@webstir-io/webstir-backend 0.1.15 → 0.1.16

package/tests/authAdapter.test.js

@@ -0,0 +1,315 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import crypto from 'node:crypto';
+import fs from 'node:fs/promises';
+import http from 'node:http';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+import { build as esbuild } from 'esbuild';
+
+const packageRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const adapterTemplate = path.join(packageRoot, 'templates', 'backend', 'auth', 'adapter.ts');
+
+async function importAuthAdapter() {
+  const workspace = await fs.mkdtemp(path.join(os.tmpdir(), 'webstir-auth-adapter-'));
+  const outfile = path.join(workspace, 'adapter.mjs');
+  await esbuild({
+    entryPoints: [adapterTemplate],
+    outfile,
+    bundle: true,
+    format: 'esm',
+    platform: 'node',
+    target: 'node20',
+    logLevel: 'silent',
+  });
+  return await import(`${pathToFileURL(outfile).href}?t=${Date.now()}-${Math.random()}`);
+}
+
+function defaultSecrets(overrides = {}) {
+  return {
+    jwtSecret: 'jwt-secret',
+    jwtPublicKey: undefined,
+    jwksUrl: undefined,
+    jwtIssuer: 'https://issuer.example.com/',
+    jwtAudience: 'webstir-tests',
+    serviceTokens: [],
+    ...overrides,
+  };
+}
+
+function makeRequest(headers) {
+  return new Request('http://webstir.test/auth', { headers });
+}
+
+async function resolveBearer(resolveRequestAuth, token, secrets, logger) {
+  return await resolveRequestAuth(
+    makeRequest({ authorization: `Bearer ${token}` }),
+    secrets,
+    logger,
+  );
+}
+
+function signJwtToken(payload, key, options = {}) {
+  const encodedHeader = encodeJwtSegment({
+    alg: options.alg ?? 'HS256',
+    typ: 'JWT',
+    ...(options.kid ? { kid: options.kid } : {}),
+  });
+  const encodedPayload = encodeJwtSegment(payload);
+  return signJwtSegments(encodedHeader, encodedPayload, key, options);
+}
+
+function signJwtSegments(encodedHeader, encodedPayload, key, options = {}) {
+  const alg = options.alg ?? 'HS256';
+  const signedContent = `${encodedHeader}.${encodedPayload}`;
+  const signature =
+    alg === 'HS256'
+      ? crypto.createHmac('sha256', key).update(signedContent).digest('base64url')
+      : crypto.sign('RSA-SHA256', Buffer.from(signedContent), key).toString('base64url');
+  return `${signedContent}.${signature}`;
+}
+
+function encodeJwtSegment(value) {
+  return Buffer.from(JSON.stringify(value)).toString('base64url');
+}
+
+function validPayload(overrides = {}) {
+  const now = Math.floor(Date.now() / 1000);
+  return {
+    sub: 'user-123',
+    iss: 'https://issuer.example.com/',
+    aud: 'webstir-tests',
+    nbf: now - 60,
+    exp: now + 60,
+    ...overrides,
+  };
+}
+
+function publicJwk(keyPair, kid) {
+  return {
+    ...keyPair.publicKey.export({ format: 'jwk' }),
+    kid,
+    alg: 'RS256',
+    use: 'sig',
+  };
+}
+
+async function startJwksServer(handler) {
+  const server = http.createServer((req, res) => {
+    if ((req.url ?? '/') !== '/.well-known/jwks.json') {
+      res.statusCode = 404;
+      res.end('not found');
+      return;
+    }
+    handler(req, res);
+  });
+
+  await new Promise((resolve, reject) => {
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => resolve());
+  });
+
+  const address = server.address();
+  if (!address || typeof address === 'string') {
+    throw new Error('Failed to read JWKS test server address.');
+  }
+
+  return {
+    url: `http://127.0.0.1:${address.port}/.well-known/jwks.json`,
+    async stop() {
+      await new Promise((resolve, reject) => {
+        server.close((error) => (error ? reject(error) : resolve()));
+      });
+    },
+  };
+}
+
+test('auth adapter fails closed for invalid jwt algorithms, claims, and signatures', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const secret = 'jwt-secret';
+  const secrets = defaultSecrets({ jwtSecret: secret });
+  const unsupportedAlgToken = signJwtSegments(
+    encodeJwtSegment({ alg: 'HS512', typ: 'JWT' }),
+    encodeJwtSegment(validPayload()),
+    secret,
+  );
+
+  const cases = [
+    unsupportedAlgToken,
+    signJwtToken(validPayload({ iss: 'https://wrong.example.com/' }), secret),
+    signJwtToken(validPayload({ aud: 'wrong-audience' }), secret),
+    signJwtToken(validPayload({ aud: ['other-audience'] }), secret),
+    signJwtToken(validPayload({ exp: 'not-a-number' }), secret),
+    signJwtToken(validPayload({ nbf: 'not-a-number' }), secret),
+    signJwtToken(validPayload({ iat: 'not-a-number' }), secret),
+    signJwtToken(validPayload(), 'wrong-secret'),
+    `${encodeJwtSegment({ alg: 'HS256', typ: 'JWT' })}.${encodeJwtSegment(validPayload())}.`,
+  ];
+
+  for (const token of cases) {
+    assert.equal(await resolveBearer(resolveRequestAuth, token, secrets), undefined);
+  }
+});
+
+test('auth adapter rejects malformed compact jwt segments before verification', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const secret = 'jwt-secret';
+  const secrets = defaultSecrets({ jwtSecret: secret });
+
+  const malformedHeader = `${encodeJwtSegment({ alg: 'HS256', typ: 'JWT' })}@`;
+  const validPayloadSegment = encodeJwtSegment(validPayload());
+  const signedMalformedHeaderToken = signJwtSegments(malformedHeader, validPayloadSegment, secret);
+  const malformedJsonPayload = signJwtSegments(
+    encodeJwtSegment({ alg: 'HS256', typ: 'JWT' }),
+    Buffer.from('not-json').toString('base64url'),
+    secret,
+  );
+
+  assert.equal(
+    await resolveBearer(resolveRequestAuth, signedMalformedHeaderToken, secrets),
+    undefined,
+  );
+  assert.equal(await resolveBearer(resolveRequestAuth, malformedJsonPayload, secrets), undefined);
+  assert.equal(await resolveBearer(resolveRequestAuth, 'not-a-jwt', secrets), undefined);
+});
+
+test('auth adapter refreshes jwks on unknown kid without accepting wrong keys', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const firstKeyPair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
+  const refreshedKeyPair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
+  let requests = 0;
+
+  const jwks = await startJwksServer((_req, res) => {
+    requests += 1;
+    res.setHeader('content-type', 'application/json');
+    res.setHeader('cache-control', 'public, max-age=60');
+    const keys =
+      requests === 1
+        ? [publicJwk(firstKeyPair, 'initial-key')]
+        : [publicJwk(firstKeyPair, 'initial-key'), publicJwk(refreshedKeyPair, 'refreshed-key')];
+    res.end(JSON.stringify({ keys }));
+  });
+
+  try {
+    const secrets = defaultSecrets({
+      jwtSecret: undefined,
+      jwksUrl: jwks.url,
+    });
+    const refreshedToken = signJwtToken(
+      validPayload({ sub: 'refreshed-user' }),
+      refreshedKeyPair.privateKey,
+      { alg: 'RS256', kid: 'refreshed-key' },
+    );
+    const context = await resolveBearer(resolveRequestAuth, refreshedToken, secrets);
+
+    assert.equal(context?.source, 'jwt');
+    assert.equal(context?.userId, 'refreshed-user');
+    assert.equal(requests, 2);
+
+    const wrongKeyPair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
+    const wrongKidToken = signJwtToken(validPayload(), wrongKeyPair.privateKey, {
+      alg: 'RS256',
+      kid: 'missing-key',
+    });
+
+    assert.equal(await resolveBearer(resolveRequestAuth, wrongKidToken, secrets), undefined);
+    assert.equal(requests, 3);
+  } finally {
+    await jwks.stop();
+  }
+});
+
+test('auth adapter fails closed when jwks fetch fails', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const keyPair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
+  const jwks = await startJwksServer((_req, res) => {
+    res.statusCode = 500;
+    res.end('not available');
+  });
+
+  try {
+    const token = signJwtToken(validPayload(), keyPair.privateKey, {
+      alg: 'RS256',
+      kid: 'unavailable-key',
+    });
+    const context = await resolveBearer(
+      resolveRequestAuth,
+      token,
+      defaultSecrets({ jwtSecret: undefined, jwksUrl: jwks.url }),
+    );
+    assert.equal(context, undefined);
+  } finally {
+    await jwks.stop();
+  }
+});
+
+test('auth adapter fails closed when jwks fetch times out', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const keyPair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
+  const originalFetch = globalThis.fetch;
+  const originalSetTimeout = globalThis.setTimeout;
+
+  globalThis.fetch = async (_url, options = {}) => {
+    return await new Promise((_resolve, reject) => {
+      options.signal?.addEventListener(
+        'abort',
+        () => {
+          const error = new Error('aborted');
+          error.name = 'AbortError';
+          reject(error);
+        },
+        { once: true },
+      );
+    });
+  };
+  globalThis.setTimeout = (callback, delay, ...args) =>
+    originalSetTimeout(callback, delay === 5_000 ? 1 : delay, ...args);
+
+  try {
+    const token = signJwtToken(validPayload(), keyPair.privateKey, {
+      alg: 'RS256',
+      kid: 'timeout-key',
+    });
+    const context = await resolveBearer(
+      resolveRequestAuth,
+      token,
+      defaultSecrets({ jwtSecret: undefined, jwksUrl: 'http://jwks.test/keys' }),
+    );
+    assert.equal(context, undefined);
+  } finally {
+    globalThis.fetch = originalFetch;
+    globalThis.setTimeout = originalSetTimeout;
+  }
+});
+
+test('auth adapter keeps service token precedence explicit and redacts diagnostics', async () => {
+  const { resolveRequestAuth } = await importAuthAdapter();
+  const messages = [];
+  const token = signJwtToken(validPayload(), 'wrong-secret');
+  const request = makeRequest({
+    authorization: `Bearer ${token}`,
+    'x-service-token': 'service-secret',
+  });
+  const logger = {
+    warn(message, metadata) {
+      messages.push({ message, metadata });
+    },
+  };
+
+  const context = await resolveRequestAuth(
+    request,
+    defaultSecrets({ jwtSecret: 'jwt-secret', serviceTokens: ['service-secret'] }),
+    logger,
+  );
+
+  assert.equal(context?.source, 'service-token');
+  assert.equal(context?.token, 'service-secret');
+  assert.deepEqual(messages, [
+    {
+      message: 'Bearer token validation failed',
+      metadata: { reason: 'invalid_token' },
+    },
+  ]);
+  assert.doesNotMatch(JSON.stringify(messages), /service-secret|wrong-secret|eyJ/);
+});

package/tests/bundlerParity.test.js

@@ -0,0 +1,217 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import { spawn } from 'node:child_process';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+import { backendProvider } from '../dist/index.js';
+
+async function createTempWorkspace(prefix = 'webstir-backend-bundler-parity-') {
+  return await fs.mkdtemp(path.join(os.tmpdir(), prefix));
+}
+
+async function ensureDir(dir) {
+  await fs.mkdir(dir, { recursive: true });
+}
+
+async function copyFile(src, dest) {
+  await ensureDir(path.dirname(dest));
+  await fs.copyFile(src, dest);
+}
+
+function getPackageRoot() {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  return path.resolve(here, '..');
+}
+
+async function hydrateBackendScaffold(workspace) {
+  const assets = await backendProvider.getScaffoldAssets();
+
+  for (const asset of assets) {
+    const normalized = asset.targetPath.replace(/\\/g, '/');
+    if (!normalized.includes('src/backend/')) {
+      continue;
+    }
+
+    const target = path.join(workspace, asset.targetPath);
+    await copyFile(asset.sourcePath, target);
+  }
+}
+
+async function listRelativeFiles(root) {
+  const collected = [];
+
+  async function walk(current, prefix = '') {
+    let entries = [];
+    try {
+      entries = await fs.readdir(current, { withFileTypes: true });
+    } catch (error) {
+      if (error && typeof error === 'object' && 'code' in error && error.code === 'ENOENT') {
+        return;
+      }
+      throw error;
+    }
+
+    entries.sort((a, b) => a.name.localeCompare(b.name));
+    for (const entry of entries) {
+      const relativePath = prefix ? path.posix.join(prefix, entry.name) : entry.name;
+      const absolutePath = path.join(current, entry.name);
+      if (entry.isDirectory()) {
+        await walk(absolutePath, relativePath);
+        continue;
+      }
+      collected.push(relativePath);
+    }
+  }
+
+  await walk(root);
+  return collected;
+}
+
+async function readCachedOutputPaths(workspace) {
+  const cachePath = path.join(workspace, '.webstir', 'backend-outputs.json');
+  try {
+    const raw = await fs.readFile(cachePath, 'utf8');
+    const parsed = JSON.parse(raw);
+    return Object.keys(parsed).sort();
+  } catch (error) {
+    if (error && typeof error === 'object' && 'code' in error && error.code === 'ENOENT') {
+      return [];
+    }
+    throw error;
+  }
+}
+
+function selectPrimaryArtifactPaths(paths) {
+  return paths.filter((relativePath) => {
+    return (
+      /(^|\/)index\.js(\.map)?$/.test(relativePath) ||
+      relativePath === 'module.js' ||
+      relativePath === 'module.js.map' ||
+      relativePath === 'env.js' ||
+      relativePath === 'env.js.map'
+    );
+  });
+}
+
+async function snapshotWorkspaceBuild(workspace, entryPoints) {
+  const buildRoot = path.join(workspace, 'build', 'backend');
+  const artifactPaths = await listRelativeFiles(buildRoot);
+
+  return {
+    entryPoints: [...entryPoints].sort(),
+    artifactPaths,
+    primaryArtifactPaths: selectPrimaryArtifactPaths(artifactPaths).sort(),
+    cachedOutputPaths: await readCachedOutputPaths(workspace),
+  };
+}
+
+async function buildWithNodeProvider(workspace, env) {
+  const result = await backendProvider.build({
+    workspaceRoot: workspace,
+    env,
+    incremental: false,
+  });
