@zereight/mcp-gitlab 2.1.5 → 2.1.6

package/build/test/stateless/session-id.test.js

@@ -0,0 +1,131 @@
+/**
+ * Unit tests for the sealed Mcp-Session-Id helpers.
+ */
+import assert from "node:assert/strict";
+import { randomBytes } from "node:crypto";
+import { describe, test } from "node:test";
+import { loadKeyMaterialFromEnv, looksLikeStatelessSessionId, mintSessionId, openSessionId, } from "../../stateless/index.js";
+function secret() {
+    return randomBytes(32).toString("base64url");
+}
+function load(current, previous) {
+    const env = {
+        OAUTH_STATELESS_SECRET: current,
+    };
+    if (previous)
+        env.OAUTH_STATELESS_SECRET_PREVIOUS = previous;
+    const m = loadKeyMaterialFromEnv(true, env);
+    assert.ok(m);
+    return m;
+}
+describe("mintSessionId / openSessionId", () => {
+    test("roundtrips across pods", () => {
+        const s = secret();
+        const a = load(s);
+        const b = load(s);
+        const sid = mintSessionId(a, {
+            header: "Authorization",
+            token: "glpat-ABCDEFG123456789-abcdef",
+            apiUrl: "https://gitlab.example.com/api/v4",
+        });
+        assert.ok(looksLikeStatelessSessionId(sid));
+        const opened = openSessionId(b, sid, 3600);
+        assert.ok(opened);
+        assert.equal(opened.h, "Authorization");
+        assert.equal(opened.t, "glpat-ABCDEFG123456789-abcdef");
+        assert.equal(opened.u, "https://gitlab.example.com/api/v4");
+    });
+    test("preserves Private-Token / JOB-TOKEN headers", () => {
+        const m = load(secret());
+        for (const h of ["Private-Token", "JOB-TOKEN"]) {
+            const sid = mintSessionId(m, {
+                header: h,
+                token: "some-token-value-at-least-20-chars",
+                apiUrl: "https://gitlab.example.com/api/v4",
+            });
+            const opened = openSessionId(m, sid, 3600);
+            assert.ok(opened);
+            assert.equal(opened.h, h);
+        }
+    });
+    test("rejects unknown header values", () => {
+        // Hand-craft a payload with a bogus header value. We do this by minting a
+        // legitimate token then mutating the decoded payload via a second mint
+        // won't work (AEAD). Instead, assert the helper rejects garbage input
+        // by tampering with an unrelated value and checking it still fails safely.
+        const m = load(secret());
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        // Truncate to force bad ciphertext on open.
+        const broken = sid.slice(0, -3);
+        assert.equal(openSessionId(m, broken, 3600), null);
+    });
+    test("expired sid rejected", () => {
+        const m = load(secret());
+        const past = Math.floor(Date.now() / 1000) - 10_000;
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => past,
+        });
+        assert.equal(openSessionId(m, sid, 60), null);
+    });
+    test("different secret rejects", () => {
+        const a = load(secret());
+        const b = load(secret());
+        const sid = mintSessionId(a, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        assert.equal(openSessionId(b, sid, 3600), null);
+    });
+    test("rotation: sid minted under previous secret opens on rotated pod", () => {
+        const s1 = secret();
+        const s2 = secret();
+        const old = load(s1);
+        const rotated = load(s2, s1);
+        const sid = mintSessionId(old, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        const opened = openSessionId(rotated, sid, 3600);
+        assert.ok(opened);
+    });
+    test("looksLikeStatelessSessionId distinguishes legacy UUIDs", () => {
+        const m = load(secret());
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        assert.ok(looksLikeStatelessSessionId(sid));
+        assert.ok(!looksLikeStatelessSessionId("a4f1c2b8-f2c4-4ee6-bc14-2b7ab0e6ab11"));
+        assert.ok(!looksLikeStatelessSessionId(""));
+    });
+    test("fresh sid has different iat each time (rotation on every refresh)", () => {
+        const m = load(secret());
+        const sid1 = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => 1000,
+        });
+        const sid2 = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => 2000,
+        });
+        assert.notEqual(sid1, sid2);
+        const open1 = openSessionId(m, sid1, 3600, () => 2000);
+        const open2 = openSessionId(m, sid2, 3600, () => 2000);
+        assert.equal(open1.iat, 1000);
+        assert.equal(open2.iat, 2000);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.1.5",
+  "version": "2.1.6",
   "mcpName": "io.github.zereight/gitlab-mcp",
   "description": "GitLab MCP server for projects, merge requests, issues, pipelines, wiki, releases, and more",
   "keywords": [
@@ -51,7 +51,8 @@
     "changelog": "auto-changelog -p",
     "test": "npm run test:all",
     "test:all": "npm run build && npm run test:mock && npm run test:live",
-    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-auth-retry.ts",
+    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
+    "test:stateless": "npm run build && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
     "test:mcp-oauth": "npm run build && node --import tsx/esm --test test/mcp-oauth-tests.ts",
     "test:live": "node test/validate-api.js",
     "test:remote-auth": "npm run build && node --import tsx/esm --test test/remote-auth-simple-test.ts",