Add Vitest security test suite and update security evaluation doc
Set up Vitest with server (node) and client (jsdom) test projects. 79 tests across 8 files verify all Phase 0-1 security controls: escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF enforcement, security headers, rate limiting, auth guards, profile field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md with remediation status, implementation summary, and automated test coverage details.
This commit is contained in:
parent
d5c95ace0a
commit
29c96a207e
14 changed files with 2454 additions and 3 deletions
142
tests/server/utils/auth.test.js
Normal file
142
tests/server/utils/auth.test.js
Normal file
|
|
@ -0,0 +1,142 @@
|
|||
import { describe, it, expect, vi, beforeEach } from 'vitest'
|
||||
|
||||
vi.mock('../../../server/models/member.js', () => ({
|
||||
default: { findById: vi.fn() }
|
||||
}))
|
||||
|
||||
vi.mock('../../../server/utils/mongoose.js', () => ({
|
||||
connectDB: vi.fn()
|
||||
}))
|
||||
|
||||
vi.mock('jsonwebtoken', () => ({
|
||||
default: { verify: vi.fn() }
|
||||
}))
|
||||
|
||||
import Member from '../../../server/models/member.js'
|
||||
import jwt from 'jsonwebtoken'
|
||||
import { requireAuth, requireAdmin } from '../../../server/utils/auth.js'
|
||||
import { createMockEvent } from '../helpers/createMockEvent.js'
|
||||
|
||||
describe('requireAuth', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
})
|
||||
|
||||
it('throws 401 when no auth-token cookie', async () => {
|
||||
const event = createMockEvent({ path: '/api/test' })
|
||||
|
||||
await expect(requireAuth(event)).rejects.toMatchObject({
|
||||
statusCode: 401,
|
||||
statusMessage: 'Authentication required'
|
||||
})
|
||||
})
|
||||
|
||||
it('throws 401 when JWT is invalid', async () => {
|
||||
jwt.verify.mockImplementation(() => { throw new Error('invalid token') })
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/test',
|
||||
cookies: { 'auth-token': 'bad-token' }
|
||||
})
|
||||
|
||||
await expect(requireAuth(event)).rejects.toMatchObject({
|
||||
statusCode: 401,
|
||||
statusMessage: 'Invalid or expired token'
|
||||
})
|
||||
})
|
||||
|
||||
it('throws 401 when member not found in DB', async () => {
|
||||
jwt.verify.mockReturnValue({ memberId: 'member-123' })
|
||||
Member.findById.mockResolvedValue(null)
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
await expect(requireAuth(event)).rejects.toMatchObject({
|
||||
statusCode: 401,
|
||||
statusMessage: 'Member not found'
|
||||
})
|
||||
})
|
||||
|
||||
it('throws 403 when member is suspended', async () => {
|
||||
jwt.verify.mockReturnValue({ memberId: 'member-123' })
|
||||
Member.findById.mockResolvedValue({ _id: 'member-123', status: 'suspended', role: 'member' })
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
await expect(requireAuth(event)).rejects.toMatchObject({
|
||||
statusCode: 403,
|
||||
statusMessage: 'Account is suspended'
|
||||
})
|
||||
})
|
||||
|
||||
it('throws 403 when member is cancelled', async () => {
|
||||
jwt.verify.mockReturnValue({ memberId: 'member-123' })
|
||||
Member.findById.mockResolvedValue({ _id: 'member-123', status: 'cancelled', role: 'member' })
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
await expect(requireAuth(event)).rejects.toMatchObject({
|
||||
statusCode: 403,
|
||||
statusMessage: 'Account is cancelled'
|
||||
})
|
||||
})
|
||||
|
||||
it('returns member when token and status are valid', async () => {
|
||||
const mockMember = { _id: 'member-123', status: 'active', role: 'member', email: 'test@example.com' }
