Alfred-Mission-Control/middleware.test.ts at main · SabaTech-dev/Alfred-Mission-Control · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
import { afterEach, beforeEach, describe, expect, it } from "vitest";
import { NextRequest } from "next/server";

import { middleware } from "./middleware";
import { sessionStore } from "@/lib/session-store";
import { resetAgentKeysCache } from "@/lib/agent-auth";

const previousAuthSecret = process.env.AUTH_SECRET;
const previousAgentKeys = process.env.OPENCLAW_AGENT_KEYS;

describe("middleware auth policy", () => {
  let authToken = "";

  beforeEach(async () => {
    process.env.AUTH_SECRET = "test-secret-123456789012345678901234567890";
    process.env.OPENCLAW_AGENT_KEYS = "agent-a:key-agent-a";
    resetAgentKeysCache();
    authToken = await sessionStore.generateToken();
  });

  afterEach(() => {
    sessionStore.clearRevoked();

    if (previousAuthSecret === undefined) {
      delete process.env.AUTH_SECRET;
    } else {
      process.env.AUTH_SECRET = previousAuthSecret;
    }

    if (previousAgentKeys === undefined) {
      delete process.env.OPENCLAW_AGENT_KEYS;
    } else {
      process.env.OPENCLAW_AGENT_KEYS = previousAgentKeys;
    }

    resetAgentKeysCache();
  });

  it("allows public auth routes", async () => {
    const request = new NextRequest(new URL("http://localhost/api/auth/login"));
    const response = await middleware(request);

    expect(response.status).toBe(200);
  });

  it("blocks non-whitelisted auth-like routes", async () => {
    const request = new NextRequest(new URL("http://localhost/api/auth/internal"));
    const response = await middleware(request);

    expect(response.status).toBe(401);
  });

  it("blocks protected API routes without session", async () => {
    const request = new NextRequest(new URL("http://localhost/api/git"));
    const response = await middleware(request);
    const data = await response.json();

    expect(response.status).toBe(401);
    expect(data.error).toBe("Unauthorized");
  });

  it("allows protected API routes with valid session", async () => {
    const request = new NextRequest(new URL("http://localhost/api/git"), {
      headers: { Authorization: `Bearer ${authToken}` },
    });

    const response = await middleware(request);
    expect(response.status).toBe(200);
  });

  it("blocks agent routes when agent credentials are missing", async () => {
    const request = new NextRequest(new URL("http://localhost/api/heartbeat/tasks"));
    const response = await middleware(request);

    expect(response.status).toBe(401);
  });

  it("allows agent routes with valid agent credentials", async () => {
    const request = new NextRequest(new URL("http://localhost/api/heartbeat/tasks"), {
      headers: {
        "X-Agent-Id": "agent-a",
        "X-Agent-Key": "key-agent-a",
      },
    });

    const response = await middleware(request);
    expect(response.status).toBe(200);
  });

  it("does not allow session-only access to heartbeat agent route", async () => {
    const request = new NextRequest(new URL("http://localhost/api/heartbeat/tasks"), {
      headers: { Authorization: `Bearer ${authToken}` },
    });

    const response = await middleware(request);
    expect(response.status).toBe(401);
  });

  it("allows session access to kanban agent routes", async () => {
    const request = new NextRequest(new URL("http://localhost/api/kanban/agent/tasks"), {
      headers: { Authorization: `Bearer ${authToken}` },
    });

    const response = await middleware(request);
    expect(response.status).toBe(200);
  });
});