kimi-code/packages/server/test/workspaces.e2e.test.ts
Haozhe 60dfb68a2d
feat(server): add bearer-token auth and safe host exposure (#1006)
* test(server): add API surface snapshot guardrail

Boot startServer on port 0 and snapshot the documented v1 route table derived from /openapi.json paths, plus the reachability of doc/meta endpoints (/healthz, /openapi.json, /asyncapi.json, /). Gives later auth/--host phases an intentional diff when routes change. M0 makes no production behavior change.

* test(server): add e2e server harness with token support

Add test/helpers/serverHarness.ts: boot() wraps startServer with an isolated lock + home dir and returns a handle (server, address, baseUrl, wsUrl, token, close) plus authedFetch/authedWs that carry Authorization: Bearer <token> (and the kimi-code.bearer.<token> WS subprotocol). serviceOverrides is the generic DI seam later phases use to inject a fixed-token auth service; IAuthTokenService is not referenced yet. closeAll() tears down every booted server and socket. M0 makes no production behavior change; typecheck-only gate.

* feat(server): add privateFiles 0600 atomic write/read utility

* feat(server): add per-start tokenStore

* feat(server): add env-based bcrypt password hash utility

* feat(server): add IAuthTokenService DI seam

* feat(server): add global onRequest auth hook with bypass + redaction

* fix(server): stop reflecting Host header in /asyncapi.json

* feat(server): add WS bearer subprotocol constant and parser

* feat(server): enforce bearer token auth on WS upgrade

* feat(server): add Host header allowlist middleware

* feat(server): add Origin/CORS middleware

* feat(server): wire Host/Origin checks into HTTP and WS

* feat(server): wire token auth, Host/Origin, and WS auth into start.ts

* fix(server): create lock file with 0600 permissions

* fix(server): suppress debug routes on non-loopback binds

* feat(kimi-code): read server token and send Authorization on CLI calls

* feat(kimi-code): inject server token into /web URL fragment

* feat(server): add bindClassify for loopback/lan/public classification

* feat(kimi-code): register --host flag and pass it through the daemon

* feat(server): require password and TLS opt-out on non-loopback binds

* feat(server): rate-limit repeated auth failures on non-loopback binds

* feat(server): disable shutdown and terminals on public binds by default

* feat(server): add security response headers on non-loopback binds

* test(server): cover LAN/public host-exposure hardening end to end

* docs(server): add deployment security and threat-model guide

* changeset: minor kimi-code for server auth and host exposure

* feat(kimi-web): add server bearer-token auth support

* fix: repair CI for server auth and host exposure

- Replace native @node-rs/bcrypt with pure-JS bcryptjs so the ESM CLI
  bundle and the SEA native bundle both build without native-addon
  require issues (node-rs/bcrypt broke the ESM smoke and the SEA
  check-bundle allowlist).
- Remove dead cleanup references (stopSpinner, authLogoBlinkTimer) in
  apps/kimi-web App.vue that failed vue-tsc.
- Fix lint: drop empty spread fallbacks in the e2e auth-header merge,
  void the intentionally-async WS upgrade listener, add missing
  assertions to satisfy jest/expect-expect, and convert a ternary
  statement to if/else.
- Send the bearer token in the snapshot perf/smoke tests so they pass
  under the new global auth hook.
- Refresh the pnpmDeps hash in flake.nix for the updated lockfile.

* feat(server): persist bearer token and add rotate-token command

- persist the server bearer token in <home>/server.token (0600) and reuse it across restarts instead of per-start server-<pid>.token
- add `kimi server rotate-token` to regenerate the token; the token store reloads on mtime/inode change so rotation applies without restart
- print the token and Vite-style Local/Network URLs in the startup banner
- allow non-loopback binds with bearer-token-only auth (password now optional) and update SECURITY.md
- surface daemon boot failures immediately with the exit reason and log tail instead of waiting for the spawn timeout

* feat(server): print full token URLs and re-print links after rotate

- Drop the ready-panel border so token URLs print in full for copying; keep the Kimi sprite beside the title.
- Re-print Local/Network access links after `server rotate-token` (host/port from the lock).
- Extract shared access-URL helpers into access-urls.ts.
- Unify link and token colors between the banner and rotate-token.

