import { describe, expect, it, vi } from 'vitest'; import { validateBridgeMessage, validateBridgeTyping } from '../bridge.dto.js'; import { AppserviceIntent, MatrixApiError } from '../intent.js'; import { buildRegistration, registrationToYaml } from '../registration.js'; import { TransactionHandler } from '../transactions.js'; import type { AppserviceConfig, MatrixEvent } from '../types.js'; const cfg: AppserviceConfig = { homeserverUrl: 'https://hs.example', domain: 'hs.example', asToken: 'as-secret', hsToken: 'hs-secret', }; const jsonResponse = (status: number, body: unknown): Response => new Response(JSON.stringify(body), { status, headers: { 'Content-Type': 'application/json' } }); describe('TransactionHandler', () => { const makeHandler = (onEvent = vi.fn()) => ({ onEvent, handler: new TransactionHandler({ hsToken: 'hs-secret', onEvent }), }); it('rejects a bad hs_token with M_FORBIDDEN', async () => { const { handler, onEvent } = makeHandler(); const res = await handler.handle( 't1', { events: [{ type: 'm.room.message' }] }, { authorizationHeader: 'Bearer wrong' }, ); expect(res.status).toBe(403); expect(res.body.errcode).toBe('M_FORBIDDEN'); expect(onEvent).not.toHaveBeenCalled(); }); it('accepts Bearer auth and legacy access_token param', async () => { const { handler } = makeHandler(); expect( (await handler.handle('t1', { events: [] }, { authorizationHeader: 'Bearer hs-secret' })) .status, ).toBe(200); expect( (await handler.handle('t2', { events: [] }, { accessTokenParam: 'hs-secret' })).status, ).toBe(200); }); it('processes events once per txnId (idempotent retries)', async () => { const { handler, onEvent } = makeHandler(); const body = { events: [{ type: 'm.room.message', event_id: '$e1' }] }; await handler.handle('t1', body, { authorizationHeader: 'Bearer hs-secret' }); const retry = await handler.handle('t1', body, { authorizationHeader: 'Bearer hs-secret' }); expect(retry.status).toBe(200); expect(onEvent).toHaveBeenCalledTimes(1); }); it('a throwing event handler does not fail the transaction', async () => { const onError = vi.fn(); const handler = new TransactionHandler({ hsToken: 'hs-secret', onEvent: () => { throw new Error('boom'); }, onError, }); const res = await handler.handle( 't1', { events: [{ type: 'x' }, { type: 'y' }] }, { authorizationHeader: 'Bearer hs-secret' }, ); expect(res.status).toBe(200); expect(onError).toHaveBeenCalledTimes(2); }); }); describe('AppserviceIntent', () => { it('derives namespaced user ids and rejects bad slugs', () => { const intent = new AppserviceIntent(cfg); expect(intent.agentUserId('pi0-web1')).toBe('@agent-pi0-web1:hs.example'); expect(intent.agentUserId('Pi0-Web1')).toBe('@agent-pi0-web1:hs.example'); expect(() => intent.agentUserId('../evil')).toThrow(); expect(() => intent.agentUserId('')).toThrow(); }); it('uses uuid transaction ids', async () => { const calls: string[] = []; const fetchMock = vi.fn(async (input: URL | string) => { calls.push(new URL(String(input)).pathname); return jsonResponse(200, {}); }); const intent = new AppserviceIntent(cfg, fetchMock as unknown as typeof fetch); await intent.sendAsAgent({ roomId: '!r:hs.example', agent: 'pi0', body: 'x' }); const send = calls.find((p) => p.includes('/send/m.room.message/')); expect(send).toMatch(/mosaic-as-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/); }); it('registers once, impersonates via user_id, threads replies', async () => { const calls: Array<{ url: URL; init: RequestInit }> = []; const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => { calls.push({ url: new URL(String(input)), init: init ?? {} }); return jsonResponse(200, { event_id: '$sent' }); }); const intent = new AppserviceIntent(cfg, fetchMock as unknown as typeof fetch); const eventId = await intent.sendAsAgent({ roomId: '!room:hs.example', agent: 'pi0-web1', body: 'hello', threadRoot: '$req', }); await intent.sendAsAgent({ roomId: '!room:hs.example', agent: 'pi0-web1', body: 'again' }); expect(eventId).toBe('$sent'); const paths = calls.map((c) => c.url.pathname); expect(paths.filter((p) => p.endsWith('/register'))).toHaveLength(1); // cached