test: add resolveProxySecret and verifyProxyRequest tests

harlan-zw · harlan-zw · commit 48c0865a4bdd · 2026-04-10T16:47:11.000+10:00
- resolveProxySecret: config precedence, env var fallback, .env auto-gen,
  existing key detection, newline handling, read-only FS fallback, process.env
  population (10 tests)
- verifyProxyRequest: URL signature mode, page token mode, expired tokens,
  tampered sigs, empty secret, any-params page token, dual-mode precedence
  (8 tests)

Total: 54 tests across sign.test.ts and resolve-proxy-secret.test.ts
diff --git a/test/unit/resolve-proxy-secret.test.ts b/test/unit/resolve-proxy-secret.test.ts
@@ -0,0 +1,105 @@
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { afterEach, beforeEach, describe, expect, it } from 'vitest'
+import { resolveProxySecret } from '../../packages/script/src/module'
+
+const ENV_KEY = 'NUXT_SCRIPTS_PROXY_SECRET'
+
+describe('resolveProxySecret', () => {
+  let testDir: string
+  let savedEnv: string | undefined
+
+  beforeEach(() => {
+    testDir = join(tmpdir(), `nuxt-scripts-test-${Date.now()}`)
+    mkdirSync(testDir, { recursive: true })
+    savedEnv = process.env[ENV_KEY]
+    delete process.env[ENV_KEY]
+  })
+
+  afterEach(() => {
+    rmSync(testDir, { recursive: true, force: true })
+    if (savedEnv !== undefined)
+      process.env[ENV_KEY] = savedEnv
+    else
+      delete process.env[ENV_KEY]
+  })
+
+  it('returns config secret with highest priority', () => {
+    process.env[ENV_KEY] = 'env-secret'
+    const result = resolveProxySecret(testDir, true, 'config-secret')
+    expect(result).toEqual({ secret: 'config-secret', ephemeral: false, source: 'config' })
+  })
+
+  it('falls back to env var when no config secret', () => {
+    process.env[ENV_KEY] = 'env-secret'
+    const result = resolveProxySecret(testDir, true)
+    expect(result).toEqual({ secret: 'env-secret', ephemeral: false, source: 'env' })
+  })
+
+  it('returns undefined in prod when no secret is available', () => {
+    const result = resolveProxySecret(testDir, false)
+    expect(result).toBeUndefined()
+  })
+
+  it('returns undefined when autoGenerate is false even in dev', () => {
+    const result = resolveProxySecret(testDir, true, undefined, false)
+    expect(result).toBeUndefined()
+  })
+
+  it('auto-generates and writes to .env in dev when file does not exist', () => {
+    const result = resolveProxySecret(testDir, true)
+    expect(result).toBeDefined()
+    expect(result!.source).toBe('dotenv-generated')
+    expect(result!.ephemeral).toBe(false)
+    expect(result!.secret).toHaveLength(64) // 32 bytes hex
+
+    const envContent = readFileSync(join(testDir, '.env'), 'utf-8')
+    expect(envContent).toContain(`${ENV_KEY}=${result!.secret}`)
+    expect(envContent).toContain('# Generated by @nuxt/scripts')
+  })
+
+  it('appends to existing .env in dev', () => {
+    writeFileSync(join(testDir, '.env'), 'OTHER_VAR=value\n')
+    const result = resolveProxySecret(testDir, true)
+    expect(result!.source).toBe('dotenv-generated')
+
+    const envContent = readFileSync(join(testDir, '.env'), 'utf-8')
+    expect(envContent).toContain('OTHER_VAR=value')
+    expect(envContent).toContain(`${ENV_KEY}=`)
+  })
+
+  it('returns existing secret from .env without generating a new one', () => {
+    writeFileSync(join(testDir, '.env'), `${ENV_KEY}=existing-secret-value\n`)
+    const result = resolveProxySecret(testDir, true)
+    expect(result).toEqual({ secret: 'existing-secret-value', ephemeral: false, source: 'dotenv-generated' })
+
+    // Should not have written a second line
+    const envContent = readFileSync(join(testDir, '.env'), 'utf-8')
+    const matches = envContent.match(new RegExp(ENV_KEY, 'g'))
+    expect(matches).toHaveLength(1)
+  })
+
+  it('populates process.env after generating a new secret', () => {
+    resolveProxySecret(testDir, true)
+    expect(process.env[ENV_KEY]).toBeDefined()
+    expect(process.env[ENV_KEY]).toHaveLength(64)
+  })
+
+  it('falls back to in-memory when .env dir is read-only', () => {
+    // Use a non-existent deeply nested path that can't be written
+    const result = resolveProxySecret('/proc/nonexistent/path', true)
+    expect(result).toBeDefined()
+    expect(result!.source).toBe('memory-generated')
+    expect(result!.ephemeral).toBe(true)
+    expect(result!.secret).toHaveLength(64)
+  })
+
+  it('adds newline before appending when .env does not end with newline', () => {
+    writeFileSync(join(testDir, '.env'), 'OTHER_VAR=value')
+    resolveProxySecret(testDir, true)
+    const envContent = readFileSync(join(testDir, '.env'), 'utf-8')
+    // Should have a newline between existing content and new key
+    expect(envContent).toMatch(/value\n.*NUXT_SCRIPTS_PROXY_SECRET=/)
+  })
+})
diff --git a/test/unit/sign.test.ts b/test/unit/sign.test.ts
@@ -1,16 +1,32 @@
+import type { H3Event } from 'h3'
 import { describe, expect, it } from 'vitest'
 import {
   buildSignedProxyUrl,
   canonicalizeQuery,
   constantTimeEqual,
   generateProxyToken,
   PAGE_TOKEN_MAX_AGE,
+  PAGE_TOKEN_PARAM,
+  PAGE_TOKEN_TS_PARAM,
   SIG_LENGTH,
   SIG_PARAM,
   signProxyUrl,
+  verifyProxyRequest,
   verifyProxyToken,
 } from '../../packages/script/src/runtime/server/utils/sign'
 