* feat(server): dim URL #token= fragment and de-highlight token

- Render the `#token=…` fragment in a dim gray so the host/port stands out in the banner and rotate-token links.
- De-highlight the standalone token; set it off with surrounding whitespace instead of color.
- Add splitTokenFragment helper.

* refactor(cli): polish server ready banner and rotate-token output

- move version onto the ready banner title line; drop the separate
  Ready:/Version: rows and the startup-time metric
- reorder rotate-token output so the new token sits between the
  invalidation note and the access links
- update server CLI tests for the new layout

* feat(server): warn on reuse and refine ready banner

- Warn when `server run` reuses an already-running daemon (its options are not applied) and show the running server's actual URLs.
- Show a `Network: off  use --host 0.0.0.0 to enable` hint on loopback binds.
- Move the version onto the title line and drop the startup-time metric.

* fix(web): relabel auth dialog to token and cover full page

- Relabel the server auth dialog from "password" to "token"; the server accepts the bearer token, with the password only as a fallback.
- Make the auth dialog overlay fully opaque so it covers the whole page instead of revealing the login page underneath.

* fix: resolve CI failures on web auth PR

- Replace chalk.yellow named color with chalk.hex(darkColors.warning)
  in the server reuse notice to satisfy the chalk named color guard.
- Update pnpmDeps hash in flake.nix to match the regenerated
  pnpm-lock.yaml so the Nix build succeeds.
- Retry rmSync in ws-broadcast e2e teardown to ride out EBUSY /
  ENOTEMPTY races while the server flushes files after close().

* test(server): update API surface snapshot for warnings route

The feat/web-auth branch adds GET /api/v1/sessions/{session_id}/warnings
(packages/server/src/routes/sessions.ts), so the API surface guardrail
snapshot needs to record the new documented v1 route.
2026-06-25 17:57:56 +08:00

