HotPlate/discord-rpg-concept
1
0
Fork 0
forked from syntaxbullet/aurorabot
Code Pull Requests Activity

fix: address security review findings, implement real cache clearing, and fix lifecycle promises

Browse Source
This commit is contained in:
syntaxbullet
2026-01-08 21:29:09 +01:00
parent 0f6cce9b6e
commit 19206b5cc7
11 changed files with 176 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
web/src/server.test.ts
View File

@@ -51,18 +51,7 @@ mock.module("../../bot/lib/clientStats", () => ({
})),
}));
// 3. Mock System Events
mock.module("@shared/lib/events", () => ({
systemEvents: {
on: mock(() => { }),
emit: mock(() => { }),
},
EVENTS: {
DASHBOARD: {
NEW_EVENT: "dashboard:new_event",
}
}
}));
// 3. System Events (No mock needed, use real events)
describe("WebServer Security & Limits", () => {
const port = 3001;
@@ -110,4 +99,45 @@ describe("WebServer Security & Limits", () => {
const data = (await response.json()) as { status: string };
expect(data.status).toBe("ok");
});
describe("Administrative Actions Authorization", () => {
test("should reject administrative actions without token", async () => {
const response = await fetch(`http://localhost:${port}/api/actions/reload-commands`, {
method: "POST"
});
expect(response.status).toBe(401);
});
test("should reject administrative actions with invalid token", async () => {
const response = await fetch(`http://localhost:${port}/api/actions/reload-commands`, {
method: "POST",
headers: { "Authorization": "Bearer wrong-token" }
});
expect(response.status).toBe(401);
});
test("should accept administrative actions with valid token", async () => {
const { env } = await import("@shared/lib/env");
const response = await fetch(`http://localhost:${port}/api/actions/reload-commands`, {
method: "POST",
headers: { "Authorization": `Bearer ${env.ADMIN_TOKEN}` }
});
expect(response.status).toBe(200);
});
test("should reject maintenance mode with invalid payload", async () => {
const { env } = await import("@shared/lib/env");
const response = await fetch(`http://localhost:${port}/api/actions/maintenance-mode`, {
method: "POST",
headers: {
"Authorization": `Bearer ${env.ADMIN_TOKEN}`,
"Content-Type": "application/json"
},
body: JSON.stringify({ not_enabled: true }) // Wrong field
});
expect(response.status).toBe(400);
const data = await response.json() as { error: string };
expect(data.error).toBe("Invalid payload");
});
});
});