Promote GRO-2294 to UAT: Route Optimization security hardening (#194)
CI / Lint & Typecheck (push) Successful in 28s
CI / Test (push) Successful in 29s
CI / Build & Push Docker Images (push) Successful in 39s
CI / Test (pull_request) Successful in 25s
CI / Lint & Typecheck (pull_request) Successful in 37s
CI / Build & Push Docker Images (pull_request) Successful in 1m8s
CI / Lint & Typecheck (push) Successful in 28s
CI / Test (push) Successful in 29s
CI / Build & Push Docker Images (push) Successful in 39s
CI / Test (pull_request) Successful in 25s
CI / Lint & Typecheck (pull_request) Successful in 37s
CI / Build & Push Docker Images (pull_request) Successful in 1m8s
This commit was merged in pull request #194.
This commit is contained in:
@@ -0,0 +1,89 @@
|
||||
import { describe, it, expect, vi, beforeEach } from "vitest";
|
||||
import { Hono } from "hono";
|
||||
|
||||
// ─── Mocks ──────────────────────────────────────────────────────────────────
|
||||
// GRO-2294: the POST /clients/geocode-batch handler must clamp ?limit to the
|
||||
// documented maximum (500) before invoking the geocoding service. We mock the
|
||||
// service to capture the exact limit the route forwards.
|
||||
|
||||
const geocodeUngeocodedClients = vi.fn(async () => ({
|
||||
totalRemaining: 0,
|
||||
processed: 0,
|
||||
geocoded: 0,
|
||||
failed: 0,
|
||||
remaining: 0,
|
||||
}));
|
||||
|
||||
vi.mock("../services/clientGeocoding.js", () => ({
|
||||
geocodeUngeocodedClients,
|
||||
geocodeClient: vi.fn(),
|
||||
resolveClientGeocodingProvider: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock("@groombook/db", () => {
|
||||
const tableProxy = (name: string) =>
|
||||
new Proxy(
|
||||
{ _name: name },
|
||||
{ get: (_t, p) => (p === "_name" ? name : { table: name, column: p }) }
|
||||
);
|
||||
return {
|
||||
getDb: () => ({}),
|
||||
clients: tableProxy("clients"),
|
||||
appointments: tableProxy("appointments"),
|
||||
and: vi.fn(),
|
||||
eq: vi.fn(),
|
||||
or: vi.fn(),
|
||||
exists: vi.fn(),
|
||||
};
|
||||
});
|
||||
|
||||
const { clientsRouter } = await import("../routes/clients.js");
|
||||
|
||||
const app = new Hono();
|
||||
app.route("/clients", clientsRouter);
|
||||
|
||||
function postBatch(query: string) {
|
||||
return app.request(`/clients/geocode-batch${query}`, { method: "POST" });
|
||||
}
|
||||
|
||||
describe("POST /clients/geocode-batch — ?limit cap (GRO-2294)", () => {
|
||||
beforeEach(() => {
|
||||
geocodeUngeocodedClients.mockClear();
|
||||
});
|
||||
|
||||
it("defaults to 50 when no ?limit is supplied", async () => {
|
||||
const res = await postBatch("");
|
||||
expect(res.status).toBe(200);
|
||||
expect(geocodeUngeocodedClients).toHaveBeenCalledWith(expect.anything(), 50);
|
||||
});
|
||||
|
||||
it("passes through a value within the cap", async () => {
|
||||
const res = await postBatch("?limit=120");
|
||||
expect(res.status).toBe(200);
|
||||
expect(geocodeUngeocodedClients).toHaveBeenCalledWith(expect.anything(), 120);
|
||||
});
|
||||
|
||||
it("clamps an over-cap value to 500", async () => {
|
||||
const res = await postBatch("?limit=100000");
|
||||
expect(res.status).toBe(200);
|
||||
expect(geocodeUngeocodedClients).toHaveBeenCalledWith(expect.anything(), 500);
|
||||
});
|
||||
|
||||
it("floors a fractional value before clamping", async () => {
|
||||
const res = await postBatch("?limit=49.9");
|
||||
expect(res.status).toBe(200);
|
||||
expect(geocodeUngeocodedClients).toHaveBeenCalledWith(expect.anything(), 49);
|
||||
});
|
||||
|
||||
it("rejects a non-positive limit with 400", async () => {
|
||||
const res = await postBatch("?limit=0");
|
||||
expect(res.status).toBe(400);
|
||||
expect(geocodeUngeocodedClients).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("rejects a non-numeric limit with 400", async () => {
|
||||
const res = await postBatch("?limit=abc");
|
||||
expect(res.status).toBe(400);
|
||||
expect(geocodeUngeocodedClients).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,91 @@
|
||||
import { describe, it, expect, vi, beforeEach } from "vitest";
|
||||
import { Hono } from "hono";
|
||||
|
||||
// ─── Mocks ──────────────────────────────────────────────────────────────────
|
||||
// GRO-2294: GET /api/admin/settings must not return the encrypted
|
||||
// googleMapsApiKey ciphertext, on either the existing-row or auto-create branch.
