Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
c4b01c1bfc41605009a33910e458e03c51a33155
CapaKraken/apps/web/src/middleware.test.ts
T
Hartmut d1075af77d security: tighten CSP — drop provider wildcards, add object/frame/worker-src (#45) 
Browser code never calls OpenAI/Azure/Gemini directly; all AI traffic is
server-side tRPC. connect-src is now locked to 'self'. Added object-src 'none',
frame-src 'none', media-src 'self', and worker-src 'self' blob:. style-src
keeps 'unsafe-inline' for React + @react-pdf/renderer (documented residual
risk — script-src is nonce-based so CSS injection cannot escalate to JS).

Added three regression tests covering connect-src no-wildcards, object/frame-src
'none', and worker-src scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 09:08:40 +02:00

157 lines
6.8 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, afterEach } from "vitest";
import { NextRequest } from "next/server";
// Simulate an authenticated session so the middleware does not redirect
// and CSP headers are set on every response.
vi.mock("./server/auth-edge.js", () => ({
auth: (handler: (req: NextRequest & { auth: object | null }) => unknown) => (req: NextRequest) =>
handler(Object.assign(req, { auth: { user: { id: "test-user", email: "test@test.com" } } })),
}));
async function importMiddleware(nodeEnv: string) {
vi.stubEnv("NODE_ENV", nodeEnv);
vi.resetModules();
const mod = await import("./middleware.js");
// middleware is the default export (wrapped by auth())
return mod.default as (req: NextRequest) => Promise<Response>;
}
describe("middleware — Content-Security-Policy", () => {
afterEach(() => {
vi.unstubAllEnvs();
vi.resetModules();
});
it("sets a Content-Security-Policy header on every response", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/");
const res = await middleware(req);
expect(res.headers.get("Content-Security-Policy")).toBeTruthy();
});
it("production: script-src contains a nonce and does NOT contain unsafe-inline or unsafe-eval", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/dashboard");
const res = await middleware(req);
const csp = res.headers.get("Content-Security-Policy") ?? "";
const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
expect(scriptSrc).toMatch(/'nonce-[A-Za-z0-9+/=]+'/);
expect(scriptSrc).not.toContain("'unsafe-inline'");
expect(scriptSrc).not.toContain("'unsafe-eval'");
});
it("production: each request gets a unique nonce", async () => {
const middleware = await importMiddleware("production");
const res1 = await middleware(new NextRequest("http://localhost:3100/a"));
const res2 = await middleware(new NextRequest("http://localhost:3100/b"));
const nonce1 = res1.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
const nonce2 = res2.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
expect(nonce1).toBeTruthy();
expect(nonce2).toBeTruthy();
expect(nonce1).not.toBe(nonce2);
});
it("production: x-nonce request header matches the nonce in the CSP response header", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/settings");
const res = await middleware(req);
const cspNonce = res.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
// The nonce is forwarded on the request (for server components) — not readable from
// the response directly, but verifiable via the CSP header consistency.
expect(cspNonce).toBeTruthy();
expect(cspNonce?.length).toBeGreaterThan(10);
});
it("development: script-src includes unsafe-eval and unsafe-inline for HMR", async () => {
const middleware = await importMiddleware("development");
const req = new NextRequest("http://localhost:3100/");
const res = await middleware(req);
const csp = res.headers.get("Content-Security-Policy") ?? "";
const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
expect(scriptSrc).toContain("'unsafe-eval'");
expect(scriptSrc).toContain("'unsafe-inline'");
});
it("frame-ancestors is always 'none' regardless of environment", async () => {
for (const env of ["production", "development"] as const) {
const middleware = await importMiddleware(env);
const res = await middleware(new NextRequest("http://localhost:3100/"));
const csp = res.headers.get("Content-Security-Policy") ?? "";
expect(csp).toContain("frame-ancestors 'none'");
}
});
it("connect-src has no wildcards — browser cannot call external hosts directly", async () => {
const middleware = await importMiddleware("production");
const res = await middleware(new NextRequest("http://localhost:3100/"));
const csp = res.headers.get("Content-Security-Policy") ?? "";
const connectSrc = csp.split(";").find((d: string) => d.trim().startsWith("connect-src")) ?? "";
expect(connectSrc).toMatch(/connect-src\s+'self'\s*$/);
expect(connectSrc).not.toContain("*");
expect(connectSrc).not.toContain("openai.com");
expect(connectSrc).not.toContain("azure.com");
expect(connectSrc).not.toContain("googleapis.com");
});
it("object-src, frame-src are 'none' to block legacy plugin and iframe vectors", async () => {
const middleware = await importMiddleware("production");
const res = await middleware(new NextRequest("http://localhost:3100/"));
const csp = res.headers.get("Content-Security-Policy") ?? "";
expect(csp).toContain("object-src 'none'");
expect(csp).toContain("frame-src 'none'");
});
it("worker-src restricts web workers to same-origin and blob: (for Next.js)", async () => {
const middleware = await importMiddleware("production");
const res = await middleware(new NextRequest("http://localhost:3100/"));
const csp = res.headers.get("Content-Security-Policy") ?? "";
expect(csp).toContain("worker-src 'self' blob:");
});
});
describe("middleware — API allowlist (default-deny)", () => {
afterEach(() => {
vi.unstubAllEnvs();
vi.resetModules();
});
it("allows allowlisted API routes through", async () => {
const middleware = await importMiddleware("production");
for (const url of [
"http://localhost:3100/api/trpc/project.list",
"http://localhost:3100/api/auth/signin",
"http://localhost:3100/api/sse/timeline",
"http://localhost:3100/api/cron/health-check",
"http://localhost:3100/api/reports/allocations",
"http://localhost:3100/api/health",
"http://localhost:3100/api/ready",
"http://localhost:3100/api/perf",
]) {
const res = await middleware(new NextRequest(url));
expect(res.status).not.toBe(404);
}
});
it("returns 404 for non-allowlisted /api/* routes", async () => {
const middleware = await importMiddleware("production");
for (const url of [
"http://localhost:3100/api/debug",
"http://localhost:3100/api/internal/secret",
"http://localhost:3100/api/admin/users",
]) {
const res = await middleware(new NextRequest(url));
expect(res.status).toBe(404);
}
});
});
describe("isApiAllowlisted helper", () => {
it("exported via module for testing", async () => {
const { isApiAllowlisted } = await import("./middleware.js");
expect(isApiAllowlisted("/api/trpc/foo")).toBe(true);
expect(isApiAllowlisted("/api/debug")).toBe(false);
expect(isApiAllowlisted("/api/healthz")).toBe(false);
expect(isApiAllowlisted("/api/health")).toBe(true);
});
});
Reference in New Issue View Git Blame Copy Permalink