From d767e296e2d862ae1b6a84dc265c77538e105ef8 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 1 Jun 2026 19:20:43 +0200
Subject: [PATCH] refactor: share plugin node auth test helpers

---
 ...server.plugin-node-capability-auth.test.ts | 112 +++++++++---------
 1 file changed, 56 insertions(+), 56 deletions(-)

diff --git a/src/gateway/server.plugin-node-capability-auth.test.ts b/src/gateway/server.plugin-node-capability-auth.test.ts
index 1bd9745b2f5..dc5d18761f7 100644
--- a/src/gateway/server.plugin-node-capability-auth.test.ts
+++ b/src/gateway/server.plugin-node-capability-auth.test.ts
@@ -218,6 +218,49 @@ async function sendRawHttpRequest(params: {
   });
 }
 
+type CanvasGatewayListener = Awaited<ReturnType<typeof listen>>;
+
+function canvasUrl(listener: CanvasGatewayListener, path = CANVAS_HOST_PATH): string {
+  return `http://127.0.0.1:${listener.port}${path}`;
+}
+
+async function fetchCanvasHost(
+  listener: CanvasGatewayListener,
+  init?: RequestInit,
+): Promise<Response> {
+  return await fetchCanvas(canvasUrl(listener), init);
+}
+
+async function expectMalformedRequestTargetsRejected(params: {
+  listener: CanvasGatewayListener;
+  headers?: readonly string[];
+}): Promise<void> {
+  for (const requestTarget of ["//", "///", "//${jndi:ldap://example}.action"]) {
+    const response = await sendRawHttpRequest({
+      host: "127.0.0.1",
+      port: params.listener.port,
+      requestTarget,
+      ...(params.headers ? { headers: params.headers } : {}),
+    });
+    expect(response).toMatch(/^HTTP\/1\.1 401 /);
+  }
+
+  const res = await fetchCanvasHost(params.listener);
+  expect(res.status).toBe(401);
+}
+
+async function expectRepeatedCanvasAuthAttemptsRateLimited(
+  listener: CanvasGatewayListener,
+  headers: Record<string, string>,
+): Promise<Response> {
+  const first = await fetchCanvasHost(listener, { headers });
+  expect(first.status).toBe(401);
+
+  const second = await fetchCanvasHost(listener, { headers });
+  expect(second.status).toBe(429);
+  return second;
+}
+
 function makeWsClient(params: {
   connId: string;
   clientIp: string;
@@ -463,17 +506,7 @@ describe("gateway plugin node capability auth", () => {
       resolvedAuth: tokenResolvedAuth,
       handleHttpRequest: allowCanvasHostHttp,
       run: async ({ listener }) => {
-        for (const requestTarget of ["//", "///", "//${jndi:ldap://example}.action"]) {
-          const response = await sendRawHttpRequest({
-            host: "127.0.0.1",
-            port: listener.port,
-            requestTarget,
-          });
-          expect(response).toMatch(/^HTTP\/1\.1 401 /);
-        }
-
-        const res = await fetchCanvas(`http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`);
-        expect(res.status).toBe(401);
+        await expectMalformedRequestTargetsRejected({ listener });
       },
     });
   }, 60_000);
@@ -483,24 +516,16 @@ describe("gateway plugin node capability auth", () => {
       resolvedAuth: tokenResolvedAuth,
       handleHttpRequest: allowCanvasHostHttp,
       run: async ({ listener }) => {
-        for (const requestTarget of ["//", "///", "//${jndi:ldap://example}.action"]) {
-          const response = await sendRawHttpRequest({
-            host: "127.0.0.1",
-            port: listener.port,
-            requestTarget,
-            headers: [
-              "Host: localhost",
-              "Upgrade: websocket",
-              "Connection: Upgrade",
-              "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
-              "Sec-WebSocket-Version: 13",
-            ],
-          });
-          expect(response).toMatch(/^HTTP\/1\.1 401 /);
-        }
-
-        const res = await fetchCanvas(`http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`);
-        expect(res.status).toBe(401);
+        await expectMalformedRequestTargetsRejected({
+          listener,
+          headers: [
+            "Host: localhost",
+            "Upgrade: websocket",
+            "Connection: Upgrade",
+            "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
+            "Sec-WebSocket-Version: 13",
+          ],
+        });
       },
     });
   }, 60_000);
@@ -638,18 +663,7 @@ describe("gateway plugin node capability auth", () => {
             authorization: "Bearer wrong",
             "x-forwarded-for": "203.0.113.99",
           };
-          const first = await fetchCanvas(`http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`, {
-            headers,
-          });
-          expect(first.status).toBe(401);
-
-          const second = await fetchCanvas(
-            `http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`,
-            {
-              headers,
-            },
-          );
-          expect(second.status).toBe(429);
+          const second = await expectRepeatedCanvasAuthAttemptsRateLimited(listener, headers);
           expect(second.headers.get("retry-after")).toMatch(/^\d+$/);
 
           await expectWsRejected(`ws://127.0.0.1:${listener.port}${CANVAS_WS_PATH}`, headers, 429);
@@ -683,21 +697,7 @@ describe("gateway plugin node capability auth", () => {
               host: "localhost",
               "x-forwarded-for": "127.0.0.1, 203.0.113.24",
             };
-            const first = await fetchCanvas(
-              `http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`,
-              {
-                headers,
-              },
-            );
-            expect(first.status).toBe(401);
-
-            const second = await fetchCanvas(
-              `http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`,
-              {
-                headers,
-              },
-            );
-            expect(second.status).toBe(429);
+            await expectRepeatedCanvasAuthAttemptsRateLimited(listener, headers);
           },
         });
       },