mirror of
https://github.com/MoonshotAI/kimi-code.git
synced 2026-07-10 01:39:25 +00:00
* test(server): add API surface snapshot guardrail
Boot startServer on port 0 and snapshot the documented v1 route table derived from /openapi.json paths, plus the reachability of doc/meta endpoints (/healthz, /openapi.json, /asyncapi.json, /). Gives later auth/--host phases an intentional diff when routes change. M0 makes no production behavior change.
* test(server): add e2e server harness with token support
Add test/helpers/serverHarness.ts: boot() wraps startServer with an isolated lock + home dir and returns a handle (server, address, baseUrl, wsUrl, token, close) plus authedFetch/authedWs that carry Authorization: Bearer <token> (and the kimi-code.bearer.<token> WS subprotocol). serviceOverrides is the generic DI seam later phases use to inject a fixed-token auth service; IAuthTokenService is not referenced yet. closeAll() tears down every booted server and socket. M0 makes no production behavior change; typecheck-only gate.
* feat(server): add privateFiles 0600 atomic write/read utility
* feat(server): add per-start tokenStore
* feat(server): add env-based bcrypt password hash utility
* feat(server): add IAuthTokenService DI seam
* feat(server): add global onRequest auth hook with bypass + redaction
* fix(server): stop reflecting Host header in /asyncapi.json
* feat(server): add WS bearer subprotocol constant and parser
* feat(server): enforce bearer token auth on WS upgrade
* feat(server): add Host header allowlist middleware
* feat(server): add Origin/CORS middleware
* feat(server): wire Host/Origin checks into HTTP and WS
* feat(server): wire token auth, Host/Origin, and WS auth into start.ts
* fix(server): create lock file with 0600 permissions
* fix(server): suppress debug routes on non-loopback binds
* feat(kimi-code): read server token and send Authorization on CLI calls
* feat(kimi-code): inject server token into /web URL fragment
* feat(server): add bindClassify for loopback/lan/public classification
* feat(kimi-code): register --host flag and pass it through the daemon
* feat(server): require password and TLS opt-out on non-loopback binds
* feat(server): rate-limit repeated auth failures on non-loopback binds
* feat(server): disable shutdown and terminals on public binds by default
* feat(server): add security response headers on non-loopback binds
* test(server): cover LAN/public host-exposure hardening end to end
* docs(server): add deployment security and threat-model guide
* changeset: minor kimi-code for server auth and host exposure
* feat(kimi-web): add server bearer-token auth support
* fix: repair CI for server auth and host exposure
- Replace native @node-rs/bcrypt with pure-JS bcryptjs so the ESM CLI
bundle and the SEA native bundle both build without native-addon
require issues (node-rs/bcrypt broke the ESM smoke and the SEA
check-bundle allowlist).
- Remove dead cleanup references (stopSpinner, authLogoBlinkTimer) in
apps/kimi-web App.vue that failed vue-tsc.
- Fix lint: drop empty spread fallbacks in the e2e auth-header merge,
void the intentionally-async WS upgrade listener, add missing
assertions to satisfy jest/expect-expect, and convert a ternary
statement to if/else.
- Send the bearer token in the snapshot perf/smoke tests so they pass
under the new global auth hook.
- Refresh the pnpmDeps hash in flake.nix for the updated lockfile.
* feat(server): persist bearer token and add rotate-token command
- persist the server bearer token in <home>/server.token (0600) and reuse it across restarts instead of per-start server-<pid>.token
- add `kimi server rotate-token` to regenerate the token; the token store reloads on mtime/inode change so rotation applies without restart
- print the token and Vite-style Local/Network URLs in the startup banner
- allow non-loopback binds with bearer-token-only auth (password now optional) and update SECURITY.md
- surface daemon boot failures immediately with the exit reason and log tail instead of waiting for the spawn timeout
* feat(server): print full token URLs and re-print links after rotate
- Drop the ready-panel border so token URLs print in full for copying; keep the Kimi sprite beside the title.
- Re-print Local/Network access links after `server rotate-token` (host/port from the lock).
- Extract shared access-URL helpers into access-urls.ts.
