LLM/moltbot
1
0
Fork 0
mirror of https://github.com/moltbot/moltbot.git synced 2026-03-21 16:41:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(test): dedupe trusted-proxy auth test setup

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 18:31:37 +00:00
parent 96eabcbe89
commit 9b70849567
1 changed files with 58 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
src/gateway/auth.test.ts
View File

@@ -183,30 +183,44 @@ describe("gateway auth", () => {
});
describe("trusted-proxy auth", () => {
type GatewayConnectInput = Parameters<typeof authorizeGatewayConnect>[0];
const trustedProxyConfig = {
userHeader: "x-forwarded-user",
requiredHeaders: ["x-forwarded-proto"],
allowUsers: [],
};
it("accepts valid request from trusted proxy", async () => {
const res = await authorizeGatewayConnect({
auth: {
function authorizeTrustedProxy(options?: {
auth?: GatewayConnectInput["auth"];
trustedProxies?: string[];
remoteAddress?: string;
headers?: Record<string, string>;
}) {
return authorizeGatewayConnect({
auth: options?.auth ?? {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
trustedProxies: options?.trustedProxies ?? ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
socket: { remoteAddress: options?.remoteAddress ?? "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
"x-forwarded-proto": "https",
...options?.headers,
},
} as never,
});
}
it("accepts valid request from trusted proxy", async () => {
const res = await authorizeTrustedProxy({
headers: {
"x-forwarded-user": "nick@example.com",
"x-forwarded-proto": "https",
},
});
expect(res.ok).toBe(true);
expect(res.method).toBe("trusted-proxy");
@@ -214,22 +228,12 @@ describe("trusted-proxy auth", () => {
});
it("rejects request from untrusted source", async () => {
const res = await authorizeGatewayConnect({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
const res = await authorizeTrustedProxy({
remoteAddress: "192.168.1.100",
headers: {
"x-forwarded-user": "attacker@evil.com",
"x-forwarded-proto": "https",
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "192.168.1.100" },
headers: {
host: "gateway.local",
"x-forwarded-user": "attacker@evil.com",
"x-forwarded-proto": "https",
},
} as never,
});
expect(res.ok).toBe(false);
@@ -237,22 +241,10 @@ describe("trusted-proxy auth", () => {
});
it("rejects request with missing user header", async () => {
const res = await authorizeGatewayConnect({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
const res = await authorizeTrustedProxy({
headers: {
"x-forwarded-proto": "https",
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-proto": "https",
// missing x-forwarded-user
},
} as never,
});
expect(res.ok).toBe(false);
@@ -260,22 +252,10 @@ describe("trusted-proxy auth", () => {
});
it("rejects request with missing required headers", async () => {
const res = await authorizeGatewayConnect({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
const res = await authorizeTrustedProxy({
headers: {
"x-forwarded-user": "nick@example.com",
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
// missing x-forwarded-proto
},
} as never,
});
expect(res.ok).toBe(false);
@@ -283,7 +263,7 @@ describe("trusted-proxy auth", () => {
});
it("rejects user not in allowlist", async () => {
const res = await authorizeGatewayConnect({
const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
@@ -292,15 +272,9 @@ describe("trusted-proxy auth", () => {
allowUsers: ["admin@example.com", "nick@example.com"],
},
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "stranger@other.com",
},
} as never,
headers: {
"x-forwarded-user": "stranger@other.com",
},
});
expect(res.ok).toBe(false);
@@ -308,7 +282,7 @@ describe("trusted-proxy auth", () => {
});
it("accepts user in allowlist", async () => {
const res = await authorizeGatewayConnect({
const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
@@ -317,15 +291,9 @@ describe("trusted-proxy auth", () => {
allowUsers: ["admin@example.com", "nick@example.com"],
},
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
headers: {
"x-forwarded-user": "nick@example.com",
},
});
expect(res.ok).toBe(true);
@@ -334,21 +302,11 @@ describe("trusted-proxy auth", () => {
});
it("rejects when no trustedProxies configured", async () => {
const res = await authorizeGatewayConnect({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
},
connectAuth: null,
const res = await authorizeTrustedProxy({
trustedProxies: [],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
headers: {
"x-forwarded-user": "nick@example.com",
},
});
expect(res.ok).toBe(false);
@@ -356,21 +314,14 @@ describe("trusted-proxy auth", () => {
});
it("rejects when trustedProxy config missing", async () => {
const res = await authorizeGatewayConnect({
const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
// trustedProxy missing
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
headers: {
"x-forwarded-user": "nick@example.com",
},
});
expect(res.ok).toBe(false);
@@ -378,7 +329,7 @@ describe("trusted-proxy auth", () => {
});
it("supports Pomerium-style headers", async () => {
const res = await authorizeGatewayConnect({
const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
@@ -387,16 +338,12 @@ describe("trusted-proxy auth", () => {
requiredHeaders: ["x-pomerium-jwt-assertion"],
},
},
connectAuth: null,
trustedProxies: ["172.17.0.1"],
req: {
socket: { remoteAddress: "172.17.0.1" },
headers: {
host: "gateway.local",
"x-pomerium-claim-email": "nick@example.com",
"x-pomerium-jwt-assertion": "eyJ...",
},
} as never,
remoteAddress: "172.17.0.1",
headers: {
"x-pomerium-claim-email": "nick@example.com",
"x-pomerium-jwt-assertion": "eyJ...",
},
});
expect(res.ok).toBe(true);
@@ -405,7 +352,7 @@ describe("trusted-proxy auth", () => {
});
it("trims whitespace from user header value", async () => {
const res = await authorizeGatewayConnect({
const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
@@ -413,15 +360,9 @@ describe("trusted-proxy auth", () => {
userHeader: "x-forwarded-user",
},
},
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": " nick@example.com ",
},
} as never,
headers: {
"x-forwarded-user": " nick@example.com ",
},
});
expect(res.ok).toBe(true);