mirror of
https://github.com/MoonshotAI/kimi-code.git
synced 2026-07-18 13:44:21 +00:00
* test(server): add API surface snapshot guardrail
Boot startServer on port 0 and snapshot the documented v1 route table derived from /openapi.json paths, plus the reachability of doc/meta endpoints (/healthz, /openapi.json, /asyncapi.json, /). Gives later auth/--host phases an intentional diff when routes change. M0 makes no production behavior change.
* test(server): add e2e server harness with token support
Add test/helpers/serverHarness.ts: boot() wraps startServer with an isolated lock + home dir and returns a handle (server, address, baseUrl, wsUrl, token, close) plus authedFetch/authedWs that carry Authorization: Bearer <token> (and the kimi-code.bearer.<token> WS subprotocol). serviceOverrides is the generic DI seam later phases use to inject a fixed-token auth service; IAuthTokenService is not referenced yet. closeAll() tears down every booted server and socket. M0 makes no production behavior change; typecheck-only gate.
* feat(server): add privateFiles 0600 atomic write/read utility
* feat(server): add per-start tokenStore
* feat(server): add env-based bcrypt password hash utility
* feat(server): add IAuthTokenService DI seam
* feat(server): add global onRequest auth hook with bypass + redaction
* fix(server): stop reflecting Host header in /asyncapi.json
* feat(server): add WS bearer subprotocol constant and parser
* feat(server): enforce bearer token auth on WS upgrade
* feat(server): add Host header allowlist middleware
* feat(server): add Origin/CORS middleware
* feat(server): wire Host/Origin checks into HTTP and WS
* feat(server): wire token auth, Host/Origin, and WS auth into start.ts
* fix(server): create lock file with 0600 permissions
* fix(server): suppress debug routes on non-loopback binds
* feat(kimi-code): read server token and send Authorization on CLI calls
* feat(kimi-code): inject server token into /web URL fragment
* feat(server): add bindClassify for loopback/lan/public classification
* feat(kimi-code): register --host flag and pass it through the daemon
* feat(server): require password and TLS opt-out on non-loopback binds
* feat(server): rate-limit repeated auth failures on non-loopback binds
* feat(server): disable shutdown and terminals on public binds by default
* feat(server): add security response headers on non-loopback binds
* test(server): cover LAN/public host-exposure hardening end to end
* docs(server): add deployment security and threat-model guide
* changeset: minor kimi-code for server auth and host exposure
* feat(kimi-web): add server bearer-token auth support
* fix: repair CI for server auth and host exposure
- Replace native @node-rs/bcrypt with pure-JS bcryptjs so the ESM CLI
bundle and the SEA native bundle both build without native-addon
require issues (node-rs/bcrypt broke the ESM smoke and the SEA
check-bundle allowlist).
- Remove dead cleanup references (stopSpinner, authLogoBlinkTimer) in
apps/kimi-web App.vue that failed vue-tsc.
- Fix lint: drop empty spread fallbacks in the e2e auth-header merge,
void the intentionally-async WS upgrade listener, add missing
assertions to satisfy jest/expect-expect, and convert a ternary
statement to if/else.
- Send the bearer token in the snapshot perf/smoke tests so they pass
under the new global auth hook.
- Refresh the pnpmDeps hash in flake.nix for the updated lockfile.
* feat(server): persist bearer token and add rotate-token command
- persist the server bearer token in <home>/server.token (0600) and reuse it across restarts instead of per-start server-<pid>.token
- add `kimi server rotate-token` to regenerate the token; the token store reloads on mtime/inode change so rotation applies without restart
- print the token and Vite-style Local/Network URLs in the startup banner
- allow non-loopback binds with bearer-token-only auth (password now optional) and update SECURITY.md
- surface daemon boot failures immediately with the exit reason and log tail instead of waiting for the spawn timeout
* feat(server): print full token URLs and re-print links after rotate
- Drop the ready-panel border so token URLs print in full for copying; keep the Kimi sprite beside the title.