- Unify link and token colors between the banner and rotate-token.
* feat(server): dim URL #token= fragment and de-highlight token
- Render the `#token=…` fragment in a dim gray so the host/port stands out in the banner and rotate-token links.
- De-highlight the standalone token; set it off with surrounding whitespace instead of color.
- Add splitTokenFragment helper.
* refactor(cli): polish server ready banner and rotate-token output
- move version onto the ready banner title line; drop the separate
Ready:/Version: rows and the startup-time metric
- reorder rotate-token output so the new token sits between the
invalidation note and the access links
- update server CLI tests for the new layout
* feat(server): warn on reuse and refine ready banner
- Warn when `server run` reuses an already-running daemon (its options are not applied) and show the running server's actual URLs.
- Show a `Network: off use --host 0.0.0.0 to enable` hint on loopback binds.
- Move the version onto the title line and drop the startup-time metric.
* fix(web): relabel auth dialog to token and cover full page
- Relabel the server auth dialog from "password" to "token"; the server accepts the bearer token, with the password only as a fallback.
- Make the auth dialog overlay fully opaque so it covers the whole page instead of revealing the login page underneath.
* fix: resolve CI failures on web auth PR
- Replace chalk.yellow named color with chalk.hex(darkColors.warning)
in the server reuse notice to satisfy the chalk named color guard.
- Update pnpmDeps hash in flake.nix to match the regenerated
pnpm-lock.yaml so the Nix build succeeds.
- Retry rmSync in ws-broadcast e2e teardown to ride out EBUSY /
ENOTEMPTY races while the server flushes files after close().
* test(server): update API surface snapshot for warnings route
The feat/web-auth branch adds GET /api/v1/sessions/{session_id}/warnings
(packages/server/src/routes/sessions.ts), so the API surface guardrail
snapshot needs to record the new documented v1 route.
464 lines
15 KiB
TypeScript
464 lines
15 KiB
TypeScript
/**
|
|
* `startServer` + lock integration + DI wiring (ROADMAP P0.12 + P0.14).
|
|
*
|
|
* Bind to port 0 → ephemeral port; tmpdir lock path → no `~/.kimi` interference.
|
|
* Tests share the assertion that the lock file appears alongside the listener
|
|
* and vanishes on close, and that a second startServer raises ServerLockedError.
|
|
*
|
|
* The DI graph end-to-end is exercised implicitly: every startServer call
|
|
* constructs ILogService, IRestGateway, IEventService, IApprovalService,
|
|
* IQuestionService, and ICoreProcessService in order. Failure modes there (missing
|
|
* service, wrong ctor args) would surface as a startServer reject.
|
|
*/
|
|
|
|
import {
|
|
existsSync,
|
|
mkdirSync,
|
|
mkdtempSync,
|
|
readFileSync,
|
|
rmSync,
|
|
writeFileSync,
|
|
} from 'node:fs';
|
|
import { createServer, type Server } from 'node:net';
|
|
import { tmpdir } from 'node:os';
|
|
import { join } from 'node:path';
|
|
|
|
import { afterEach, beforeEach, describe, expect, it } from 'vitest';
|
|
|
|
import { pino } from 'pino';
|
|
|
|
import { listenWithPortRetry } from '../src/start';
|
|
|
|
import {
|
|
ServerLockedError,
|
|
IApprovalService,
|
|
IConnectionRegistry,
|
|
IEventService,
|
|
ICoreProcessService,
|
|
ILogService,
|
|
IQuestionService,
|
|
IRestGateway,
|
|
IServerShutdownService,
|
|
ISessionClientsService,
|
|
IWSBroadcastService,
|
|
IWSGateway,
|
|
createServerLogger,
|
|
startServer,
|
|
type LockContents,
|
|
type RunningServer,
|
|
} from '../src';
|
|
import { authHeaders, fixedTokenAuth } from './helpers/serverHarness';
|
|
|
|
let tmpDir: string;
|
|
let lockPath: string;
|
|
let bridgeHome: string;
|
|
const running: RunningServer[] = [];
|
|
|
|
beforeEach(() => {
|
|
tmpDir = mkdtempSync(join(tmpdir(), 'kimi-server-start-test-'));
|
|
lockPath = join(tmpDir, 'lock');
|
|
// Isolate KimiCore's `~/.kimi` lookup — bridge construction touches it via plugin discovery.
