stack/apps/appservice/src/__tests__/server.test.ts

import { describe, expect, it, vi } from 'vitest';

import { AppserviceDaemon } from '../server.js';
import type { DaemonConfig, DaemonRequest } from '../server.js';

const cfg: DaemonConfig = {
  homeserverUrl: 'https://hs.example',
  domain: 'hs.example',
  asToken: 'as-secret',
  hsToken: 'hs-secret',
  bridgeTokens: ['bridge-secret'],
};

const jsonResponse = (status: number, body: unknown): Response =>
  new Response(JSON.stringify(body), { status, headers: { 'Content-Type': 'application/json' } });

const request = (overrides: Partial<DaemonRequest>): DaemonRequest => ({
  method: 'GET',
  path: '/',
  searchParams: new URLSearchParams(),
  body: undefined,
  ...overrides,
});

const makeDaemon = () => {
  const fetchMock = vi.fn(async (_input: URL | string) => jsonResponse(200, { event_id: '$sent' }));
  const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
  return { daemon, fetchMock };
};

describe('AppserviceDaemon routing', () => {
  it('serves health unauthenticated', async () => {
    const { daemon } = makeDaemon();
    expect((await daemon.handle(request({ path: '/health' }))).status).toBe(200);
  });

  it('404s unknown paths', async () => {
    const { daemon } = makeDaemon();
    expect((await daemon.handle(request({ path: '/nope' }))).status).toBe(404);
  });

  it('transactions require the hs_token', async () => {
    const { daemon } = makeDaemon();
    const bad = await daemon.handle(
      request({
        method: 'PUT',
        path: '/_matrix/app/v1/transactions/t1',
        authorizationHeader: 'Bearer wrong',
        body: { events: [] },
      }),
    );
    expect(bad.status).toBe(403);
    const ok = await daemon.handle(
      request({
        method: 'PUT',
        path: '/_matrix/app/v1/transactions/t1',
        authorizationHeader: 'Bearer hs-secret',
        body: { events: [{ type: 'm.room.message', event_id: '$e' }] },
      }),
    );
    expect(ok.status).toBe(200);
  });

  it('bridge requires a bridge token (hs/as tokens do not work)', async () => {
    const { daemon } = makeDaemon();
    for (const token of [undefined, 'Bearer hs-secret', 'Bearer as-secret', 'Bearer nope']) {
      const res = await daemon.handle(
        request({
          method: 'POST',
          path: '/bridge/v1/messages',
          authorizationHeader: token,
          body: {},
        }),
      );
      expect(res.status).toBe(403);
    }
  });

  it('bridge message sends as the agent and returns the event id', async () => {
    const { daemon, fetchMock } = makeDaemon();
    const res = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/messages',
        authorizationHeader: 'Bearer bridge-secret',
        body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi', thread_root: '$req' },
      }),
    );
    expect(res.status).toBe(200);
    expect(res.body.event_id).toBe('$sent');
    const sendCall = fetchMock.mock.calls
      .map((c) => new URL(String(c[0])))
      .find((u) => u.pathname.includes('/send/m.room.message/'));
    expect(sendCall).toBeDefined();
    expect(sendCall!.searchParams.get('user_id')).toBe('@agent-pi0-web1:hs.example');
  });

  it('bridge rejects invalid payloads with 400', async () => {
    const { daemon } = makeDaemon();
    const res = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/messages',
        authorizationHeader: 'Bearer bridge-secret',
        body: { room_id: 'bad', agent: 'pi0', body: 'x' },
      }),
    );
    expect(res.status).toBe(400);
  });

  it('bridge typing endpoint works', async () => {
    const { daemon, fetchMock } = makeDaemon();
    const res = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/typing',
        authorizationHeader: 'Bearer bridge-secret',
        body: { room_id: '!r:hs.example', agent: 'pi0-web1', typing: true },
      }),
    );
    expect(res.status).toBe(200);
    const typingCall = fetchMock.mock.calls
      .map((c) => new URL(String(c[0])))
      .find((u) => u.pathname.includes('/typing/'));
    expect(typingCall).toBeDefined();
  });

  it('authenticated unknown bridge sub-paths return 405, never fall through', async () => {
    const { daemon } = makeDaemon();
    const res = await daemon.handle(
      request({
        method: 'GET',
        path: '/bridge/v1/unknown',
        authorizationHeader: 'Bearer bridge-secret',
      }),
    );
    expect(res.status).toBe(405);
  });

  it('empty bridge token list denies everything', async () => {
    const daemon = new AppserviceDaemon({ ...cfg, bridgeTokens: [] }, undefined, () => {});
    const res = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/typing',
        authorizationHeader: 'Bearer bridge-secret',
        body: {},
      }),
    );
    expect(res.status).toBe(403);
  });
});