openwork/apps/share/server/_lib/publish-security.test.ts
ef5b59977e fix(share): harden legacy publish endpoints (#1243)
Align the legacy v1 bundle publish routes with the scoped Next API protections so older deployment paths stop accepting wildcard origins or host-derived share URLs.

Co-authored-by: src-opn <src-opn@users.noreply.github.com>
2026-03-30 17:24:39 -07:00


import test from "node:test";
import assert from "node:assert/strict";
import { buildCanonicalRequest } from "./request-like.ts";
import { buildCorsHeaders, validateTrustedOrigin } from "./publish-security.ts";
test("buildCanonicalRequest pins legacy publish routes to the fixed share origin", () => {
  // Host and X-Forwarded-Host are client-supplied and are deliberately set to a
  // value that must never surface in the share URL; the canonical request is
  // expected to use the fixed share origin regardless of those headers.
  const spoofedHost = "evil.example";
  const canonical = buildCanonicalRequest({
    pathname: "/v1/bundles",
    method: "POST",
    headers: {
      host: spoofedHost,
      "x-forwarded-host": spoofedHost,
      origin: "https://openworklabs.com",
    },
  });

  const { origin } = new URL(canonical.url);
  assert.strictEqual(origin, "https://share.openworklabs.com");
});
test("buildCorsHeaders reflects only trusted publisher origins", () => {
  // Build a legacy publish request whose only relevant input is the Origin
  // header, so the CORS decision under test depends on nothing else.
  const publishFrom = (origin: string) =>
    buildCanonicalRequest({
      pathname: "/v1/bundles",
      method: "POST",
      headers: { origin },
    });

  // A trusted publisher origin is reflected back, and the response carries
  // Vary: Origin so a cached copy is not served to a different origin.
  const trusted = buildCorsHeaders(publishFrom("https://openworklabs.com"));
  assert.strictEqual(trusted["Access-Control-Allow-Origin"], "https://openworklabs.com");
  assert.strictEqual(trusted.Vary, "Origin");

  // An untrusted origin receives no Allow-Origin header at all (neither a
  // wildcard nor a reflected value), and the origin validator rejects it too.
  const untrustedRequest = publishFrom("https://evil.example");
  const untrusted = buildCorsHeaders(untrustedRequest);
  assert.strictEqual(untrusted["Access-Control-Allow-Origin"], undefined);
  assert.strictEqual(validateTrustedOrigin(untrustedRequest).ok, false);
});