|
|
bridgeHome = mkdtempSync(join(tmpdir(), 'kimi-server-start-home-'));
|
|
});
|
|
|
|
afterEach(async () => {
|
|
// Tear down every server spawned in the test in the order they were created.
|
|
for (const r of running.splice(0)) {
|
|
try {
|
|
await r.close();
|
|
} catch {
|
|
// ignore
|
|
}
|
|
}
|
|
rmSync(tmpDir, { recursive: true, force: true });
|
|
rmSync(bridgeHome, { recursive: true, force: true });
|
|
});
|
|
|
|
function silentLogger() {
|
|
return pino({ level: 'silent' });
|
|
}
|
|
|
|
function listenOnPort(host: string, port: number): Promise<Server> {
|
|
return new Promise((resolve, reject) => {
|
|
const server = createServer();
|
|
server.once('error', reject);
|
|
server.listen({ host, port }, () => resolve(server));
|
|
});
|
|
}
|
|
|
|
function closeNetServer(server: Server): Promise<void> {
|
|
return new Promise((resolve) => server.close(() => resolve()));
|
|
}
|
|
|
|
/** Find `port` such that both `port` and `port + 1` are free to bind. */
|
|
async function allocateAdjacentFreePair(
|
|
host = '127.0.0.1',
|
|
): Promise<{ port: number; next: number }> {
|
|
for (let i = 0; i < 30; i++) {
|
|
const a = await listenOnPort(host, 0);
|
|
const address = a.address();
|
|
const port = typeof address === 'object' && address !== null ? address.port : 0;
|
|
await closeNetServer(a);
|
|
if (port <= 0 || port >= 65535) continue;
|
|
const probe = await listenOnPort(host, port + 1).catch(() => null);
|
|
if (probe === null) continue;
|
|
await closeNetServer(probe);
|
|
return { port, next: port + 1 };
|
|
}
|
|
throw new Error('could not allocate an adjacent free port pair');
|
|
}
|
|
|
|
function fakeGateway(
|
|
listen: (host: string, port: number) => Promise<string>,
|
|
): Parameters<typeof listenWithPortRetry>[0]['gateway'] {
|
|
return { _serviceBrand: undefined, app: undefined, listen } as unknown as Parameters<
|
|
typeof listenWithPortRetry
|
|
>[0]['gateway'];
|
|
}
|
|
|
|
function addrInUse(): NodeJS.ErrnoException {
|
|
const err = new Error('listen EADDRINUSE') as NodeJS.ErrnoException;
|
|
err.code = 'EADDRINUSE';
|
|
return err;
|
|
}
|
|
|
|
async function spawn(): Promise<RunningServer> {
|
|
const r = await startServer({
|
|
serviceOverrides: [fixedTokenAuth()],
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
lockPath,
|
|
logger: silentLogger(),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
});
|
|
running.push(r);
|
|
return r;
|
|
}
|
|
|
|
describe('startServer — lock + healthz smoke', () => {
|
|
it('acquires the lock and writes pid/port; close releases', async () => {
|
|
const r = await spawn();
|
|
|
|
expect(existsSync(lockPath)).toBe(true);
|
|
const stored = JSON.parse(readFileSync(lockPath, 'utf8')) as LockContents;
|
|
expect(stored.pid).toBe(process.pid);
|
|
expect(stored.host).toBe('127.0.0.1');
|
|
expect(stored.port).toBe(0);
|
|
|
|
expect(r.address).toMatch(/^http:\/\/127\.0\.0\.1:\d+$/);
|
|
|
|
await r.close();
|
|
expect(existsSync(lockPath)).toBe(false);
|
|
});
|
|
|
|
it('second startServer with the same lockPath throws ServerLockedError', async () => {
|
|
await spawn();
|
|
await expect(spawn()).rejects.toBeInstanceOf(ServerLockedError);
|
|
});
|
|
|
|
it('close() is idempotent', async () => {
|
|
const r = await spawn();
|
|
await r.close();
|
|
await r.close(); // second call is a no-op (would throw on double-app.close otherwise)
|
|
expect(existsSync(lockPath)).toBe(false);
|
|
});
|
|
|
|
it('retries on port+1 and updates the lock when the requested port is held by a third party', async () => {
|
|
// Occupy the requested port with a raw TCP server (a "third-party" process
|
|
// from the server's point of view — it does NOT hold the lock).
