Hartmut
bf8577dbaf
- Split auth config into auth.config.ts (edge-safe, no argon2) and auth-edge.ts for middleware use; auth.ts now spreads the shared config - Middleware wraps with auth() to redirect unauthenticated requests to /auth/signin before any page render; passes through /auth/, /api/, /invite/ paths - SessionGuard client component watches useSession() and redirects on status=unauthenticated, closing the SPA navigation gap - QueryCache + MutationCache in TRPCProvider redirect on UNAUTHORIZED tRPC errors without retrying; SessionProvider polls session state every 5 minutes - Middleware tests updated for async auth wrapper and auth-edge mock Co-Authored-By: claude-flow <ruv@ruv.net>
85 lines
3.9 KiB
TypeScript
85 lines
3.9 KiB
TypeScript
import { describe, it, expect, vi, afterEach } from "vitest";
|
|
import { NextRequest } from "next/server";
|
|
|
|
// Simulate an authenticated session so the middleware does not redirect
|
|
// and CSP headers are set on every response.
|
|
vi.mock("./server/auth-edge.js", () => ({
|
|
auth: (handler: (req: NextRequest & { auth: object | null }) => unknown) =>
|
|
(req: NextRequest) =>
|
|
handler(Object.assign(req, { auth: { user: { id: "test-user", email: "test@test.com" } } })),
|
|
}));
|
|
|
|
async function importMiddleware(nodeEnv: string) {
|
|
vi.stubEnv("NODE_ENV", nodeEnv);
|
|
vi.resetModules();
|
|
const mod = await import("./middleware.js");
|
|
// middleware is the default export (wrapped by auth())
|
|
return mod.default as (req: NextRequest) => Promise<Response>;
|
|
}
|
|
|
|
describe("middleware — Content-Security-Policy", () => {
|
|
afterEach(() => {
|
|
vi.unstubAllEnvs();
|
|
vi.resetModules();
|
|
});
|
|
|
|
it("sets a Content-Security-Policy header on every response", async () => {
|
|
const middleware = await importMiddleware("production");
|
|
const req = new NextRequest("http://localhost:3100/");
|
|
const res = await middleware(req);
|
|
expect(res.headers.get("Content-Security-Policy")).toBeTruthy();
|
|
});
|
|
|
|
it("production: script-src contains a nonce and does NOT contain unsafe-inline or unsafe-eval", async () => {
|
|
const middleware = await importMiddleware("production");
|
|
const req = new NextRequest("http://localhost:3100/dashboard");
|
|
const res = await middleware(req);
|
|
const csp = res.headers.get("Content-Security-Policy") ?? "";
|
|
const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
|
|
expect(scriptSrc).toMatch(/'nonce-[A-Za-z0-9+/=]+'/);
|
|
expect(scriptSrc).not.toContain("'unsafe-inline'");
|
|
expect(scriptSrc).not.toContain("'unsafe-eval'");
|
|
});
|
|
|
|
it("production: each request gets a unique nonce", async () => {
|
|
const middleware = await importMiddleware("production");
|
|
const res1 = await middleware(new NextRequest("http://localhost:3100/a"));
|
|
const res2 = await middleware(new NextRequest("http://localhost:3100/b"));
|
|
const nonce1 = res1.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
|
|
const nonce2 = res2.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
|
|
expect(nonce1).toBeTruthy();
|
|
expect(nonce2).toBeTruthy();
|
|
expect(nonce1).not.toBe(nonce2);
|
|
});
|
|
|
|
it("production: x-nonce request header matches the nonce in the CSP response header", async () => {
|
|
const middleware = await importMiddleware("production");
|
|
const req = new NextRequest("http://localhost:3100/settings");
|
|
const res = await middleware(req);
|
|
const cspNonce = res.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
|
|
// The nonce is forwarded on the request (for server components) — not readable from
|
|
// the response directly, but verifiable via the CSP header consistency.
|
|
expect(cspNonce).toBeTruthy();
|
|
expect(cspNonce?.length).toBeGreaterThan(10);
|
|
});
|
|
|
|
it("development: script-src includes unsafe-eval and unsafe-inline for HMR", async () => {
|
|
const middleware = await importMiddleware("development");
|
|
const req = new NextRequest("http://localhost:3100/");
|
|
const res = await middleware(req);
|
|
const csp = res.headers.get("Content-Security-Policy") ?? "";
|
|
const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
|
|
expect(scriptSrc).toContain("'unsafe-eval'");
|
|
expect(scriptSrc).toContain("'unsafe-inline'");
|
|
});
|
|
|
|
it("frame-ancestors is always 'none' regardless of environment", async () => {
|
|
for (const env of ["production", "development"] as const) {
|
|
const middleware = await importMiddleware(env);
|
|
const res = await middleware(new NextRequest("http://localhost:3100/"));
|
|
const csp = res.headers.get("Content-Security-Policy") ?? "";
|
|
expect(csp).toContain("frame-ancestors 'none'");
|
|
}
|
|
});
|
|
});
|