opensoma 0.4.0 → 0.5.1

package/src/toz-http.test.ts

@@ -0,0 +1,157 @@
+import { afterEach, describe, expect, it, mock } from 'bun:test'
+
+import { TOZ_BASE_URL } from './constants'
+import { TozHttp } from './toz-http'
+
+const originalFetch = globalThis.fetch
+
+afterEach(() => {
+  globalThis.fetch = originalFetch
+  mock.restore()
+})
+
+describe('TozHttp', () => {
+  it('seeds JSESSIONID by GETting index.htm during bootstrap', async () => {
+    const fetchMock = mock(async (input: RequestInfo | URL, init?: RequestInit) => {
+      expect(String(input)).toBe(`${TOZ_BASE_URL}/index.htm`)
+      expect(init?.method).toBe('GET')
+      return createResponse('ok', ['JSESSIONID=ABC123; Path=/; HttpOnly'])
+    })
+    globalThis.fetch = fetchMock as typeof fetch
+
+    const http = new TozHttp()
+    await http.bootstrap()
+
+    expect(http.getSessionCookie()).toBe('ABC123')
+    expect(fetchMock).toHaveBeenCalledTimes(1)
+  })
+
+  it('skips bootstrap when JSESSIONID is already set', async () => {
+    const fetchMock = mock(async () => createResponse('ok'))
+    globalThis.fetch = fetchMock as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'JSESSIONID=EXISTING' })
+    await http.bootstrap()
+
+    expect(fetchMock).not.toHaveBeenCalled()
+    expect(http.getSessionCookie()).toBe('EXISTING')
+  })
+
+  it('sends URL-encoded POST bodies with the required headers and cookie', async () => {
+    const fetchMock = mock(async (input: RequestInfo | URL, init?: RequestInit) => {
+      expect(String(input)).toBe(`${TOZ_BASE_URL}/ajaxGetEnableBoothes.htm`)
+      expect(init?.method).toBe('POST')
+
+      const headers = init?.headers as Record<string, string>
+      expect(headers['Content-Type']).toBe('application/x-www-form-urlencoded; charset=UTF-8')
+      expect(headers['X-Requested-With']).toBe('XMLHttpRequest')
+      expect(headers.Referer).toBe(`${TOZ_BASE_URL}/booking.htm`)
+      expect(headers.cookie).toBe('JSESSIONID=ABC123')
+
+      expect(init?.body).toBe('basedate=2026-04-21&starttime=1400&durationTime=0200&userCount=2&branchIds=27%2C')
+      return createResponse('[]', [], 'application/json')
+    })
+    globalThis.fetch = fetchMock as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC123' })
+    const text = await http.post('/ajaxGetEnableBoothes.htm', {
+      basedate: '2026-04-21',
+      starttime: '1400',
+      durationTime: '0200',
+      userCount: '2',
+      branchIds: '27,',
+    })
+
+    expect(text).toBe('[]')
+  })
+
+  it('parses the JSON body returned by postJson', async () => {
+    globalThis.fetch = mock(async () => createResponse('{"result":"SUCCESS","resultMsg":"abc"}')) as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC' })
+    const json = await http.postJson<{ result: string; resultMsg: string }>('/ajaxReservationBooth.htm', {})
+
+    expect(json).toEqual({ result: 'SUCCESS', resultMsg: 'abc' })
+  })
+
+  it('trims the plain-text body returned by postText', async () => {
+    globalThis.fetch = mock(async () => createResponse('SUCCESS\n')) as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC' })
+    expect(await http.postText('/ajaxHpVerify.htm', {})).toBe('SUCCESS')
+  })
+
+  it('strips the "JSESSIONID=" prefix when constructed with a full cookie string', async () => {
+    const http = new TozHttp({ sessionCookie: 'JSESSIONID=XYZ789' })
+    expect(http.getSessionCookie()).toBe('XYZ789')
+    expect(http.getCookies()).toEqual({ JSESSIONID: 'XYZ789' })
+  })
+
+  it('preserves every cookie when constructed with a cookies map', async () => {
+    const http = new TozHttp({ cookies: { JSESSIONID: 'A', other: 'B' } })
+    expect(http.getCookies()).toEqual({ JSESSIONID: 'A', other: 'B' })
+  })
+
+  it('throws on a non-2xx response', async () => {
+    globalThis.fetch = mock(async () =>
+      createResponse('Server Error', [], 'text/html', { status: 500 }),
+    ) as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC' })
+    await expect(http.get('/index.htm')).rejects.toThrow(/HTTP 500/)
+  })
+
+  it('refuses to follow cross-origin redirects to prevent cookie leaks', async () => {
+    globalThis.fetch = mock(async (input: RequestInfo | URL) => {
+      const url = String(input)
+      if (url.endsWith('/index.htm')) {
+        return redirectResponse('https://evil.example.com/steal')
+      }
+      throw new Error(`Should not fetch ${url} — cross-origin redirect must be blocked`)
+    }) as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC' })
+    await expect(http.get('/index.htm')).rejects.toThrow(/cross-origin redirect/)
+  })
+
+  it('follows same-origin redirects normally', async () => {
+    let hit = 0
+    globalThis.fetch = mock(async (input: RequestInfo | URL) => {
+      const url = String(input)
+      hit += 1
+      if (hit === 1) return redirectResponse(`${TOZ_BASE_URL}/mypage.htm`)
+      expect(url).toBe(`${TOZ_BASE_URL}/mypage.htm`)
+      return createResponse('mypage content')
+    }) as typeof fetch
+
+    const http = new TozHttp({ sessionCookie: 'ABC' })
+    const body = await http.get('/mypage_login_.htm')
+    expect(body).toBe('mypage content')
+    expect(hit).toBe(2)
+  })
+})
+
+function redirectResponse(location: string): Response {
+  const headers = new Headers({ location })
+  const response = new Response(null, { status: 302, headers })
+  Object.defineProperty(response.headers, 'getSetCookie', {
+    value: () => [],
+    configurable: true,
+  })
+  return response
+}
+
+function createResponse(
+  body: string,
+  cookies: string[] = [],
+  contentType = 'text/html',
+  options: { status?: number } = {},
+): Response {
+  const headers = new Headers({ 'Content-Type': contentType })
+  const response = new Response(body, { headers, status: options.status ?? 200 })
+  Object.defineProperty(response.headers, 'getSetCookie', {
+    value: () => cookies,
+    configurable: true,
+  })
+  return response
+}

package/src/toz-http.ts

@@ -0,0 +1,188 @@
+import { TOZ_BASE_URL } from './constants'
+
+const DEFAULT_USER_AGENT =
+  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36'
+const DEFAULT_ACCEPT_LANGUAGE = 'ko,en-US;q=0.9,en;q=0.8'
+
+interface HeadersWithCookieHelpers extends Omit<Headers, 'getSetCookie'> {
+  getSetCookie?: () => string[]
+}
+
+export interface TozHttpOptions {
+  sessionCookie?: string
+  cookies?: Record<string, string>
+}
+
+export interface TozHttpState {
+  cookies: Record<string, string>
+}
+
+export class TozHttp {
+  private cookies = new Map<string, string>()
+
+  constructor(options: TozHttpOptions = {}) {
+    if (options.cookies) {
+      for (const [name, value] of Object.entries(options.cookies)) {
+        this.cookies.set(name, value)
+      }
+    } else if (options.sessionCookie) {
+      this.cookies.set('JSESSIONID', stripJsessionPrefix(options.sessionCookie))
+    }
+  }
+
+  async bootstrap(): Promise<void> {
+    if (this.cookies.has('JSESSIONID')) return
+    await this.get('/index.htm')
+  }
+
+  async get(path: string, params?: Record<string, string>): Promise<string> {
+    const response = await fetch(this.buildUrl(path, params), {
+      method: 'GET',
+      headers: this.buildHeaders(),
+      redirect: 'manual',
+    })
+
+    this.updateFromResponse(response)
+    return this.readFollowingRedirects(response, 'GET')
+  }
+
+  async post(path: string, body: Record<string, string>): Promise<string> {
+    const response = await this.rawPost(path, body)
+    return this.readFollowingRedirects(response, 'POST')
+  }
+
+  async postJson<T>(path: string, body: Record<string, string>): Promise<T> {
+    const text = await this.post(path, body)
+    try {
+      return JSON.parse(text) as T
+    } catch (error) {
+      throw new Error(
+        `Failed to parse JSON response from ${path}: ${error instanceof Error ? error.message : 'unknown'}`,
