import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'bun:test'; import express from 'express'; import * as fs from 'fs'; import * as os from 'os'; import * as path from 'path'; import type { Server } from 'http'; import { usageRoutes } from '../../../src/web-server/usage/routes'; describe('usage-routes remote write guard', () => { let server: Server; let baseUrl = ''; let forcedRemoteAddress = '127.0.0.1'; let tempHome = ''; let originalDashboardAuthEnabled: string | undefined; let originalCcsHome: string | undefined; beforeAll(async () => { const app = express(); app.use(express.json()); app.use((req, _res, next) => { Object.defineProperty(req.socket, 'remoteAddress', { value: forcedRemoteAddress, configurable: true, }); next(); }); app.use('/api/usage', usageRoutes); await new Promise((resolve, reject) => { server = app.listen(0, '127.0.0.1'); server.once('error', reject); server.once('listening', () => resolve()); }); const address = server.address(); if (!address || typeof address === 'string') { throw new Error('Unable to resolve test server port'); } baseUrl = `http://127.0.0.1:${address.port}`; }); afterAll(async () => { await new Promise((resolve) => server.close(() => resolve())); }); beforeEach(() => { originalDashboardAuthEnabled = process.env.CCS_DASHBOARD_AUTH_ENABLED; originalCcsHome = process.env.CCS_HOME; tempHome = fs.mkdtempSync(path.join(os.tmpdir(), 'ccs-usage-routes-auth-')); process.env.CCS_HOME = tempHome; process.env.CCS_DASHBOARD_AUTH_ENABLED = 'false'; forcedRemoteAddress = '10.10.0.24'; }); afterEach(() => { if (originalDashboardAuthEnabled !== undefined) { process.env.CCS_DASHBOARD_AUTH_ENABLED = originalDashboardAuthEnabled; } else { delete process.env.CCS_DASHBOARD_AUTH_ENABLED; } if (originalCcsHome !== undefined) { process.env.CCS_HOME = originalCcsHome; } else { delete process.env.CCS_HOME; } if (tempHome && fs.existsSync(tempHome)) { fs.rmSync(tempHome, { recursive: true, force: true }); tempHome = ''; } }); it('allows remote read-only usage status requests when dashboard auth is disabled', async () => { const response = await fetch(`${baseUrl}/api/usage/status`); expect(response.status).toBe(200); }); it('blocks remote usage refresh when dashboard auth is disabled', async () => { const response = await fetch(`${baseUrl}/api/usage/refresh`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({}), }); expect(response.status).toBe(403); expect(await response.json()).toEqual({ error: 'Usage refresh requires localhost access when dashboard auth is disabled.', }); }); });