@xtr-dev/rondevu-server 0.5.0 → 0.5.6

package/tests/integration/api.test.ts

@@ -0,0 +1,395 @@
+/**
+ * Integration tests for api.ronde.vu
+ *
+ * Run with: npm test
+ *
+ * Note: Uses shared credentials to avoid rate limits (10 per hour)
+ */
+
+import { describe, it, before } from 'node:test'
+import assert from 'node:assert'
+import { createTestContext, generateCredentials, rpc, sleep, API_URL, Credential } from './setup.js'
+
+describe('Integration Tests - api.ronde.vu', () => {
+    console.log(`Testing against: ${API_URL}`)
+
+    // Shared credentials - created once, reused across tests
+    let userA: Awaited<ReturnType<typeof createTestContext>>
+    let userB: Awaited<ReturnType<typeof createTestContext>>
+    let userC: Awaited<ReturnType<typeof createTestContext>>
+
+    before(async () => {
+        // Create 3 shared user contexts for all tests
+        userA = await createTestContext()
+        userB = await createTestContext()
+        userC = await createTestContext()
+    })
+
+    describe('1. Authentication', () => {
+        it('should generate valid credentials', async () => {
+            // Use already-generated credentials from userA
+            assert.ok(userA.credential.name, 'Should have a name')
+            assert.ok(userA.credential.secret, 'Should have a secret')
+            assert.strictEqual(typeof userA.credential.name, 'string')
+            assert.strictEqual(typeof userA.credential.secret, 'string')
+            assert.strictEqual(userA.credential.secret.length, 64, 'Secret should be 32 bytes (64 hex chars)')
+        })
+
+        it('should reject requests without authentication for protected methods', async () => {
+            await assert.rejects(
+                async () => {
+                    await rpc('publishOffer', {
+                        tags: ['test'],
+                        offers: [{ sdp: 'test-sdp' }],
+                        ttl: 60000
+                    })
+                },
+                /AUTH_REQUIRED|authentication|unauthorized/i,
+                'Should reject unauthenticated publish request'
+            )
+        })
+
+        it('should reject invalid signatures', async () => {
+            // Create a credential with wrong secret (reuse userA's name)
+            const badCredential: Credential = {
+                name: userA.credential.name,
+                secret: '0'.repeat(64) // Invalid secret
+            }
+
+            await assert.rejects(
+                async () => {
+                    await rpc('publishOffer', {
+                        tags: ['test'],
+                        offers: [{ sdp: 'test-sdp' }],
+                        ttl: 60000
+                    }, badCredential)
+                },
+                /INVALID_CREDENTIALS|signature|invalid/i,
+                'Should reject invalid signature'
+            )
+        })
+    })
+
+    describe('2. Publish Offers', () => {
+        it('should publish offers with tags', async () => {
+            const result = await userA.api.publish({
+                tags: ['chat', 'video'],
+                offers: [
+                    { sdp: 'v=0\r\no=- 123 1 IN IP4 127.0.0.1\r\n' }
+                ],
+                ttl: 60000
+            })
+
+            assert.ok(result.offers, 'Should return offers array')
+            assert.strictEqual(result.offers.length, 1, 'Should have one offer')
+            assert.ok(result.offers[0].offerId, 'Offer should have an ID')
+        })
+
+        it('should publish multiple offers at once', async () => {
+            const result = await userA.api.publish({
+                tags: ['multi-test'],
+                offers: [
+                    { sdp: 'sdp-1' },
+                    { sdp: 'sdp-2' },
+                    { sdp: 'sdp-3' }
+                ],
+                ttl: 60000
+            })
+
+            assert.strictEqual(result.offers.length, 3, 'Should have three offers')
+
+            const offerIds = result.offers.map((o: any) => o.offerId)
+            const uniqueIds = new Set(offerIds)
+            assert.strictEqual(uniqueIds.size, 3, 'All offer IDs should be unique')
+        })
+
+        it('should reject empty tags array', async () => {
+            await assert.rejects(
+                async () => {
+                    await userA.api.publish({
+                        tags: [],
+                        offers: [{ sdp: 'test' }],
+                        ttl: 60000
+                    })
+                },
+                /tag|required|empty/i,
+                'Should reject empty tags'
+            )
+        })
+
+        it('should enforce tag format validation', async () => {
+            await assert.rejects(
+                async () => {
+                    await userA.api.publish({
+                        tags: ['invalid tag with spaces!'],
+                        offers: [{ sdp: 'test' }],
+                        ttl: 60000
+                    })
+                },
+                /tag|invalid|format/i,
+                'Should reject invalid tag format'
+            )
+        })
+    })
+
+    describe('3. Discover by Tags', () => {
+        let publishedOfferId: string
+
+        before(async () => {