+/** Create a minimal mock H3Event with a path and query params. */
+function mockEvent(url: string): H3Event {
+  const parsed = new URL(url, 'http://localhost')
+  const query: Record<string, string> = {}
+  for (const [k, v] of parsed.searchParams.entries())
+    query[k] = v
+  return {
+    path: parsed.pathname + parsed.search,
+    _query: query,
+  } as unknown as H3Event
+}
+
 const SECRET = 'test-secret-9f2c8b4e7a1d6f3c5b9e8a2d4f7c1b6e'
 
 describe('canonicalizeQuery', () => {
@@ -215,3 +231,60 @@ describe('verifyProxyToken', () => {
     expect(verifyProxyToken(token, ts, 'wrong-secret')).toBe(false)
   })
 })
+
+describe('verifyProxyRequest', () => {
+  it('verifies a valid URL signature (mode 1)', () => {
+    const url = buildSignedProxyUrl('/_scripts/proxy/x', { center: 'Sydney' }, SECRET)
+    const event = mockEvent(url)
+    expect(verifyProxyRequest(event, SECRET)).toBe(true)
+  })
+
+  it('rejects a tampered URL signature', () => {
+    const url = buildSignedProxyUrl('/_scripts/proxy/x', { center: 'Sydney' }, SECRET)
+    const tampered = url.replace(/sig=[0-9a-f]+/, 'sig=0000000000000000')
+    const event = mockEvent(tampered)
+    expect(verifyProxyRequest(event, SECRET)).toBe(false)
+  })
+
+  it('rejects a request with no sig and no page token', () => {
+    const event = mockEvent('/_scripts/proxy/x?center=Sydney')
+    expect(verifyProxyRequest(event, SECRET)).toBe(false)
+  })
+
+  it('returns false when secret is empty', () => {
+    const url = buildSignedProxyUrl('/_scripts/proxy/x', { center: 'Sydney' }, SECRET)
+    const event = mockEvent(url)
+    expect(verifyProxyRequest(event, '')).toBe(false)
+  })
+
+  it('verifies a valid page token (mode 2)', () => {
+    const ts = Math.floor(Date.now() / 1000)
+    const token = generateProxyToken(SECRET, ts)
+    const event = mockEvent(`/_scripts/proxy/x?center=Sydney&${PAGE_TOKEN_PARAM}=${token}&${PAGE_TOKEN_TS_PARAM}=${ts}`)
+    expect(verifyProxyRequest(event, SECRET)).toBe(true)
+  })
+
+  it('rejects an expired page token', () => {
+    const ts = Math.floor(Date.now() / 1000) - PAGE_TOKEN_MAX_AGE - 100
+    const token = generateProxyToken(SECRET, ts)
+    const event = mockEvent(`/_scripts/proxy/x?center=Sydney&${PAGE_TOKEN_PARAM}=${token}&${PAGE_TOKEN_TS_PARAM}=${ts}`)
+    expect(verifyProxyRequest(event, SECRET)).toBe(false)
+  })
+
+  it('allows page token with different query params than original (any-params mode)', () => {
+    const ts = Math.floor(Date.now() / 1000)
+    const token = generateProxyToken(SECRET, ts)
+    // Token was generated without any query context, so it works with any params
+    const event = mockEvent(`/_scripts/proxy/x?center=Melbourne&zoom=10&${PAGE_TOKEN_PARAM}=${token}&${PAGE_TOKEN_TS_PARAM}=${ts}`)
+    expect(verifyProxyRequest(event, SECRET)).toBe(true)
+  })
+
+  it('prefers URL signature over page token when both are present', () => {
+    const ts = Math.floor(Date.now() / 1000)
+    const pageToken = generateProxyToken(SECRET, ts)
+    // Build a signed URL and also add a page token
+    const signedUrl = buildSignedProxyUrl('/_scripts/proxy/x', { center: 'Sydney' }, SECRET)
+    const event = mockEvent(`${signedUrl}&${PAGE_TOKEN_PARAM}=${pageToken}&${PAGE_TOKEN_TS_PARAM}=${ts}`)
+    expect(verifyProxyRequest(event, SECRET)).toBe(true)
+  })
+})