expect(paths.filter((p) => p.includes('/join'))).toHaveLength(1); // cached const send = calls.find((c) => c.url.pathname.includes('/send/m.room.message/')); expect(send).toBeDefined(); expect(send!.url.searchParams.get('user_id')).toBe('@agent-pi0-web1:hs.example'); const content = JSON.parse(String(send!.init.body)) as Record; const rel = content['m.relates_to'] as Record; expect(rel.rel_type).toBe('m.thread'); expect(rel.event_id).toBe('$req'); expect(rel.is_falling_back).toBe(true); expect( calls.every( (c) => (c.init.headers as Record).Authorization === 'Bearer as-secret', ), ).toBe(true); }); it('tolerates M_USER_IN_USE and surfaces other register errors', async () => { const inUse = vi.fn(async () => jsonResponse(400, { errcode: 'M_USER_IN_USE', error: 'taken' }), ); const intent = new AppserviceIntent(cfg, inUse as unknown as typeof fetch); await expect(intent.ensureRegistered('pi0-web1')).resolves.toBe('@agent-pi0-web1:hs.example'); const denied = vi.fn(async () => jsonResponse(401, { errcode: 'M_UNKNOWN_TOKEN', error: 'nope' }), ); const intent2 = new AppserviceIntent(cfg, denied as unknown as typeof fetch); await expect(intent2.ensureRegistered('pi0-web1')).rejects.toThrow(MatrixApiError); }); it('invites then joins on M_FORBIDDEN join', async () => { const paths: string[] = []; const fetchMock = vi.fn(async (input: URL | string) => { const url = new URL(String(input)); paths.push(url.pathname); if (url.pathname.endsWith('/join') && paths.filter((p) => p.endsWith('/join')).length === 1) { return jsonResponse(403, { errcode: 'M_FORBIDDEN', error: 'not invited' }); } return jsonResponse(200, {}); }); const intent = new AppserviceIntent(cfg, fetchMock as unknown as typeof fetch); await intent.ensureJoined('!room:hs.example', 'pi0-web1'); expect(paths.filter((p) => p.endsWith('/invite'))).toHaveLength(1); expect(paths.filter((p) => p.endsWith('/join'))).toHaveLength(2); }); }); describe('registration', () => { it('builds an exclusive escaped user namespace', () => { const reg = buildRegistration(cfg, { url: 'http://mosaic-as:8008' }); expect(reg.namespaces.users[0]).toEqual({ regex: '@agent-.*:hs\\.example', exclusive: true, }); expect(reg.rate_limited).toBe(false); const yaml = registrationToYaml(reg); expect(yaml).toContain("sender_localpart: 'mosaic-as'"); expect(yaml).toContain("as_token: 'as-secret'"); expect(yaml).toContain('exclusive: true'); }); }); describe('registration hardening', () => { it('rejects control characters in registration values', () => { const reg = buildRegistration( { ...cfg, asToken: 'abc\nhttp_injected: true' }, { url: 'http://mosaic-as:8008' }, ); expect(() => registrationToYaml(reg)).toThrow(/control characters/); }); it('escapes single quotes in token values', () => { const reg = buildRegistration({ ...cfg, asToken: "it's" }, { url: 'http://mosaic-as:8008' }); expect(registrationToYaml(reg)).toContain("as_token: 'it''s'"); }); }); describe('bridge DTOs', () => { it('validates message and typing payloads', () => { expect(() => validateBridgeMessage({ room_id: '!r:hs', agent: 'pi0', body: 'x' }), ).not.toThrow(); expect(() => validateBridgeMessage({ room_id: 'bad', agent: 'pi0', body: 'x' })).toThrow(); expect(() => validateBridgeMessage({ room_id: '!r:hs', agent: '', body: 'x' })).toThrow(); expect(() => validateBridgeMessage({ room_id: '!r:hs', agent: '../evil', body: 'x' })).toThrow( /agent must match/, ); expect(() => validateBridgeTyping({ room_id: '!r:hs', agent: 'pi0', typing: true }), ).not.toThrow(); expect(() => validateBridgeTyping({ room_id: '!r:hs', agent: 'pi0', typing: 'yes' })).toThrow(); }); }); describe('event shape', () => { it('transaction events flow through to the handler', async () => { const seen: MatrixEvent[] = []; const handler = new TransactionHandler({ hsToken: 'hs-secret', onEvent: (e) => void seen.push(e), }); await handler.handle( 't1', { events: [ { type: 'm.room.message', room_id: '!r:hs', sender: '@u:hs', content: { body: 'hi' } }, ], }, { authorizationHeader: 'Bearer hs-secret' }, ); expect(seen).toHaveLength(1); expect(seen[0]!.content?.body).toBe('hi'); }); });