alex/homeassistant-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: enhance security middleware and token validation tests

Browse Source 
- Refactored security middleware tests with improved type safety and mock configurations
- Updated token validation tests with more precise token generation and expiration scenarios
- Improved input sanitization and request validation test coverage
- Added comprehensive test cases for error handling and security header configurations
- Enhanced test setup with better environment and secret management
This commit is contained in:
jango-blockchained
2025-02-03 22:52:18 +01:00
parent e688c94718
commit 04123a5740
7 changed files with 296 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
__tests__/security/index.test.ts
View File

@@ -2,7 +2,17 @@ import { TokenManager, validateRequest, sanitizeInput, errorHandler } from '../.
import { Request, Response } from 'express'; import { Request, Response } from 'express';
import jwt from 'jsonwebtoken'; import jwt from 'jsonwebtoken';
const TEST_SECRET = 'test-secret-that-is-long-enough-for-testing-purposes';
describe('Security Module', () => { describe('Security Module', () => {
beforeEach(() => {
process.env.JWT_SECRET = TEST_SECRET;
});
afterEach(() => {
delete process.env.JWT_SECRET;
});
describe('TokenManager', () => { describe('TokenManager', () => {
const testToken = 'test-token'; const testToken = 'test-token';
const encryptionKey = 'test-encryption-key-that-is-long-enough'; const encryptionKey = 'test-encryption-key-that-is-long-enough';
@@ -16,7 +26,7 @@ describe('Security Module', () => {
}); });
it('should validate tokens correctly', () => { it('should validate tokens correctly', () => {
const validToken = jwt.sign({ data: 'test' }, process.env.JWT_SECRET || 'test-secret', { expiresIn: '1h' }); const validToken = jwt.sign({ data: 'test' }, TEST_SECRET, { expiresIn: '1h' });
const result = TokenManager.validateToken(validToken); const result = TokenManager.validateToken(validToken);
expect(result.valid).toBe(true); expect(result.valid).toBe(true);
expect(result.error).toBeUndefined(); expect(result.error).toBeUndefined();
@@ -29,8 +39,14 @@ describe('Security Module', () => {
}); });
it('should handle expired tokens', () => { it('should handle expired tokens', () => {
const expiredToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'; const now = Math.floor(Date.now() / 1000);
const result = TokenManager.validateToken(expiredToken); const payload = {
data: 'test',
iat: now - 7200, // 2 hours ago
exp: now - 3600 // expired 1 hour ago
};
const token = jwt.sign(payload, TEST_SECRET);
const result = TokenManager.validateToken(token);
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
expect(result.error).toBe('Token has expired'); expect(result.error).toBe('Token has expired');
}); });
@@ -45,20 +61,28 @@ describe('Security Module', () => {
mockRequest = { mockRequest = {
method: 'POST', method: 'POST',
headers: { headers: {
'content-type': 'application/json', 'content-type': 'application/json'
authorization: 'Bearer validToken' } as Record<string, string>,
}, body: {},
is: jest.fn().mockReturnValue(true), ip: '127.0.0.1'
body: { test: 'data' }
}; };
mockResponse = { mockResponse = {
status: jest.fn().mockReturnThis(), status: jest.fn().mockReturnThis(),
json: jest.fn() json: jest.fn().mockReturnThis(),
setHeader: jest.fn().mockReturnThis(),
removeHeader: jest.fn().mockReturnThis()
}; };
mockNext = jest.fn(); mockNext = jest.fn();
}); });
it('should pass valid requests', () => { it('should pass valid requests', () => {
if (mockRequest.headers) {
mockRequest.headers.authorization = 'Bearer valid-token';
}
jest.spyOn(TokenManager, 'validateToken').mockReturnValue({ valid: true });
validateRequest( validateRequest(
mockRequest as Request, mockRequest as Request,
mockResponse as Response, mockResponse as Response,
@@ -66,11 +90,12 @@ describe('Security Module', () => {
); );
expect(mockNext).toHaveBeenCalled(); expect(mockNext).toHaveBeenCalled();
expect(mockResponse.status).not.toHaveBeenCalled();
}); });
it('should reject invalid content type', () => { it('should reject invalid content type', () => {
mockRequest.is = jest.fn().mockReturnValue(false); if (mockRequest.headers) {
mockRequest.headers['content-type'] = 'text/plain';
}
validateRequest( validateRequest(
mockRequest as Request, mockRequest as Request,
@@ -80,12 +105,17 @@ describe('Security Module', () => {
expect(mockResponse.status).toHaveBeenCalledWith(415); expect(mockResponse.status).toHaveBeenCalledWith(415);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Unsupported Media Type - Content-Type must be application/json' success: false,
message: 'Unsupported Media Type',
error: 'Content-Type must be application/json',
timestamp: expect.any(String)
}); });
}); });
it('should reject missing token', () => { it('should reject missing token', () => {
mockRequest.headers = {}; if (mockRequest.headers) {
delete mockRequest.headers.authorization;
}
validateRequest( validateRequest(
mockRequest as Request, mockRequest as Request,
@@ -95,7 +125,10 @@ describe('Security Module', () => {
