48 lines
1.8 KiB
TypeScript
48 lines
1.8 KiB
TypeScript
import { describe, expect, it } from "bun:test";
|
|
|
|
import {
|
|
DESKTOP_PRODUCTION_URL,
|
|
isSafeExternalUrl,
|
|
isTrustedAppUrl,
|
|
resolveDesktopStartUrl
|
|
} from "./security.js";
|
|
|
|
describe("desktop URL policy", () => {
|
|
it("allows the hosted production origin on /options", () => {
|
|
expect(isTrustedAppUrl("https://flow.deltaisland.io/options?symbol=SPY")).toBe(true);
|
|
});
|
|
|
|
it("keeps /tape trusted as a compatibility path on the same origin", () => {
|
|
expect(isTrustedAppUrl("https://flow.deltaisland.io/tape?symbol=SPY")).toBe(true);
|
|
});
|
|
|
|
it("allows local dev origins", () => {
|
|
expect(isTrustedAppUrl("http://127.0.0.1:3000/signals")).toBe(true);
|
|
expect(isTrustedAppUrl("http://localhost:3000/charts")).toBe(true);
|
|
});
|
|
|
|
it("rejects untrusted origins", () => {
|
|
expect(isTrustedAppUrl("https://example.com")).toBe(false);
|
|
expect(isTrustedAppUrl("http://127.0.0.1:4000")).toBe(false);
|
|
});
|
|
|
|
it("rejects malformed URLs", () => {
|
|
expect(isTrustedAppUrl("not a url")).toBe(false);
|
|
expect(isTrustedAppUrl("javascript:alert('xss')")).toBe(false);
|
|
});
|
|
|
|
it("treats third-party http targets as external-only", () => {
|
|
expect(isSafeExternalUrl("https://deltaisland.io/about")).toBe(true);
|
|
expect(isSafeExternalUrl("mailto:support@deltaisland.io")).toBe(false);
|
|
expect(isSafeExternalUrl("https://flow.deltaisland.io/help")).toBe(false);
|
|
});
|
|
|
|
it("falls back to production when the desktop start URL is invalid", () => {
|
|
expect(resolveDesktopStartUrl(undefined)).toBe(DESKTOP_PRODUCTION_URL);
|
|
expect(resolveDesktopStartUrl("https://example.com")).toBe(DESKTOP_PRODUCTION_URL);
|
|
expect(resolveDesktopStartUrl("http://127.0.0.1:3000")).toBe("http://127.0.0.1:3000");
|
|
expect(resolveDesktopStartUrl("https://flow.deltaisland.io/options")).toBe(
|
|
"https://flow.deltaisland.io/options"
|
|
);
|
|
});
|
|
});
|