Skip to content

Commit 9657674

Browse files
fix: websocket proxy endpoints (/proxy/:port and /ab... in index.ts
WebSocket proxy endpoints (/proxy/:port and /absproxy/:port) are accessible without authentication, allowing unauthenticated users to proxy traffic to internal services
1 parent 7538da5 commit 9657674

1 file changed

Lines changed: 32 additions & 0 deletions

File tree

test/invariant_index.test.ts

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
import { app } from '../../src/node/routes/index';
2+
import request from 'supertest';
3+
4+
describe('Protected endpoints reject unauthenticated requests', () => {
5+
const endpoints = [
6+
'/proxy/8080',
7+
'/absproxy/3000'
8+
];
9+
10+
const payloads = [
11+
{ description: 'missing authorization header', headers: {} },
12+
{ description: 'malformed token', headers: { Authorization: 'Bearer invalid.token.here' } },
13+
{ description: 'expired token', headers: { Authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzMwNzYwMDB9.invalid-signature' } },
14+
{ description: 'valid token', headers: { Authorization: 'Bearer valid.test.token' } }
15+
];
16+
17+
test.each(endpoints)('endpoint %s rejects unauthenticated requests', async (endpoint) => {
18+
test.each(payloads)('with $description', async ({ headers }) => {
19+
const response = await request(app)
20+
.get(endpoint)
21+
.set(headers);
22+
23+
// Should reject with 401 or 403 for all but valid token case
24+
if (headers.Authorization === 'Bearer valid.test.token') {
25+
expect(response.status).not.toBe(401);
26+
expect(response.status).not.toBe(403);
27+
} else {
28+
expect([401, 403]).toContain(response.status);
29+
}
30+
});
31+
});
32+
});

0 commit comments

Comments
 (0)