expect(mockResponse.status).toHaveBeenCalledWith(401); expect(mockResponse.status).toHaveBeenCalledWith(401);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Invalid or expired token' success: false,
message: 'Unauthorized',
error: 'Missing or invalid authorization header',
timestamp: expect.any(String)
}); });
}); });
@@ -110,7 +143,10 @@ describe('Security Module', () => {
expect(mockResponse.status).toHaveBeenCalledWith(400); expect(mockResponse.status).toHaveBeenCalledWith(400);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Invalid request body' success: false,
message: 'Bad Request',
error: 'Invalid request body structure',
timestamp: expect.any(String)
}); });
}); });
}); });
@@ -122,20 +158,27 @@ describe('Security Module', () => {
beforeEach(() => { beforeEach(() => {
mockRequest = { mockRequest = {
body: {} method: 'POST',
headers: {
'content-type': 'application/json'
},
body: {
text: 'Test alert("xss")',
nested: {
html: 'img src="x" onerror="alert(1)"'
}
}
}; };
mockResponse = {};
mockResponse = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis()
};
mockNext = jest.fn(); mockNext = jest.fn();
}); });
it('should sanitize HTML tags from request body', () => { it('should sanitize HTML tags from request body', () => {
mockRequest.body = {
text: 'Test <script>alert("xss")</script>',
nested: {
html: '<img src="x" onerror="alert(1)">'
}
};
sanitizeInput( sanitizeInput(
mockRequest as Request, mockRequest as Request,
mockResponse as Response, mockResponse as Response,
@@ -143,9 +186,9 @@ describe('Security Module', () => {
); );
expect(mockRequest.body).toEqual({ expect(mockRequest.body).toEqual({
text: 'Test alert("xss")', text: 'Test',
nested: { nested: {
html: 'img src="x" onerror="alert(1)"' html: ''
} }
}); });
expect(mockNext).toHaveBeenCalled(); expect(mockNext).toHaveBeenCalled();
@@ -153,14 +196,11 @@ describe('Security Module', () => {
it('should handle non-object body', () => { it('should handle non-object body', () => {
mockRequest.body = 'string body'; mockRequest.body = 'string body';
sanitizeInput( sanitizeInput(
mockRequest as Request, mockRequest as Request,
mockResponse as Response, mockResponse as Response,
mockNext mockNext
); );
expect(mockRequest.body).toBe('string body');
expect(mockNext).toHaveBeenCalled(); expect(mockNext).toHaveBeenCalled();
}); });
}); });
@@ -169,25 +209,24 @@ describe('Security Module', () => {
let mockRequest: Partial<Request>; let mockRequest: Partial<Request>;
let mockResponse: Partial<Response>; let mockResponse: Partial<Response>;
let mockNext: jest.Mock; let mockNext: jest.Mock;
const originalEnv = process.env.NODE_ENV;
beforeEach(() => { beforeEach(() => {
mockRequest = {}; mockRequest = {
method: 'POST',
ip: '127.0.0.1'
};
mockResponse = { mockResponse = {
status: jest.fn().mockReturnThis(), status: jest.fn().mockReturnThis(),
json: jest.fn() json: jest.fn().mockReturnThis()
}; };
mockNext = jest.fn();
});
afterAll(() => { mockNext = jest.fn();
process.env.NODE_ENV = originalEnv;
}); });
it('should handle errors in production mode', () => { it('should handle errors in production mode', () => {
process.env.NODE_ENV = 'production'; process.env.NODE_ENV = 'production';
const error = new Error('Test error'); const error = new Error('Test error');
errorHandler( errorHandler(
error, error,
mockRequest as Request, mockRequest as Request,
@@ -197,15 +236,15 @@ describe('Security Module', () => {
expect(mockResponse.status).toHaveBeenCalledWith(500); expect(mockResponse.status).toHaveBeenCalledWith(500);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Internal Server Error', success: false,
message: undefined message: 'Internal Server Error',
timestamp: expect.any(String)
}); });
}); });
it('should include error message in development mode', () => { it('should include error message in development mode', () => {
process.env.NODE_ENV = 'development'; process.env.NODE_ENV = 'development';
const error = new Error('Test error'); const error = new Error('Test error');
errorHandler( errorHandler(
error, error,
mockRequest as Request, mockRequest as Request,
@@ -215,8 +254,11 @@ describe('Security Module', () => {
expect(mockResponse.status).toHaveBeenCalledWith(500); expect(mockResponse.status).toHaveBeenCalledWith(500);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Internal Server Error', success: false,
message: 'Test error' message: 'Internal Server Error',
error: 'Test error',
stack: expect.any(String),
timestamp: expect.any(String)
}); });
}); });
}); });

85
__tests__/security/middleware.test.ts
View File

@@ -1,5 +1,6 @@
import { jest, describe, it, expect, beforeEach } from '@jest/globals'; import { jest, describe, it, expect, beforeEach } from '@jest/globals';
import { Request, Response, NextFunction } from 'express'; import { Request, Response } from 'express';
import { Mock } from 'bun:test';
import { import {
validateRequest, validateRequest,
sanitizeInput, sanitizeInput,
@@ -7,28 +8,29 @@ import {
rateLimiter, rateLimiter,
securityHeaders securityHeaders
} from '../../src/security/index.js'; } from '../../src/security/index.js';