322 lines
10 KiB
TypeScript

/**
* Workspace registry end-to-end tests.
*
* Covers:
* - POST /api/v1/workspaces (idempotent on root)
* - GET /api/v1/workspaces (list with git probe)
* - PATCH /api/v1/workspaces/{id} (rename)
* - DELETE /api/v1/workspaces/{id} (removes the registry entry only)
* - Unknown id → 40410
* - Non-existent root → 40409
*/
import {
existsSync,
mkdirSync,
mkdtempSync,
readFileSync,
rmSync,
writeFileSync,
} from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import { pino } from 'pino';
import { afterEach, beforeEach, describe, expect, it } from 'vitest';
import { IRestGateway, startServer, type RunningServer } from '../src';
import { fixedTokenAuth } from './helpers/serverHarness';
import type { Workspace } from '@moonshot-ai/protocol';
let tmpDir: string;
let lockPath: string;
let bridgeHome: string;
let server: RunningServer | undefined;
beforeEach(() => {
tmpDir = mkdtempSync(join(tmpdir(), 'kimi-server-workspaces-test-'));
lockPath = join(tmpDir, 'lock');
bridgeHome = mkdtempSync(join(tmpdir(), 'kimi-server-workspaces-home-'));
});
afterEach(async () => {
try {
await server?.close();
} catch {
// ignore
}
server = undefined;
rmSync(tmpDir, { recursive: true, force: true });
rmSync(bridgeHome, { recursive: true, force: true });
});
async function bootDaemon(): Promise<RunningServer> {
server = await startServer({
serviceOverrides: [fixedTokenAuth()],
host: '127.0.0.1',
port: 0,
lockPath,
logger: pino({ level: 'silent' }),
coreProcessOptions: { homeDir: bridgeHome },
});
return server;
}
function appOf(r: RunningServer): {
inject: (req: unknown) => Promise<{ statusCode: number; json: () => unknown }>;
} {
const app = r.services.invokeFunction((a) => {
const gw = a.get(IRestGateway);
return gw.app as unknown as {
inject: (req: unknown) => Promise<{ statusCode: number; json: () => unknown }>;
};
});
// Auto-attach the fixed bearer token so the M5.1 auth hook passes. A
// caller-supplied `authorization` header wins, so explicit token tests keep
// working; every other header (Range, content-type, …) is preserved.
return {
inject(req: unknown) {
const q = req as { headers?: Record<string, string | string[] | undefined> };
return app.inject({
...q,
headers: { authorization: 'Bearer test-token', ...q.headers },
});
},
};
}
function envelopeOf<T>(body: unknown): {
code: number;
msg: string;
data: T | null;
request_id: string;
details?: unknown;
} {
return body as { code: number; msg: string; data: T | null; request_id: string; details?: unknown };
}
/** Lay down a minimal git fixture: `.git/HEAD` referring to a branch. */
function makeGitRepo(root: string, branch: string): void {
mkdirSync(join(root, '.git'), { recursive: true });
writeFileSync(join(root, '.git', 'HEAD'), `ref: refs/heads/${branch}\n`, 'utf8');
}
interface RegistryFile {
version: number;
workspaces: Record<string, { root: string; name: string }>;
}
function readRegistry(): RegistryFile {
return JSON.parse(readFileSync(join(bridgeHome, 'workspaces.json'), 'utf8')) as RegistryFile;
}
function bucketDir(workspaceId: string): string {
return join(bridgeHome, 'sessions', workspaceId);
}
describe('POST /api/v1/workspaces — register', () => {
it('creates a Workspace with derived id, name=basename, is_git_repo via probe', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'my-project');
mkdirSync(root, { recursive: true });
makeGitRepo(root, 'main');
const res = await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root },
});
expect(res.statusCode).toBe(200);
const env = envelopeOf<Workspace>(res.json());
expect(env.code).toBe(0);
const ws = env.data!;
expect(ws.id).toMatch(/^wd_[a-z0-9._-]+_[0-9a-f]{12}$/);
expect(ws.name).toBe('my-project');
expect(ws.is_git_repo).toBe(true);
expect(ws.branch).toBe('main');
expect(ws.session_count).toBe(0);
expect(ws.root).toBeTruthy();
});
it('writes the entry to workspaces.json and does not create per-bucket workspace.json', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'registry-source');
mkdirSync(root, { recursive: true });
const ws = envelopeOf<Workspace>(
(await appOf(r).inject({ method: 'POST', url: '/api/v1/workspaces', payload: { root } })).json(),
).data!;
const registry = readRegistry();
expect(registry.workspaces[ws.id]?.name).toBe('registry-source');
expect(registry.workspaces[ws.id]?.root).toBe(ws.root);
expect(existsSync(join(bucketDir(ws.id), 'workspace.json'))).toBe(false);
});
it('uses caller-supplied name when present', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'p');
mkdirSync(root, { recursive: true });
const res = await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root, name: 'My Pretty Name' },
});
