Add tests

Author: akirk

packages/playground/storage/src/lib/git-sparse-checkout.spec.ts

@@ -3,7 +3,9 @@ import {
 	sparseCheckout,
 	listGitFiles,
 	resolveCommitHash,
+	type GitAdditionalHeaders,
 } from './git-sparse-checkout';
+import { vi } from 'vitest';
 
 describe('listRefs', () => {
 	it('should return the latest commit hash for a given ref', async () => {
@@ -190,3 +192,135 @@ describe('listGitFiles', () => {
 		);
 	});
 });
+
+describe('gitAdditionalHeaders callback', () => {
+	const repoUrl = 'https://github.com/WordPress/wordpress-playground.git';
+
+	it('should invoke callback with the actual URL being fetched', async () => {
+		const headerCallback = vi.fn<GitAdditionalHeaders>(() => ({}));
+
+		await listGitRefs(repoUrl, 'refs/heads/trunk', headerCallback);
+
+		expect(headerCallback).toHaveBeenCalledWith(repoUrl);
+	});
+
+	it('should successfully fetch when callback returns empty object', async () => {
+		const headerCallback: GitAdditionalHeaders = (url: string) => ({});
+
+		const refs = await listGitRefs(
+			repoUrl,
+			'refs/heads/trunk',
+			headerCallback
+		);
+
+		expect(refs).toHaveProperty('refs/heads/trunk');
+		expect(refs['refs/heads/trunk']).toMatch(/^[a-f0-9]{40}$/);
+	});
+
+	it('should pass callback through the full call chain', async () => {
+		const headerCallback = vi.fn<GitAdditionalHeaders>(() => ({}));
+
+		await resolveCommitHash(
+			repoUrl,
+			{ value: 'trunk', type: 'branch' },
+			headerCallback
+		);
+
+		expect(headerCallback).toHaveBeenCalledWith(repoUrl);
+	});
+});
+
+describe('authentication error handling', () => {
+	let originalFetch: typeof global.fetch;
+
+	beforeEach(() => {
+		originalFetch = global.fetch;
+	});
+
+	afterEach(() => {
+		global.fetch = originalFetch;
+	});
+
+	it('should throw GitAuthenticationError for 401 responses', async () => {
+		global.fetch = vi.fn().mockResolvedValue({
+			ok: false,
+			status: 401,
+			statusText: 'Unauthorized',
+		});
+
+		const headerCallback: GitAdditionalHeaders = (url: string) => ({
+			Authorization: 'Bearer token',
+		});
+
+		await expect(
+			listGitRefs(
+				'https://github.com/user/private-repo',
+				'refs/heads/main',
+				headerCallback
+			)
+		).rejects.toThrow(
+			'Authentication required to access private repository'
+		);
+	});
+
+	it('should throw GitAuthenticationError for 403 responses', async () => {
+		global.fetch = vi.fn().mockResolvedValue({
+			ok: false,
+			status: 403,
+			statusText: 'Forbidden',
+		});
+
+		const headerCallback: GitAdditionalHeaders = (url: string) => ({
+			Authorization: 'Bearer token',
+		});
+
+		await expect(
+			listGitRefs(
+				'https://github.com/user/private-repo',
+				'refs/heads/main',
+				headerCallback
+			)
+		).rejects.toThrow(
+			'Authentication required to access private repository'
+		);
+	});
+
+	it('should throw generic error for 404 even with auth token (ambiguous: repo not found OR no access)', async () => {
+		global.fetch = vi.fn().mockResolvedValue({
+			ok: false,
+			status: 404,
+			statusText: 'Not Found',
+		});
+
+		const headerCallback: GitAdditionalHeaders = (url: string) => ({
+			Authorization: 'Bearer token',
+		});
+
+		await expect(
+			listGitRefs(
+				'https://github.com/user/repo-or-no-access',
+				'refs/heads/main',
+				headerCallback
+			)
+		).rejects.toThrow(
+			'Failed to fetch git refs from https://github.com/user/repo-or-no-access: 404 Not Found'
+		);
+	});
+
+	it('should throw generic error for 404 without auth token', async () => {
+		global.fetch = vi.fn().mockResolvedValue({
+			ok: false,
+			status: 404,
+			statusText: 'Not Found',
+		});
+
+		await expect(
+			listGitRefs(
+				'https://github.com/user/nonexistent-repo',
+				'refs/heads/main'
+			)
+		).rejects.toThrow(
+			'Failed to fetch git refs from https://github.com/user/nonexistent-repo: 404 Not Found'
+		);
+	});
+});

