import { describe, it, expect, vi, afterEach } from "vitest"; import { NextRequest } from "next/server"; // Simulate an authenticated session so the middleware does not redirect // and CSP headers are set on every response. vi.mock("./server/auth-edge.js", () => ({ auth: (handler: (req: NextRequest & { auth: object | null }) => unknown) => (req: NextRequest) => handler(Object.assign(req, { auth: { user: { id: "test-user", email: "test@test.com" } } })), })); async function importMiddleware(nodeEnv: string) { vi.stubEnv("NODE_ENV", nodeEnv); vi.resetModules(); const mod = await import("./middleware.js"); // middleware is the default export (wrapped by auth()) return mod.default as (req: NextRequest) => Promise; } describe("middleware — Content-Security-Policy", () => { afterEach(() => { vi.unstubAllEnvs(); vi.resetModules(); }); it("sets a Content-Security-Policy header on every response", async () => { const middleware = await importMiddleware("production"); const req = new NextRequest("http://localhost:3100/"); const res = await middleware(req); expect(res.headers.get("Content-Security-Policy")).toBeTruthy(); }); it("production: script-src contains a nonce and does NOT contain unsafe-inline or unsafe-eval", async () => { const middleware = await importMiddleware("production"); const req = new NextRequest("http://localhost:3100/dashboard"); const res = await middleware(req); const csp = res.headers.get("Content-Security-Policy") ?? ""; const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? ""; expect(scriptSrc).toMatch(/'nonce-[A-Za-z0-9+/=]+'/); expect(scriptSrc).not.toContain("'unsafe-inline'"); expect(scriptSrc).not.toContain("'unsafe-eval'"); }); it("production: each request gets a unique nonce", async () => { const middleware = await importMiddleware("production"); const res1 = await middleware(new NextRequest("http://localhost:3100/a")); const res2 = await middleware(new NextRequest("http://localhost:3100/b")); const nonce1 = res1.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1]; const nonce2 = res2.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1]; expect(nonce1).toBeTruthy(); expect(nonce2).toBeTruthy(); expect(nonce1).not.toBe(nonce2); }); it("production: x-nonce request header matches the nonce in the CSP response header", async () => { const middleware = await importMiddleware("production"); const req = new NextRequest("http://localhost:3100/settings"); const res = await middleware(req); const cspNonce = res.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1]; // The nonce is forwarded on the request (for server components) — not readable from // the response directly, but verifiable via the CSP header consistency. expect(cspNonce).toBeTruthy(); expect(cspNonce?.length).toBeGreaterThan(10); }); it("development: script-src includes unsafe-eval and unsafe-inline for HMR", async () => { const middleware = await importMiddleware("development"); const req = new NextRequest("http://localhost:3100/"); const res = await middleware(req); const csp = res.headers.get("Content-Security-Policy") ?? ""; const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? ""; expect(scriptSrc).toContain("'unsafe-eval'"); expect(scriptSrc).toContain("'unsafe-inline'"); }); it("frame-ancestors is always 'none' regardless of environment", async () => { for (const env of ["production", "development"] as const) { const middleware = await importMiddleware(env); const res = await middleware(new NextRequest("http://localhost:3100/")); const csp = res.headers.get("Content-Security-Policy") ?? ""; expect(csp).toContain("frame-ancestors 'none'"); } }); });