homeassistant-mcp/__tests__/security/middleware.test.ts

import { Request, Response } from 'express';
import {
    validateRequest,
    sanitizeInput,
    errorHandler,
    rateLimiter,
    securityHeaders
} from '../../src/security/index.js';

interface MockRequest extends Partial<Request> {
    headers: Record<string, string>;
    is: jest.Mock;
}

describe('Security Middleware', () => {
    let mockRequest: MockRequest;
    let mockResponse: Partial<Response>;
    let mockNext: jest.Mock;

    beforeEach(() => {
        mockRequest = {
            method: 'POST',
            headers: {
                'content-type': 'application/json',
                'authorization': 'Bearer validToken'
            },
            is: jest.fn().mockReturnValue(true),
            body: { test: 'data' }
        };
        mockResponse = {
            status: jest.fn().mockReturnThis(),
            json: jest.fn(),
            setHeader: jest.fn(),
            set: jest.fn()
        };
        mockNext = jest.fn();
    });

    describe('Request Validation', () => {
        it('should pass valid requests', () => {
            validateRequest(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockNext).toHaveBeenCalled();
            expect(mockResponse.status).not.toHaveBeenCalled();
        });

        it('should reject requests with invalid content type', () => {
            mockRequest.is = jest.fn().mockReturnValue(false);
            validateRequest(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockResponse.status).toHaveBeenCalledWith(415);
            expect(mockResponse.json).toHaveBeenCalledWith({
                error: 'Unsupported Media Type - Content-Type must be application/json'
            });
        });

        it('should reject requests without authorization', () => {
            mockRequest.headers = {};
            validateRequest(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockResponse.status).toHaveBeenCalledWith(401);
            expect(mockResponse.json).toHaveBeenCalledWith({
                error: 'Invalid or expired token'
            });
        });

        it('should reject requests with invalid token', () => {
            mockRequest.headers.authorization = 'Bearer invalid.token.format';
            validateRequest(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockResponse.status).toHaveBeenCalledWith(401);
        });

        it('should handle GET requests without body validation', () => {
            mockRequest.method = 'GET';
            mockRequest.body = undefined;
            validateRequest(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockNext).toHaveBeenCalled();
        });
    });

    describe('Input Sanitization', () => {
        it('should remove HTML tags from request body', () => {
            mockRequest.body = {
                text: '<script>alert("xss")</script>',
                nested: {
                    html: '<img src="x" onerror="alert(1)">'
                }
            };

            sanitizeInput(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockRequest.body.text).not.toContain('<script>');
            expect(mockRequest.body.nested.html).not.toContain('<img');
            expect(mockNext).toHaveBeenCalled();
        });

        it('should handle non-object body', () => {
            mockRequest.body = 'plain text';
            sanitizeInput(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );
            expect(mockRequest.body).toBe('plain text');
            expect(mockNext).toHaveBeenCalled();
        });

        it('should handle nested objects', () => {
            mockRequest.body = {
                level1: {
                    level2: {
                        text: '<p>test</p>'
                    }
                }
            };

            sanitizeInput(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockRequest.body.level1.level2.text).not.toContain('<p>');
            expect(mockNext).toHaveBeenCalled();
        });

        it('should preserve safe content', () => {
            mockRequest.body = {
                text: 'Safe text without HTML',
                number: 42,
                boolean: true
            };

            const originalBody = { ...mockRequest.body };
            sanitizeInput(
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockRequest.body).toEqual(originalBody);
            expect(mockNext).toHaveBeenCalled();
        });
    });

    describe('Error Handler', () => {
        const originalEnv = process.env.NODE_ENV;

        afterAll(() => {
            process.env.NODE_ENV = originalEnv;
        });

        it('should handle errors in production mode', () => {
            process.env.NODE_ENV = 'production';
            const error = new Error('Test error');

            errorHandler(
                error,
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockResponse.status).toHaveBeenCalledWith(500);
            expect(mockResponse.json).toHaveBeenCalledWith({
                error: 'Internal Server Error',
                message: undefined
            });
        });

        it('should include error details in development mode', () => {
            process.env.NODE_ENV = 'development';
            const error = new Error('Test error');

            errorHandler(
                error,
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockResponse.status).toHaveBeenCalledWith(500);
            expect(mockResponse.json).toHaveBeenCalledWith({
                error: 'Internal Server Error',
                message: 'Test error'
            });
        });

        it('should handle non-Error objects', () => {
            const error = 'String error message';

            errorHandler(
                error as any,
                mockRequest as Request,
                mockResponse as Response,
                mockNext
            );

            expect(mockResponse.status).toHaveBeenCalledWith(500);
        });
    });

    describe('Rate Limiter', () => {
        it('should be configured with correct options', () => {
            expect(rateLimiter).toBeDefined();
            const middleware = rateLimiter as any;
            expect(middleware.windowMs).toBeDefined();
            expect(middleware.max).toBeDefined();
        });
    });

    describe('Security Headers', () => {
        it('should be configured with secure defaults', () => {
            expect(securityHeaders).toBeDefined();
            const middleware = securityHeaders as any;
            expect(middleware.getDefaultDirectives).toBeDefined();
        });

        it('should set appropriate security headers', () => {
            const mockRes = {
                setHeader: jest.fn()
            };
            securityHeaders(mockRequest as Request, mockRes as any, mockNext);
            expect(mockRes.setHeader).toHaveBeenCalled();
        });
    });
});