
Commit b0f3077

Jason Separovicclaude
andcommitted
test(ui): add insecure context auth test for GatewayBrowserClient
Verify that explicit token and password are sent in the connect frame when crypto.subtle is unavailable (plain HTTP contexts). Co-Authored-By: Claude <[email protected]>
1 parent 7e6d775 commit b0f3077


1 file changed

+40
-0
lines changed

1 file changed

+40
-0
lines changed

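--- a/ui/src/ui/gateway.node.test.ts
+++ b/ui/src/ui/gateway.node.test.ts
@@ -374,6 +374,46 @@ describe("GatewayBrowserClient", () => {
 vi.useRealTimers();
 });
 
+it("sends explicit token and password in insecure contexts without crypto.subtle", async () => {
+// Simulate insecure context (plain HTTP) where crypto.subtle is unavailable
+const origSubtle = crypto.subtle;
+Object.defineProperty(crypto, "subtle", { value: undefined, configurable: true });
+
+try {
+const client = new GatewayBrowserClient({
+url: "ws://192.168.1.100:18789",
+token: "explicit-token",
+password: "explicit-password",
+});
+
+client.start();
+const ws = getLatestWebSocket();
+ws.emitOpen();
+ws.emitMessage({
+type: "event",
+event: "connect.challenge",
+payload: { nonce: "nonce-1" },
+});
+await vi.waitFor(() => expect(ws.sent.length).toBeGreaterThan(0));
+
+const connectFrame = JSON.parse(ws.sent.at(-1) ?? "{}") as {
+method?: string;
+params?: {
+auth?: { token?: string; password?: string; deviceToken?: string };
+device?: unknown;
+};
+};
+expect(connectFrame.method).toBe("connect");
+expect(connectFrame.params?.auth?.token).toBe("explicit-token");
+expect(connectFrame.params?.auth?.password).toBe("explicit-password");
+// No device identity in insecure context
+expect(connectFrame.params?.device).toBeUndefined();
+expect(loadOrCreateDeviceIdentityMock).not.toHaveBeenCalled();
+} finally {
+Object.defineProperty(crypto, "subtle", { value: origSubtle, configurable: true });
+}
+});
+
 it("does not auto-reconnect on AUTH_TOKEN_MISSING", async () => {
 vi.useFakeTimers();
 localStorage.clear();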
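Review bot: The parsed frame type declares `auth.deviceToken`, but the new test never asserts on it, so a stored device token riding along in the connect frame over plain `ws://` would go unnoticed. If the client is meant to withhold stored device credentials when `crypto.subtle` is missing, add `expect(connectFrame.params?.auth?.deviceToken).toBeUndefined();` beside the `device` assertion. The test also does not call `localStorage.clear()` as the following case does; the enclosing `describe` and any `beforeEach` reset sit outside this hunk, so confirm state from earlier cases cannot leak in. Because this case pins the token and password going out unencrypted to a non-loopback address with no device identity, I would extend the opening comment to something like `// Plain HTTP: no crypto.subtle, so no device identity; token/password are sent unencrypted over ws://` so the downgrade reads as deliberate.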