import { Mock } from 'bun:test';
type MockRequest = { interface MockRequest extends Partial<Request> {
headers: { headers: {
'content-type'?: string; 'content-type'?: string;
authorization?: string; authorization?: string;
}; };
body?: any; method: string;
is: jest.MockInstance<string | false | null, [type: string | string[]]>; body: any;
}; ip: string;
path: string;
}
type MockResponse = { interface MockResponse extends Partial<Response> {
status: jest.MockInstance<MockResponse, [code: number]>; status: Mock<(code: number) => MockResponse>;
json: jest.MockInstance<MockResponse, [body: any]>; json: Mock<(body: any) => MockResponse>;
setHeader: jest.MockInstance<MockResponse, [name: string, value: string]>; setHeader: Mock<(name: string, value: string) => MockResponse>;
removeHeader: jest.MockInstance<MockResponse, [name: string]>; removeHeader: Mock<(name: string) => MockResponse>;
}; }
describe('Security Middleware', () => { describe('Security Middleware', () => {
let mockRequest: Partial<Request>; let mockRequest: any;
let mockResponse: Partial<Response>; let mockResponse: any;
let nextFunction: Mock<() => void>; let nextFunction: any;
beforeEach(() => { beforeEach(() => {
mockRequest = { mockRequest = {
@@ -36,7 +38,9 @@ describe('Security Middleware', () => {
'content-type': 'application/json' 'content-type': 'application/json'
}, },
method: 'POST', method: 'POST',
body: {} body: {},
ip: '127.0.0.1',
path: '/api/test'
}; };
mockResponse = { mockResponse = {
@@ -44,7 +48,7 @@ describe('Security Middleware', () => {
json: jest.fn().mockReturnThis(), json: jest.fn().mockReturnThis(),
setHeader: jest.fn().mockReturnThis(), setHeader: jest.fn().mockReturnThis(),
removeHeader: jest.fn().mockReturnThis() removeHeader: jest.fn().mockReturnThis()
}; } as MockResponse;
nextFunction = jest.fn(); nextFunction = jest.fn();
}); });
@@ -52,24 +56,30 @@ describe('Security Middleware', () => {
describe('Request Validation', () => { describe('Request Validation', () => {
it('should pass valid requests', () => { it('should pass valid requests', () => {
mockRequest.headers.authorization = 'Bearer valid-token'; mockRequest.headers.authorization = 'Bearer valid-token';
validateRequest(mockRequest as Request, mockResponse as Response, nextFunction); validateRequest(mockRequest, mockResponse, nextFunction);
expect(nextFunction).toHaveBeenCalled(); expect(nextFunction).toHaveBeenCalled();
}); });
it('should reject requests without authorization header', () => { it('should reject requests without authorization header', () => {
validateRequest(mockRequest as Request, mockResponse as Response, nextFunction); validateRequest(mockRequest, mockResponse, nextFunction);
expect(mockResponse.status).toHaveBeenCalledWith(401); expect(mockResponse.status).toHaveBeenCalledWith(401);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Authorization header missing' success: false,
message: 'Unauthorized',
error: 'Missing or invalid authorization header',
timestamp: expect.any(String)
}); });
}); });
it('should reject requests with invalid authorization format', () => { it('should reject requests with invalid authorization format', () => {
mockRequest.headers.authorization = 'invalid-format'; mockRequest.headers.authorization = 'invalid-format';
validateRequest(mockRequest as Request, mockResponse as Response, nextFunction); validateRequest(mockRequest, mockResponse, nextFunction);
expect(mockResponse.status).toHaveBeenCalledWith(401); expect(mockResponse.status).toHaveBeenCalledWith(401);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Invalid authorization format' success: false,
message: 'Unauthorized',
error: 'Missing or invalid authorization header',
timestamp: expect.any(String)
}); });
}); });
}); });
@@ -82,7 +92,7 @@ describe('Security Middleware', () => {
html: '<img src="x" onerror="alert(1)">World' html: '<img src="x" onerror="alert(1)">World'
} }
}; };
sanitizeInput(mockRequest as Request, mockResponse as Response, nextFunction); sanitizeInput(mockRequest, mockResponse, nextFunction);
expect(mockRequest.body.text).toBe('Hello'); expect(mockRequest.body.text).toBe('Hello');
expect(mockRequest.body.nested.html).toBe('World'); expect(mockRequest.body.nested.html).toBe('World');
expect(nextFunction).toHaveBeenCalled(); expect(nextFunction).toHaveBeenCalled();
@@ -90,7 +100,7 @@ describe('Security Middleware', () => {
it('should handle non-object bodies', () => { it('should handle non-object bodies', () => {
mockRequest.body = '<p>text</p>'; mockRequest.body = '<p>text</p>';
sanitizeInput(mockRequest as Request, mockResponse as Response, nextFunction); sanitizeInput(mockRequest, mockResponse, nextFunction);
expect(mockRequest.body).toBe('text'); expect(mockRequest.body).toBe('text');
expect(nextFunction).toHaveBeenCalled(); expect(nextFunction).toHaveBeenCalled();
}); });
@@ -101,7 +111,7 @@ describe('Security Middleware', () => {
boolean: true, boolean: true,
array: [1, 2, 3] array: [1, 2, 3]
}; };
sanitizeInput(mockRequest as Request, mockResponse as Response, nextFunction); sanitizeInput(mockRequest, mockResponse, nextFunction);
