Jennie Robinson Faber
29c96a207e
Set up Vitest with server (node) and client (jsdom) test projects. 79 tests across 8 files verify all Phase 0-1 security controls: escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF enforcement, security headers, rate limiting, auth guards, profile field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md with remediation status, implementation summary, and automated test coverage details.
157 lines
5.1 KiB
JavaScript
157 lines
5.1 KiB
JavaScript
import { describe, it, expect, vi, beforeEach } from 'vitest'
|
|
|
|
vi.mock('../../../server/utils/auth.js', () => ({
|
|
requireAuth: vi.fn()
|
|
}))
|
|
|
|
vi.mock('../../../server/models/member.js', () => ({
|
|
default: { findByIdAndUpdate: vi.fn() }
|
|
}))
|
|
|
|
import { requireAuth } from '../../../server/utils/auth.js'
|
|
import Member from '../../../server/models/member.js'
|
|
import profilePatchHandler from '../../../server/api/members/profile.patch.js'
|
|
import { createMockEvent } from '../helpers/createMockEvent.js'
|
|
|
|
describe('members profile PATCH endpoint', () => {
|
|
const mockMember = {
|
|
_id: 'member-123',
|
|
email: 'test@example.com',
|
|
name: 'Test User',
|
|
circle: 'community',
|
|
contributionTier: 5,
|
|
pronouns: 'they/them',
|
|
timeZone: 'America/New_York',
|
|
avatar: 'https://example.com/avatar.jpg',
|
|
studio: 'Test Studio',
|
|
bio: 'Updated bio',
|
|
location: 'NYC',
|
|
socialLinks: { twitter: '@test' },
|
|
offering: { text: 'help', tags: ['code'] },
|
|
lookingFor: { text: 'feedback', tags: ['design'] },
|
|
showInDirectory: true
|
|
}
|
|
|
|
beforeEach(() => {
|
|
vi.clearAllMocks()
|
|
requireAuth.mockResolvedValue({ _id: 'member-123' })
|
|
Member.findByIdAndUpdate.mockResolvedValue(mockMember)
|
|
})
|
|
|
|
describe('field allowlist - forbidden fields are rejected', () => {
|
|
it('does not pass helcimCustomerId to database update', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: { bio: 'new bio', helcimCustomerId: 'hacked-id' }
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const updateCall = Member.findByIdAndUpdate.mock.calls[0]
|
|
const setData = updateCall[1].$set
|
|
expect(setData).not.toHaveProperty('helcimCustomerId')
|
|
expect(setData).toHaveProperty('bio', 'new bio')
|
|
})
|
|
|
|
it('does not pass role to database update', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: { bio: 'new bio', role: 'admin' }
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData).not.toHaveProperty('role')
|
|
})
|
|
|
|
it('does not pass status to database update', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: { bio: 'new bio', status: 'active' }
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData).not.toHaveProperty('status')
|
|
})
|
|
|
|
it('does not pass email to database update', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: { bio: 'new bio', email: 'hacked@evil.com' }
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData).not.toHaveProperty('email')
|
|
})
|
|
|
|
it('does not pass _id to database update', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: { bio: 'new bio', _id: 'different-id' }
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData).not.toHaveProperty('_id')
|
|
})
|
|
})
|
|
|
|
describe('field allowlist - allowed fields pass through', () => {
|
|
it('passes allowed profile fields through', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: {
|
|
pronouns: 'they/them',
|
|
bio: 'Updated bio',
|
|
studio: 'Test Studio',
|
|
location: 'NYC',
|
|
timeZone: 'America/New_York',
|
|
avatar: 'https://example.com/avatar.jpg',
|
|
showInDirectory: true,
|
|
socialLinks: { twitter: '@test' }
|
|
}
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData).toHaveProperty('pronouns', 'they/them')
|
|
expect(setData).toHaveProperty('bio', 'Updated bio')
|
|
expect(setData).toHaveProperty('studio', 'Test Studio')
|
|
expect(setData).toHaveProperty('location', 'NYC')
|
|
expect(setData).toHaveProperty('timeZone', 'America/New_York')
|
|
expect(setData).toHaveProperty('avatar', 'https://example.com/avatar.jpg')
|
|
expect(setData).toHaveProperty('showInDirectory', true)
|
|
expect(setData).toHaveProperty('socialLinks')
|
|
})
|
|
|
|
it('passes offering and lookingFor nested objects through', async () => {
|
|
const event = createMockEvent({
|
|
method: 'PATCH',
|
|
path: '/api/members/profile',
|
|
body: {
|
|
offering: { text: 'mentoring', tags: ['code', 'design'] },
|
|
lookingFor: { text: 'feedback', tags: ['art'] }
|
|
}
|
|
})
|
|
|
|
await profilePatchHandler(event)
|
|
|
|
const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
|
|
expect(setData.offering).toEqual({ text: 'mentoring', tags: ['code', 'design'] })
|
|
expect(setData.lookingFor).toEqual({ text: 'feedback', tags: ['art'] })
|
|
})
|
|
})
|
|
})
|