+            // userA publishes offers for discovery tests
+            const result = await userA.api.publish({
+                tags: ['discover-test', 'video-discover'],
+                offers: [{ sdp: 'discover-test-sdp' }],
+                ttl: 120000
+            })
+            publishedOfferId = result.offers[0].offerId
+        })
+
+        it('should discover offers matching ANY tag (OR logic)', async () => {
+            // Search for 'video-discover' tag only (unauthenticated, paginated mode)
+            const result = await rpc('discover', { tags: ['video-discover'], limit: 10 }) as any
+
+            assert.ok(result.offers, 'Should return offers')
+            const found = result.offers.find((o: any) => o.offerId === publishedOfferId)
+            assert.ok(found, 'Should find published offer by video tag')
+        })
+
+        it('should discover with multiple tags (OR)', async () => {
+            // Search for either 'discover-test' or 'nonexistent' (paginated mode)
+            const result = await rpc('discover', {
+                tags: ['discover-test', 'nonexistent-tag'],
+                limit: 10
+            }) as any
+
+            assert.ok(result.offers, 'Should return offers')
+            const found = result.offers.find((o: any) => o.offerId === publishedOfferId)
+            assert.ok(found, 'Should find offer matching at least one tag')
+        })
+
+        it('should support pagination', async () => {
+            const result = await rpc('discover', {
+                tags: ['discover-test'],
+                limit: 5,
+                offset: 0
+            }) as any
+
+            assert.ok(result.offers !== undefined, 'Should return offers array')
+            assert.ok(typeof result.count === 'number', 'Should return count')
+            assert.ok(typeof result.limit === 'number', 'Should return limit')
+            assert.ok(typeof result.offset === 'number', 'Should return offset')
+        })
+
+        it('should exclude own offers from discovery', async () => {
+            // userA should not see their own offers (paginated mode)
+            const result = await userA.api.discover({
+                tags: ['discover-test'],
+                limit: 10
+            }) as any
+
+            const foundOwn = result.offers?.find((o: any) => o.offerId === publishedOfferId)
+            assert.ok(!foundOwn, 'Should not find own offers in discovery')
+        })
+    })
+
+    describe('4. Answer Offer', () => {
+        let offerId: string
+
+        before(async () => {
+            // userA publishes offer, userB will answer it
+            const result = await userA.api.publish({
+                tags: ['answer-test'],
+                offers: [{ sdp: 'offer-sdp-for-answer' }],
+                ttl: 120000
+            })
+            offerId = result.offers[0].offerId
+        })
+
+        it('should answer an available offer', async () => {
+            await userB.api.answerOffer(offerId, 'answer-sdp-content')
+            // If no error, answer was successful
+            assert.ok(true, 'Should successfully answer offer')
+        })
+
+        it('should reject answering already-answered offer', async () => {
+            // Try to answer the same offer again with userC
+            await assert.rejects(
+                async () => {
+                    await userC.api.answerOffer(offerId, 'another-answer-sdp')
+                },
+                /OFFER_ALREADY_ANSWERED|already|answered|claimed/i,
+                'Should reject answering already-answered offer'
+            )
+        })
+    })
+
+    describe('5. ICE Candidates', () => {
+        let offerId: string
+
+        before(async () => {
+            // userB publishes offer, userC answers
+            const publishResult = await userB.api.publish({
+                tags: ['ice-test'],
+                offers: [{ sdp: 'ice-test-offer-sdp' }],
+                ttl: 120000
+            })
+            offerId = publishResult.offers[0].offerId
+
+            await userC.api.answerOffer(offerId, 'ice-test-answer-sdp')
+        })
+
+        it('should add ICE candidates as offerer', async () => {
+            const result = await userB.api.addOfferIceCandidates(offerId, [
+                { candidate: 'candidate:1 1 UDP 2130706431 192.168.1.1 54321 typ host' }
+            ])
+
+            assert.ok(result.count >= 0, 'Should return candidate count')
+        })
+
+        it('should add ICE candidates as answerer', async () => {
+            const result = await userC.api.addOfferIceCandidates(offerId, [
+                { candidate: 'candidate:2 1 UDP 2130706431 192.168.1.2 54322 typ host' }
+            ])
+
+            assert.ok(result.count >= 0, 'Should return candidate count')
+        })
+
+        it('should retrieve ICE candidates filtered by role', async () => {
+            await sleep(100) // Small delay to ensure candidates are stored
+
+            // Offerer should receive answerer's candidates
+            const offererResult = await userB.api.getOfferIceCandidates(offerId, 0)
+
+            assert.ok(Array.isArray(offererResult.candidates), 'Should return candidates array')
+
