test: add comprehensive test coverage for all 43 security fixes

- Body parser: RAW_BODY_SYMBOL, empty body, nesting depth, streaming limits
- JWT auth: token type validation, algorithm confusion, timing-safe comparison
- Rate limit: minimal headers, unique unknown keys, IP spoofing prevention
- CORS: allowedHeaders caching, null origin rejection
- Router: prototype pollution, LRU cache, frozen params
- Security: dedicated prototype pollution test suite
- Integration & regression: updated for new security behaviors

483 tests passing, 1906 expect() calls.

Author: jkyberneees

test/integration/router.test.js

@@ -164,9 +164,12 @@ describe('Router Integration Tests', () => {
 
   describe('Error Handling', () => {
     it('should return a 500 response for a route that throws an error', async () => {
+      const originalError = console.error
+      console.error = () => {}
       const response = await router.fetch(createTestRequest('GET', '/error'))
+      console.error = originalError
       expect(response.status).toBe(500)
-      expect(await response.text()).toEqual('Unexpected error')
+      expect(await response.text()).toEqual('Internal Server Error')
     })
 
     it('should return a 404 response for a non-existent route', async () => {
@@ -346,12 +349,12 @@ describe('Router Integration Tests', () => {
       const testCases = [
         {
           url: '/search/hello%20world?filter=test%20value',
-          expectedTerm: 'hello%20world',
+          expectedTerm: 'hello world',
           expectedQuery: {filter: 'test value'}, // Query parser decodes spaces
         },
         {
           url: '/search/café?type=beverage',
-          expectedTerm: 'caf%C3%A9', // URL parameters are URL-encoded
+          expectedTerm: 'café',
           expectedQuery: {type: 'beverage'},
         },
         {
@@ -426,9 +429,14 @@ describe('Router Integration Tests', () => {
         return {success: true}
       })
 
+      const originalError = console.error
+      console.error = () => {}
+
       const req = createTestRequest('GET', '/api/error/test')
       const result = await router.fetch(req)
 
+      console.error = originalError
+
       // Should get error response with error handling
       expect(result.status).toBe(500)
       expect(req.step1).toBe(true)

test/performance/regression.test.js

@@ -214,13 +214,19 @@ describe('Performance Regression Tests', () => {
         throw new Error('Test error')
       })
 
+      // Suppress console.error during perf test (default error handler logs errors)
+      const originalError = console.error
+      console.error = () => {}
+
       const iterations = 500
       const {time} = await measureTime(async () => {
         for (let i = 0; i < iterations; i++) {
           await router.fetch(createTestRequest('GET', '/error-test'))
         }
       })
 
+      console.error = originalError
+
       const avgTime = time / iterations
       expect(avgTime).toBeLessThan(3) // Error handling should not be too slow
     })

test/security/prototype-pollution.test.js

@@ -207,4 +207,77 @@ describe('Prototype Pollution Security Tests', () => {
       expect({}.polluted).toBeUndefined()
     })
   })
+
+  describe('Query Prototype Pollution Protection (L-1)', () => {
+    it('should filter __proto__ from query parameters', async () => {
+      routerInstance.get('/search', (req) => {
+        return Response.json({query: req.query})
+      })
+
+      const testReq = {
+        method: 'GET',
+        url: 'http://localhost/search?__proto__[polluted]=true&safe=value',
+        headers: {},
+      }
+
+      await routerInstance.fetch(testReq)
+
+      // __proto__ key should be filtered from query
+      expect(testReq.query['__proto__']).toBeUndefined()
+      expect(testReq.query.safe).toBe('value')
+      expect({}.polluted).toBeUndefined()
+    })
+
+    it('should filter constructor from query parameters', async () => {
+      routerInstance.get('/search', (req) => {
+        return Response.json({query: req.query})
+      })
+
+      const testReq = {
+        method: 'GET',
+        url: 'http://localhost/search?constructor=malicious&name=test',
+        headers: {},
+      }
+
+      await routerInstance.fetch(testReq)
+
+      expect(testReq.query['constructor']).toBeUndefined()
+      expect(testReq.query.name).toBe('test')
+    })
+
+    it('should filter prototype from query parameters', async () => {
+      routerInstance.get('/search', (req) => {
+        return Response.json({query: req.query})
+      })
+
+      const testReq = {
+        method: 'GET',
+        url: 'http://localhost/search?prototype=bad&ok=yes',
+        headers: {},
+      }
+
+      await routerInstance.fetch(testReq)
+
+      expect(testReq.query['prototype']).toBeUndefined()
+      expect(testReq.query.ok).toBe('yes')
+    })
+
+    it('should still allow normal query parameters', async () => {
+      routerInstance.get('/search', (req) => {
+        return Response.json({query: req.query})
+      })
+
+      const testReq = {
+        method: 'GET',
+        url: 'http://localhost/search?page=1&limit=10&filter=active',
+        headers: {},
+      }
+
+      await routerInstance.fetch(testReq)
+
+      expect(testReq.query.page).toBe('1')
+      expect(testReq.query.limit).toBe('10')
+      expect(testReq.query.filter).toBe('active')
+    })
+  })
 })

test/unit/body-parser.test.js

@@ -395,7 +395,7 @@ describe('Body Parser Middleware', () => {
       const middleware = bodyParser()
       await middleware(req, next)
 