+      )
+    }
+  }
+
+  async postText(path: string, body: Record<string, string>): Promise<string> {
+    return (await this.post(path, body)).trim()
+  }
+
+  getCookies(): Record<string, string> {
+    return Object.fromEntries(this.cookies)
+  }
+
+  getSessionCookie(): string | undefined {
+    return this.cookies.get('JSESSIONID')
+  }
+
+  getState(): TozHttpState {
+    return { cookies: this.getCookies() }
+  }
+
+  private async rawPost(path: string, body: Record<string, string>): Promise<Response> {
+    const url = this.buildUrl(path)
+    const formBody = new URLSearchParams(body).toString()
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        ...this.buildHeaders(),
+        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+        'X-Requested-With': 'XMLHttpRequest',
+        Referer: this.buildUrl('/booking.htm'),
+      },
+      body: formBody,
+      redirect: 'manual',
+    })
+
+    this.updateFromResponse(response)
+    return response
+  }
+
+  private async readFollowingRedirects(initial: Response, method: string): Promise<string> {
+    let response = initial
+    let hops = 0
+
+    while (response.status >= 300 && response.status < 400 && hops < 5) {
+      const location = response.headers.get('location')
+      if (!location) break
+      const redirectUrl = location.startsWith('http') ? location : new URL(location, `${TOZ_BASE_URL}/`).toString()
+      if (!isSameOrigin(redirectUrl, TOZ_BASE_URL)) {
+        throw new Error(`Refusing to follow cross-origin redirect to ${new URL(redirectUrl).origin}`)
+      }
+      response = await fetch(redirectUrl, {
+        method: 'GET',
+        headers: this.buildHeaders(),
+        redirect: 'manual',
+      })
+      this.updateFromResponse(response)
+      hops += 1
+    }
+
+    if (!response.ok) {
+      throw new Error(`Toz ${method} ${initial.url} failed: HTTP ${response.status} ${response.statusText}`)
+    }
+
+    return response.text()
+  }
+
+  private buildUrl(path: string, params?: Record<string, string>): string {
+    const normalized = path.startsWith('/') ? path.slice(1) : path
+    const url = new URL(normalized, `${TOZ_BASE_URL}/`)
+    if (params) {
+      for (const [key, value] of Object.entries(params)) {
+        url.searchParams.set(key, value)
+      }
+    }
+    return url.toString()
+  }
+
+  private buildHeaders(): Record<string, string> {
+    const cookieHeader = this.serializeCookies()
+    return {
+      'Accept-Language': DEFAULT_ACCEPT_LANGUAGE,
+      'User-Agent': DEFAULT_USER_AGENT,
+      ...(cookieHeader ? { cookie: cookieHeader } : {}),
+    }
+  }
+
+  private updateFromResponse(response: Response): void {
+    for (const cookie of readSetCookies(response.headers)) {
+      this.setCookie(cookie)
+    }
+  }
+
+  private setCookie(cookieHeader: string): void {
+    const pair = cookieHeader.split(';')[0]?.trim()
+    if (!pair) return
+    const idx = pair.indexOf('=')
+    if (idx === -1) return
+    const name = pair.slice(0, idx).trim()
+    const value = pair.slice(idx + 1).trim()
+    if (name) this.cookies.set(name, value)
+  }
+
+  private serializeCookies(): string {
+    return [...this.cookies.entries()].map(([name, value]) => `${name}=${value}`).join('; ')
+  }
+}
+
+function stripJsessionPrefix(cookie: string): string {
+  return cookie.includes('=') ? (cookie.split('=', 2)[1] ?? cookie) : cookie
+}
+
+function isSameOrigin(url: string, baseUrl: string): boolean {
+  try {
+    return new URL(url).origin === new URL(baseUrl).origin
+  } catch {
+    return false
+  }
+}
+
+function readSetCookies(headers: Headers): string[] {
+  const enhanced = headers as HeadersWithCookieHelpers
+  if (typeof enhanced.getSetCookie === 'function') {
+    return enhanced.getSetCookie()
+  }
+  const single = headers.get('set-cookie')
+  return single ? [single] : []
+}