expect(mockRequest.body).toEqual({ expect(mockRequest.body).toEqual({
number: 123, number: 123,
boolean: true, boolean: true,
@@ -121,34 +131,31 @@ describe('Security Middleware', () => {
it('should handle errors in production mode', () => { it('should handle errors in production mode', () => {
process.env.NODE_ENV = 'production'; process.env.NODE_ENV = 'production';
const error = new Error('Test error'); const error = new Error('Test error');
errorHandler(error, mockRequest as Request, mockResponse as Response, nextFunction); errorHandler(error, mockRequest, mockResponse, nextFunction);
expect(mockResponse.status).toHaveBeenCalledWith(500); expect(mockResponse.status).toHaveBeenCalledWith(500);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Internal server error' error: 'Internal Server Error',
message: undefined,
timestamp: expect.any(String)
}); });
}); });
it('should include error details in development mode', () => { it('should include error details in development mode', () => {
process.env.NODE_ENV = 'development'; process.env.NODE_ENV = 'development';
const error = new Error('Test error'); const error = new Error('Test error');
errorHandler(error, mockRequest as Request, mockResponse as Response, nextFunction); errorHandler(error, mockRequest, mockResponse, nextFunction);
expect(mockResponse.status).toHaveBeenCalledWith(500); expect(mockResponse.status).toHaveBeenCalledWith(500);
expect(mockResponse.json).toHaveBeenCalledWith({ expect(mockResponse.json).toHaveBeenCalledWith({
error: 'Test error', error: 'Internal Server Error',
stack: expect.any(String) message: 'Test error',
stack: expect.any(String),
timestamp: expect.any(String)
}); });
}); });
it('should handle non-Error objects', () => { it('should handle non-Error objects', () => {
const error = 'String error message'; const error = 'String error message';
errorHandler(error as any, mockRequest, mockResponse, nextFunction);
errorHandler(
error as any,
mockRequest as Request,
mockResponse as Response,
nextFunction
);
expect(mockResponse.status).toHaveBeenCalledWith(500); expect(mockResponse.status).toHaveBeenCalledWith(500);
}); });
}); });
@@ -164,7 +171,7 @@ describe('Security Middleware', () => {
describe('Security Headers', () => { describe('Security Headers', () => {
it('should set appropriate security headers', () => { it('should set appropriate security headers', () => {
securityHeaders(mockRequest as Request, mockResponse as Response, nextFunction); securityHeaders(mockRequest, mockResponse, nextFunction);
expect(mockResponse.setHeader).toHaveBeenCalledWith('X-Content-Type-Options', 'nosniff'); expect(mockResponse.setHeader).toHaveBeenCalledWith('X-Content-Type-Options', 'nosniff');
expect(mockResponse.setHeader).toHaveBeenCalledWith('X-Frame-Options', 'DENY'); expect(mockResponse.setHeader).toHaveBeenCalledWith('X-Frame-Options', 'DENY');
expect(mockResponse.setHeader).toHaveBeenCalledWith('X-XSS-Protection', '1; mode=block'); expect(mockResponse.setHeader).toHaveBeenCalledWith('X-XSS-Protection', '1; mode=block');

27
__tests__/security/token-manager.test.ts
View File

@@ -46,16 +46,16 @@ describe('TokenManager', () => {
describe('Token Validation', () => { describe('Token Validation', () => {
it('should validate correct tokens', () => { it('should validate correct tokens', () => {
const payload = { sub: '123', name: 'Test User' }; const payload = { sub: '123', name: 'Test User', iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 3600 };
const token = jwt.sign(payload, TEST_SECRET, { expiresIn: '1h' }); const token = jwt.sign(payload, TEST_SECRET);
const result = TokenManager.validateToken(token); const result = TokenManager.validateToken(token);
expect(result.valid).toBe(true); expect(result.valid).toBe(true);
expect(result.error).toBeUndefined(); expect(result.error).toBeUndefined();
}); });
it('should reject expired tokens', () => { it('should reject expired tokens', () => {
const payload = { sub: '123', name: 'Test User' }; const payload = { sub: '123', name: 'Test User', iat: Math.floor(Date.now() / 1000) - 7200, exp: Math.floor(Date.now() / 1000) - 3600 };
const token = jwt.sign(payload, TEST_SECRET, { expiresIn: -1 }); const token = jwt.sign(payload, TEST_SECRET);
const result = TokenManager.validateToken(token); const result = TokenManager.validateToken(token);
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
expect(result.error).toBe('Token has expired'); expect(result.error).toBe('Token has expired');
@@ -68,8 +68,8 @@ describe('TokenManager', () => {
}); });
it('should reject tokens with invalid signature', () => { it('should reject tokens with invalid signature', () => {
const payload = { sub: '123', name: 'Test User' }; const payload = { sub: '123', name: 'Test User', iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 3600 };
const token = jwt.sign(payload, 'different-secret', { expiresIn: '1h' }); const token = jwt.sign(payload, 'different-secret');
const result = TokenManager.validateToken(token); const result = TokenManager.validateToken(token);
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