|
||||
|
||||
let selectRows: Record<string, unknown>[] = [];
|
||||
let insertReturning: Record<string, unknown>[] = [];
|
||||
|
||||
function makeChainable(data: unknown[]): unknown {
|
||||
const arr = [...data];
|
||||
const chain = new Proxy(arr, {
|
||||
get(target, prop) {
|
||||
if (prop === "where" || prop === "orderBy" || prop === "limit") {
|
||||
return () => chain;
|
||||
}
|
||||
// @ts-expect-error proxy passthrough
|
||||
return target[prop];
|
||||
},
|
||||
});
|
||||
return chain;
|
||||
}
|
||||
|
||||
vi.mock("@groombook/db", () => {
|
||||
const businessSettings = new Proxy(
|
||||
{ _name: "business_settings" },
|
||||
{ get: (_t, p) => (p === "_name" ? "business_settings" : { column: p }) }
|
||||
);
|
||||
return {
|
||||
getDb: () => ({
|
||||
select: () => ({ from: () => makeChainable(selectRows) }),
|
||||
insert: () => ({
|
||||
values: () => ({ returning: () => insertReturning }),
|
||||
}),
|
||||
}),
|
||||
businessSettings,
|
||||
eq: vi.fn(),
|
||||
};
|
||||
});
|
||||
|
||||
vi.mock("../lib/s3.js", () => ({
|
||||
getPresignedUploadUrl: vi.fn(),
|
||||
deleteObject: vi.fn(),
|
||||
putObject: vi.fn(),
|
||||
getObject: vi.fn(),
|
||||
}));
|
||||
|
||||
const { settingsRouter } = await import("../routes/settings.js");
|
||||
|
||||
const app = new Hono();
|
||||
app.route("/settings", settingsRouter);
|
||||
|
||||
const FULL_ROW = {
|
||||
id: "settings-uuid-1",
|
||||
businessName: "GroomBook",
|
||||
primaryColor: "#4f8a6f",
|
||||
accentColor: "#8b7355",
|
||||
routeOptimizationProvider: "google",
|
||||
googleMapsApiKey: "ENCRYPTED::super-secret-ciphertext",
|
||||
createdAt: new Date(),
|
||||
updatedAt: new Date(),
|
||||
};
|
||||
|
||||
describe("GET /settings — googleMapsApiKey redaction (GRO-2294)", () => {
|
||||
beforeEach(() => {
|
||||
selectRows = [];
|
||||
insertReturning = [];
|
||||
});
|
||||
|
||||
it("omits googleMapsApiKey from an existing settings row", async () => {
|
||||
selectRows = [{ ...FULL_ROW }];
|
||||
const res = await app.request("/settings", { method: "GET" });
|
||||
expect(res.status).toBe(200);
|
||||
const body = (await res.json()) as Record<string, unknown>;
|
||||
expect(body).not.toHaveProperty("googleMapsApiKey");
|
||||
// Non-secret fields are still returned.
