observability-toolkit 1.8.0 → 1.8.2

package/dist/backends/signoz-api.test.js

@@ -31,6 +31,35 @@ function createV5TraceResponse(spans) {
         },
     };
 }
+// Helper to create v5 API log response format
+function createV5LogResponse(logs) {
+    return {
+        data: {
+            data: {
+                results: [{
+                        rows: logs.map(l => ({
+                            timestamp: l.timestamp || new Date().toISOString(),
+                            data: l,
+                        })),
+                    }],
+            },
+        },
+    };
+}
+// Helper to create v5 API metric response format
+function createV5MetricResponse(series) {
+    return {
+        data: {
+            data: {
+                results: [{
+                        aggregations: [{
+                                series: series,
+                            }],
+                    }],
+            },
+        },
+    };
+}
 describe('SigNozApiBackend', () => {
     describe('constructor', () => {
         it('should initialize with default URL and API key from environment', () => {
@@ -347,21 +376,6 @@ describe('SigNozApiBackend', () => {
         });
     });
     describe('queryLogs', () => {
-        // Helper to create v5 API log response format
-        function createV5LogResponse(logs) {
-            return {
-                data: {
-                    data: {
-                        results: [{
-                                rows: logs.map(l => ({
-                                    timestamp: l.timestamp || new Date().toISOString(),
-                                    data: l,
-                                })),
-                            }],
-                    },
-                },
-            };
-        }
         it('should query logs with basic options', async () => {
             globalThis.fetch = setupMock(async () => ({
                 ok: true,
@@ -526,20 +540,6 @@ describe('SigNozApiBackend', () => {
         });
     });
     describe('queryMetrics', () => {
-        // Helper to create v5 API metric response format
-        function createV5MetricResponse(series) {
-            return {
-                data: {
-                    data: {
-                        results: [{
-                                aggregations: [{
-                                        series: series,
-                                    }],
-                            }],
-                    },
-                },
-            };
-        }
         it('should query metrics with required metricName', async () => {
             globalThis.fetch = setupMock(async () => ({
                 ok: true,
@@ -778,9 +778,42 @@ describe('SigNozApiBackend', () => {
         it('should handle complex base URL', () => {
             const backend = new SigNozApiBackend('https://ingest.signoz.example.com:4318/v1/traces', 'test-key');
             const url = backend.getTraceUrl('trace-123');
-            // Uses baseUrl directly
+            // Whitelisted path prefix (/v1/) is preserved for backward compatibility
             assert.strictEqual(url, 'https://ingest.signoz.example.com:4318/v1/traces/trace/trace-123');
         });
+        it('should preserve /api/ path prefix', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/api/v3', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, 'https://signoz.example.com/api/v3/trace/trace-123');
+        });
+        it('should preserve /signoz/ path prefix', () => {
+            const backend = new SigNozApiBackend('https://proxy.example.com/signoz/query', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, 'https://proxy.example.com/signoz/query/trace/trace-123');
+        });
+        it('should preserve /query/ path prefix', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/query/service', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, 'https://signoz.example.com/query/service/trace/trace-123');
+        });
+        it('should strip non-whitelisted path prefixes', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/custom/path', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // /custom/ is not whitelisted, so only origin is used
+            assert.strictEqual(url, 'https://signoz.example.com/trace/trace-123');
+        });
+        it('should strip query params from URL for security', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/v1/traces?token=secret', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // Query params stripped, path preserved
+            assert.strictEqual(url, 'https://signoz.example.com/v1/traces/trace/trace-123');
+            assert.ok(!url.includes('token'));
+        });
+        it('should strip fragment from URL for security', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/api/v3#section', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.ok(!url.includes('#'));
+        });
     });
     describe('error response handling', () => {
         it('should throw error with status code (response text sanitized)', async () => {
@@ -1262,24 +1295,10 @@ describe('SigNozApiBackend', () => {
             });
         });
         describe('queryLogsPaginated', () => {
-            function createV5LogResponsePaginated(logs) {
-                return {
-                    data: {
-                        data: {
-                            results: [{
-                                    rows: logs.map(l => ({
-                                        timestamp: l.timestamp || new Date().toISOString(),
-                                        data: l,
-                                    })),
-                                }],
-                        },
-                    },
-                };
-            }
             it('should return paginated log results', async () => {
                 globalThis.fetch = setupMock(async () => ({
                     ok: true,