+            // Answerer should receive offerer's candidates
+            const answererResult = await userC.api.getOfferIceCandidates(offerId, 0)
+
+            assert.ok(Array.isArray(answererResult.candidates), 'Should return candidates array')
+        })
+    })
+
+    describe('6. Polling', () => {
+        let offerId: string
+
+        before(async () => {
+            // userC publishes offer
+            const result = await userC.api.publish({
+                tags: ['poll-test'],
+                offers: [{ sdp: 'poll-test-offer' }],
+                ttl: 120000
+            })
+            offerId = result.offers[0].offerId
+        })
+
+        it('should poll for new answers', async () => {
+            // First poll - should be empty (or have previous answers)
+            const before = await userC.api.poll(0)
+            const initialAnswerCount = before.answers.length
+
+            // userA answers the offer
+            await userA.api.answerOffer(offerId, 'poll-test-answer')
+
+            await sleep(100)
+
+            // Second poll - should have the answer
+            const after = await userC.api.poll(0)
+            assert.ok(after.answers.length > initialAnswerCount, 'Should have new answer after polling')
+
+            const found = after.answers.find((a: any) => a.offerId === offerId)
+            assert.ok(found, 'Should find our answer')
+            assert.strictEqual(found.sdp, 'poll-test-answer', 'Should have correct SDP')
+        })
+
+        it('should support since parameter', async () => {
+            const timestamp = Date.now()
+
+            // Poll with recent timestamp - should get no old answers
+            const result = await userC.api.poll(timestamp)
+
+            // All returned answers should be after the timestamp
+            for (const answer of result.answers) {
+                assert.ok(answer.answeredAt >= timestamp - 1000, 'Answers should be after since timestamp')
+            }
+        })
+    })
+
+    describe('7. Ownership', () => {
+        let offerId: string
+
+        before(async () => {
+            // userA publishes offer for ownership tests
+            const result = await userA.api.publish({
+                tags: ['ownership-test'],
+                offers: [{ sdp: 'ownership-test-sdp' }],
+                ttl: 120000
+            })
+            offerId = result.offers[0].offerId
+        })
+
+        it('should allow owner to delete offer', async () => {
+            await userA.api.deleteOffer(offerId)
+            assert.ok(true, 'Should successfully delete own offer')
+        })
+
+        it('should reject delete from non-owner', async () => {
+            // First publish a new offer as userA
+            const newOffer = await userA.api.publish({
+                tags: ['ownership-test-2'],
+                offers: [{ sdp: 'another-sdp' }],
+                ttl: 120000
+            })
+            const newOfferId = newOffer.offers[0].offerId
+
+            // Try to delete as userB (non-owner)
+            await assert.rejects(
+                async () => {
+                    await userB.api.deleteOffer(newOfferId)
+                },
+                /OWNERSHIP_MISMATCH|NOT_AUTHORIZED|forbidden|owner/i,
+                'Should reject delete from non-owner'
+            )
+        })
+    })
+
+    describe('8. TTL/Expiry', () => {
+        it('should enforce minimum TTL', async () => {
+            // Server enforces minimum TTL of 60 seconds
+            // Publish with short TTL - server should apply minimum
+            const result = await userA.api.publish({
+                tags: ['ttl-test-min'],
+                offers: [{ sdp: 'ttl-test-sdp' }],
+                ttl: 1000 // Request 1 second, but server enforces 60s minimum
+            })
+            const offerId = result.offers[0].offerId
+
+            // Offer should have expiresAt at least 60 seconds in the future
+            const offer = result.offers[0]
+            const now = Date.now()
+            const minExpiry = now + 55000 // Allow 5s buffer for timing
+
+            assert.ok(offer.expiresAt >= minExpiry, 'Server should enforce minimum TTL of ~60 seconds')
+
+            // Should be discoverable
+            const discoveryResult = await rpc('discover', { tags: ['ttl-test-min'], limit: 10 }) as any
+            const found = discoveryResult.offers?.find((o: any) => o.offerId === offerId)
+            assert.ok(found, 'Should find offer with minimum TTL applied')
+        })
+
+        it('should respect TTL when publishing', async () => {
+            // Publish with valid TTL (2 minutes)
+            const ttl = 120000
+            const result = await userA.api.publish({
+                tags: ['ttl-test-valid'],
+                offers: [{ sdp: 'ttl-valid-sdp' }],
+                ttl
+            })
+
+            const offer = result.offers[0]
+            const now = Date.now()
+
+            // expiresAt should be approximately now + ttl
+            assert.ok(offer.expiresAt >= now + ttl - 5000, 'Should expire at approximately now + TTL')
+            assert.ok(offer.expiresAt <= now + ttl + 5000, 'Should expire at approximately now + TTL')
+        })
+    })
+})

