mirror of
https://github.com/diegosouzapw/OmniRoute.git
synced 2026-07-09 17:28:51 +00:00
Centralizes browser-mutation origin validation into `src/server/origin/publicOrigin.ts` and wires it through the authz pipeline, replacing the per-route same-origin-only check that 403'd dashboard mutations when served behind a reverse proxy on a different public origin. The new module resolves the allowed public origin from configured base-URL env vars or trusted forwarded headers (only when OMNIROUTE_TRUST_PROXY is set AND the peer is loopback/LAN via peer-stamp), validates Sec-Fetch-Site metadata, and sanitizes Host/Forwarded inputs (rejects control chars, userinfo, path/query in Host). Reviewed sound; validated locally: authz/public-origin + pipeline suites 27/27 green (incl. invalid-origin reject + configured-origin accept), typecheck clean. Maintainer fix-up: moved the new test from tests/unit/server/ (not collected by any runner — orphan-test gate fail) into tests/unit/authz/. Remaining red CI shards are the pre-existing #4076 Dockerfile heap base-red on `main` (unrelated; de-brittled in the v3.8.40 release line). Co-authored-by: Thinkscape <Thinkscape@users.noreply.github.com>
334 lines
12 KiB
TypeScript
334 lines
12 KiB
TypeScript
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import fs from "node:fs";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
import { SignJWT } from "jose";
|
|
import { NextRequest } from "next/server";
|
|
|
|
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omr-authz-pipeline-"));
|
|
process.env.DATA_DIR = TEST_DATA_DIR;
|
|
process.env.API_KEY_SECRET = "test-secret";
|
|
|
|
const core = await import("../../../src/lib/db/core.ts");
|
|
const apiKeysDb = await import("../../../src/lib/db/apiKeys.ts");
|
|
const settingsDb = await import("../../../src/lib/db/settings.ts");
|
|
const pipeline = await import("../../../src/server/authz/pipeline.ts");
|
|
|
|
const ORIGINAL_JWT = process.env.JWT_SECRET;
|
|
const ORIGINAL_INITIAL = process.env.INITIAL_PASSWORD;
|
|
const ORIGINAL_AUTH_COOKIE_SECURE = process.env.AUTH_COOKIE_SECURE;
|
|
const ORIGINAL_OMNIROUTE_PUBLIC_BASE_URL = process.env.OMNIROUTE_PUBLIC_BASE_URL;
|
|
const ORIGINAL_NEXT_PUBLIC_BASE_URL = process.env.NEXT_PUBLIC_BASE_URL;
|
|
const ORIGINAL_NEXT_PUBLIC_APP_URL = process.env.NEXT_PUBLIC_APP_URL;
|
|
const ORIGINAL_OMNIROUTE_TRUST_PROXY = process.env.OMNIROUTE_TRUST_PROXY;
|
|
const ORIGINAL_OMNIROUTE_PEER_STAMP_TOKEN = process.env.OMNIROUTE_PEER_STAMP_TOKEN;
|
|
|
|
function resetEnvironment() {
|
|
core.resetDbInstance();
|
|
apiKeysDb.resetApiKeyState();
|
|
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
|
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
|
process.env.JWT_SECRET = "pipeline-jwt-secret";
|
|
process.env.INITIAL_PASSWORD = "pipeline-initial-password";
|
|
delete process.env.AUTH_COOKIE_SECURE;
|
|
delete process.env.OMNIROUTE_PUBLIC_BASE_URL;
|
|
delete process.env.NEXT_PUBLIC_BASE_URL;
|
|
delete process.env.NEXT_PUBLIC_APP_URL;
|
|
delete process.env.OMNIROUTE_TRUST_PROXY;
|
|
delete process.env.OMNIROUTE_PEER_STAMP_TOKEN;
|
|
globalThis.__omnirouteShutdown = { init: false, shuttingDown: false, activeRequests: 0 };
|
|
}
|
|
|
|
async function forceAuthRequired() {
|
|
await settingsDb.updateSettings({ requireLogin: true });
|
|
}
|
|
|
|
async function dashboardCookie(expiresIn = "1h"): Promise<string> {
|
|
const secret = new TextEncoder().encode(process.env.JWT_SECRET);
|
|
const token = await new SignJWT({ authenticated: true })
|
|
.setProtectedHeader({ alg: "HS256" })
|
|
.setExpirationTime(expiresIn)
|
|
.sign(secret);
|
|
return `auth_token=${token}`;
|
|
}
|
|
|
|
function request(url: string, init?: RequestInit): NextRequest {
|
|
return new NextRequest(url, init);
|
|
}
|
|
|
|
test.beforeEach(() => {
|
|
resetEnvironment();
|
|
});
|
|
|
|
test.after(() => {
|
|
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
|
if (ORIGINAL_JWT === undefined) delete process.env.JWT_SECRET;
|
|
else process.env.JWT_SECRET = ORIGINAL_JWT;
|
|
if (ORIGINAL_INITIAL === undefined) delete process.env.INITIAL_PASSWORD;
|
|
else process.env.INITIAL_PASSWORD = ORIGINAL_INITIAL;
|
|
if (ORIGINAL_AUTH_COOKIE_SECURE === undefined) delete process.env.AUTH_COOKIE_SECURE;
|
|
