50 lines
1.8 KiB
TypeScript
50 lines
1.8 KiB
TypeScript
|
|
import { test } from 'node:test';
|
||
|
|
import assert from 'node:assert/strict';
|
||
|
|
import { MatrixCapabilities, Capability } from 'matrix-widget-api';
|
||
|
|
import {
|
||
|
|
validateWidgetUrl,
|
||
|
|
isWidgetUrlSafe,
|
||
|
|
filterWidgetCapabilities,
|
||
|
|
generateWidgetId,
|
||
|
|
} from './widgetUtils';
|
||
|
|
|
||
|
|
const APP = 'https://chat.lotusguild.org';
|
||
|
|
|
||
|
|
test('validateWidgetUrl accepts a cross-origin https url', () => {
|
||
|
|
assert.equal(validateWidgetUrl('https://pad.example.org/p/room', APP), undefined);
|
||
|
|
});
|
||
|
|
|
||
|
|
test('validateWidgetUrl rejects empty / invalid / http / same-origin', () => {
|
||
|
|
assert.equal(validateWidgetUrl(' ', APP), 'empty');
|
||
|
|
assert.equal(validateWidgetUrl('not a url', APP), 'invalid');
|
||
|
|
assert.equal(validateWidgetUrl('http://example.org', APP), 'not-https');
|
||
|
|
assert.equal(validateWidgetUrl('https://chat.lotusguild.org/evil', APP), 'same-origin');
|
||
|
|
});
|
||
|
|
|
||
|
|
test('isWidgetUrlSafe rejects same-origin + garbage, accepts cross-origin', () => {
|
||
|
|
assert.equal(isWidgetUrlSafe('https://chat.lotusguild.org/x', APP), false);
|
||
|
|
assert.equal(isWidgetUrlSafe('https://other.example/x', APP), true);
|
||
|
|
assert.equal(isWidgetUrlSafe('garbage', APP), false);
|
||
|
|
});
|
||
|
|
|
||
|
|
test('filterWidgetCapabilities keeps only the benign allowlist', () => {
|
||
|
|
const requested = new Set<Capability>([
|
||
|
|
MatrixCapabilities.AlwaysOnScreen,
|
||
|
|
'm.send.event:m.room.message',
|
||
|
|
'org.matrix.msc2762.receive.state_event:m.room.member',
|
||
|
|
MatrixCapabilities.Screenshots,
|
||
|
|
]);
|
||
|
|
const allowed = filterWidgetCapabilities(requested);
|
||
|
|
assert.ok(allowed.has(MatrixCapabilities.AlwaysOnScreen));
|
||
|
|
assert.ok(allowed.has(MatrixCapabilities.Screenshots));
|
||
|
|
assert.equal(allowed.has('m.send.event:m.room.message'), false);
|
||
|
|
assert.equal(allowed.size, 2);
|
||
|
|
});
|
||
|
|
|
||
|
|
test('generateWidgetId is prefixed and unique across calls', () => {
|
||
|
|
const a = generateWidgetId();
|
||
|
|
const b = generateWidgetId();
|
||
|
|
assert.match(a, /^lotus_/);
|
||
|
|
assert.notEqual(a, b);
|
||
|
|
});
|