expect(envelopeOf<Workspace>(res.json()).data!.name).toBe('My Pretty Name');
});
it('is idempotent on root (same id, updates last_opened_at on subsequent POST)', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'idempotent');
mkdirSync(root, { recursive: true });
const first = envelopeOf<Workspace>(
(await appOf(r).inject({ method: 'POST', url: '/api/v1/workspaces', payload: { root } })).json(),
).data!;
// Sleep 5ms so the second touch's last_opened_at differs from the first.
await new Promise((resolve) => setTimeout(resolve, 5));
const second = envelopeOf<Workspace>(
(await appOf(r).inject({ method: 'POST', url: '/api/v1/workspaces', payload: { root } })).json(),
).data!;
expect(second.id).toBe(first.id);
expect(second.created_at).toBe(first.created_at);
expect(second.last_opened_at >= first.last_opened_at).toBe(true);
});
it('returns 40409 when root does not exist', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root: join(tmpDir, 'does-not-exist') },
});
expect(envelopeOf(res.json()).code).toBe(40409);
});
it('returns 40001 when root is empty', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root: '' },
});
expect(envelopeOf(res.json()).code).toBe(40001);
});
});
describe('GET /api/v1/workspaces — list', () => {
it('returns sorted-by-last-opened-desc list with git probe', async () => {
const r = await bootDaemon();
const a = join(tmpDir, 'alpha');
const b = join(tmpDir, 'beta');
mkdirSync(a, { recursive: true });
mkdirSync(b, { recursive: true });
makeGitRepo(a, 'feature/x');
await appOf(r).inject({ method: 'POST', url: '/api/v1/workspaces', payload: { root: a } });
await new Promise((resolve) => setTimeout(resolve, 5));
await appOf(r).inject({ method: 'POST', url: '/api/v1/workspaces', payload: { root: b } });
const res = await appOf(r).inject({ method: 'GET', url: '/api/v1/workspaces' });
const items = envelopeOf<{ items: Workspace[] }>(res.json()).data!.items;
expect(items).toHaveLength(2);
// Newest first
expect(items[0]!.name).toBe('beta');
expect(items[1]!.name).toBe('alpha');
expect(items[1]!.is_git_repo).toBe(true);
expect(items[1]!.branch).toBe('feature/x');
});
it('returns empty list when no workspaces are registered', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({ method: 'GET', url: '/api/v1/workspaces' });
expect(envelopeOf<{ items: Workspace[] }>(res.json()).data!.items).toEqual([]);
});
});
describe('PATCH /api/v1/workspaces/{id} — rename', () => {
it('updates the display name', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'renameme');
mkdirSync(root, { recursive: true });
const created = envelopeOf<Workspace>(
(
await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root },
})
).json(),
).data!;
const renamed = envelopeOf<Workspace>(
(
await appOf(r).inject({
method: 'PATCH',
url: `/api/v1/workspaces/${created.id}`,
payload: { name: 'New Name' },
})
).json(),
).data!;
expect(renamed.name).toBe('New Name');
expect(renamed.id).toBe(created.id);
});
it('returns 40410 for unknown workspace id', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({
method: 'PATCH',
url: '/api/v1/workspaces/wd_nonexistent_0123456789ab',
payload: { name: 'X' },
});
expect(envelopeOf(res.json()).code).toBe(40410);
});
it('returns 40001 for invalid workspace_id shape', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({
method: 'PATCH',
url: '/api/v1/workspaces/not-a-wd-id',
payload: { name: 'X' },
});
expect(envelopeOf(res.json()).code).toBe(40001);
});
});
describe('DELETE /api/v1/workspaces/{id} — unregister', () => {
it('removes the registry entry but keeps the session bucket on disk', async () => {
const r = await bootDaemon();
const root = join(tmpDir, 'deleteme');
mkdirSync(root, { recursive: true });
const created = envelopeOf<Workspace>(
(
await appOf(r).inject({
method: 'POST',
url: '/api/v1/workspaces',
payload: { root },
})
).json(),
).data!;
expect(readRegistry().workspaces[created.id]).toBeDefined();
const deletedRes = await appOf(r).inject({
method: 'DELETE',
url: `/api/v1/workspaces/${created.id}`,
});
expect(envelopeOf<{ deleted: true }>(deletedRes.json()).data).toEqual({ deleted: true });
expect(readRegistry().workspaces[created.id]).toBeUndefined();
expect(existsSync(bucketDir(created.id))).toBe(true);
const listRes = await appOf(r).inject({ method: 'GET', url: '/api/v1/workspaces' });
expect(envelopeOf<{ items: Workspace[] }>(listRes.json()).data!.items).toEqual([]);
});
it('returns 40410 for unknown workspace id', async () => {
const r = await bootDaemon();
const res = await appOf(r).inject({
method: 'DELETE',
url: '/api/v1/workspaces/wd_nonexistent_0123456789ab',
});
expect(envelopeOf(res.json()).code).toBe(40410);
});
});