else process.env.AUTH_COOKIE_SECURE = ORIGINAL_AUTH_COOKIE_SECURE;
|
|
if (ORIGINAL_OMNIROUTE_PUBLIC_BASE_URL === undefined)
|
|
delete process.env.OMNIROUTE_PUBLIC_BASE_URL;
|
|
else process.env.OMNIROUTE_PUBLIC_BASE_URL = ORIGINAL_OMNIROUTE_PUBLIC_BASE_URL;
|
|
if (ORIGINAL_NEXT_PUBLIC_BASE_URL === undefined) delete process.env.NEXT_PUBLIC_BASE_URL;
|
|
else process.env.NEXT_PUBLIC_BASE_URL = ORIGINAL_NEXT_PUBLIC_BASE_URL;
|
|
if (ORIGINAL_NEXT_PUBLIC_APP_URL === undefined) delete process.env.NEXT_PUBLIC_APP_URL;
|
|
else process.env.NEXT_PUBLIC_APP_URL = ORIGINAL_NEXT_PUBLIC_APP_URL;
|
|
if (ORIGINAL_OMNIROUTE_TRUST_PROXY === undefined) delete process.env.OMNIROUTE_TRUST_PROXY;
|
|
else process.env.OMNIROUTE_TRUST_PROXY = ORIGINAL_OMNIROUTE_TRUST_PROXY;
|
|
if (ORIGINAL_OMNIROUTE_PEER_STAMP_TOKEN === undefined) {
|
|
delete process.env.OMNIROUTE_PEER_STAMP_TOKEN;
|
|
} else {
|
|
process.env.OMNIROUTE_PEER_STAMP_TOKEN = ORIGINAL_OMNIROUTE_PEER_STAMP_TOKEN;
|
|
}
|
|
globalThis.__omnirouteShutdown = { init: false, shuttingDown: false, activeRequests: 0 };
|
|
});
|
|
|
|
test("runAuthzPipeline redirects root to dashboard before management auth", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/"), { enforce: true });
|
|
|
|
assert.equal(response.status, 307);
|
|
assert.equal(response.headers.get("location"), "http://localhost/dashboard");
|
|
});
|
|
|
|
test("runAuthzPipeline redirects unauthenticated dashboard pages to login", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/dashboard"), {
|
|
enforce: true,
|
|
});
|
|
|
|
assert.equal(response.status, 307);
|
|
assert.equal(response.headers.get("location"), "http://localhost/login");
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
assert.ok(response.headers.get("x-request-id"));
|
|
});
|
|
|
|
test("runAuthzPipeline redirects unauthenticated /home to login (#2712)", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/home"), {
|
|
enforce: true,
|
|
});
|
|
|
|
assert.equal(response.status, 307);
|
|
assert.equal(response.headers.get("location"), "http://localhost/login");
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
});
|
|
|
|
test("runAuthzPipeline redirects unauthenticated /home/* nested paths to login (#2712)", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/home/settings"), {
|
|
enforce: true,
|
|
});
|
|
|
|
assert.equal(response.status, 307);
|
|
assert.equal(response.headers.get("location"), "http://localhost/login");
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
});
|
|
|
|
test("runAuthzPipeline allows onboarding when login is required but no password exists", async () => {
|
|
delete process.env.INITIAL_PASSWORD;
|
|
await settingsDb.updateSettings({
|
|
requireLogin: true,
|
|
setupComplete: true,
|
|
password: "",
|
|
});
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("https://example.com/dashboard/onboarding"),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "PUBLIC");
|
|
});
|
|
|
|
test("runAuthzPipeline allows first password writes when login is required but no password exists", async () => {
|
|
delete process.env.INITIAL_PASSWORD;
|
|
await settingsDb.updateSettings({
|
|
requireLogin: true,
|
|
setupComplete: true,
|
|
password: "",
|
|
});
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("https://example.com/api/settings/require-login", { method: "POST" }),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
});
|
|
|
|
test("runAuthzPipeline keeps management API rejections as JSON", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/api/keys"), {
|
|
enforce: true,
|
|
});
|
|
const body = await response.json();
|
|
|
|
assert.equal(response.status, 401);
|
|
assert.equal(response.headers.get("content-type")?.includes("application/json"), true);
|
|
assert.equal(body.error.code, "AUTH_001");
|
|
});
|
|
|
|
test("runAuthzPipeline rejects oversized API bodies before auth", async () => {
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://localhost/api/v1/chat/completions", {
|
|
method: "POST",
|
|
headers: {
|
|
"content-length": String(99 * 1024 * 1024),
|
|
origin: "https://app.example.com",
|
|
},
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 413);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "CLIENT_API");
|
|
assert.ok(response.headers.get("x-request-id"));
|
