Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/app/api/auth/backup-pin/route.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ async function authenticateUser(request) {
}

const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, value] = cookie.split('=');
return [name, decodeURIComponent(value)];
})
Expand Down
72 changes: 72 additions & 0 deletions src/app/api/auth/backup-pin/route.test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
import { beforeEach, describe, expect, it, vi } from 'vitest';

const mocks = vi.hoisted(() => ({
authGetUser: vi.fn(),
serviceFrom: vi.fn()
}));

vi.mock('@supabase/supabase-js', () => ({
createClient: vi.fn(() => ({
auth: {
getUser: mocks.authGetUser
}
}))
}));

vi.mock('@/lib/supabase/service-role.js', () => ({
createServiceRoleClient: vi.fn(() => ({
from: mocks.serviceFrom
}))
}));

function cookieValue(token) {
return `base64-${Buffer.from(JSON.stringify({ access_token: token })).toString('base64')}`;
}

function createUsersQuery() {
const query = {
select: vi.fn(() => query),
eq: vi.fn(() => query),
single: vi.fn(() =>
Promise.resolve({
data: { backup_pin_hash: 'pin-hash' },
error: null
})
)
};
return query;
}

describe('backup PIN cookie authentication', () => {
beforeEach(() => {
vi.resetModules();
vi.clearAllMocks();
process.env.NEXT_PUBLIC_SUPABASE_URL = 'https://example.supabase.co';
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY = 'anon-key';

mocks.authGetUser.mockResolvedValue({
data: { user: { id: 'auth-user-id' } },
error: null
});
mocks.serviceFrom.mockImplementation((table) => {
if (table === 'users') return createUsersQuery();
throw new Error(`Unexpected table: ${table}`);
});
});

it('accepts valid cookie headers without a space after semicolons', async () => {
const { GET } = await import('./route.js');
const response = await GET(
new Request('https://qrypt.chat/api/auth/backup-pin', {
headers: {
cookie: `sb-xydzwxwsbgmznthiiscl-auth-token=${cookieValue('access-token')};session=ignored`
}
})
);
const body = await response.json();

expect(response.status).toBe(200);
expect(body).toEqual({ hasPin: true });
expect(mocks.authGetUser).toHaveBeenCalledWith('access-token');
});
});
2 changes: 1 addition & 1 deletion src/app/api/auth/salt/route.js
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ async function authenticateUser(request) {
// Fall back to cookies
const cookieHeader = request.headers.get('cookie') ?? '';
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(c => {
cookieHeader.split(/;\s*/).map(c => {
const [name, ...rest] = c.split('=');
return [name, rest.join('=')];
})
Expand Down
72 changes: 72 additions & 0 deletions src/app/api/auth/salt/route.test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
import { beforeEach, describe, expect, it, vi } from 'vitest';

const mocks = vi.hoisted(() => ({
authGetUser: vi.fn(),
serviceFrom: vi.fn()
}));

vi.mock('@supabase/supabase-js', () => ({
createClient: vi.fn(() => ({
auth: {
getUser: mocks.authGetUser
}
}))
}));

vi.mock('@/lib/supabase/service-role.js', () => ({
createServiceRoleClient: vi.fn(() => ({
from: mocks.serviceFrom
}))
}));

function cookieValue(token) {
return `base64-${Buffer.from(JSON.stringify({ access_token: token })).toString('base64')}`;
}

function createUsersQuery() {
const query = {
select: vi.fn(() => query),
eq: vi.fn(() => query),
single: vi.fn(() =>
Promise.resolve({
data: { salt: 'stored-salt' },
error: null
})
)
};
return query;
}

describe('salt cookie authentication', () => {
beforeEach(() => {
vi.resetModules();
vi.clearAllMocks();
process.env.NEXT_PUBLIC_SUPABASE_URL = 'https://example.supabase.co';
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY = 'anon-key';

mocks.authGetUser.mockResolvedValue({
data: { user: { id: 'auth-user-id' } },
error: null
});
mocks.serviceFrom.mockImplementation((table) => {
if (table === 'users') return createUsersQuery();
throw new Error(`Unexpected table: ${table}`);
});
});

it('accepts valid cookie headers without a space after semicolons', async () => {
const { GET } = await import('./route.js');
const response = await GET(
new Request('https://qrypt.chat/api/auth/salt', {
headers: {
cookie: `sb-xydzwxwsbgmznthiiscl-auth-token=${cookieValue('access-token')};session=ignored`
}
})
);
const body = await response.json();

expect(response.status).toBe(200);
expect(body).toEqual({ salt: 'stored-salt' });
expect(mocks.authGetUser).toHaveBeenCalledWith('access-token');
});
});
2 changes: 1 addition & 1 deletion src/app/api/chat/conversations/[id]/participants/route.js
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ async function authenticateUser(request) {

// Parse cookies to find auth token
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, value] = cookie.split('=');
return [name, decodeURIComponent(value)];
})
Expand Down
2 changes: 1 addition & 1 deletion src/app/api/chat/messages/route.js
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ async function authenticateUser(request) {

// Extract access token from cookies
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, ...rest] = cookie.split('=');
return [name, rest.join('=')];
})
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ async function authenticateUser(request) {

// Extract access token from cookies
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, ...rest] = cookie.split('=');
return [name, rest.join('=')];
})
Expand Down Expand Up @@ -101,4 +101,4 @@ export async function GET(request, { params } = {}) {
console.error('Error in GET /api/conversations/:id/disappearing-messages/presets:', error);
return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ async function authenticateUser(request) {

// Extract access token from cookies
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, ...rest] = cookie.split('=');
return [name, rest.join('=')];
})
Expand Down
4 changes: 2 additions & 2 deletions src/app/api/user/nuclear-delete/route.js
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ async function authenticateUser(request) {

// Extract access token from cookies
const cookies = Object.fromEntries(
cookieHeader.split('; ').map(cookie => {
cookieHeader.split(/;\s*/).map(cookie => {
const [name, ...rest] = cookie.split('=');
return [name, rest.join('=')];
})
Expand Down Expand Up @@ -198,4 +198,4 @@ export async function PUT() {

export async function PATCH() {
return NextResponse.json({ error: 'Method not allowed' }, { status: 405 });
}
}
Loading