-      expect(req.body).toEqual({})
+      expect(req.body).toBeUndefined()
       expect(next).toHaveBeenCalled()
     })
 
@@ -899,8 +899,8 @@ describe('Body Parser Middleware', () => {
     })
 
     it('should handle non-string, non-number limit values', () => {
-      expect(parseLimit(null)).toBe(1024 * 1024) // Default 1MB
-      expect(parseLimit(undefined)).toBe(1024 * 1024) // Default 1MB
+      expect(() => parseLimit(null)).toThrow(TypeError)
+      expect(() => parseLimit(undefined)).toThrow(TypeError)
     })
 
     it('should handle custom JSON parser in main body parser', async () => {
@@ -1261,9 +1261,9 @@ describe('Body Parser Middleware', () => {
 
       const {createTextParser} = require('../../lib/middleware/body-parser')
       const middleware = createTextParser()
-      await expect(middleware(mockReq, () => {})).rejects.toThrow(
-        'Text parsing failed',
-      )
+      const response = await middleware(mockReq, () => {})
+      expect(response.status).toBe(400)
+      expect(await response.text()).toBe('Failed to read request body')
     })
 
     test('should handle invalid content-length in URL-encoded parser', async () => {
@@ -1322,9 +1322,9 @@ describe('Body Parser Middleware', () => {
         createURLEncodedParser,
       } = require('../../lib/middleware/body-parser')
       const middleware = createURLEncodedParser()
-      await expect(middleware(mockReq, () => {})).rejects.toThrow(
-        'URL-encoded parsing failed',
-      )
+      const response = await middleware(mockReq, () => {})
+      expect(response.status).toBe(400)
+      expect(await response.text()).toBe('Failed to read request body')
     })
 
     test('should handle invalid content-length in multipart parser', async () => {
@@ -1607,9 +1607,9 @@ describe('Body Parser Middleware', () => {
 
     const {createTextParser} = require('../../lib/middleware/body-parser')
     const middleware = createTextParser()
-    await expect(middleware(mockReq, () => {})).rejects.toThrow(
-      'Text reading failed',
-    )
+    const response = await middleware(mockReq, () => {})
+    expect(response.status).toBe(400)
+    expect(await response.text()).toBe('Failed to read request body')
   })
 
   test('should handle URL-encoded early return for non-matching content type (lines 360-361)', async () => {
@@ -1701,10 +1701,7 @@ describe('Body Parser Middleware', () => {
         // This might not be possible due to the restrictive regex
         expect(() => parseLimit('0.b')).toThrow('Invalid limit format')
       } catch (e) {
-        // If this doesn't work, the line might be unreachable
-        console.log(
-          'Line 40 may be mathematically unreachable due to regex constraints',
-        )
+        // Line 40 may be mathematically unreachable due to regex constraints
       }
     })
 
@@ -1720,7 +1717,6 @@ describe('Body Parser Middleware', () => {
           ['content-type', 'application/x-www-form-urlencoded'],
         ]),
         text: async () => 'simpleKey=simpleValue', // Simple key without brackets
-        _rawBodyText: 'simpleKey=simpleValue',
       }
 
       const urlEncodedParser = createURLEncodedParser({
@@ -1741,7 +1737,6 @@ describe('Body Parser Middleware', () => {
         method: 'POST',
         headers: new Map([['content-type', 'application/json']]),
         text: async () => '', // Empty string should be handled
-        _rawBodyText: '',
       }
 
       const jsonParser = createJSONParser()
@@ -1815,7 +1810,6 @@ describe('Body Parser Middleware', () => {
           ['content-length', bodyContent.length.toString()],
         ]),
         text: async () => bodyContent,
-        _rawBodyText: bodyContent,
       }
 