-                    json: async () => createV5LogResponsePaginated([
+                    json: async () => createV5LogResponse([
                         { body: 'log1', severity_text: 'INFO', timestamp: '2026-01-01T12:00:00Z' },
                         { body: 'log2', severity_text: 'ERROR', timestamp: '2026-01-01T12:01:00Z' },
                     ]),
@@ -1293,7 +1312,7 @@ describe('SigNozApiBackend', () => {
             it('should return hasMore=true when more logs available', async () => {
                 globalThis.fetch = setupMock(async () => ({
                     ok: true,
-                    json: async () => createV5LogResponsePaginated([
+                    json: async () => createV5LogResponse([
                         { body: 'log1', severity_text: 'INFO', timestamp: '2026-01-01T12:00:00Z' },
                         { body: 'log2', severity_text: 'ERROR', timestamp: '2026-01-01T12:01:00Z' },
                         { body: 'log3', severity_text: 'WARN', timestamp: '2026-01-01T12:02:00Z' },
@@ -1314,7 +1333,7 @@ describe('SigNozApiBackend', () => {
                     }
                     return {
                         ok: true,
-                        json: async () => createV5LogResponsePaginated([]),
+                        json: async () => createV5LogResponse([]),
                         text: async () => '',
                     };
                 });
@@ -1338,23 +1357,10 @@ describe('SigNozApiBackend', () => {
             });
         });
         describe('queryMetricsPaginated', () => {
-            function createV5MetricResponsePaginated(series) {
-                return {
-                    data: {
-                        data: {
-                            results: [{
-                                    aggregations: [{
-                                            series: series,
-                                        }],
-                                }],
-                        },
-                    },
-                };
-            }
             it('should return paginated metric results', async () => {
                 globalThis.fetch = setupMock(async () => ({
                     ok: true,
-                    json: async () => createV5MetricResponsePaginated([{
+                    json: async () => createV5MetricResponse([{
                             values: [
                                 { timestamp: 1704110400000, value: 42.5 },
                                 { timestamp: 1704110460000, value: 43.2 },
@@ -1370,7 +1376,7 @@ describe('SigNozApiBackend', () => {
             it('should return hasMore=true when more metrics available', async () => {
                 globalThis.fetch = setupMock(async () => ({
                     ok: true,
-                    json: async () => createV5MetricResponsePaginated([{
+                    json: async () => createV5MetricResponse([{
                             values: [
                                 { timestamp: 1704110400000, value: 1 },
                                 { timestamp: 1704110460000, value: 2 },
@@ -1393,7 +1399,7 @@ describe('SigNozApiBackend', () => {
                     }
                     return {
                         ok: true,
-                        json: async () => createV5MetricResponsePaginated([]),
+                        json: async () => createV5MetricResponse([]),
                         text: async () => '',
                     };
                 });
@@ -1493,5 +1499,346 @@ describe('SigNozApiBackend', () => {
             });
         });
     });
+    describe('rate limiter', () => {
+        it('should allow requests up to max tokens', async () => {
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => createV5TraceResponse([]),
+                    text: async () => '',
+                };
+            });
+            // Create backend - default is 60 tokens
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Make multiple rapid requests - should all succeed within token limit
+            for (let i = 0; i < 10; i++) {
+                await backend.queryTraces({});
+            }
+            assert.strictEqual(callCount, 10, 'All requests within limit should succeed');
+        });
+        it('should block requests when rate limit exceeded', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => createV5TraceResponse([]),
+                    text: async () => '',
+                };
+            });
+            // Create backend with very low rate limit (3 tokens) for testing
+            // We need to test the TokenBucketRateLimiter directly since the backend
+            // uses the default from constants
+            const { TokenBucketRateLimiter } = await import('./signoz-api.js');
+            const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+            // Use all tokens
+            assert.strictEqual(limiter.tryConsume(), true, '1st token should be available');
+            assert.strictEqual(limiter.tryConsume(), true, '2nd token should be available');
+            assert.strictEqual(limiter.tryConsume(), true, '3rd token should be available');
+            assert.strictEqual(limiter.tryConsume(), false, '4th token should be blocked');
+            Date.now = originalDateNow;
+        });
+        it('should refill tokens over time', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            const { TokenBucketRateLimiter } = await import('./signoz-api.js');
+            const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+            // Use all tokens
+            limiter.tryConsume();
+            limiter.tryConsume();
+            limiter.tryConsume();
+            assert.strictEqual(limiter.getAvailableTokens(), 0, 'All tokens should be used');
+            // Advance time by 2 seconds
+            currentTime += 2000;
+            // Should have refilled 2 tokens