package/tests/integration/setup.ts

@@ -0,0 +1,170 @@
+/**
+ * Integration test setup and helpers for api.ronde.vu
+ * Implements HMAC-SHA256 authentication directly (not dependent on client library)
+ */
+
+import { Buffer } from 'node:buffer'
+import * as crypto from 'node:crypto'
+
+const API_URL = process.env.API_URL || 'https://api.ronde.vu'
+
+export interface Credential {
+    name: string
+    secret: string
+}
+
+/**
+ * Convert hex string to bytes
+ */
+function hexToBytes(hex: string): Uint8Array {
+    const match = hex.match(/.{1,2}/g)
+    if (!match) throw new Error('Invalid hex string')
+    return new Uint8Array(match.map(byte => parseInt(byte, 16)))
+}
+
+/**
+ * Generate HMAC-SHA256 signature
+ */
+async function generateSignature(secret: string, message: string): Promise<string> {
+    const secretBytes = hexToBytes(secret)
+    const key = await globalThis.crypto.subtle.importKey(
+        'raw',
+        secretBytes,
+        { name: 'HMAC', hash: 'SHA-256' },
+        false,
+        ['sign']
+    )
+    const encoder = new TextEncoder()
+    const messageBytes = encoder.encode(message)
+    const signatureBytes = await globalThis.crypto.subtle.sign('HMAC', key, messageBytes)
+    return Buffer.from(signatureBytes).toString('base64')
+}
+
+/**
+ * Build auth headers for authenticated RPC calls
+ */
+async function buildAuthHeaders(
+    credential: Credential,
+    method: string,
+    params: any
+): Promise<Record<string, string>> {
+    const timestamp = Date.now()
+    const nonce = crypto.randomUUID()
+    const paramsStr = params ? JSON.stringify(params) : '{}'
+    const message = `${timestamp}:${nonce}:${method}:${paramsStr}`
+    const signature = await generateSignature(credential.secret, message)
+
+    return {
+        'X-Name': credential.name,
+        'X-Timestamp': timestamp.toString(),
+        'X-Nonce': nonce,
+        'X-Signature': signature
+    }
+}
+
+/**
+ * Make an RPC call to the API (authenticated or unauthenticated)
+ */
+export async function rpc<T = any>(
+    method: string,
+    params: any,
+    credential?: Credential
+): Promise<T> {
+    const headers: Record<string, string> = {
+        'Content-Type': 'application/json'
+    }
+
+    // Add auth headers if credential provided
+    if (credential) {
+        const authHeaders = await buildAuthHeaders(credential, method, params)
+        Object.assign(headers, authHeaders)
+    }
+
+    const body = JSON.stringify([{ method, params }])
+
+    const response = await fetch(`${API_URL}/rpc`, {
+        method: 'POST',
+        headers,
+        body
+    })
+
+    const results = await response.json() as Array<{ success: boolean; result?: T; error?: string; errorCode?: string }>
+
+    if (!Array.isArray(results) || results.length === 0) {
+        throw new Error('Invalid response from API')
+    }
+
+    const res = results[0]
+
+    if (!res.success || res.error) {
+        throw new Error(`RPC Error: ${res.error || 'Unknown error'} (${res.errorCode || 'UNKNOWN'})`)
+    }
+
+    return res.result as T
+}
+
+/**
+ * Generate new credentials from the API
+ */
+export async function generateCredentials(): Promise<Credential> {
+    const result = await rpc<{ name: string; secret: string }>('generateCredentials', {})
+    return result
+}
+
+/**
+ * Simple authenticated API wrapper for tests
+ */
+class TestAPI {
+    constructor(private credential: Credential) {}
+
+    async publish(params: { tags: string[], offers: { sdp: string }[], ttl: number }) {
+        return rpc('publishOffer', params, this.credential)
+    }
+
+    async discover(params: { tags: string[], limit?: number, offset?: number }) {
+        return rpc('discover', params, this.credential)
+    }
+
+    async answerOffer(offerId: string, sdp: string) {
+        return rpc('answerOffer', { offerId, sdp }, this.credential)
+    }
+
+    async addOfferIceCandidates(offerId: string, candidates: any[]) {
+        return rpc('addIceCandidates', { offerId, candidates }, this.credential)
+    }
+
+    async getOfferIceCandidates(offerId: string, since: number) {
+        return rpc('getIceCandidates', { offerId, since }, this.credential)
+    }
+
+    async poll(since: number) {
+        return rpc('poll', { since }, this.credential)
+    }
+
+    async deleteOffer(offerId: string) {
+        return rpc('deleteOffer', { offerId }, this.credential)
+    }
+}
+
+/**
+ * Create a test context with fresh credentials and API wrapper
+ */
+export async function createTestContext() {
+    const credential = await generateCredentials()
+    const api = new TestAPI(credential)
+
+    return {
+        credential,
+        api,
+        apiUrl: API_URL
+    }
+}
+
+/**
+ * Sleep for a given number of milliseconds
+ */
+export function sleep(ms: number): Promise<void> {
+    return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+export { API_URL }