|
|
const { port, next } = await allocateAdjacentFreePair();
|
|
const occupant = await listenOnPort('127.0.0.1', port);
|
|
// Distinct lock path: the global single-instance lock is not what we are
|
|
// testing here; the port conflict must come from the TCP bind alone.
|
|
const thirdPartyLockPath = join(tmpDir, 'lock-third-party');
|
|
try {
|
|
const r = await startServer({
|
|
serviceOverrides: [fixedTokenAuth()],
|
|
host: '127.0.0.1',
|
|
port,
|
|
lockPath: thirdPartyLockPath,
|
|
logger: silentLogger(),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
});
|
|
running.push(r);
|
|
|
|
// Bound to the next port, and the lock advertises it so status/kill/ps work.
|
|
expect(r.address).toBe(`http://127.0.0.1:${String(next)}`);
|
|
const stored = JSON.parse(readFileSync(thirdPartyLockPath, 'utf8')) as LockContents;
|
|
expect(stored.port).toBe(next);
|
|
} finally {
|
|
await closeNetServer(occupant);
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('listenWithPortRetry', () => {
|
|
it('returns the requested port when the first listen succeeds', async () => {
|
|
const attempts: number[] = [];
|
|
const gateway = fakeGateway(async (_host, port) => {
|
|
attempts.push(port);
|
|
return `http://127.0.0.1:${String(port)}`;
|
|
});
|
|
|
|
const result = await listenWithPortRetry({
|
|
gateway,
|
|
host: '127.0.0.1',
|
|
port: 5000,
|
|
logger: silentLogger(),
|
|
});
|
|
|
|
expect(result.port).toBe(5000);
|
|
expect(attempts).toEqual([5000]);
|
|
});
|
|
|
|
it('retries with port+1 on EADDRINUSE until a bind succeeds', async () => {
|
|
const attempts: number[] = [];
|
|
const gateway = fakeGateway(async (_host, port) => {
|
|
attempts.push(port);
|
|
if (port < 5002) throw addrInUse();
|
|
return `http://127.0.0.1:${String(port)}`;
|
|
});
|
|
|
|
const result = await listenWithPortRetry({
|
|
gateway,
|
|
host: '127.0.0.1',
|
|
port: 5000,
|
|
logger: silentLogger(),
|
|
});
|
|
|
|
expect(result.port).toBe(5002);
|
|
expect(result.address).toBe('http://127.0.0.1:5002');
|
|
expect(attempts).toEqual([5000, 5001, 5002]);
|
|
});
|
|
|
|
it('does not retry on non-EADDRINUSE errors', async () => {
|
|
const attempts: number[] = [];
|
|
const boom = Object.assign(new Error('listen EACCES'), { code: 'EACCES' });
|
|
const gateway = fakeGateway(async (_host, port) => {
|
|
attempts.push(port);
|
|
throw boom;
|
|
});
|
|
|
|
await expect(
|
|
listenWithPortRetry({ gateway, host: '127.0.0.1', port: 5000, logger: silentLogger() }),
|
|
).rejects.toBe(boom);
|
|
expect(attempts).toEqual([5000]);
|
|
});
|
|
|
|
it('throws after exhausting maxRetries', async () => {
|
|
const attempts: number[] = [];
|
|
const gateway = fakeGateway(async (_host, port) => {
|
|
attempts.push(port);
|
|
throw addrInUse();
|
|
});
|
|
|
|
await expect(
|
|
listenWithPortRetry({
|
|
gateway,
|
|
host: '127.0.0.1',
|
|
port: 5000,
|
|
logger: silentLogger(),
|
|
maxRetries: 3,
|
|
}),
|
|
).rejects.toMatchObject({ code: 'EADDRINUSE' });
|
|
// initial attempt + 3 retries, then the cap throws.