packages/playground/website/src/github/git-auth-helpers.spec.ts

@@ -0,0 +1,168 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { createGitHubAuthHeaders, isGitHubUrl } from './git-auth-helpers';
+import { oAuthState } from './state';
+
+describe('isGitHubUrl', () => {
+	describe('direct GitHub URLs', () => {
+		it('returns true for github.com URLs', () => {
+			expect(isGitHubUrl('https://github.com/user/repo')).toBe(true);
+		});
+
+		it('returns true for api.github.com URLs', () => {
+			expect(isGitHubUrl('https://api.github.com/repos')).toBe(true);
+		});
+
+		it('returns false for non-GitHub URLs', () => {
+			expect(isGitHubUrl('https://gitlab.com/user/repo')).toBe(false);
+			expect(isGitHubUrl('https://bitbucket.org/user/repo')).toBe(false);
+		});
+	});
+
+	describe('security: rejects URLs with github.com in wrong places', () => {
+		it('returns false when github.com is in the path', () => {
+			expect(isGitHubUrl('https://evil.com/github.com/fake')).toBe(false);
+		});
+
+		it('returns false when github.com is in a query parameter', () => {
+			expect(isGitHubUrl('https://evil.com?redirect=github.com')).toBe(
+				false
+			);
+		});
+
+		it('returns false for look-alike domains', () => {
+			expect(isGitHubUrl('https://github.com.evil.com')).toBe(false);
+			expect(isGitHubUrl('https://mygithub.com')).toBe(false);
+			expect(isGitHubUrl('https://fakegithub.com')).toBe(false);
+		});
+	});
+
+	describe('CORS proxy URLs', () => {
+		it('returns true for GitHub URLs through CORS proxy', () => {
+			expect(
+				isGitHubUrl(
+					'https://playground.wordpress.net/cors-proxy.php?https://github.com/user/repo'
+				)
+			).toBe(true);
+			expect(
+				isGitHubUrl(
+					'http://127.0.0.1:5263/cors-proxy.php?https://github.com/user/repo'
+				)
+			).toBe(true);
+		});
+
+		it('returns false for non-GitHub URLs through CORS proxy', () => {
+			expect(
+				isGitHubUrl(
+					'https://playground.wordpress.net/cors-proxy.php?https://gitlab.com/user/repo'
+				)
+			).toBe(false);
+		});
+
+		it('returns false for malicious URLs through CORS proxy', () => {
+			expect(
+				isGitHubUrl(
+					'https://playground.wordpress.net/cors-proxy.php?https://evil.com/github.com/fake'
+				)
+			).toBe(false);
+			expect(
+				isGitHubUrl(
+					'http://127.0.0.1:5263/cors-proxy.php?https://github.com.evil.com'
+				)
+			).toBe(false);
+		});
+	});
+
+	describe('edge cases', () => {
+		it('returns false for invalid URLs', () => {
+			expect(isGitHubUrl('not-a-url')).toBe(false);
+			expect(isGitHubUrl('')).toBe(false);
+			expect(isGitHubUrl('github.com')).toBe(false);
+		});
+	});
+});
+
+describe('createGitHubAuthHeaders integration', () => {
+	beforeEach(() => {
+		oAuthState.value = { token: '', isAuthorizing: false };
+	});
+
+	describe('with GitHub token present', () => {
+		beforeEach(() => {
+			oAuthState.value = {
+				token: 'gho_TestToken123',
+				isAuthorizing: false,
+			};
+		});
+
+		it('includes Authorization header for github.com URLs', () => {
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders('https://github.com/user/repo');
+
+			expect(headers).toHaveProperty('Authorization');
+			expect(headers.Authorization).toMatch(/^Basic /);
+			expect(headers).toHaveProperty(
+				'X-Cors-Proxy-Allowed-Request-Headers',
+				'Authorization'
+			);
+		});
+
+		it('includes Authorization header for api.github.com URLs', () => {
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders('https://api.github.com/repos');
+
+			expect(headers).toHaveProperty('Authorization');
+		});
+
+		it('includes Authorization header for GitHub URLs through CORS proxy', () => {
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders(
+				'https://playground.wordpress.net/cors-proxy.php?https://github.com/user/repo'
+			);
+
+			expect(headers).toHaveProperty('Authorization');
+			expect(headers).toHaveProperty(
+				'X-Cors-Proxy-Allowed-Request-Headers'
+			);
+		});
+
+		it('does NOT include Authorization header for non-GitHub URLs', () => {
+			const getHeaders = createGitHubAuthHeaders();
+
+			expect(getHeaders('https://gitlab.com/user/repo')).toEqual({});
+			expect(getHeaders('https://bitbucket.org/user/repo')).toEqual({});
+			expect(getHeaders('https://evil.com/github.com/fake')).toEqual({});
+		});
+
+		it('does NOT include Authorization header for non-GitHub URLs through CORS proxy', () => {
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders(
+				'https://playground.wordpress.net/cors-proxy.php?https://gitlab.com/user/repo'
+			);
+
+			expect(headers).toEqual({});
+		});
+	});
+
+	describe('without GitHub token', () => {
+		beforeEach(() => {
+			oAuthState.value = { token: '', isAuthorizing: false };
+		});
+
+		it('returns empty headers even for GitHub URLs', () => {
+			const getHeaders = createGitHubAuthHeaders();
+
+			expect(getHeaders('https://github.com/user/repo')).toEqual({});
+		});
+	});
+
+	describe('token encoding', () => {
+		it('encodes token correctly as Basic auth', () => {
+			oAuthState.value = { token: 'test-token', isAuthorizing: false };
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders('https://github.com/user/repo');
+
+			const decoded = atob(headers.Authorization.replace('Basic ', ''));
+			expect(decoded).toBe('test-token:');
+		});
+	});
+});

packages/playground/website/src/github/git-auth-helpers.ts

@@ -17,7 +17,7 @@ export function isGitHubUrl(url: string): boolean {
 	try {
 		const urlObj = new URL(url);
 		const hostname = urlObj.hostname;
-		return hostname === 'github.com';
+		return hostname === 'github.com' || hostname === 'api.github.com';
 	} catch {
 		return false;
 	}
@@ -33,11 +33,10 @@ export function createGitHubAuthHeaders(): (
 			return {};
 		}
 
-		const headers = {
+		return {
 			Authorization: `Basic ${btoa(`${token}:`)}`,
 			// Tell the CORS proxy to forward the Authorization header
 			'X-Cors-Proxy-Allowed-Request-Headers': 'Authorization',
 		};
-		return headers;
 	};
 }