       const urlEncodedParser = createURLEncodedParser({limit: 500}) // Small limit
@@ -1870,3 +1864,67 @@ describe('Body Parser Middleware', () => {
     })
   })
 })
+
+describe('RAW_BODY_SYMBOL Security (L-3)', () => {
+  const {
+    createJSONParser,
+    createTextParser,
+    createURLEncodedParser,
+    RAW_BODY_SYMBOL,
+  } = require('../../lib/middleware/body-parser')
+  const {createTestRequest} = require('../helpers')
+
+  it('should export RAW_BODY_SYMBOL', () => {
+    expect(RAW_BODY_SYMBOL).toBeDefined()
+    expect(typeof RAW_BODY_SYMBOL).toBe('symbol')
+    expect(RAW_BODY_SYMBOL.toString()).toBe('Symbol(0http.rawBody)')
+  })
+
+  it('should store raw body via Symbol in JSON parser', async () => {
+    const req = createTestRequest('POST', '/api/data', {
+      headers: {'Content-Type': 'application/json'},
+      body: '{"key": "value"}',
+    })
+
+    const parser = createJSONParser()
+    const next = jest.fn()
+    await parser(req, next)
+
+    // Raw body should be accessible via Symbol
+    expect(req[RAW_BODY_SYMBOL]).toBe('{"key": "value"}')
+    // Raw body should NOT be accessible as a regular string property
+    expect(req._rawBodyText).toBeUndefined()
+  })
+
+  it('should store raw body via Symbol in text parser', async () => {
+    const req = createTestRequest('POST', '/api/data', {
+      headers: {'Content-Type': 'text/plain'},
+      body: 'hello world',
+    })
+
+    const parser = createTextParser()
+    const next = jest.fn()
+    await parser(req, next)
+
+    expect(req[RAW_BODY_SYMBOL]).toBe('hello world')
+    expect(req._rawBodyText).toBeUndefined()
+  })
+
+  it('should not expose raw body as enumerable property', async () => {
+    const req = createTestRequest('POST', '/api/data', {
+      headers: {'Content-Type': 'application/json'},
+      body: '{"secret": "password123"}',
+    })
+
+    const parser = createJSONParser()
+    const next = jest.fn()
+    await parser(req, next)
+
+    // Symbol-keyed properties should not appear in Object.keys
+    const keys = Object.keys(req)
+    expect(keys).not.toContain('_rawBodyText')
+    // The raw body should only be accessible via Symbol
+    expect(req._rawBodyText).toBeUndefined()
+    expect(req[RAW_BODY_SYMBOL]).toBe('{"secret": "password123"}')
+  })
+})

test/unit/config.test.js

@@ -96,11 +96,16 @@ describe('Router Configuration', () => {
         throw new Error('Test error')
       })
 
+      const originalError = console.error
+      console.error = () => {}
+
       const response = await router.fetch(
         new Request('http://localhost:3000/test-error', {
           method: 'GET',
         }),
       )
+
+      console.error = originalError
       expect(response.status).toBe(500)
     })
   })

test/unit/cors.test.js

@@ -667,7 +667,10 @@ describe('CORS Middleware', () => {
 
       expect(response.status).toBe(204)
       expect(headersFunction).toHaveBeenCalledWith(req)
-      expect(response.headers.get('Access-Control-Allow-Headers')).toBe('')
+      // I-2: string return values are now correctly handled as single-element arrays
+      expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
+        'Content-Type',
+      )
       expect(next).not.toHaveBeenCalled()
     })
 
@@ -701,4 +704,49 @@ describe('CORS Middleware', () => {
       )
     })
   })
+
+  describe('Preflight allowedHeaders Function Caching (I-2)', () => {
+    it('should call allowedHeaders function only once during preflight', async () => {
+      req = createTestRequest('OPTIONS', '/api/test')
+      req.headers = new Headers({
+        Origin: 'https://example.com',
+        'Access-Control-Request-Method': 'POST',
+        'Access-Control-Request-Headers': 'Content-Type',
+      })
+
+      const headersFunction = jest.fn(() => ['Content-Type', 'Authorization'])
+
+      const middleware = cors({
+        origin: 'https://example.com',
+        allowedHeaders: headersFunction,
+      })
+
+      const response = await middleware(req, next)
+
+      expect(response.status).toBe(204)
+      // I-2: should be called exactly once, not 3 times
+      expect(headersFunction).toHaveBeenCalledTimes(1)
+      expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
+        'Content-Type, Authorization',
+      )
+    })
+
+    it('should still call allowedHeaders function for non-preflight requests', async () => {
+      req.headers = new Headers({Origin: 'https://example.com'})
+
+      const headersFunction = jest.fn(() => ['Content-Type'])
+
+      const middleware = cors({
+        origin: 'https://example.com',
+        allowedHeaders: headersFunction,
+      })
+
+      const response = await middleware(req, next)
+
+      expect(headersFunction).toHaveBeenCalledTimes(1)
+      expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
+        'Content-Type',
+      )
+    })
+  })
 })

test/unit/edge-cases.test.js

@@ -286,9 +286,14 @@ describe('Router Edge Cases and Boundary Conditions', () => {
       // This should not break the router
       router.get('/test', null, (req) => ({message: 'success'}))
 
+      const originalError = console.error
+      console.error = () => {}
+
       const req = createTestRequest('GET', '/test')
       const result = await router.fetch(req)
 
+      console.error = originalError
+
       // Should handle gracefully
       expect(typeof result).toBe('object')
     })