forked from molecule-ai/molecule-core
eb42f7d145
Per the 2026-04-23 audit, wsauth_middleware.go had two coverage holes
on auth-boundary code:
CanvasOrBearer 50.0% (only fail-open + Origin paths covered)
IsSameOriginCanvas 0.0% (exported wrapper never exercised)
This adds focused tests for the missing branches:
CanvasOrBearer:
- ValidBearer_Passes (path-1 success)
- InvalidBearer_Returns401 (auth-escape regression: bad
bearer + matching Origin must
NOT fall through to Origin)
- AdminTokenEnv_Passes (ADMIN_TOKEN constant-time match)
- DBError_FailOpen (documented fail-open behavior)
- SameOriginCanvas_Passes (path-3 combined-tenant image)
IsSameOriginCanvas / isSameOriginCanvas:
- ExportedWrapper_DelegatesToInternal
- DisabledByEnv (CANVAS_PROXY_URL unset short-circuit)
- BranchCoverage (table-driven: 11 host/referer/origin
cases incl. the h.example.com.evil.com
suffix-attack rejection)
Coverage moves CanvasOrBearer 50% → 100%, IsSameOriginCanvas 0% → 100%,
and middleware-package overall 81.6% → 86.0%. No production code change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| artifacts | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| orgtoken | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||