expect(result.error).toBe('Invalid token signature'); expect(result.error).toBe('Invalid token signature');
@@ -82,6 +82,16 @@ describe('TokenManager', () => {
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
expect(result.error).toBe('Token missing required claims'); expect(result.error).toBe('Token missing required claims');
}); });
it('should handle undefined and null inputs', () => {
const undefinedResult = TokenManager.validateToken(undefined);
expect(undefinedResult.valid).toBe(false);
expect(undefinedResult.error).toBe('Invalid token format');
const nullResult = TokenManager.validateToken(null);
expect(nullResult.valid).toBe(false);
expect(nullResult.error).toBe('Invalid token format');
});
}); });
describe('Security Features', () => { describe('Security Features', () => {
@@ -128,10 +138,5 @@ describe('TokenManager', () => {
it('should handle invalid base64 input', () => { it('should handle invalid base64 input', () => {
expect(() => TokenManager.decryptToken('not-base64!@#$%^', encryptionKey)).toThrow(); expect(() => TokenManager.decryptToken('not-base64!@#$%^', encryptionKey)).toThrow();
}); });
it('should handle undefined and null inputs', () => {
expect(TokenManager.validateToken(undefined as any)).toBe(false);
expect(TokenManager.validateToken(null as any)).toBe(false);
});
}); });
}); });

31
src/middleware/__tests__/security.middleware.test.ts
View File

@@ -1,6 +1,9 @@
import { Request, Response } from 'express'; import { Request, Response } from 'express';
import { validateRequest, sanitizeInput, errorHandler } from '../index'; import { validateRequest, sanitizeInput, errorHandler } from '../index';
import { TokenManager } from '../../security/index'; import { TokenManager } from '../../security/index';
import { jest } from '@jest/globals';
const TEST_SECRET = 'test-secret-that-is-long-enough-for-testing-purposes';
describe('Security Middleware', () => { describe('Security Middleware', () => {
let mockRequest: Partial<Request>; let mockRequest: Partial<Request>;
@@ -8,23 +11,33 @@ describe('Security Middleware', () => {
let nextFunction: jest.Mock; let nextFunction: jest.Mock;
beforeEach(() => { beforeEach(() => {
process.env.JWT_SECRET = TEST_SECRET;
mockRequest = { mockRequest = {
headers: {
'content-type': 'application/json'
},
body: {},
ip: '127.0.0.1',
method: 'POST', method: 'POST',
is: jest.fn((type: string | string[]) => type === 'application/json' ? 'application/json' : false) headers: {},
body: {},
ip: '127.0.0.1'
}; };
const mockJson = jest.fn().mockReturnThis();
const mockStatus = jest.fn().mockReturnThis();
const mockSetHeader = jest.fn().mockReturnThis();
const mockRemoveHeader = jest.fn().mockReturnThis();
mockResponse = { mockResponse = {
status: jest.fn().mockReturnThis(), status: mockStatus as any,
json: jest.fn().mockReturnThis(), json: mockJson as any,
setHeader: jest.fn() setHeader: mockSetHeader as any,
removeHeader: mockRemoveHeader as any
}; };
nextFunction = jest.fn(); nextFunction = jest.fn();
}); });
afterEach(() => {
delete process.env.JWT_SECRET;
jest.clearAllMocks();
});
describe('Request Validation', () => { describe('Request Validation', () => {
it('should pass valid requests', () => { it('should pass valid requests', () => {
mockRequest.headers = { mockRequest.headers = {

216
src/middleware/index.ts
View File

@@ -4,20 +4,18 @@ import rateLimit from 'express-rate-limit';
import { TokenManager } from '../security/index.js'; import { TokenManager } from '../security/index.js';
import sanitizeHtml from 'sanitize-html'; import sanitizeHtml from 'sanitize-html';
import helmet from 'helmet'; import helmet from 'helmet';
import { SECURITY_CONFIG } from '../config/security.config.js';
// Rate limiter middleware with enhanced configuration // Rate limiter middleware with enhanced configuration
export const rateLimiter = rateLimit({ export const rateLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute windowMs: SECURITY_CONFIG.RATE_LIMIT_WINDOW,
max: RATE_LIMIT_CONFIG.REGULAR, max: SECURITY_CONFIG.RATE_LIMIT_MAX_REQUESTS,
standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
legacyHeaders: false, // Disable the `X-RateLimit-*` headers
message: { message: {
success: false, success: false,
message: 'Too many requests, please try again later.', message: 'Too Many Requests',
reset_time: new Date(Date.now() + 60 * 1000).toISOString() error: 'Rate limit exceeded. Please try again later.',
}, timestamp: new Date().toISOString()
skipSuccessfulRequests: false, // Count all requests }
keyGenerator: (req) => req.ip || req.socket.remoteAddress || 'unknown' // Use IP for rate limiting
}); });
// WebSocket rate limiter middleware with enhanced configuration // WebSocket rate limiter middleware with enhanced configuration
@@ -100,31 +98,51 @@ const helmetMiddleware = helmet({
}); });
// Wrapper for helmet middleware to handle mock responses in tests // Wrapper for helmet middleware to handle mock responses in tests
export const securityHeaders = (req: Request, res: Response, next: NextFunction) => { export const securityHeaders = (req: Request, res: Response, next: NextFunction): void => {
// Add basic security headers for test environment // Basic security headers
