test: add OAuth login route test suite (22 cases)

Guards the browser OAuth popup flow used by claude.ai and ChatGPT:
- GET /login: return_to URL validation, XSS escaping, error display
- POST /login: first-party cookie properties (httpOnly/secure/lax/domain),
  open redirect blocking, credential rejection paths
- GET /oauth/authorize: must redirect to /login (never app.squaremcp.com),
  return_to encoding, valid session bypasses redirect

Also exports `app` from index.ts and guards main() with NODE_ENV !== 'test'
so the Express app can be imported by supertest without triggering DB init.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Garfield
2026-05-14 17:57:29 -04:00
parent 02398258a5
commit d6302a673d
4 changed files with 716 additions and 4 deletions
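The commit message above lists two checks a reviewer would want to see spelled out: the `return_to` validation that blocks open redirects, and the first-party cookie attributes (HttpOnly/Secure/SameSite=Lax/Domain) asserted on the POST /login response. The block below is an added example, not code from this commit or from the squaremcp project: a `validateReturnTo` function of the kind the route would call before redirecting, and a `checkSessionCookie` helper of the kind a supertest suite would run over a `Set-Cookie` header. The function names, the cookie name `session`, the placeholder origin and the sample headers are all assumptions constructed for the illustration.

```typescript
// Added example (not the squaremcp project's code). Names and sample
// inputs are assumptions made for this illustration.

// Accept only same-site paths for return_to. Absolute URLs, protocol-relative
// "//host", backslash variants ("/\host", which WHATWG parsing treats as "//host")
// and scheme-looking strings all fall back to a safe default.
export function validateReturnTo(raw: string | undefined, fallback = "/"): string {
  if (!raw) return fallback;
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return fallback;
  // Control characters and whitespace are stripped or re-interpreted by browsers;
  // reject rather than normalise so the tested value is the redirected value.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return fallback;
  let parsed: URL;
  try {
    // Resolve against a placeholder origin and confirm the result stayed on it.
    parsed = new URL(raw, "https://placeholder.invalid");
  } catch {
    return fallback;
  }
  if (parsed.origin !== "https://placeholder.invalid") return fallback;
  // Return the normalised path so the redirect target is exactly what was checked.
  return parsed.pathname + parsed.search + parsed.hash;
}

export interface CookieCheck {
  ok: boolean;
  problems: string[];
}

// Parse one Set-Cookie header value and verify the first-party session cookie
// attributes: HttpOnly, Secure, SameSite=Lax, and a Domain that is either absent
// (host-only cookie) or equal to the expected first-party domain.
export function checkSessionCookie(
  setCookie: string,
  expectedDomain: string,
  name = "session",
): CookieCheck {
  const parts = setCookie.split(";").map((p) => p.trim());
  const [cookieName] = parts[0].split("=", 1);
  const attrs = new Map<string, string>();
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : p.slice(eq + 1);
    attrs.set(key, value);
  }
  const problems: string[] = [];
  if (cookieName !== name) problems.push(`unexpected cookie name ${cookieName}`);
  if (!attrs.has("httponly")) problems.push("missing HttpOnly");
  if (!attrs.has("secure")) problems.push("missing Secure");
  if ((attrs.get("samesite") ?? "").toLowerCase() !== "lax") problems.push("SameSite must be Lax");
  const domain = attrs.get("domain");
  if (domain !== undefined && domain.replace(/^\./, "").toLowerCase() !== expectedDomain.toLowerCase()) {
    problems.push(`Domain ${domain} is not first-party`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs (assumptions, not captured from the project).
const sampleReturnTos = ["/dashboard?tab=1", "https://evil.example/", "//evil.example/", "/\\evil.example"];
for (const rt of sampleReturnTos) {
  console.log(JSON.stringify(rt), "->", validateReturnTo(rt));
}
const goodHeader = "session=abc; Path=/; HttpOnly; Secure; SameSite=Lax";
const badHeader = "session=abc; Path=/; SameSite=None; Domain=.evil.example";
console.log(checkSessionCookie(goodHeader, "login.example"));
console.log(checkSessionCookie(badHeader, "login.example"));
```

The origin comparison after `new URL(raw, base)` is the check that actually does the work: it catches every form the parser would turn into a different host, including the backslash and percent-encoding tricks, while the prefix checks only make the common cases explicit in test output.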


@@ -38,10 +38,12 @@
"@types/jsonwebtoken": "^9.0.10",
"@types/node": "^20.0.0",
"@types/nodemailer": "^6.4.0",
"@types/supertest": "^7.2.0",
"@vitest/coverage-v8": "^4.1.6",
"pixelmatch": "^7.1.0",
"playwright": "^1.59.1",
"pngjs": "^7.0.0",
"supertest": "^7.2.2",
"tsx": "^4.0.0",
"typescript": "^5.0.0",
"vitest": "^4.1.6"
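Review bot: the two entries this hunk adds, `"@types/supertest": "^7.2.0"` and `"supertest": "^7.2.2"`, are caret ranges, so the versions CI actually installs depend on the lockfile; confirm the lockfile update is among the 4 changed files in this commit rather than left for a later one, since a test-only dependency that drifts between local and CI resolution is exactly the case where a failing assertion gets blamed on the wrong thing. The hunk as rendered here has also lost its +/- markers, so anyone reading the commit page cannot see from this file alone that only those two lines changed.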