).rejects.toThrow('MCP error');
+    });
+
+    it('should throw connection error on network failure', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.error();
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        fetchRemoteMCPTools({ Authorization: 'Bearer test_token' })
+      ).rejects.toThrow();
+    });
+  });
+
+  describe('callRemoteMCPTool', () => {
+    it('should inject context params into tool call', async () => {
+      let capturedBody = null;
+
+      server.use(
+        http.post(GATEWAY_MCP_URL, async ({ request }) => {
+          capturedBody = await request.json();
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: {
+              content: [{ type: 'text', text: 'Success' }],
+            },
+          });
+        })
+      );
+
+      const { callRemoteMCPTool } = await import('../../lib/mcp-proxy.js');
+
+      const authHeaders = {
+        Authorization: 'Bearer test_token',
+      };
+
+      const authContext = {
+        decoded: { sub: 'user_123' },
+        selectedOrg: { id: 'org_456' },
+      };
+
+      const projectContext = {
+        project_id: 'proj_789',
+        org_id: 'org_456',
+      };
+
+      await callRemoteMCPTool(
+        'create_note',
+        { content: 'Test note' },
+        authHeaders,
+        authContext,
+        projectContext
+      );
+
+      // Verify context was injected
+      expect(capturedBody.params.arguments.pathParams.user).toBe('user_123');
+      expect(capturedBody.params.arguments.pathParams.org).toBe('org_456');
+      expect(capturedBody.params.arguments.pathParams.proj).toBe('proj_789');
+      expect(capturedBody.params.arguments.headers['X-User-Id']).toBe('user_123');
+      expect(capturedBody.params.arguments.headers['X-Org-Id']).toBe('org_456');
+    });
+
+    it('should fallback to user_id for org when no selectedOrg', async () => {
+      let capturedBody = null;
+
+      server.use(
+        http.post(GATEWAY_MCP_URL, async ({ request }) => {
+          capturedBody = await request.json();
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: { content: [] },
+          });
+        })
+      );
+
+      const { callRemoteMCPTool } = await import('../../lib/mcp-proxy.js');
+
+      const authContext = {
+        decoded: { sub: 'user_123' },
+        // No selectedOrg
+      };
+
+      await callRemoteMCPTool(
+        'create_note',
+        {},
+        { Authorization: 'Bearer test' },
+        authContext,
+        null
+      );
+
+      // Org should fallback to user_id
+      expect(capturedBody.params.arguments.pathParams.org).toBe('user_123');
+      expect(capturedBody.params.arguments.headers['X-Org-Id']).toBe('user_123');
+    });
+
+    it('should return tool execution result', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: {
+              content: [
+                { type: 'text', text: 'Note created successfully' },
+                { type: 'text', text: 'Note ID: note_123' },
+              ],
+            },
+          });
+        })
+      );
+
+      const { callRemoteMCPTool } = await import('../../lib/mcp-proxy.js');
+
+      const result = await callRemoteMCPTool(
+        'create_note',
+        { content: 'Test' },
+        { Authorization: 'Bearer test' },
+        { decoded: { sub: 'user_123' } },
+        null
+      );
+
+      expect(result.content).toHaveLength(2);
+      expect(result.content[0].text).toBe('Note created successfully');
+    });
+
+    it('should throw error on tool execution failure', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            error: { code: -32000, message: 'Note creation failed: duplicate content' },
+          });
+        })
+      );
+
+      const { callRemoteMCPTool } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        callRemoteMCPTool(
+          'create_note',
+          { content: 'Duplicate' },
+          { Authorization: 'Bearer test' },
+          { decoded: { sub: 'user_123' } },
+          null
+        )
+      ).rejects.toThrow('Tool execution failed');
+    });
+
+    it('should throw 401 error message for unauthorized', async () => {
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json(
+            { error: 'Token expired' },
+            { status: 401 }
+          );
+        })
+      );
+
+      const { callRemoteMCPTool } = await import('../../lib/mcp-proxy.js');
+
+      await expect(
+        callRemoteMCPTool(
+          'create_note',
+          {},
+          { Authorization: 'Bearer expired' },
+          { decoded: { sub: 'user_123' } },
+          null
+        )
+      ).rejects.toThrow('um login');
+    });
+  });
+
+  describe('schema transformation edge cases', () => {
+    it('should handle tool with pathParams but empty after context removal', async () => {
+      const toolWithOnlyContextParams = {
+        name: 'context_only_tool',
+        description: 'Tool with only context params',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            pathParams: {
+              type: 'object',
+              properties: {
+                org: { type: 'string' },
+                proj: { type: 'string' },
+              },
+              required: ['org', 'proj'],
+            },
+          },
+          required: ['pathParams'],
+        },
+      };
+
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: { tools: [toolWithOnlyContextParams] },
+          });
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      const result = await fetchRemoteMCPTools({
+        Authorization: 'Bearer test',
+      });
+
+      const transformed = result.tools[0];
+
+      // pathParams should be removed entirely since it's empty after context removal
+      expect(transformed.inputSchema.properties.pathParams).toBeUndefined();
+
+      // pathParams should also be removed from required array (or required should be undefined/empty)
+      if (transformed.inputSchema.required) {
+        expect(transformed.inputSchema.required).not.toContain('pathParams');
+      }
+    });
+
+    it('should preserve non-context pathParams properties', async () => {
+      const toolWithMixedParams = {
+        name: 'mixed_params_tool',
+        description: 'Tool with mixed params',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            pathParams: {
+              type: 'object',
+              properties: {
+                org: { type: 'string' },
+                noteId: { type: 'string', description: 'Note ID' },
+                version: { type: 'number', description: 'Version number' },
+              },
+              required: ['org', 'noteId'],
+            },
+          },
+          required: ['pathParams'],
+        },
+      };
+
+      server.use(
+        http.post(GATEWAY_MCP_URL, () => {
+          return HttpResponse.json({
+            jsonrpc: '2.0',
+            id: 1,
+            result: { tools: [toolWithMixedParams] },
+          });
+        })
+      );
+
+      const { fetchRemoteMCPTools } = await import('../../lib/mcp-proxy.js');
+
+      const result = await fetchRemoteMCPTools({
+        Authorization: 'Bearer test',
+      });
+
+      const transformed = result.tools[0];
+
+      // noteId and version should be preserved
+      expect(transformed.inputSchema.properties.pathParams.properties.noteId).toBeDefined();
+      expect(transformed.inputSchema.properties.pathParams.properties.version).toBeDefined();
+
+      // org should be removed
+      expect(transformed.inputSchema.properties.pathParams.properties.org).toBeUndefined();
+
+      // required should only have noteId (org removed)
+      expect(transformed.inputSchema.properties.pathParams.required).toContain('noteId');
+      expect(transformed.inputSchema.properties.pathParams.required).not.toContain('org');
+    });
+  });
+});