Spaces:
Sleeping
Sleeping
File size: 3,485 Bytes
b6ecafa d94b281 b6ecafa | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 | import { describe, expect, it, vi } from 'vitest'
function setNodeEnv(value: string) {
;(process.env as Record<string, string | undefined>).NODE_ENV = value
}
describe('proxy host matching', () => {
it('allows the system hostname implicitly', async () => {
vi.resetModules()
vi.doMock('node:os', () => ({
default: { hostname: () => 'hetzner-jarv' },
hostname: () => 'hetzner-jarv',
}))
const { proxy } = await import('./proxy')
const request = {
headers: new Headers({ host: 'hetzner-jarv' }),
nextUrl: { host: 'hetzner-jarv', hostname: 'hetzner-jarv', pathname: '/login', clone: () => ({ pathname: '/login' }) },
method: 'GET',
cookies: { get: () => undefined },
} as any
setNodeEnv('production')
process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1'
delete process.env.MC_ALLOW_ANY_HOST
const response = proxy(request)
expect(response.status).not.toBe(403)
})
it('keeps blocking unrelated hosts in production', async () => {
vi.resetModules()
vi.doMock('node:os', () => ({
default: { hostname: () => 'hetzner-jarv' },
hostname: () => 'hetzner-jarv',
}))
const { proxy } = await import('./proxy')
const request = {
headers: new Headers({ host: 'evil.example.com' }),
nextUrl: { host: 'evil.example.com', hostname: 'evil.example.com', pathname: '/login', clone: () => ({ pathname: '/login' }) },
method: 'GET',
cookies: { get: () => undefined },
} as any
setNodeEnv('production')
process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1'
delete process.env.MC_ALLOW_ANY_HOST
const response = proxy(request)
expect(response.status).toBe(403)
})
it('allows unauthenticated health probe for /api/status?action=health', async () => {
vi.resetModules()
vi.doMock('node:os', () => ({
default: { hostname: () => 'hetzner-jarv' },
hostname: () => 'hetzner-jarv',
}))
const { proxy } = await import('./proxy')
const request = {
headers: new Headers({ host: 'localhost:3000' }),
nextUrl: {
host: 'localhost:3000',
hostname: 'localhost',
pathname: '/api/status',
searchParams: new URLSearchParams('action=health'),
clone: () => ({ pathname: '/api/status' }),
},
method: 'GET',
cookies: { get: () => undefined },
} as any
setNodeEnv('production')
process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1'
delete process.env.MC_ALLOW_ANY_HOST
const response = proxy(request)
expect(response.status).not.toBe(401)
})
it('still blocks unauthenticated non-health status API calls', async () => {
vi.resetModules()
vi.doMock('node:os', () => ({
default: { hostname: () => 'hetzner-jarv' },
hostname: () => 'hetzner-jarv',
}))
const { proxy } = await import('./proxy')
const request = {
headers: new Headers({ host: 'localhost:3000' }),
nextUrl: {
host: 'localhost:3000',
hostname: 'localhost',
pathname: '/api/status',
searchParams: new URLSearchParams('action=overview'),
clone: () => ({ pathname: '/api/status' }),
},
method: 'GET',
cookies: { get: () => undefined },
} as any
setNodeEnv('production')
process.env.MC_ALLOWED_HOSTS = 'localhost,127.0.0.1'
delete process.env.MC_ALLOW_ANY_HOST
const response = proxy(request)
expect(response.status).toBe(401)
})
})
|