test: add OAuth login route test suite (22 cases)

Guards the browser OAuth popup flow used by claude.ai and ChatGPT:
- GET /login: return_to URL validation, XSS escaping, error display
- POST /login: first-party cookie properties (httpOnly/secure/lax/domain),
  open redirect blocking, credential rejection paths
- GET /oauth/authorize: must redirect to /login (never app.squaremcp.com),
  return_to encoding, valid session bypasses redirect

Also exports `app` from index.ts and guards main() with NODE_ENV !== 'test'
so the Express app can be imported by supertest without triggering DB init.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Garfield
2026-05-14 17:57:29 -04:00
parent 02398258a5
commit d6302a673d
4 changed files with 716 additions and 4 deletions

@@ -2134,7 +2134,11 @@ async function main() {
});
}
main().catch((err) => {
console.error('Failed to start server:', err);
process.exit(1);
});
export { app };
if (process.env.NODE_ENV !== 'test') {
main().catch((err) => {
console.error('Failed to start server:', err);
process.exit(1);
});
}
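
Review bot: the `if (process.env.NODE_ENV !== 'test')` guard at the end of this hunk ties server startup to an environment variable rather than to how the file is loaded. A process that inherits NODE_ENV=test never calls main() and logs nothing about it, while any importer running with NODE_ENV unset or set to another value still triggers main() and the DB init the commit message wants to avoid. Consider gating on the entry point instead (for example `require.main === module` in a CommonJS build) or moving `app` into its own module that index.ts imports, and log a line when startup is skipped so a misconfigured environment is visible.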