Add Vitest security test suite and update security evaluation doc

Set up Vitest with server (node) and client (jsdom) test projects. 79 tests across 8 files verify all Phase 0-1 security controls: escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF enforcement, security headers, rate limiting, auth guards, profile field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md with remediation status, implementation summary, and automated test coverage details.
2026-03-01 12:30:06 +00:00 · 2026-03-01 12:30:06 +00:00 · 29c96a207e
commit 29c96a207e
parent d5c95ace0a
14 changed files with 2454 additions and 3 deletions
--- a/tests/server/setup.js
+++ b/tests/server/setup.js
@ -0,0 +1,34 @@
+import { vi } from 'vitest'
+import {
+  getCookie,
+  setCookie,
+  getMethod,
+  getHeader,
+  getHeaders,
+  setHeader,
+  getRequestURL,
+  createError,
+  defineEventHandler,
+  readBody,
+  getQuery,
+  getRouterParam
+} from 'h3'
+
+// Register real h3 functions as globals so server code that relies on
+// Nitro auto-imports can find them in the test environment.
+vi.stubGlobal('getCookie', getCookie)
+vi.stubGlobal('setCookie', setCookie)
+vi.stubGlobal('getMethod', getMethod)
+vi.stubGlobal('getHeader', getHeader)
+vi.stubGlobal('getHeaders', getHeaders)
+vi.stubGlobal('setHeader', setHeader)
+vi.stubGlobal('getRequestURL', getRequestURL)
+vi.stubGlobal('createError', createError)
+vi.stubGlobal('defineEventHandler', defineEventHandler)
+vi.stubGlobal('readBody', readBody)
+vi.stubGlobal('getQuery', getQuery)
+vi.stubGlobal('getRouterParam', getRouterParam)
+
+vi.stubGlobal('useRuntimeConfig', () => ({
+  jwtSecret: 'test-jwt-secret'
+}))