test: tighten gateway auth path assertions

2026-05-18 19:24:46 +00:00 · 2026-05-11 12:49:55 +01:00
parent a85c7936e9
commit 7a6dbffa05
2 changed files with 18 additions and 20 deletions
--- a/src/gateway/http-utils.authorize-request.test.ts
+++ b/src/gateway/http-utils.authorize-request.test.ts
@@ -108,16 +108,16 @@ describe("authorizeGatewayHttpRequestOrReply", () => {
      trustedProxies: ["127.0.0.1"],
    });

-    expect(vi.mocked(authorizeHttpGatewayConnect)).toHaveBeenCalledWith(
-      expect.objectContaining({
-        browserOriginPolicy: {
-          requestHost: "gateway.example.com",
-          origin: "https://evil.example",
-          allowedOrigins: ["https://control.example.com"],
-          allowHostHeaderOriginFallback: false,
-        },
-      }),
-    );
+    const [authParams] = vi.mocked(authorizeHttpGatewayConnect).mock.calls.at(-1) ?? [];
+    if (authParams === undefined) {
+      throw new Error("Expected HTTP gateway auth to be called");
+    }
+    expect(authParams.browserOriginPolicy).toEqual({
+      requestHost: "gateway.example.com",
+      origin: "https://evil.example",
+      allowedOrigins: ["https://control.example.com"],
+      allowHostHeaderOriginFallback: false,
+    });
  });

  it("replies with auth failure and returns null when auth fails", async () => {
--- a/src/gateway/security-path.test.ts
+++ b/src/gateway/security-path.test.ts
@@ -17,16 +17,14 @@ function buildRepeatedEncodedSlashPath(depth: number): string {

 describe("security-path canonicalization", () => {
  it("canonicalizes decoded case/slash variants", () => {
-    expect(canonicalizePathForSecurity("/API/channels//nostr/default/profile/")).toEqual(
-      expect.objectContaining({
-        canonicalPath: "/api/channels/nostr/default/profile",
-        candidates: ["/api/channels/nostr/default/profile"],
-        malformedEncoding: false,
-        decodePasses: 0,
-        decodePassLimitReached: false,
-        rawNormalizedPath: "/api/channels/nostr/default/profile",
-      }),
-    );
+    expect(canonicalizePathForSecurity("/API/channels//nostr/default/profile/")).toEqual({
+      canonicalPath: "/api/channels/nostr/default/profile",
+      candidates: ["/api/channels/nostr/default/profile"],
+      malformedEncoding: false,
+      decodePasses: 0,
+      decodePassLimitReached: false,
+      rawNormalizedPath: "/api/channels/nostr/default/profile",
+    });
    const encoded = canonicalizePathForSecurity("/api/%63hannels%2Fnostr%2Fdefault%2Fprofile");
    expect(encoded.canonicalPath).toBe("/api/channels/nostr/default/profile");
    expect(encoded.candidates).toContain("/api/%63hannels%2fnostr%2fdefault%2fprofile");