|
assert.equal(
|
|
response.headers.get("Access-Control-Allow-Methods"),
|
|
"GET, POST, PUT, DELETE, PATCH, OPTIONS"
|
|
);
|
|
});
|
|
|
|
test("runAuthzPipeline rejects oversized rewritten alias API bodies before auth", async () => {
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://localhost/v1/chat/completions", {
|
|
method: "POST",
|
|
headers: {
|
|
"content-length": String(99 * 1024 * 1024),
|
|
origin: "https://app.example.com",
|
|
},
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 413);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "CLIENT_API");
|
|
assert.ok(response.headers.get("x-request-id"));
|
|
});
|
|
|
|
test("runAuthzPipeline rejects new API requests during shutdown drain", async () => {
|
|
globalThis.__omnirouteShutdown = { init: true, shuttingDown: true, activeRequests: 0 };
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/api/v1/models"), {
|
|
enforce: true,
|
|
});
|
|
const body = await response.json();
|
|
|
|
assert.equal(response.status, 503);
|
|
assert.equal(body.error.code, "SERVICE_UNAVAILABLE");
|
|
});
|
|
|
|
test("runAuthzPipeline rejects rewritten API aliases during shutdown drain", async () => {
|
|
globalThis.__omnirouteShutdown = { init: true, shuttingDown: true, activeRequests: 0 };
|
|
|
|
const response = await pipeline.runAuthzPipeline(request("http://localhost/responses"), {
|
|
enforce: true,
|
|
});
|
|
const body = await response.json();
|
|
|
|
assert.equal(response.status, 503);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "CLIENT_API");
|
|
assert.equal(body.error.code, "SERVICE_UNAVAILABLE");
|
|
});
|
|
|
|
test("runAuthzPipeline allows dashboard sessions to read model catalog aliases", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://localhost/v1/models", {
|
|
headers: { cookie: await dashboardCookie() },
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "CLIENT_API");
|
|
});
|
|
|
|
test("runAuthzPipeline allows dashboard sessions to reach DB health management API", async () => {
|
|
await forceAuthRequired();
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://localhost/api/db/health", {
|
|
headers: { cookie: await dashboardCookie() },
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
});
|
|
|
|
test("runAuthzPipeline accepts dashboard mutations from configured public origin", async () => {
|
|
await forceAuthRequired();
|
|
process.env.NEXT_PUBLIC_BASE_URL = "https://gateway.example.test";
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://omniroute:20128/api/providers/health-autopilot/actions", {
|
|
method: "POST",
|
|
headers: {
|
|
cookie: await dashboardCookie(),
|
|
origin: "https://gateway.example.test",
|
|
"content-type": "application/json",
|
|
},
|
|
body: "{}",
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.equal(response.headers.get("x-omniroute-route-class"), "MANAGEMENT");
|
|
});
|
|
|
|
test("runAuthzPipeline rejects dashboard mutations from invalid browser origin", async () => {
|
|
await forceAuthRequired();
|
|
process.env.NEXT_PUBLIC_BASE_URL = "https://gateway.example.test";
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://omniroute:20128/api/providers/health-autopilot/actions", {
|
|
method: "POST",
|
|
headers: {
|
|
cookie: await dashboardCookie(),
|
|
origin: "https://evil.example",
|
|
"content-type": "application/json",
|
|
},
|
|
body: "{}",
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
const body = await response.json();
|
|
|
|
assert.equal(response.status, 403);
|
|
assert.equal(body.error.code, "INVALID_ORIGIN");
|
|
assert.equal(body.error.message, "Invalid request origin");
|
|
});
|
|
|
|
test("runAuthzPipeline refreshes dashboard JWTs near expiry", async () => {
|
|
await forceAuthRequired();
|
|
const secret = new TextEncoder().encode(process.env.JWT_SECRET);
|
|
const expiringToken = await new SignJWT({ authenticated: true })
|
|
.setProtectedHeader({ alg: "HS256" })
|
|
.setExpirationTime("1h")
|
|
.sign(secret);
|
|
|
|
const response = await pipeline.runAuthzPipeline(
|
|
request("http://localhost/dashboard", {
|
|
headers: { cookie: `auth_token=${expiringToken}` },
|
|
}),
|
|
{ enforce: true }
|
|
);
|
|
|
|
assert.equal(response.status, 200);
|
|
assert.match(response.headers.get("set-cookie") || "", /auth_token=/);
|
|
});
|