import { test } from 'node:test'; import assert from 'node:assert/strict'; import { MatrixCapabilities, Capability } from 'matrix-widget-api'; import { validateWidgetUrl, isWidgetUrlSafe, filterWidgetCapabilities, generateWidgetId, } from './widgetUtils'; const APP = 'https://chat.lotusguild.org'; test('validateWidgetUrl accepts a cross-origin https url', () => { assert.equal(validateWidgetUrl('https://pad.example.org/p/room', APP), undefined); }); test('validateWidgetUrl rejects empty / invalid / http / same-origin', () => { assert.equal(validateWidgetUrl(' ', APP), 'empty'); assert.equal(validateWidgetUrl('not a url', APP), 'invalid'); assert.equal(validateWidgetUrl('http://example.org', APP), 'not-https'); assert.equal(validateWidgetUrl('https://chat.lotusguild.org/evil', APP), 'same-origin'); }); test('isWidgetUrlSafe rejects same-origin + garbage, accepts cross-origin', () => { assert.equal(isWidgetUrlSafe('https://chat.lotusguild.org/x', APP), false); assert.equal(isWidgetUrlSafe('https://other.example/x', APP), true); assert.equal(isWidgetUrlSafe('garbage', APP), false); }); test('filterWidgetCapabilities keeps only the benign allowlist', () => { const requested = new Set([ MatrixCapabilities.AlwaysOnScreen, 'm.send.event:m.room.message', 'org.matrix.msc2762.receive.state_event:m.room.member', MatrixCapabilities.Screenshots, ]); const allowed = filterWidgetCapabilities(requested); assert.ok(allowed.has(MatrixCapabilities.AlwaysOnScreen)); assert.ok(allowed.has(MatrixCapabilities.Screenshots)); assert.equal(allowed.has('m.send.event:m.room.message'), false); assert.equal(allowed.size, 2); }); test('generateWidgetId is prefixed and unique across calls', () => { const a = generateWidgetId(); const b = generateWidgetId(); assert.match(a, /^lotus_/); assert.notEqual(a, b); });