+  return await snapshotWorkspaceBuild(workspace, result.manifest.entryPoints);
+}
+
+async function buildWithBunProvider(workspace, env) {
+  const packageRoot = getPackageRoot();
+  const moduleUrl = pathToFileURL(path.join(packageRoot, 'dist', 'index.js')).href;
+  const script = `
+const workspace = process.argv[1];
+const env = JSON.parse(process.argv[2]);
+const { backendProvider } = await import(${JSON.stringify(moduleUrl)});
+const result = await backendProvider.build({ workspaceRoot: workspace, env, incremental: false });
+const errors = result.manifest.diagnostics.filter((entry) => entry.severity === 'error');
+if (errors.length > 0) {
+  console.error('__ERROR__' + JSON.stringify(errors));
+  process.exit(1);
+}
+console.log('__RESULT__' + JSON.stringify({ entryPoints: result.manifest.entryPoints }));
+`;
+
+  const child = spawn('bun', ['--eval', script, workspace, JSON.stringify(env)], {
+    cwd: packageRoot,
+    stdio: ['ignore', 'pipe', 'pipe'],
+    env: process.env,
+  });
+
+  let stdout = '';
+  let stderr = '';
+  child.stdout.setEncoding('utf8');
+  child.stderr.setEncoding('utf8');
+  child.stdout.on('data', (chunk) => {
+    stdout += chunk;
+  });
+  child.stderr.on('data', (chunk) => {
+    stderr += chunk;
+  });
+
+  const exitCode = await new Promise((resolve, reject) => {
+    child.once('error', reject);
+    child.once('close', resolve);
+  });
+
+  const resultLine = stdout
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter((line) => line.startsWith('__RESULT__'))
+    .at(-1);
+
+  if (exitCode !== 0 || !resultLine) {
+    throw new Error(
+      `bun build parity harness failed (exit=${exitCode ?? 'null'})\nstdout:\n${stdout}\nstderr:\n${stderr}`,
+    );
+  }
+
+  const payload = JSON.parse(resultLine.slice('__RESULT__'.length));
+  return await snapshotWorkspaceBuild(workspace, payload.entryPoints ?? []);
+}
+
+async function compareBundlerSnapshots(mode, extraEnv = {}) {
+  const esbuildWorkspace = await createTempWorkspace(`${mode}-esbuild-`);
+  const bunWorkspace = await createTempWorkspace(`${mode}-bun-`);
+  await hydrateBackendScaffold(esbuildWorkspace);
+  await hydrateBackendScaffold(bunWorkspace);
+
+  const baseEnv = {
+    WEBSTIR_MODULE_MODE: mode,
+    WEBSTIR_BACKEND_TYPECHECK: 'skip',
+    ...extraEnv,
+  };
+
+  const esbuildSnapshot = await buildWithNodeProvider(esbuildWorkspace, baseEnv);
+  const bunSnapshot = await buildWithBunProvider(bunWorkspace, {
+    ...baseEnv,
+    WEBSTIR_BACKEND_BUNDLER: 'bun',
+  });
+
+  assert.deepEqual(
+    bunSnapshot.entryPoints,
+    esbuildSnapshot.entryPoints,
+    `${mode}: entry points should stay aligned`,
+  );
+  assert.deepEqual(
+    bunSnapshot.cachedOutputPaths,
+    esbuildSnapshot.cachedOutputPaths,
+    `${mode}: cached output accounting should stay aligned`,
+  );
+  assert.deepEqual(
+    bunSnapshot.primaryArtifactPaths,
+    esbuildSnapshot.primaryArtifactPaths,
+    `${mode}: primary emitted artifacts should stay aligned`,
+  );
+}
+
+test('build mode Bun bundler preserves artifact accounting parity', async () => {
+  await compareBundlerSnapshots('build');
+});
+
+test('publish mode Bun bundler preserves artifact accounting parity with sourcemaps enabled', async () => {
+  await compareBundlerSnapshots('publish', {
+    WEBSTIR_BACKEND_SOURCEMAPS: 'on',
+  });
+});

