Add test suite for CORS and CSP validation in Express app
This commit is contained in:
Julio Cesar
63
test-backend/test/run-tests.ts
Normal file
63
test-backend/test/run-tests.ts
Normal file
@@ -0,0 +1,63 @@
|
|||||||
|
import http from "http"
|
||||||
|
import fetch from "node-fetch"
|
||||||
|
import app from "../app"
|
||||||
|
|
||||||
|
async function listenOnRandomPort() {
|
||||||
|
return new Promise<{ server: http.Server; port: number }>(
|
||||||
|
(resolve, reject) => {
|
||||||
|
const server = http.createServer(app)
|
||||||
|
server.listen(0, () => {
|
||||||
|
// @ts-ignore
|
||||||
|
const addr = server.address()
|
||||||
|
if (!addr || typeof addr === "string")
|
||||||
|
return reject(new Error("Failed to get server address"))
|
||||||
|
resolve({ server, port: addr.port })
|
||||||
|
})
|
||||||
|
}
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
async function run() {
|
||||||
|
const FRONTEND = process.env.FRONTEND_URL || "http://localhost:5173"
|
||||||
|
const { server, port } = await listenOnRandomPort()
|
||||||
|
const base = `http://localhost:${port}`
|
||||||
|
|
||||||
|
try {
|
||||||
|
// 1) Allowed origin
|
||||||
|
const allowed = await fetch(base + "/api/meters", {
|
||||||
|
headers: { Origin: FRONTEND },
|
||||||
|
})
|
||||||
|
console.log("Allowed origin status:", allowed.status)
|
||||||
|
const csp = allowed.headers.get("content-security-policy")
|
||||||
|
const nonce = allowed.headers.get("x-csp-nonce")
|
||||||
|
console.log("CSP header present:", !!csp)
|
||||||
|
console.log("X-CSP-Nonce present:", !!nonce)
|
||||||
|
|
||||||
|
if (allowed.status !== 200) throw new Error("Allowed origin request failed")
|
||||||
|
if (!csp) throw new Error("CSP header missing")
|
||||||
|
if (!nonce) throw new Error("X-CSP-Nonce missing")
|
||||||
|
|
||||||
|
// 2) Disallowed origin
|
||||||
|
const disallowed = await fetch(base + "/api/meters", {
|
||||||
|
headers: { Origin: "https://evil.com" },
|
||||||
|
})
|
||||||
|
console.log("Disallowed origin status:", disallowed.status)
|
||||||
|
if (disallowed.status !== 403)
|
||||||
|
throw new Error("Disallowed origin not rejected")
|
||||||
|
|
||||||
|
// 3) Missing origin -> should be rejected now
|
||||||
|
const missing = await fetch(base + "/api/meters")
|
||||||
|
console.log("Missing origin status:", missing.status)
|
||||||
|
if (missing.status !== 403)
|
||||||
|
throw new Error("Request without Origin header should be rejected")
|
||||||
|
|
||||||
|
console.log("\nAll tests passed")
|
||||||
|
} catch (err) {
|
||||||
|
console.error("Test failure:", err)
|
||||||
|
process.exitCode = 1
|
||||||
|
} finally {
|
||||||
|
server.close()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
run()
|
||||||
Reference in New Issue
Block a user