Krow/Krow-workspace
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): harden runtime config and verification access

Browse Source
This commit is contained in:
zouantchaw
2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/command-api/test/app.test.js
View File

@@ -63,6 +63,16 @@ test('GET /readyz reports database not configured when no database env is presen
assert.equal(res.body.status, 'DATABASE_NOT_CONFIGURED');
});
test('createApp fails fast in protected env when auth bypass is enabled', async () => {
process.env.APP_ENV = 'staging';
process.env.AUTH_BYPASS = 'true';
assert.throws(() => createApp(), /AUTH_BYPASS must be disabled/);
delete process.env.APP_ENV;
process.env.AUTH_BYPASS = 'true';
});
test('command route requires idempotency key', async () => {
const app = createApp();
const res = await request(app)

10
backend/command-api/test/notification-worker.test.js
View File

@@ -12,6 +12,16 @@ test('GET /readyz returns healthy response', async () => {
assert.equal(res.body.service, 'notification-worker-v2');
});
test('createWorkerApp fails fast in protected env when push delivery is not live', async () => {
process.env.APP_ENV = 'staging';
process.env.PUSH_DELIVERY_MODE = 'log-only';
assert.throws(() => createWorkerApp(), /PUSH_DELIVERY_MODE must be live/);
delete process.env.APP_ENV;
delete process.env.PUSH_DELIVERY_MODE;
});
test('POST /tasks/dispatch-notifications returns dispatch summary', async () => {
const app = createWorkerApp({
dispatch: async () => ({