- Re-print Local/Network access links after `server rotate-token` (host/port from the lock).
- Extract shared access-URL helpers into access-urls.ts.
- Unify link and token colors between the banner and rotate-token.
* feat(server): dim URL #token= fragment and de-highlight token
- Render the `#token=…` fragment in a dim gray so the host/port stands out in the banner and rotate-token links.
- De-highlight the standalone token; set it off with surrounding whitespace instead of color.
- Add splitTokenFragment helper.
* refactor(cli): polish server ready banner and rotate-token output
- move version onto the ready banner title line; drop the separate
Ready:/Version: rows and the startup-time metric
- reorder rotate-token output so the new token sits between the
invalidation note and the access links
- update server CLI tests for the new layout
* feat(server): warn on reuse and refine ready banner
- Warn when `server run` reuses an already-running daemon (its options are not applied) and show the running server's actual URLs.
- Show a `Network: off use --host 0.0.0.0 to enable` hint on loopback binds.
- Move the version onto the title line and drop the startup-time metric.
* fix(web): relabel auth dialog to token and cover full page
- Relabel the server auth dialog from "password" to "token"; the server accepts the bearer token, with the password only as a fallback.
- Make the auth dialog overlay fully opaque so it covers the whole page instead of revealing the login page underneath.
* fix: resolve CI failures on web auth PR
- Replace chalk.yellow named color with chalk.hex(darkColors.warning)
in the server reuse notice to satisfy the chalk named color guard.
- Update pnpmDeps hash in flake.nix to match the regenerated
pnpm-lock.yaml so the Nix build succeeds.
- Retry rmSync in ws-broadcast e2e teardown to ride out EBUSY /
ENOTEMPTY races while the server flushes files after close().
* test(server): update API surface snapshot for warnings route
The feat/web-auth branch adds GET /api/v1/sessions/{session_id}/warnings
(packages/server/src/routes/sessions.ts), so the API surface guardrail
snapshot needs to record the new documented v1 route.
143 lines
4.4 KiB
TypeScript
143 lines
4.4 KiB
TypeScript
/**
|
|
* Origin / CORS middleware (ROADMAP M4.2).
|
|
*
|
|
* Pure unit cases for `originHost` / `isOriginAllowed` / `parseCorsOrigins`,
|
|
* plus a minimal Fastify integration test that drives the `onRequest` hook
|
|
* through `app.inject` and asserts the emitted (or withheld) CORS headers.
|
|
*/
|
|
|
|
import Fastify, { type FastifyInstance } from 'fastify';
|
|
import { afterEach, beforeEach, describe, expect, it } from 'vitest';
|
|
|
|
import {
|
|
createOriginHook,
|
|
isOriginAllowed,
|
|
originHost,
|
|
parseCorsOrigins,
|
|
} from '#/middleware/origin';
|
|
|
|
describe('originHost', () => {
|
|
it('returns the host for a valid origin', () => {
|
|
expect(originHost('https://foo.com')).toBe('foo.com');
|
|
});
|
|
|
|
it('drops the default port', () => {
|
|
expect(originHost('http://localhost:80')).toBe('localhost');
|
|
});
|
|
|
|
it('keeps a non-default port', () => {
|
|
expect(originHost('http://127.0.0.1:58627')).toBe('127.0.0.1:58627');
|
|
});
|
|
|
|
it('returns undefined for a missing origin', () => {
|
|
expect(originHost(undefined)).toBeUndefined();
|
|
});
|
|
|
|
it('returns undefined for a malformed origin', () => {
|
|
expect(originHost('not a url')).toBeUndefined();
|
|
});
|
|
});
|
|
|
|