|
|
expect(attempts).toEqual([5000, 5001, 5002, 5003]);
|
|
});
|
|
|
|
it('does not walk ports when the requested port is 0 (ephemeral)', async () => {
|
|
const attempts: number[] = [];
|
|
const gateway = fakeGateway(async (_host, port) => {
|
|
attempts.push(port);
|
|
return 'http://127.0.0.1:54321';
|
|
});
|
|
|
|
const result = await listenWithPortRetry({
|
|
gateway,
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
logger: silentLogger(),
|
|
});
|
|
|
|
expect(result.port).toBe(0);
|
|
expect(attempts).toEqual([0]);
|
|
});
|
|
});
|
|
|
|
describe('createServerLogger', () => {
|
|
it('uses an in-process pretty stream instead of pino worker transport', () => {
|
|
const logger = createServerLogger({ level: 'info', pretty: true });
|
|
const streamSym = (pino as unknown as { symbols: { streamSym: symbol } }).symbols.streamSym;
|
|
const stream = logger[streamSym as keyof typeof logger] as unknown as NodeJS.WritableStream & {
|
|
constructor?: { name?: string };
|
|
};
|
|
|
|
expect(stream.constructor?.name).not.toBe('ThreadStream');
|
|
stream.end();
|
|
});
|
|
});
|
|
|
|
describe('startServer — web assets', () => {
|
|
it('serves web assets from the server root without shadowing API routes', async () => {
|
|
const assetsDir = join(tmpDir, 'web-assets');
|
|
rmSync(assetsDir, { recursive: true, force: true });
|
|
mkdirSync(assetsDir);
|
|
writeFileSync(join(assetsDir, 'index.html'), '<html><div id="app"></div></html>', 'utf8');
|
|
writeFileSync(join(assetsDir, 'app.js'), 'console.log("kimi web");', 'utf8');
|
|
|
|
const r = await startServer({
|
|
serviceOverrides: [fixedTokenAuth()],
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
lockPath,
|
|
logger: silentLogger(),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
webAssetsDir: assetsDir,
|
|
});
|
|
running.push(r);
|
|
|
|
await expect(fetch(`${r.address}/`).then((res) => res.text())).resolves.toContain(
|
|
'<div id="app"></div>',
|
|
);
|
|
await expect(fetch(`${r.address}/sessions/abc`).then((res) => res.text())).resolves.toContain(
|
|
'<div id="app"></div>',
|
|
);
|
|
await expect(fetch(`${r.address}/app.js`).then((res) => res.text())).resolves.toBe(
|
|
'console.log("kimi web");',
|
|
);
|
|
|
|
const health = await fetch(`${r.address}/api/v1/healthz`);
|
|
await expect(health.json()).resolves.toMatchObject({ code: 0 });
|
|
|
|
const openApi = await fetch(`${r.address}/openapi.json`, { headers: authHeaders() });
|
|
expect(openApi.status).toBe(200);
|
|
expect(openApi.headers.get('content-type')).toContain('application/json');
|
|
await expect(openApi.json()).resolves.toMatchObject({
|
|
info: {
|
|
title: 'Kimi Code Server API',
|
|
},
|
|
paths: {
|
|
'/api/v1/healthz': {},
|
|
'/api/v1/sessions': {},
|
|
},
|
|
});
|
|
|
|
const asyncApi = await fetch(`${r.address}/asyncapi.json`, { headers: authHeaders() });
|
|
expect(asyncApi.status).toBe(200);
|
|
expect(asyncApi.headers.get('content-type')).toContain('application/json');
|
|
await expect(asyncApi.json()).resolves.toMatchObject({
|
|
asyncapi: '3.1.0',
|
|
defaultContentType: 'application/json',
|
|
channels: {
|
|
kimiCodeWebSocket: {
|
|
address: '/api/v1/ws',
|
|
},
|
|
},
|
|
operations: {
|
|
receiveClientMessages: {
|
|
action: 'receive',
|
|
},
|
|
sendServerMessages: {
|
|
action: 'send',
|
|
},
|
|
},
|
|
});
|
|
});
|
|
|
|
it('does not expose the Swagger UI while keeping /openapi.json available', async () => {
|
|
const r = await startServer({
|
|
serviceOverrides: [fixedTokenAuth()],
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
lockPath,
|
|
logger: silentLogger(),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
});
|
|
running.push(r);
|
|
|
|
const openApi = await fetch(`${r.address}/openapi.json`, { headers: authHeaders() });
|
|
expect(openApi.status).toBe(200);
|
|
|
|
const res = await fetch(`${r.address}/documentation`);
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('startServer — DI container wiring', () => {
|
|
it('exposes all DI services through running.services', async () => {
|
|
const r = await spawn();
|
|
// Every decorator should resolve. .get() would throw "No service registered"
|
|
// if any were missing.