|
||||
expect(body.businessName).toBe("GroomBook");
|
||||
expect(body.routeOptimizationProvider).toBe("google");
|
||||
});
|
||||
|
||||
it("omits googleMapsApiKey from the auto-create branch", async () => {
|
||||
selectRows = [];
|
||||
insertReturning = [{ ...FULL_ROW, id: "settings-uuid-new" }];
|
||||
const res = await app.request("/settings", { method: "GET" });
|
||||
expect(res.status).toBe(200);
|
||||
const body = (await res.json()) as Record<string, unknown>;
|
||||
expect(body).not.toHaveProperty("googleMapsApiKey");
|
||||
expect(body.id).toBe("settings-uuid-new");
|
||||
});
|
||||
});
|
||||
+10
-1
@@ -12,6 +12,12 @@ import {
|
||||
|
||||
export const clientsRouter = new Hono<AppEnv>();
|
||||
|
||||
// Batch-geocode bounds (GRO-2294): default 50, hard cap 500. The cap bounds how
|
||||
// long one synchronous request stays open and the per-request external API cost
|
||||
// when routeOptimizationProvider = "google".
|
||||
const GEOCODE_BATCH_DEFAULT_LIMIT = 50;
|
||||
const GEOCODE_BATCH_MAX_LIMIT = 500;
|
||||
|
||||
type ClientRow = typeof clients.$inferSelect;
|
||||
|
||||
/**
|
||||
@@ -185,12 +191,15 @@ clientsRouter.post("/:clientId/geocode", async (c) => {
|
||||
clientsRouter.post("/geocode-batch", async (c) => {
|
||||
const db = getDb();
|
||||
const limitRaw = c.req.query("limit");
|
||||
let limit = 50;
|
||||
let limit = GEOCODE_BATCH_DEFAULT_LIMIT;
|
||||
if (limitRaw !== undefined) {
|
||||
limit = Number(limitRaw);
|
||||
if (!Number.isFinite(limit) || limit <= 0) {
|
||||
return c.json({ error: "limit must be a positive integer" }, 400);
|
||||
}
|
||||
// Clamp to the documented maximum to bound synchronous request duration
|
||||
// and (for the Google provider) per-request external API cost.
|
||||
limit = Math.min(Math.floor(limit), GEOCODE_BATCH_MAX_LIMIT);
|
||||
}
|
||||
const summary = await geocodeUngeocodedClients(db, limit);
|
||||
return c.json(summary);
|
||||
|
||||
+14
-2
@@ -7,6 +7,17 @@ import { requireSuperUser } from "../middleware/rbac.js";
|
||||
|
||||
export const settingsRouter = new Hono();
|
||||
|
||||
type BusinessSettingsRow = typeof businessSettings.$inferSelect;
|
||||
|
||||
// Strip the encrypted googleMapsApiKey ciphertext from settings responses
|
||||
// (GRO-2294, defense-in-depth). The secret is never needed client-side; it is
|
||||
// only written via the dedicated provider-config endpoint.
|
||||
function redactSettings(row: BusinessSettingsRow) {
|
||||
const rest: Partial<BusinessSettingsRow> = { ...row };
|
||||
delete rest.googleMapsApiKey;
|
||||
return rest;
|
||||
}
|
||||
|
||||
// GET /api/admin/settings — return current business settings
|
||||
settingsRouter.get("/", async (c) => {
|
||||
const db = getDb();
|
||||
@@ -14,9 +25,10 @@ settingsRouter.get("/", async (c) => {
|
||||
if (!row) {
|
||||
// Auto-create default settings if none exist
|
||||
const [created] = await db.insert(businessSettings).values({}).returning();
|
||||
return c.json(created);
|
||||
if (!created) throw new Error("Failed to create default settings");
|
||||
return c.json(redactSettings(created));
|
||||
}
|
||||
return c.json(row);
|
||||
return c.json(redactSettings(row));
|
||||
});
|
||||
|
||||
const hexColorRegex = /^#[0-9a-fA-F]{6}$/;
|
||||
|
||||
Reference in New Issue
Block a user