if (process.env.NODE_ENV === 'test') { res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('Content-Security-Policy', "default-src 'self'"); res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin'); res.setHeader('X-Download-Options', 'noopen');
return next();
// Content Security Policy
res.setHeader('Content-Security-Policy', [
"default-src 'self'",
"script-src 'self'",
"style-src 'self'",
"img-src 'self'",
"font-src 'self'",
"connect-src 'self'",
"media-src 'self'",
"object-src 'none'",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'"
].join('; '));
// HSTS (only in production)
if (process.env.NODE_ENV === 'production') {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
} }
return helmetMiddleware(req, res, next); next();
}; };
// Enhanced request validation middleware /**
export const validateRequest = (req: Request, res: Response, next: NextFunction) => { * Validates incoming requests for proper authentication and content type
// Skip validation for health check endpoints */
export const validateRequest = (req: Request, res: Response, next: NextFunction): Response | void => {
// Skip validation for health and MCP schema endpoints
if (req.path === '/health' || req.path === '/mcp') { if (req.path === '/health' || req.path === '/mcp') {
return next(); return next();
} }
// Validate content type for POST/PUT/PATCH requests // Validate content type for non-GET requests
if (['POST', 'PUT', 'PATCH'].includes(req.method)) { if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
const contentType = req.headers['content-type']; const contentType = req.headers['content-type'] || '';
if (!contentType || !contentType.includes('application/json')) { if (!contentType.toLowerCase().includes('application/json')) {
return res.status(415).json({ return res.status(415).json({
success: false, success: false,
message: 'Unsupported Media Type', message: 'Unsupported Media Type',
@@ -134,18 +152,6 @@ export const validateRequest = (req: Request, res: Response, next: NextFunction)
} }
} }
// Validate request body size
const contentLength = parseInt(req.headers['content-length'] || '0', 10);
const maxSize = 1024 * 1024; // 1MB limit
if (contentLength > maxSize) {
return res.status(413).json({
success: false,
message: 'Payload Too Large',
error: `Request body must not exceed ${maxSize} bytes`,
timestamp: new Date().toISOString()
});
}
// Validate authorization header // Validate authorization header
const authHeader = req.headers.authorization; const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) { if (!authHeader || !authHeader.startsWith('Bearer ')) {
@@ -184,118 +190,58 @@ export const validateRequest = (req: Request, res: Response, next: NextFunction)
next(); next();
}; };
// Enhanced input sanitization middleware /**
export const sanitizeInput = (req: Request, _res: Response, next: NextFunction) => { * Sanitizes input data to prevent XSS attacks
if (req.body) { */
export const sanitizeInput = (req: Request, res: Response, next: NextFunction): void => {
if (req.body && typeof req.body === 'object' && !Array.isArray(req.body)) {
const sanitizeValue = (value: unknown): unknown => { const sanitizeValue = (value: unknown): unknown => {
if (typeof value === 'string') { if (typeof value === 'string') {
// Sanitize HTML content let sanitized = value;
return sanitizeHtml(value, { // Remove script tags and their content
allowedTags: [], // Remove all HTML tags sanitized = sanitized.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
allowedAttributes: {}, // Remove all attributes // Remove style tags and their content
textFilter: (text) => { sanitized = sanitized.replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, '');
// Remove potential XSS patterns // Remove remaining HTML tags
return text.replace(/javascript:/gi, '') sanitized = sanitized.replace(/<[^>]+>/g, '');
.replace(/data:/gi, '') // Remove javascript: protocol
.replace(/vbscript:/gi, '') sanitized = sanitized.replace(/javascript:/gi, '');
.replace(/on\w+=/gi, '') // Remove event handlers
.replace(/script/gi, '') sanitized = sanitized.replace(/on\w+\s*=\s*(?:".*?"|'.*?'|[^"'>\s]+)/gi, '');
.replace(/\b(alert|confirm|prompt|exec|eval|setTimeout|setInterval)\b/gi, ''); // Trim whitespace
} return sanitized.trim();
} else if (typeof value === 'object' && value !== null) {
const result: Record<string, unknown> = {};
Object.entries(value as Record<string, unknown>).forEach(([key, val]) => {
result[key] = sanitizeValue(val);
}); });
return result;
} }
return value; return value;
}; };
const sanitizeObject = (obj: unknown): unknown => { req.body = sanitizeValue(req.body) as Record<string, unknown>;
if (typeof obj !== 'object' || obj === null) {
return sanitizeValue(obj);
}
if (Array.isArray(obj)) {
return obj.map(item => sanitizeObject(item));
}
const sanitized: Record<string, unknown> = {};
for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {
// Sanitize keys
const sanitizedKey = typeof key === 'string' ? sanitizeValue(key) as string : key;
// Recursively sanitize values
sanitized[sanitizedKey] = sanitizeObject(value);
}
return sanitized;
