github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 05:34:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(test): dedupe trusted-proxy auth test setup

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 18:31:37 +00:00
parent 96eabcbe89
commit 9b70849567
1 changed files with 58 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
src/gateway/auth.test.ts
View File

@@ -183,30 +183,44 @@ describe("gateway auth", () => {
}); });
describe("trusted-proxy auth", () => { describe("trusted-proxy auth", () => {
type GatewayConnectInput = Parameters<typeof authorizeGatewayConnect>[0];
const trustedProxyConfig = { const trustedProxyConfig = {
userHeader: "x-forwarded-user", userHeader: "x-forwarded-user",
requiredHeaders: ["x-forwarded-proto"], requiredHeaders: ["x-forwarded-proto"],
allowUsers: [], allowUsers: [],
}; };
it("accepts valid request from trusted proxy", async () => { function authorizeTrustedProxy(options?: {
const res = await authorizeGatewayConnect({ auth?: GatewayConnectInput["auth"];
auth: { trustedProxies?: string[];
remoteAddress?: string;
headers?: Record<string, string>;
}) {
return authorizeGatewayConnect({
auth: options?.auth ?? {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
trustedProxy: trustedProxyConfig, trustedProxy: trustedProxyConfig,
}, },
connectAuth: null, connectAuth: null,
trustedProxies: ["10.0.0.1"], trustedProxies: options?.trustedProxies ?? ["10.0.0.1"],
req: { req: {
socket: { remoteAddress: "10.0.0.1" }, socket: { remoteAddress: options?.remoteAddress ?? "10.0.0.1" },
headers: { headers: {
host: "gateway.local", host: "gateway.local",
"x-forwarded-user": "nick@example.com", ...options?.headers,
"x-forwarded-proto": "https",
}, },
} as never, } as never,
}); });
}
it("accepts valid request from trusted proxy", async () => {
const res = await authorizeTrustedProxy({
headers: {
"x-forwarded-user": "nick@example.com",
"x-forwarded-proto": "https",
},
});
expect(res.ok).toBe(true); expect(res.ok).toBe(true);
expect(res.method).toBe("trusted-proxy"); expect(res.method).toBe("trusted-proxy");
@@ -214,22 +228,12 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects request from untrusted source", async () => { it("rejects request from untrusted source", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { remoteAddress: "192.168.1.100",
mode: "trusted-proxy", headers: {
allowTailscale: false, "x-forwarded-user": "attacker@evil.com",
trustedProxy: trustedProxyConfig, "x-forwarded-proto": "https",
}, },
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "192.168.1.100" },
headers: {
host: "gateway.local",
"x-forwarded-user": "attacker@evil.com",
"x-forwarded-proto": "https",
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -237,22 +241,10 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects request with missing user header", async () => { it("rejects request with missing user header", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { headers: {
mode: "trusted-proxy", "x-forwarded-proto": "https",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
}, },
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-proto": "https",
// missing x-forwarded-user
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -260,22 +252,10 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects request with missing required headers", async () => { it("rejects request with missing required headers", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { headers: {
mode: "trusted-proxy", "x-forwarded-user": "nick@example.com",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
}, },
connectAuth: null,
trustedProxies: ["10.0.0.1"],
req: {
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
// missing x-forwarded-proto
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -283,7 +263,7 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects user not in allowlist", async () => { it("rejects user not in allowlist", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { auth: {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
@@ -292,15 +272,9 @@ describe("trusted-proxy auth", () => {
allowUsers: ["admin@example.com", "nick@example.com"], allowUsers: ["admin@example.com", "nick@example.com"],
}, },
}, },
connectAuth: null, headers: {
trustedProxies: ["10.0.0.1"], "x-forwarded-user": "stranger@other.com",
req: { },
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "stranger@other.com",
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -308,7 +282,7 @@ describe("trusted-proxy auth", () => {
}); });
it("accepts user in allowlist", async () => { it("accepts user in allowlist", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { auth: {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
@@ -317,15 +291,9 @@ describe("trusted-proxy auth", () => {
allowUsers: ["admin@example.com", "nick@example.com"], allowUsers: ["admin@example.com", "nick@example.com"],
}, },
}, },
connectAuth: null, headers: {
trustedProxies: ["10.0.0.1"], "x-forwarded-user": "nick@example.com",
req: { },
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
}); });
expect(res.ok).toBe(true); expect(res.ok).toBe(true);
@@ -334,21 +302,11 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects when no trustedProxies configured", async () => { it("rejects when no trustedProxies configured", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: trustedProxyConfig,
},
connectAuth: null,
trustedProxies: [], trustedProxies: [],
req: { headers: {
socket: { remoteAddress: "10.0.0.1" }, "x-forwarded-user": "nick@example.com",
headers: { },
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -356,21 +314,14 @@ describe("trusted-proxy auth", () => {
}); });
it("rejects when trustedProxy config missing", async () => { it("rejects when trustedProxy config missing", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { auth: {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
// trustedProxy missing
}, },
connectAuth: null, headers: {
trustedProxies: ["10.0.0.1"], "x-forwarded-user": "nick@example.com",
req: { },
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": "nick@example.com",
},
} as never,
}); });
expect(res.ok).toBe(false); expect(res.ok).toBe(false);
@@ -378,7 +329,7 @@ describe("trusted-proxy auth", () => {
}); });
it("supports Pomerium-style headers", async () => { it("supports Pomerium-style headers", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { auth: {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
@@ -387,16 +338,12 @@ describe("trusted-proxy auth", () => {
requiredHeaders: ["x-pomerium-jwt-assertion"], requiredHeaders: ["x-pomerium-jwt-assertion"],
}, },
}, },
connectAuth: null,
trustedProxies: ["172.17.0.1"], trustedProxies: ["172.17.0.1"],
req: { remoteAddress: "172.17.0.1",
socket: { remoteAddress: "172.17.0.1" }, headers: {
headers: { "x-pomerium-claim-email": "nick@example.com",
host: "gateway.local", "x-pomerium-jwt-assertion": "eyJ...",
"x-pomerium-claim-email": "nick@example.com", },
"x-pomerium-jwt-assertion": "eyJ...",
},
} as never,
}); });
expect(res.ok).toBe(true); expect(res.ok).toBe(true);
@@ -405,7 +352,7 @@ describe("trusted-proxy auth", () => {
}); });
it("trims whitespace from user header value", async () => { it("trims whitespace from user header value", async () => {
const res = await authorizeGatewayConnect({ const res = await authorizeTrustedProxy({
auth: { auth: {
mode: "trusted-proxy", mode: "trusted-proxy",
allowTailscale: false, allowTailscale: false,
@@ -413,15 +360,9 @@ describe("trusted-proxy auth", () => {
userHeader: "x-forwarded-user", userHeader: "x-forwarded-user",
}, },
}, },
connectAuth: null, headers: {
trustedProxies: ["10.0.0.1"], "x-forwarded-user": " nick@example.com ",
req: { },
socket: { remoteAddress: "10.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-user": " nick@example.com ",
},
} as never,
}); });
expect(res.ok).toBe(true); expect(res.ok).toBe(true);