package/wrangler.toml

@@ -1,43 +1,42 @@
 name = "rondevu"
 main = "src/worker.ts"
 compatibility_date = "2024-01-01"
+# Required for crypto and better-sqlite3 compatibility
 compatibility_flags = ["nodejs_compat"]
+workers_dev = true
+preview_urls = true
 
-# D1 Database binding
+routes = [{ pattern = "api.ronde.vu/*", zone_name = "ronde.vu" }]
+
+# Cleanup runs every 5 minutes
+[triggers]
+crons = ["*/5 * * * *"]
+
+# D1 SQLite database
+# Get your database_id: npx wrangler d1 create rondevu-db
 [[d1_databases]]
 binding = "DB"
-database_name = "rondevu-offers"
 database_id = "3d469855-d37f-477b-b139-fa58843a54ff"
 
-# Environment variables
 [vars]
-OFFER_DEFAULT_TTL = "60000"  # Default offer TTL: 1 minute
-OFFER_MAX_TTL = "86400000"  # Max offer TTL: 24 hours
-OFFER_MIN_TTL = "60000"  # Min offer TTL: 1 minute
-MAX_OFFERS_PER_REQUEST = "100"  # Max offers per request
-MAX_TOPICS_PER_OFFER = "50"  # Max topics per offer
-CORS_ORIGINS = "*"  # Comma-separated list of allowed origins
-VERSION = "0.4.0"  # Semantic version
-
-# AUTH_SECRET should be set as a secret, not a var
-# Run: npx wrangler secret put AUTH_SECRET
-# Enter a 64-character hex string (32 bytes)
-
-# Build configuration
+OFFER_DEFAULT_TTL = "60000"
+OFFER_MAX_TTL = "86400000"
+OFFER_MIN_TTL = "60000"
+MAX_OFFERS_PER_REQUEST = "100"
+CORS_ORIGINS = "*"
+VERSION = "0.5.2"
+
+# MASTER_ENCRYPTION_KEY must be set as a secret:
+# npx wrangler secret put MASTER_ENCRYPTION_KEY
+# Generate with: openssl rand -hex 32
+
 [build]
 command = ""
 
-# For local development:
-# Run: npx wrangler dev
-# The local D1 database will be created automatically
-
-# For production deployment:
-# 1. Create D1 database: npx wrangler d1 create rondevu-sessions
-# 2. Update the 'database_id' field above with the returned ID
-# 3. Initialize schema: npx wrangler d1 execute rondevu-sessions --remote --file=./migrations/schema.sql
-# 4. Deploy: npx wrangler deploy
+# Development: npx wrangler dev
+# Deploy: npx wrangler deploy
+# Init DB: npx wrangler d1 execute rondevu-db --remote --file=./migrations/schema.sql
 
-[observability]
 [observability.logs]
 enabled = true
 head_sampling_rate = 1