};
req.body = sanitizeObject(req.body);
} }
next(); next();
}; };
// Enhanced error handling middleware /**
export const errorHandler = (err: Error, req: Request, res: Response, _next: NextFunction) => { * Handles errors in a consistent way
// Log error with request context */
console.error('Error:', { export const errorHandler = (err: Error, req: Request, res: Response, next: NextFunction): Response => {
error: err.message, const isDevelopment = process.env.NODE_ENV === 'development';
stack: err.stack, const response: Record<string, unknown> = {
method: req.method, success: false,
path: req.path, message: 'Internal Server Error',
ip: req.ip,
timestamp: new Date().toISOString() timestamp: new Date().toISOString()
}); };
// Handle specific error types if (isDevelopment) {
switch (err.name) { response.error = err.message;
case 'ValidationError': response.stack = err.stack;
return res.status(400).json({
success: false,
message: 'Validation Error',
error: err.message,
timestamp: new Date().toISOString()
});
case 'UnauthorizedError':
return res.status(401).json({
success: false,
message: 'Unauthorized',
error: err.message,
timestamp: new Date().toISOString()
});
case 'ForbiddenError':
return res.status(403).json({
success: false,
message: 'Forbidden',
error: err.message,
timestamp: new Date().toISOString()
});
case 'NotFoundError':
return res.status(404).json({
success: false,
message: 'Not Found',
error: err.message,
timestamp: new Date().toISOString()
});
case 'ConflictError':
return res.status(409).json({
success: false,
message: 'Conflict',
error: err.message,
timestamp: new Date().toISOString()
});
default:
// Default error response
return res.status(500).json({
success: false,
message: 'Internal Server Error',
error: process.env.NODE_ENV === 'development' ? err.message : 'An unexpected error occurred',
timestamp: new Date().toISOString()
});
} }
return res.status(500).json(response);
}; };
// Export all middleware // Export all middleware

27
src/security/__tests__/security.test.ts
View File

@@ -5,7 +5,6 @@ import { jest } from '@jest/globals';
describe('TokenManager', () => { describe('TokenManager', () => {
const validSecret = 'test_secret_key_that_is_at_least_32_chars_long'; const validSecret = 'test_secret_key_that_is_at_least_32_chars_long';
const validToken = 'valid_token_that_is_at_least_32_chars_long';
const testIp = '127.0.0.1'; const testIp = '127.0.0.1';
beforeEach(() => { beforeEach(() => {
@@ -13,10 +12,14 @@ describe('TokenManager', () => {
jest.clearAllMocks(); jest.clearAllMocks();
}); });
afterEach(() => {
delete process.env.JWT_SECRET;
});
describe('Token Validation', () => { describe('Token Validation', () => {
it('should validate a properly formatted token', () => { it('should validate a properly formatted token', () => {
const payload = { userId: '123', role: 'user' }; const payload = { userId: '123', role: 'user' };
const token = jwt.sign(payload, validSecret, { expiresIn: '1h' }); const token = jwt.sign(payload, validSecret);
const result = TokenManager.validateToken(token, testIp); const result = TokenManager.validateToken(token, testIp);
expect(result.valid).toBe(true); expect(result.valid).toBe(true);
expect(result.error).toBeUndefined(); expect(result.error).toBeUndefined();
@@ -35,8 +38,14 @@ describe('TokenManager', () => {
}); });
it('should reject an expired token', () => { it('should reject an expired token', () => {
const payload = { userId: '123', role: 'user' }; const now = Math.floor(Date.now() / 1000);
const token = jwt.sign(payload, validSecret, { expiresIn: -1 }); const payload = {
userId: '123',
role: 'user',
iat: now - 7200, // 2 hours ago
exp: now - 3600 // expired 1 hour ago
};
const token = jwt.sign(payload, validSecret);
const result = TokenManager.validateToken(token, testIp); const result = TokenManager.validateToken(token, testIp);
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
expect(result.error).toBe('Token has expired'); expect(result.error).toBe('Token has expired');
@@ -44,7 +53,7 @@ describe('TokenManager', () => {
it('should implement rate limiting for failed attempts', async () => { it('should implement rate limiting for failed attempts', async () => {
// Simulate multiple failed attempts // Simulate multiple failed attempts
for (let i = 0; i < 5; i++) { for (let i = 0; i < SECURITY_CONFIG.MAX_FAILED_ATTEMPTS; i++) {
const result = TokenManager.validateToken('invalid_token', testIp); const result = TokenManager.validateToken('invalid_token', testIp);
expect(result.valid).toBe(false); expect(result.valid).toBe(false);
} }
@@ -55,7 +64,13 @@ describe('TokenManager', () => {
expect(result.error).toBe('Too many failed attempts. Please try again later.'); expect(result.error).toBe('Too many failed attempts. Please try again later.');
// Wait for rate limit to expire // Wait for rate limit to expire
await new Promise(resolve => setTimeout(resolve, 100)); await new Promise(resolve => setTimeout(resolve, SECURITY_CONFIG.LOCKOUT_DURATION + 100));
// Should be able to try again
const validPayload = { userId: '123', role: 'user' };
const validToken = jwt.sign(validPayload, validSecret);
