Harden frontend auth token handling in runtime memory
@@ -48,46 +48,13 @@ function toRequestUrl(input: RequestInfo | URL): string {
|
||||
return input.url;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a minimal session storage implementation for Node-based tests.
|
||||
*/
|
||||
function createMemorySessionStorage(): Storage {
|
||||
const values = new Map<string, string>();
|
||||
return {
|
||||
get length(): number {
|
||||
return values.size;
|
||||
},
|
||||
clear(): void {
|
||||
values.clear();
|
||||
},
|
||||
getItem(key: string): string | null {
|
||||
return values.has(key) ? values.get(key) ?? null : null;
|
||||
},
|
||||
key(index: number): string | null {
|
||||
return Array.from(values.keys())[index] ?? null;
|
||||
},
|
||||
removeItem(key: string): void {
|
||||
values.delete(key);
|
||||
},
|
||||
setItem(key: string, value: string): void {
|
||||
values.set(key, String(value));
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs API helper tests for authenticated media and auth session workflows.
|
||||
*/
|
||||
async function runApiTests(): Promise<void> {
|
||||
const originalFetch = globalThis.fetch;
|
||||
const sessionStorageDescriptor = Object.getOwnPropertyDescriptor(globalThis, 'sessionStorage');
|
||||
|
||||
try {
|
||||
Object.defineProperty(globalThis, 'sessionStorage', {
|
||||
configurable: true,
|
||||
writable: true,
|
||||
value: createMemorySessionStorage(),
|
||||
});
|
||||
setRuntimeApiToken(null);
|
||||
|
||||
const requestUrls: string[] = [];
|
||||
@@ -115,7 +82,7 @@ async function runApiTests(): Promise<void> {
|
||||
assert(requestAuthHeaders[1] === null, `Expected no auth header for preview request, got "${requestAuthHeaders[1]}"`);
|
||||
|
||||
setRuntimeApiToken('session-user-token');
|
||||
assert(getRuntimeApiToken() === 'session-user-token', 'Expected session token readback to match persisted token');
|
||||
assert(getRuntimeApiToken() === 'session-user-token', 'Expected runtime token readback to match active token');
|
||||
globalThis.fetch = (async (_input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
|
||||
const authHeader = new Headers(init?.headers).get('Authorization');
|
||||
assert(authHeader === 'Bearer session-user-token', `Expected session token auth header, got "${authHeader}"`);
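Review bot: After `setRuntimeApiToken('session-user-token')` the test only reads the token back; nothing pins the property the commit title claims, that the token now lives only in runtime memory and is not written to Web Storage, so a later change that reintroduces a sessionStorage write would still pass this test. The memory sessionStorage stub and its restore in the first and last hunks are removed, so in this Node harness `globalThis.sessionStorage` is presumably undefined; a guard that holds in both environments would be `assert((globalThis.sessionStorage?.length ?? 0) === 0, 'Expected token not to be persisted to sessionStorage');` placed directly after the set call, and the same for `localStorage` if the production code could ever touch it. The storage key the old implementation used is not visible in this hunk, so a `length` check is the safest assertion to quote here; a `getItem` on the exact key would be stronger if the key is exported. The enclosing `runApiTests` body starts and ends outside this hunk.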
|
||||
@@ -203,11 +170,6 @@ async function runApiTests(): Promise<void> {
|
||||
await assertRejects(async () => downloadDocumentContentMarkdown('doc-4'), 'Failed to download document markdown');
|
||||
} finally {
|
||||
setRuntimeApiToken(null);
|
||||
if (sessionStorageDescriptor) {
|
||||
Object.defineProperty(globalThis, 'sessionStorage', sessionStorageDescriptor);
|
||||
} else {
|
||||
delete (globalThis as { sessionStorage?: Storage }).sessionStorage;
|
||||
}
|
||||
globalThis.fetch = originalFetch;
|
||||
}
|
||||
}
|
||||
|
||||