Refactor runtime around world core

lpf
2026-03-15 23:46:06 +08:00
parent ba95aeed35
commit afae9076df
79 changed files with 6526 additions and 6960 deletions


@@ -42,13 +42,13 @@ func TestCheckAuthAllowsBearerAndCookieOnly(t *testing.T) {
}
}
func TestWithCORSRejectsForeignOrigin(t *testing.T) {
func TestWithCORSRejectsInvalidOrigin(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "", nil)
req := httptest.NewRequest(http.MethodGet, "http://example.com/api/config", nil)
req.Host = "example.com"
req.Header.Set("Origin", "https://evil.example")
req.Header.Set("Origin", "javascript:alert(1)")
rec := httptest.NewRecorder()
srv.withCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -81,7 +81,32 @@ func TestWithCORSAcceptsSameOrigin(t *testing.T) {
}
}
func TestHandleNodeConnectRejectsForeignOrigin(t *testing.T) {
func TestWithCORSAcceptsCrossOrigin(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "", nil)
req := httptest.NewRequest(http.MethodGet, "http://example.com/api/config", nil)
req.Host = "example.com"
req.Header.Set("Origin", "https://web.example")
rec := httptest.NewRecorder()
srv.withCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})).ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", rec.Code)
}
if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "https://web.example" {
t.Fatalf("unexpected allow-origin header %q", got)
}
if got := rec.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
t.Fatalf("expected allow credentials, got %q", got)
}
}
func TestHandleNodeConnectRejectsInvalidOrigin(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "", nodes.NewManager())
@@ -92,7 +117,7 @@ func TestHandleNodeConnectRejectsForeignOrigin(t *testing.T) {
wsURL := "ws" + strings.TrimPrefix(httpSrv.URL, "http") + "/nodes/connect"
dialer := websocket.Dialer{}
headers := http.Header{"Origin": []string{"https://evil.example"}}
headers := http.Header{"Origin": []string{"javascript:alert(1)"}}
conn, resp, err := dialer.Dial(wsURL, headers)
if err == nil {
conn.Close()
@@ -103,6 +128,25 @@ func TestHandleNodeConnectRejectsForeignOrigin(t *testing.T) {
}
}
func TestHandleNodeConnectAcceptsCrossOrigin(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "", nodes.NewManager())
mux := http.NewServeMux()
mux.HandleFunc("/nodes/connect", srv.handleNodeConnect)
httpSrv := httptest.NewServer(mux)
defer httpSrv.Close()
wsURL := "ws" + strings.TrimPrefix(httpSrv.URL, "http") + "/nodes/connect"
dialer := websocket.Dialer{}
headers := http.Header{"Origin": []string{"https://web.example"}}
conn, resp, err := dialer.Dial(wsURL, headers)
if err != nil {
t.Fatalf("expected websocket handshake to succeed, resp=%#v err=%v", resp, err)
}
_ = conn.Close()
}
func TestHandleWebUISetsCookieForBearerOnly(t *testing.T) {
t.Parallel()
@@ -125,6 +169,34 @@ func TestHandleWebUISetsCookieForBearerOnly(t *testing.T) {
}
}
func TestHandleWebUIAuthSessionSetsCrossSiteCookieForAllowedOrigin(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "secret-token", nil)
req := httptest.NewRequest(http.MethodPost, "http://gateway.example/api/auth/session", nil)
req.Host = "gateway.example"
req.Header.Set("Origin", "https://web.example")
req.Header.Set("Authorization", "Bearer secret-token")
rec := httptest.NewRecorder()
srv.withCORS(http.HandlerFunc(srv.handleWebUIAuthSession)).ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("expected 200, got %d: %s", rec.Code, rec.Body.String())
}
cookies := rec.Result().Cookies()
if len(cookies) != 1 {
t.Fatalf("expected one cookie, got %d", len(cookies))
}
if cookies[0].SameSite != http.SameSiteNoneMode {
t.Fatalf("expected SameSite=None for cross-site session, got %v", cookies[0].SameSite)
}
if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "https://web.example" {
t.Fatalf("unexpected allow-origin header %q", got)
}
}
func TestHandleWebUIUploadDoesNotExposeAbsolutePath(t *testing.T) {
t.Parallel()
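Review bot: `TestWithCORSAcceptsCrossOrigin` pins `withCORS` echoing the request's `Origin` into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, on a server built with `NewServer("127.0.0.1", 0, "", nil)` where no origin allowlist is visibly configured. Because the renamed rejection tests now only send a malformed origin (`javascript:alert(1)`), nothing in this file still asserts that a well-formed but untrusted origin is refused. If the implementation (not visible here) consults an allowlist, the tests should configure it explicitly and keep a negative case such as the former `https://evil.example` request; if it reflects any valid origin, credentialed reflection lets any site read authenticated responses and is worth reconsidering. The same concern applies to `TestHandleNodeConnectAcceptsCrossOrigin`, since browsers attach cookies to WebSocket handshakes and the Origin check is the usual defence against cross-site hijacking there. In `TestHandleWebUIAuthSessionSetsCrossSiteCookieForAllowedOrigin` the cookie is checked only for `SameSite=None`; I would add `if !cookies[0].Secure || !cookies[0].HttpOnly { t.Fatalf("cross-site session cookie must be Secure and HttpOnly") }`, since browsers drop `SameSite=None` cookies that lack `Secure`.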