test(profile-index): add regression tests for no-auth proxy profiles

David Ruzicka · Agent · David Ruzicka · commit f44c4b0548a5 · 2026-05-04T09:43:33.000Z
Verify that upstream_mcp proxy profiles without interceptors.auth are
presented with authTabs=[{key:'none'}] and never leak an OAuth or bearer
auth tab from upstream_mcp.auth env vars.

Co-authored-by: Agent &lt;noreply@agent&gt;
diff --git a/src/profile/profile-resolver.test.ts b/src/profile/profile-resolver.test.ts
@@ -193,6 +193,27 @@ describe('profile-resolver', () => {
     expect(profiles[0].envVars).toContain('LEGACY_UPSTREAM_TOKEN');
   });
 
+  it('reports authMethods=[] and envVars=[] for upstream_mcp proxy with no auth anywhere', async () => {
+    const root = await createTempDir();
+    const profilesDir = path.join(root, 'profiles');
+
+    await writeJson(path.join(profilesDir, 'no-auth-proxy.json'), {
+      profile_name: 'seznam-scif',
+      profile_id: 'seznam-scif',
+      tools: [],
+      upstream_mcp: {
+        name: 'scif',
+        transport: { type: 'http-streamable', url: 'https://scif.example.com/mcp' },
+      },
+    });
+
+    const profiles = await listProfilesDetailed(profilesDir);
+    expect(profiles).toHaveLength(1);
+    expect(profiles[0].authMethods).toEqual([]);
+    expect(profiles[0].envVars).toEqual([]);
+    expect(profiles[0].oauthEnvVars).toEqual([]);
+  });
+
   it('returns specPath=undefined for upstream_mcp proxy profile with no openapi_spec_path', async () => {
     const root = await createTempDir();
     const profilesDir = path.join(root, 'profiles');
diff --git a/src/transport/profile-index.test.ts b/src/transport/profile-index.test.ts
@@ -429,6 +429,7 @@ describe('profile index helpers', () => {
       { key: 'local', label: 'Local stdio' },
     ]);
     expect(profile.authTabs[0].label).toBe('Session cookie');
+    expect(profile.authTabs.every(t => t.key !== 'oauth')).toBe(true);
     expect(profile.snippets.find(s => s.key === 'vscode-session-cookie')).toBeUndefined();
     expect(profile.snippets.find(s => s.key === 'cursor-session-cookie')).toBeUndefined();
 
@@ -447,6 +448,68 @@ describe('profile index helpers', () => {
     expect(codexLocalToml?.content).toContain('N8N_NODES_BASE_URL = "https://admin.isatky.cz"');
   });
 
+  it('emits authTabs=[none] for proxy profile with no interceptors.auth (regression: no OAuth leak)', () => {
+    const profiles: ListedProfileDetails[] = [
+      {
+        profileId: 'seznam-scif',
+        profileName: 'seznam-scif',
+        profileAliases: [],
+        description: 'MCP proxy profile for Seznam SCIF',
+        envVars: [],
+        authMethods: [],
+      },
+    ];
+
+    const { payload } = buildProfileIndexPayload(profiles, 'https://mcp.example.com', 'en');
+    const [profile] = payload.profiles;
+    expect(profile.authTabs).toHaveLength(1);
+    expect(profile.authTabs[0].key).toBe('none');
+    expect(profile.authTabs[0].label).toBe('No auth');
+    expect(profile.authTabs.every(t => t.key !== 'oauth')).toBe(true);
+  });
+
+  it('emits authTabs=[none] with Czech label for no-auth proxy profile', () => {
+    const profiles: ListedProfileDetails[] = [
+      {
+        profileId: 'seznam-ai-adoption',
+        profileName: 'seznam-ai-adoption',
+        profileAliases: [],
+        description: 'MCP proxy profile for Seznam AI Adoption',
+        envVars: [],
+        authMethods: [],
+      },
+    ];
+
+    const { payload } = buildProfileIndexPayload(profiles, 'https://mcp.example.com', 'cs');
+    const [profile] = payload.profiles;
+    expect(profile.authTabs).toHaveLength(1);
+    expect(profile.authTabs[0].key).toBe('none');
+    expect(profile.authTabs[0].label).toBe('Bez autentizace');
+    expect(profile.authTabs.every(t => t.key !== 'oauth')).toBe(true);
+  });
+
+  it('does not include oauth authTab even when upstream_mcp env vars are present', () => {
+    // Regression: upstream_mcp.auth env vars appear in profile.envVars but must NOT
+    // create an oauth auth tab — authMethods reflects only interceptors.auth.
+    const profiles: ListedProfileDetails[] = [
+      {
+        profileId: 'proxy-with-upstream-auth',
+        profileName: 'proxy-with-upstream-auth',
+        profileAliases: [],
+        description: 'Proxy with server-to-server upstream auth',
+        envVars: ['UPSTREAM_TOKEN'],
+        authMethods: [],
+      },
+    ];
+
+    const { payload } = buildProfileIndexPayload(profiles, 'https://mcp.example.com', 'en');
+    const [profile] = payload.profiles;
+    expect(profile.authTabs).toHaveLength(1);
+    expect(profile.authTabs[0].key).toBe('none');
+    expect(profile.authTabs.every(t => t.key !== 'oauth')).toBe(true);
+    expect(profile.authTabs.every(t => t.key !== 'bearer')).toBe(true);
+  });
+
   it('renders template placeholders', () => {
     const profiles: ListedProfileDetails[] = [
       {
