test: modernize v3 API security tests (mock /v3/, deterministic headers); add runnable modern copy
This commit is contained in:
Scott Idem
@@ -13,11 +13,12 @@ test.describe('V3 API Header Integrity', () => {
|
||||
}
|
||||
});
|
||||
|
||||
// Mock all API requests to ensure tests are fast and independent of the network.
|
||||
await page.route('**/*oneskyit.com/**', async (route) => {
|
||||
const url = route.request().url();
|
||||
// Mock all local /v3/ API requests so tests are deterministic.
|
||||
await page.route('**/v3/**', async (route) => {
|
||||
const req = route.request();
|
||||
const url = req.url();
|
||||
|
||||
// 1. Handshake Mock: Provide a complete response to allow the app to boot.
|
||||
// Handshake mock so app boots predictably
|
||||
if (url.includes('site_domain/search')) {
|
||||
return route.fulfill({
|
||||
status: 200,
|
||||
@@ -26,7 +27,6 @@ test.describe('V3 API Header Integrity', () => {
|
||||
data: [
|
||||
{
|
||||
id: 'test-site-domain-id',
|
||||
id_random: 'test-site-domain-id',
|
||||
account_id: 'test-account-id',
|
||||
site_id: 'test-site-id',
|
||||
account_name: 'Test Account',
|
||||
@@ -37,12 +37,18 @@ test.describe('V3 API Header Integrity', () => {
|
||||
})
|
||||
});
|
||||
}
|
||||
// 2. Default Mock: Provide a generic empty success response for all other API calls.
|
||||
return route.fulfill({
|
||||
status: 200,
|
||||
contentType: 'application/json',
|
||||
body: JSON.stringify({ data: [] })
|
||||
});
|
||||
|
||||
// Provide lightweight responses for endpoints we assert on
|
||||
if (url.includes('/v3/lookup/country/list')) {
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
}
|
||||
|
||||
if (url.includes('/v3/crud/user/search')) {
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
}
|
||||
|
||||
// Default handler
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
74
tests/v3_api_security.modern.test.ts
Normal file
74
tests/v3_api_security.modern.test.ts
Normal file
@@ -0,0 +1,74 @@
|
||||
import { test, expect } from '@playwright/test';
|
||||
import { ae_app_local_data_defaults } from './_helpers/ae_defaults';
|
||||
|
||||
test.describe('V3 API Header Integrity (modernized)', () => {
|
||||
test.setTimeout(10000);
|
||||
|
||||
test.beforeEach(async ({ page }) => {
|
||||
page.on('pageerror', (err) => console.error(`BROWSER ERROR: ${err.message}`));
|
||||
page.on('console', (msg) => {
|
||||
if (msg.type() === 'error' || msg.type() === 'warn') {
|
||||
console.error(`BROWSER [${msg.type().toUpperCase()}]: ${msg.text()}`);
|
||||
}
|
||||
});
|
||||
|
||||
// Mock local /v3/ endpoints used by the app to make the test deterministic.
|
||||
await page.route('**/v3/**', async (route) => {
|
||||
const req = route.request();
|
||||
const url = req.url();
|
||||
|
||||
if (url.includes('site_domain/search')) {
|
||||
return route.fulfill({
|
||||
status: 200,
|
||||
contentType: 'application/json',
|
||||
body: JSON.stringify({ data: [{ id: 'test-site', account_id: 'test-account-id', site_id: 'test-site-id', cfg_json: {} }] })
|
||||
});
|
||||
}
|
||||
|
||||
if (url.includes('/v3/lookup/country/list')) {
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
}
|
||||
|
||||
if (url.includes('/v3/crud/user/search')) {
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
}
|
||||
|
||||
return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ data: [] }) });
|
||||
});
|
||||
});
|
||||
|
||||
test('Verify lookup requests include the unauthenticated bypass header', async ({ page }) => {
|
||||
await page.addInitScript((defaults) => {
|
||||
const testData = { ...defaults, account_id: 'test-account-id', manager_access: true };
|
||||
window.localStorage.setItem('ae_loc', JSON.stringify(testData));
|
||||
}, ae_app_local_data_defaults);
|
||||
|
||||
const requestPromise = page.waitForRequest((request) => request.url().includes('/v3/lookup/country/list'));
|
||||
|
||||
await page.goto('/core/lookups');
|
||||
|
||||
const request = await requestPromise;
|
||||
const headers = request.headers();
|
||||
|
||||
expect(headers['x-no-account-id']).toBe('Nothing to See Here');
|
||||
expect(headers['x-aether-api-key']).toBeDefined();
|
||||
});
|
||||
|
||||
test('Verify Account ID Scavenging from localStorage on CRUD requests', async ({ page }) => {
|
||||
const testAccountId = 'scavenged-account-id-123';
|
||||
|
||||
await page.addInitScript(({ defaults, id }) => {
|
||||
const testData = { ...defaults, account_id: id, manager_access: true };
|
||||
window.localStorage.setItem('ae_loc', JSON.stringify(testData));
|
||||
}, { defaults: ae_app_local_data_defaults, id: testAccountId });
|
||||
|
||||
const requestPromise = page.waitForRequest((request) => request.url().includes('/v3/crud/user/search'));
|
||||
|
||||
await page.goto('/core/users');
|
||||
|
||||
const request = await requestPromise;
|
||||
const headers = request.headers();
|
||||
|
||||
expect(headers['x-account-id']).toBe(testAccountId);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user