package/tests/cacheReporter.test.js

@@ -22,7 +22,7 @@ function makeManifest(overrides = {}) {
     jobs: [],
     events: [],
     services: [],
-    ...overrides
+    ...overrides,
   };
 }
 
@@ -33,13 +33,13 @@ test('cache reporter emits diagnostics for output and manifest diffs', async ()
     workspaceRoot,
     buildRoot: path.join(workspaceRoot, 'build', 'backend'),
     env: {},
-    diagnostics
+    diagnostics,
   });
 
   await reporter.diffOutputs({ 'index.js': 128 }, 'build');
   assert.ok(
     diagnostics.some((d) => d.message.includes('changed 1 file')),
-    'expected first diff to report changed files'
+    'expected first diff to report changed files',
   );
 
   diagnostics.length = 0;
@@ -47,7 +47,7 @@ test('cache reporter emits diagnostics for output and manifest diffs', async ()
   await reporter.diffOutputs({ 'index.js': 256 }, 'build');
   assert.ok(
     diagnostics.some((d) => d.message.includes('changed 1 file')),
-    'expected subsequent diffs to report changed files'
+    'expected subsequent diffs to report changed files',
   );
 
   diagnostics.length = 0;
@@ -57,12 +57,12 @@ test('cache reporter emits diagnostics for output and manifest diffs', async ()
 
   await reporter.diffManifest(
     makeManifest({
-      routes: [{ method: 'GET', path: '/accounts' }]
-    })
+      routes: [{ method: 'GET', path: '/accounts' }],
+    }),
   );
   assert.ok(
     diagnostics.some((d) => d.message.includes('manifest changed')),
-    'expected manifest changes to produce diagnostics'
+    'expected manifest changes to produce diagnostics',
   );
 });
 
@@ -73,7 +73,7 @@ test('cache reporter can silence diagnostics via env', async () => {
     workspaceRoot,
     buildRoot: path.join(workspaceRoot, 'build', 'backend'),
     env: { WEBSTIR_BACKEND_CACHE_LOG: 'off' },
-    diagnostics
+    diagnostics,
   });
 
   await reporter.diffOutputs({ 'index.js': 128 }, 'build');
@@ -81,8 +81,8 @@ test('cache reporter can silence diagnostics via env', async () => {
   await reporter.diffManifest(makeManifest());
   await reporter.diffManifest(
     makeManifest({
-      routes: [{ method: 'POST', path: '/silent' }]
-    })
+      routes: [{ method: 'POST', path: '/silent' }],
+    }),
   );
 
   assert.equal(diagnostics.length, 0, 'expected diagnostics to stay empty when logging disabled');