|
||||
jwt.verify.mockReturnValue({ memberId: 'member-123' })
|
||||
Member.findById.mockResolvedValue(mockMember)
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
const result = await requireAuth(event)
|
||||
expect(result).toEqual(mockMember)
|
||||
})
|
||||
})
|
||||
|
||||
describe('requireAdmin', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
})
|
||||
|
||||
it('throws 403 when member is not admin', async () => {
|
||||
const mockMember = { _id: 'member-123', status: 'active', role: 'member' }
|
||||
jwt.verify.mockReturnValue({ memberId: 'member-123' })
|
||||
Member.findById.mockResolvedValue(mockMember)
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/admin/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
await expect(requireAdmin(event)).rejects.toMatchObject({
|
||||
statusCode: 403,
|
||||
statusMessage: 'Admin access required'
|
||||
})
|
||||
})
|
||||
|
||||
it('returns member when role is admin', async () => {
|
||||
const mockMember = { _id: 'admin-123', status: 'active', role: 'admin', email: 'admin@example.com' }
|
||||
jwt.verify.mockReturnValue({ memberId: 'admin-123' })
|
||||
Member.findById.mockResolvedValue(mockMember)
|
||||
|
||||
const event = createMockEvent({
|
||||
path: '/api/admin/test',
|
||||
cookies: { 'auth-token': 'valid-token' }
|
||||
})
|
||||
|
||||
const result = await requireAdmin(event)
|
||||
expect(result).toEqual(mockMember)
|
||||
})
|
||||
})
|
||||
60
tests/server/utils/escapeHtml.test.js
Normal file
60
tests/server/utils/escapeHtml.test.js
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
import { describe, it, expect } from 'vitest'
|
||||
import { escapeHtml } from '../../../server/utils/escapeHtml.js'
|
||||
|
||||
describe('escapeHtml', () => {
|
||||
it('escapes ampersands', () => {
|
||||
expect(escapeHtml('a&b')).toBe('a&b')
|
||||
})
|
||||
|
||||
it('escapes less-than signs', () => {
|
||||
expect(escapeHtml('a<b')).toBe('a<b')
|
||||
})
|
||||
|
||||
it('escapes greater-than signs', () => {
|
||||
expect(escapeHtml('a>b')).toBe('a>b')
|
||||
})
|
||||
|
||||
it('escapes double quotes', () => {
|
||||
expect(escapeHtml('a"b')).toBe('a"b')
|
||||
})
|
||||
|
||||
it('escapes single quotes', () => {
|
||||
expect(escapeHtml("a'b")).toBe('a'b')
|
||||
})
|
||||
|
||||
it('escapes all entities in a single string', () => {
|
||||
expect(escapeHtml('<div class="x">&\'test\'')).toBe(
|
||||
'<div class="x">&'test''
|
||||
)
|
||||
})
|
||||
|
||||
it('returns empty string for null', () => {
|
||||
expect(escapeHtml(null)).toBe('')
|
||||
})
|
||||
|
||||
it('returns empty string for undefined', () => {
|
||||
expect(escapeHtml(undefined)).toBe('')
|
||||
})
|
||||
|
||||
it('converts numbers to string', () => {
|
||||
expect(escapeHtml(42)).toBe('42')
|
||||
})
|
||||
|
||||
it('passes safe strings through unchanged', () => {
|
||||
expect(escapeHtml('hello world')).toBe('hello world')
|
||||
})
|
||||
|
||||
it('neutralizes script tag XSS payload', () => {
|
||||
const payload = '<script>alert("xss")</script>'
|
||||
const result = escapeHtml(payload)
|
||||
expect(result).not.toContain('<script>')
|
||||
expect(result).toBe('<script>alert("xss")</script>')
|
||||
})
|
||||
|
||||
it('neutralizes img onerror XSS payload', () => {
|
||||
const payload = '<img onerror="alert(1)" src=x>'
|
||||
const result = escapeHtml(payload)
|
||||
expect(result).not.toContain('<img')
|
||||
expect(result).toBe('<img onerror="alert(1)" src=x>')
|
||||
})
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue