
import assert from 'node:assert/strict';
import fs from 'node:fs';
import path from 'node:path';
import { fileURLToPath } from 'node:url';
import { ApiServer } from './src/services/apiServer.js';
// ESM has no __filename/__dirname globals; derive them from import.meta.url.
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
// Base directory for the source files the static checks read (they join
// 'src/services/...' onto it). The name is misleading: this is the directory the
// script lives in (backend/, going by the file path), not the repository root,
// so the script has to stay next to src/ or the checks read the wrong files.
const repoRoot = __dirname;
/**
 * Static (source-text) guard checks.
 *
 * Reads the API server and Supabase service sources under `repoRoot` and
 * asserts that the security wiring is still spelled the way this script
 * expects: the trade, close and chat POST routes are registered with
 * `this.requireAuth` directly after the path, the `io.use` websocket middleware
 * hook exists together with an explicit "missing token" rejection, and the
 * Supabase service references the issuer/audience env vars and has explicit
 * rejection messages for a bad issuer and a bad audience.
 *
 * These are presence checks on source text, not proof of enforcement: a
 * reformatted route line (different quote style, a newline before
 * `this.requireAuth`) fails them, while a guard that exists but is bypassed at
 * runtime passes them. verifyRuntimeGuards() is the behavioural complement.
 *
 * @throws AssertionError naming the first expectation that is not met
 */
async function verifyStaticGuards(): Promise<void> {
  const readSource = (relativePath: string): string =>
    fs.readFileSync(path.join(repoRoot, relativePath), 'utf8');

  const apiServerSource = readSource('src/services/apiServer.ts');
  const supabaseSource = readSource('src/services/SupabaseService.ts');

  // [text to search, required pattern, message if absent]. Evaluated in order,
  // so the first unmet expectation is the one reported.
  const expectations: ReadonlyArray<readonly [string, RegExp, string]> = [
    [apiServerSource, /app\.post\('\/api\/trade',\s*this\.requireAuth/, 'Missing auth guard on /api/trade'],
    [apiServerSource, /app\.post\('\/api\/close',\s*this\.requireAuth/, 'Missing auth guard on /api/close'],
    [apiServerSource, /app\.post\('\/api\/chat',\s*this\.requireAuth/, 'Missing auth guard on /api/chat'],
    [apiServerSource, /this\.io\.use\(async\s*\(socket,\s*next\)/, 'Missing websocket auth middleware'],
    [apiServerSource, /Unauthorized:\s*missing token/, 'Missing explicit websocket unauthorized path'],
    [supabaseSource, /SUPABASE_JWT_ISSUER/, 'Missing JWT issuer check wiring'],
    [supabaseSource, /SUPABASE_JWT_AUDIENCE/, 'Missing JWT audience check wiring'],
    [supabaseSource, /Invalid token issuer/, 'Missing explicit invalid issuer rejection'],
    [supabaseSource, /Invalid token audience/, 'Missing explicit invalid audience rejection']
  ];

  for (const [haystack, pattern, message] of expectations) {
    assert(pattern.test(haystack), message);
  }
}
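/**
 * POST routes that verifyStaticGuards() expects behind `this.requireAuth`, each
 * with a well-formed JSON body. The body contents are irrelevant to the check:
 * the guard is registered before the handler, so it must reject the request
 * before anything reads the body. (Field names for close/chat are guesses and
 * only there so a future body-validation step does not turn this into a 400.)
 */
const GUARDED_POST_ROUTES: ReadonlyArray<{ route: string; body: Record<string, unknown> }> = [
  { route: '/api/trade', body: { symbol: 'BTC/USD', side: 'buy', qty: 0.01, type: 'market' } },
  { route: '/api/close', body: { symbol: 'BTC/USD' } },
  { route: '/api/chat', body: { message: 'ping' } }
];

/**
 * Polls `baseUrl` until it answers an HTTP request or the deadline passes.
 *
 * A fixed sleep after `new ApiServer(port)` races listener start-up on a slow
 * or loaded machine and then fails with an opaque "fetch failed" instead of the
 * assertion this script exists for. Any HTTP response (including 404) means
 * the socket is up; only a rejected fetch (connection refused/reset) counts as
 * "not listening yet".
 *
 * @param baseUrl origin of the server under test, e.g. http://127.0.0.1:5901
 * @param timeoutMs upper bound on how long to keep retrying
 * @param intervalMs pause between attempts
 * @throws Error if no HTTP response was obtained within timeoutMs
 */
async function waitForListening(baseUrl: string, timeoutMs = 5000, intervalMs = 50): Promise<void> {
  const deadline = Date.now() + timeoutMs;
  let lastError: unknown;
  while (Date.now() < deadline) {
    try {
      await fetch(`${baseUrl}/`, { method: 'GET' });
      return;
    } catch (err: unknown) {
      lastError = err;
      await new Promise((resolve) => setTimeout(resolve, intervalMs));
    }
  }
  throw new Error(`Server at ${baseUrl} did not start listening within ${timeoutMs}ms: ${String(lastError)}`);
}

/**
 * Runtime guard check: start a real ApiServer on a local port and confirm
 * that every route in GUARDED_POST_ROUTES answers 401 when no credentials are
 * sent. Previously only /api/trade was probed even though the static checks
 * claim the same guard on /api/close and /api/chat.
 *
 * The server is always stopped, even when an assertion fails.
 *
 * @throws AssertionError on the first route that does not return 401
 * @throws Error if the server never starts listening
 */
async function verifyRuntimeGuards(): Promise<void> {
  // Random port in 5900-6199 so concurrent runs rarely collide.
  // NOTE(review): this overlaps the VNC display-port range; if the chosen port
  // is already bound, the probe below may be talking to a different process.
  // An OS-assigned port would be safer if ApiServer ever exposes the bound port.
  const port = 5900 + Math.floor(Math.random() * 300);
  const baseUrl = `http://127.0.0.1:${port}`;
  const server = new ApiServer(port);
  try {
    await waitForListening(baseUrl);

    for (const { route, body } of GUARDED_POST_ROUTES) {
      const response = await fetch(`${baseUrl}${route}`, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify(body)
      });
      // Drain the body so the connection is released before server.stop().
      await response.arrayBuffer();
      assert.equal(response.status, 401, `Expected 401 for unauthorized ${route}, got ${response.status}`);
    }

    // TODO(review): the issuer/audience checks that verifyStaticGuards() greps
    // for are never exercised here. Add requests with `Authorization: Bearer <garbage>`
    // and with a token carrying the wrong iss/aud, and assert they are rejected too.
  } finally {
    await server.stop();
  }
}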
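/**
 * Entry point. Static checks run first (cheap, no side effects), then the
 * runtime probe (binds a port). A failure is reported on stderr under the same
 * `[security-guards]` prefix as the success line so a CI log grep sees either
 * outcome; the error is rethrown so Node still prints the stack and exits
 * non-zero exactly as before.
 */
try {
  await verifyStaticGuards();
  await verifyRuntimeGuards();
  console.log('[security-guards] OK: static + unauthorized REST checks passed');
} catch (err: unknown) {
  const detail = err instanceof Error ? err.message : String(err);
  console.error(`[security-guards] FAIL: ${detail}`);
  throw err;
}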