|
|
r.services.invokeFunction((a) => {
|
|
expect(a.get(ILogService)).toBeDefined();
|
|
expect(a.get(IRestGateway)).toBeDefined();
|
|
expect(a.get(IConnectionRegistry)).toBeDefined();
|
|
expect(a.get(ISessionClientsService)).toBeDefined();
|
|
expect(a.get(IEventService)).toBeDefined();
|
|
expect(a.get(IWSBroadcastService)).toBeDefined();
|
|
expect(a.get(IApprovalService)).toBeDefined();
|
|
expect(a.get(IQuestionService)).toBeDefined();
|
|
expect(a.get(IWSGateway)).toBeDefined();
|
|
const bridge = a.get(ICoreProcessService);
|
|
expect(bridge).toBeDefined();
|
|
expect(typeof bridge.rpc).toBe('object');
|
|
expect(typeof bridge.dispose).toBe('function');
|
|
});
|
|
});
|
|
|
|
it('CoreProcessService.rpc rejects after the server is closed (dispose cascade)', async () => {
|
|
const r = await spawn();
|
|
// Grab a bridge reference BEFORE close — after close the container is disposed
|
|
// and a.get(ICoreProcessService) would throw on the dead InstantiationService.
|
|
const bridge = r.services.invokeFunction((a) => a.get(ICoreProcessService));
|
|
await r.close();
|
|
await expect(bridge.rpc.getCoreInfo({})).rejects.toThrow(/disposed/);
|
|
});
|
|
});
|
|
|
|
describe('POST /api/v1/shutdown', () => {
|
|
it('responds ok and triggers the shutdown service', async () => {
|
|
let resolveCalled!: () => void;
|
|
const called = new Promise<void>((res) => {
|
|
resolveCalled = res;
|
|
});
|
|
const reasons: string[] = [];
|
|
const fake = {
|
|
_serviceBrand: undefined,
|
|
requestShutdown: async (reason: string) => {
|
|
reasons.push(reason);
|
|
resolveCalled();
|
|
},
|
|
};
|
|
|
|
const r = await startServer({
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
lockPath,
|
|
logger: silentLogger(),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
// Override the real shutdown service so the route does not exit the
|
|
// test runner via `process.exit(0)`.
|
|
serviceOverrides: [fixedTokenAuth(), [IServerShutdownService, fake] as const],
|
|
});
|
|
running.push(r);
|
|
|
|
const res = await fetch(`${r.address}/api/v1/shutdown`, {
|
|
method: 'POST',
|
|
headers: authHeaders(),
|
|
});
|
|
expect(res.status).toBe(200);
|
|
const body = (await res.json()) as Record<string, unknown>;
|
|
expect(body['code']).toBe(0);
|
|
expect(body['data']).toEqual({ ok: true });
|
|
|
|
// The route defers shutdown via setImmediate so the response can flush.
|
|
await called;
|
|
expect(reasons).toEqual(['api']);
|
|
});
|
|
|
|
it('registers a real shutdown service by default', async () => {
|
|
const r = await spawn();
|
|
const service = r.services.invokeFunction((a) => a.get(IServerShutdownService));
|
|
expect(typeof service.requestShutdown).toBe('function');
|
|
});
|
|
});
|