describe('isOriginAllowed', () => {
|
|
it('allows same-origin', () => {
|
|
expect(isOriginAllowed('http://localhost:80', 'localhost:80', [])).toBe(true);
|
|
});
|
|
|
|
it('denies cross-origin that is not whitelisted', () => {
|
|
expect(isOriginAllowed('http://evil.com', 'localhost:80', [])).toBe(false);
|
|
});
|
|
|
|
it('allows cross-origin that is whitelisted', () => {
|
|
expect(isOriginAllowed('https://foo.com', 'localhost:80', ['https://foo.com'])).toBe(true);
|
|
});
|
|
|
|
it('allows an absent origin', () => {
|
|
expect(isOriginAllowed(undefined, 'localhost:80', [])).toBe(true);
|
|
});
|
|
|
|
it('treats a malformed origin as absent (allowed)', () => {
|
|
expect(isOriginAllowed('not a url', 'h', [])).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('parseCorsOrigins', () => {
|
|
it('splits, trims, and drops empties', () => {
|
|
expect(parseCorsOrigins({ KIMI_CODE_CORS_ORIGINS: ' https://a.com, https://b.com, ' })).toEqual([
|
|
'https://a.com',
|
|
'https://b.com',
|
|
]);
|
|
});
|
|
|
|
it('returns [] when unset', () => {
|
|
expect(parseCorsOrigins({})).toEqual([]);
|
|
});
|
|
});
|
|
|
|
describe('createOriginHook (onRequest hook)', () => {
|
|
let app: FastifyInstance;
|
|
|
|
beforeEach(async () => {
|
|
app = Fastify();
|
|
app.addHook('onRequest', createOriginHook({ allowedOrigins: ['https://foo.com'] }));
|
|
app.get('/api/v1/probe', async () => ({ ok: true }));
|
|
app.options('/api/v1/probe', async () => ({ ok: true }));
|
|
await app.ready();
|
|
});
|
|
|
|
afterEach(async () => {
|
|
await app.close();
|
|
});
|
|
|
|
it('echoes CORS headers for a same-origin request', async () => {
|
|
const res = await app.inject({
|
|
method: 'GET',
|
|
url: '/api/v1/probe',
|
|
headers: { origin: 'http://localhost:80', host: 'localhost:80' },
|
|
});
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.headers['access-control-allow-origin']).toBe('http://localhost:80');
|
|
});
|
|
|
|
it('echoes the whitelisted cross-origin and short-circuits OPTIONS to 204', async () => {
|
|
const res = await app.inject({
|
|
method: 'OPTIONS',
|
|
url: '/api/v1/probe',
|
|
headers: { origin: 'https://foo.com', host: 'localhost:80' },
|
|
});
|
|
expect(res.statusCode).toBe(204);
|
|
expect(res.headers['access-control-allow-origin']).toBe('https://foo.com');
|
|
expect(res.headers['access-control-allow-methods']).toBe(
|
|
'GET, POST, PUT, PATCH, DELETE, OPTIONS',
|
|
);
|
|
});
|
|
|
|
it('withholds CORS headers for a non-whitelisted cross-origin', async () => {
|
|
const res = await app.inject({
|
|
method: 'GET',
|
|
url: '/api/v1/probe',
|
|
headers: { origin: 'http://evil.com', host: 'localhost:80' },
|
|
});
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.headers['access-control-allow-origin']).toBeUndefined();
|
|
});
|
|
|
|
it('returns 204 without CORS headers for a non-whitelisted OPTIONS', async () => {
|
|
const res = await app.inject({
|
|
method: 'OPTIONS',
|
|
url: '/api/v1/probe',
|
|
headers: { origin: 'http://evil.com', host: 'localhost:80' },
|
|
});
|
|
expect(res.statusCode).toBe(204);
|
|
expect(res.headers['access-control-allow-origin']).toBeUndefined();
|
|
});
|
|
|
|
it('emits no CORS headers when Origin is absent', async () => {
|
|
const res = await app.inject({
|
|
method: 'GET',
|
|
url: '/api/v1/probe',
|
|
headers: { host: 'localhost:80' },
|
|
});
|
|
expect(res.statusCode).toBe(200);
|
|
expect(res.headers['access-control-allow-origin']).toBeUndefined();
|
|
});
|
|
});
|