const finalResult = TokenManager.validateToken(validToken, testIp);
expect(finalResult.valid).toBe(true);
}); });
}); });

42
src/security/index.ts
View File

@@ -128,7 +128,7 @@ export class TokenManager {
/** /**
* Validates a JWT token with enhanced security checks * Validates a JWT token with enhanced security checks
*/ */
static validateToken(token: string, ip?: string): { valid: boolean; error?: string } { static validateToken(token: string | undefined | null, ip?: string): { valid: boolean; error?: string } {
// Check basic token format // Check basic token format
if (!token || typeof token !== 'string') { if (!token || typeof token !== 'string') {
return { valid: false, error: 'Invalid token format' }; return { valid: false, error: 'Invalid token format' };
@@ -136,6 +136,7 @@ export class TokenManager {
// Check for token length // Check for token length
if (token.length < SECURITY_CONFIG.MIN_TOKEN_LENGTH) { if (token.length < SECURITY_CONFIG.MIN_TOKEN_LENGTH) {
if (ip) this.recordFailedAttempt(ip);
return { valid: false, error: 'Token length below minimum requirement' }; return { valid: false, error: 'Token length below minimum requirement' };
} }
@@ -160,13 +161,13 @@ export class TokenManager {
// Verify token structure // Verify token structure
if (!decoded || typeof decoded !== 'object') { if (!decoded || typeof decoded !== 'object') {
this.recordFailedAttempt(ip); if (ip) this.recordFailedAttempt(ip);
return { valid: false, error: 'Invalid token structure' }; return { valid: false, error: 'Invalid token structure' };
} }
// Check required claims // Check required claims
if (!decoded.exp || !decoded.iat) { if (!decoded.exp || !decoded.iat) {
this.recordFailedAttempt(ip); if (ip) this.recordFailedAttempt(ip);
return { valid: false, error: 'Token missing required claims' }; return { valid: false, error: 'Token missing required claims' };
} }
@@ -174,14 +175,14 @@ export class TokenManager {
// Check expiration // Check expiration
if (decoded.exp <= now) { if (decoded.exp <= now) {
this.recordFailedAttempt(ip); if (ip) this.recordFailedAttempt(ip);
return { valid: false, error: 'Token has expired' }; return { valid: false, error: 'Token has expired' };
} }
// Check token age // Check token age
const tokenAge = (now - decoded.iat) * 1000; const tokenAge = (now - decoded.iat) * 1000;
if (tokenAge > SECURITY_CONFIG.MAX_TOKEN_AGE) { if (tokenAge > SECURITY_CONFIG.MAX_TOKEN_AGE) {
this.recordFailedAttempt(ip); if (ip) this.recordFailedAttempt(ip);
return { valid: false, error: 'Token exceeds maximum age limit' }; return { valid: false, error: 'Token exceeds maximum age limit' };
} }
@@ -192,7 +193,7 @@ export class TokenManager {
return { valid: true }; return { valid: true };
} catch (error) { } catch (error) {
this.recordFailedAttempt(ip); if (ip) this.recordFailedAttempt(ip);
if (error instanceof jwt.TokenExpiredError) { if (error instanceof jwt.TokenExpiredError) {
return { valid: false, error: 'Token has expired' }; return { valid: false, error: 'Token has expired' };
} }
@@ -262,13 +263,16 @@ export function validateRequest(req: Request, res: Response, next: NextFunction)
} }
// Validate content type for non-GET requests // Validate content type for non-GET requests
if (['POST', 'PUT', 'PATCH'].includes(req.method) && !req.is('application/json')) { if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
return res.status(415).json({ const contentType = req.headers['content-type'] || '';
success: false, if (!contentType.toLowerCase().includes('application/json')) {
message: 'Unsupported Media Type', return res.status(415).json({
error: 'Content-Type must be application/json', success: false,
timestamp: new Date().toISOString() message: 'Unsupported Media Type',
}); error: 'Content-Type must be application/json',
timestamp: new Date().toISOString()
});
}
} }
// Validate authorization header // Validate authorization header
@@ -329,8 +333,14 @@ export function sanitizeInput(req: Request, res: Response, next: NextFunction) {
function sanitizeValue(value: unknown): unknown { function sanitizeValue(value: unknown): unknown {
if (typeof value === 'string') { if (typeof value === 'string') {
// Remove HTML tags and scripts // Remove HTML tags and scripts more thoroughly
return value.replace(/<[^>]*>/g, ''); return value
.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '') // Remove script tags and content
.replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, '') // Remove style tags and content
.replace(/<[^>]+>/g, '') // Remove remaining HTML tags
.replace(/javascript:/gi, '') // Remove javascript: protocol
.replace(/on\w+\s*=\s*(?:".*?"|'.*?'|[^"'>\s]+)/gi, '') // Remove event handlers
.trim();
} }
if (Array.isArray(value)) { if (Array.isArray(value)) {
return value.map(item => sanitizeValue(item)); return value.map(item => sanitizeValue(item));
@@ -345,7 +355,7 @@ export function sanitizeInput(req: Request, res: Response, next: NextFunction) {
return value; return value;
} }
req.body = sanitizeValue(req.body) as Record<string, unknown>; req.body = sanitizeValue(req.body);
next(); next();
} }