+            assert.strictEqual(limiter.getAvailableTokens(), 2, 'Should have refilled 2 tokens');
+            // Advance time by 5 more seconds (past max)
+            currentTime += 5000;
+            // Should cap at max tokens
+            assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should cap at max tokens');
+            Date.now = originalDateNow;
+        });
+        it('should return empty array when rate limited', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => createV5TraceResponse([]),
+                    text: async () => '',
+                };
+            });
+            // We can't easily set custom rate limits on the backend, so we'll test
+            // the behavior by making 60+ requests (default limit)
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Make 60 requests (default token limit)
+            for (let i = 0; i < 60; i++) {
+                await backend.queryTraces({});
+            }
+            assert.strictEqual(callCount, 60);
+            // 61st request should be rate limited
+            const result = await backend.queryTraces({});
+            assert.deepStrictEqual(result, [], 'Should return empty array when rate limited');
+            assert.strictEqual(callCount, 60, 'Should not have made fetch call when rate limited');
+            Date.now = originalDateNow;
+        });
+        it('should log warning when rate limit exceeded', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            const warnLogs = [];
+            const originalWarn = console.warn;
+            console.warn = (msg) => { warnLogs.push(msg); };
+            const { TokenBucketRateLimiter } = await import('./signoz-api.js');
+            const limiter = new TokenBucketRateLimiter(2, 1);
+            // Use all tokens
+            limiter.tryConsume();
+            limiter.tryConsume();
+            // This should trigger the warning
+            limiter.tryConsume();
+            console.warn = originalWarn;
+            Date.now = originalDateNow;
+            assert(warnLogs.some(log => log.includes('[obs-toolkit] Rate limit exceeded')));
+        });
+        it('should report rate limit status in health check', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => ({ status: 'success' }),
+                    text: async () => '',
+                };
+            });
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Use all 60 tokens
+            for (let i = 0; i < 60; i++) {
+                await backend.queryTraces({});
+            }
+            // Health check should report rate limit status
+            const health = await backend.healthCheck();
+            assert.strictEqual(health.status, 'error');
+            assert(health.message?.includes('Rate limit'));
+            Date.now = originalDateNow;
+        });
+        it('should reset tokens with reset method', async () => {
+            const { TokenBucketRateLimiter } = await import('./signoz-api.js');
+            const limiter = new TokenBucketRateLimiter(3, 1);
+            // Use all tokens
+            limiter.tryConsume();
+            limiter.tryConsume();
+            limiter.tryConsume();
+            assert.strictEqual(limiter.getAvailableTokens(), 0);
+            // Reset
+            limiter.reset();
+            assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should have all tokens after reset');
+        });
+        it('should handle logs query when rate limited', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => ({ data: { data: { results: [] } } }),
+                    text: async () => '',
+                };
+            });
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Use all 60 tokens
+            for (let i = 0; i < 60; i++) {
+                await backend.queryTraces({});
+            }
+            assert.strictEqual(callCount, 60);
+            // Logs query should also be rate limited
+            const result = await backend.queryLogs({});
+            assert.deepStrictEqual(result, []);
+            assert.strictEqual(callCount, 60, 'Should not make fetch call for logs when rate limited');
+            Date.now = originalDateNow;
+        });
+        it('should handle metrics query when rate limited', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                return {
+                    ok: true,
+                    json: async () => ({ data: { data: { results: [] } } }),
+                    text: async () => '',
+                };
+            });
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Use all 60 tokens
+            for (let i = 0; i < 60; i++) {
+                await backend.queryTraces({});
+            }
+            assert.strictEqual(callCount, 60);
+            // Metrics query should also be rate limited
+            const result = await backend.queryMetrics({ metricName: 'test' });
+            assert.deepStrictEqual(result, []);
+            assert.strictEqual(callCount, 60, 'Should not make fetch call for metrics when rate limited');
+            Date.now = originalDateNow;
+        });
+        it('should refund single token correctly', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            const { TokenBucketRateLimiter } = await import('./signoz-api.js');
+            const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+            // Use all tokens
+            limiter.tryConsume();
+            limiter.tryConsume();
+            limiter.tryConsume();
+            assert.strictEqual(limiter.getAvailableTokens(), 0, 'All tokens should be used');
+            // Refund one token
+            limiter.refund();
+            assert.strictEqual(limiter.getAvailableTokens(), 1, 'Should have 1 token after refund');
+            // Refund again
+            limiter.refund();
+            assert.strictEqual(limiter.getAvailableTokens(), 2, 'Should have 2 tokens after second refund');
+            // Refund at max should not exceed max
+            limiter.refund();
+            limiter.refund(); // This should cap at max
+            assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should cap at max tokens');
+            Date.now = originalDateNow;
+        });
+        it('should refund token when circuit breaker rejects request', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            let callCount = 0;
+            globalThis.fetch = setupMock(async () => {
+                callCount++;
+                // Simulate failures to open circuit breaker
+                const response = {
+                    ok: false,
+                    status: 500,
+                    json: async () => ({}),
+                    text: async () => 'Internal Server Error',
+                };
+                return response;
+            });
+            const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+            // Cause circuit breaker to open (default is 3 failures per constants.ts)
+            for (let i = 0; i < 3; i++) {
+                try {
+                    await backend.queryTraces({});
+                }
+                catch {
+                    // Expected to throw
+                }
+            }
+            assert.strictEqual(callCount, 3, 'Should have made 3 failing requests');
+            // Get initial token count - 60 tokens - 3 consumed = 57
+            // Now circuit breaker is open, subsequent requests should refund tokens
+            const result1 = await backend.queryTraces({});
+            assert.deepStrictEqual(result1, [], 'Should return empty when circuit breaker open');
+            // This should not consume more tokens because the token was refunded
+            const result2 = await backend.queryTraces({});
+            assert.deepStrictEqual(result2, [], 'Should return empty when circuit breaker open');
+            // No additional fetch calls should have been made
+            assert.strictEqual(callCount, 3, 'Should not make more fetch calls when circuit breaker open');
+            Date.now = originalDateNow;
+        });
+    });
+    describe('SSRF protection', () => {
+        it('should block localhost URL', () => {
+            const backend = new SigNozApiBackend('https://localhost/api', 'test-key');
+            // Backend with blocked URL will have empty baseUrl
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should have empty base for blocked localhost');
+        });
+        it('should block 127.0.0.1', () => {
+            const backend = new SigNozApiBackend('https://127.0.0.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should have empty base for blocked 127.0.0.1');
+        });
+        it('should block IPv6 localhost ::1', () => {
+            const backend = new SigNozApiBackend('https://[::1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block IPv6 localhost');
+        });
+        it('should block long-form IPv6 localhost', () => {
+            const backend = new SigNozApiBackend('https://[0:0:0:0:0:0:0:1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block long-form IPv6 localhost');
+        });
+        it('should block IPv4-mapped IPv6 localhost', () => {
+            const backend = new SigNozApiBackend('https://[::ffff:127.0.0.1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block IPv4-mapped localhost');
+        });
+        it('should block .localhost TLD', () => {
+            const backend = new SigNozApiBackend('https://myapp.localhost/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block .localhost TLD');
+        });
+        it('should block private 192.168.x.x ranges', () => {
+            const backend = new SigNozApiBackend('https://192.168.1.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block 192.168.x.x');
+        });
+        it('should block private 10.x.x.x ranges', () => {
+            const backend = new SigNozApiBackend('https://10.0.0.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block 10.x.x.x');
+        });
+        it('should block private 172.16-31.x.x ranges', () => {
+            const backend = new SigNozApiBackend('https://172.16.0.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block 172.16.x.x');
+        });
+        it('should block IPv6 unique local addresses (fc00::/7)', () => {
+            const backend = new SigNozApiBackend('https://[fc00::1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block fc00:: ULA');
+        });
+        it('should block IPv6 link-local addresses (fe80::)', () => {
+            const backend = new SigNozApiBackend('https://[fe80::1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block fe80:: link-local');
+        });
+        it('should block .local domain', () => {
+            const backend = new SigNozApiBackend('https://myhost.local/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block .local domain');
+        });
+        it('should block .internal domain', () => {
+            const backend = new SigNozApiBackend('https://signoz.internal/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block .internal domain');
+        });
+        it('should block .home.arpa domain', () => {
+            const backend = new SigNozApiBackend('https://router.home.arpa/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block .home.arpa domain');
+        });
+        it('should allow valid external HTTPS URL', () => {
+            const backend = new SigNozApiBackend('https://signoz.example.com/api/', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.ok(url.includes('signoz.example.com'), 'Should allow valid external URL');
+        });
+        it('should block HTTP protocol', () => {
+            const backend = new SigNozApiBackend('http://signoz.example.com/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block HTTP protocol');
+        });
+    });
 });
 //# sourceMappingURL=signoz-api.test.js.map