Files
OpenFrontIO/tests/server/Archive.test.ts
T
Evan Pelle a7f992e9b0 refactor: convert to npm-workspaces monorepo (engine/core-public/shared/client/server)
Restructure the single src/ tree into an npm-workspaces monorepo under
packages/, rename core -> engine, extract a types-only core-public layer,
and break the pre-existing engine -> client dependency cycle.

Structure (packages/):
  core-public  public API/wire schemas + shared enums (clean leaf)
  shared       framework-agnostic helpers (clean leaf)
  engine       deterministic simulation (was src/core)
  client       rendering/UI (was src/client)
  server       coordination (was src/server)

Dependency DAG: engine -> {core-public, shared}; client -> {core-public,
shared, engine}; server -> {core-public, engine}.

- npm workspaces: root package.json workspaces + per-package package.json;
  tsconfig.base.json holds shared options + path aliases
  (core-public/* shared/* engine/* client/* server/*) resolved uniformly by
  tsc, Vite (resolve.tsconfigPaths), Vitest, and tsx. Lockfile regenerated.
- core-public: moved Schemas/ApiSchemas/CosmeticSchemas/StatsSchemas/
  ClanApiSchemas/WorkerSchemas/Base64/PatternDecoder; extracted the enums
  (GameTypes), GameEvent type, emoji table, and GraphicsOverrides schema.
  Engine re-exports the moved enums/types so existing imports keep working.
- Broke engine -> client cycle:
  - renderNumber/renderTroops -> shared/format
  - NameBoxCalculator moved into engine
  - username validation returns translation key + params; client translates
  - applyStateUpdate moved to client (operates on the render-only PlayerState)
  - Config/UnitGrid/execution-Util/GameImpl now use structural read
    interfaces (engine/game/ReadViews: PlayerLike/UnitLike/GameLike) instead
    of importing client view classes; client imports view classes from a new
    client/view barrel; deleted the engine/game/GameView re-export shim.
- Build/deploy updated: vite.config, index.html, eslint, Dockerfile
  (copies packages/ + tsconfig.base.json before npm ci), .vscode, tests.

Verified: tsc --noEmit clean; 1364 + 65 tests pass; production vite build
succeeds; engine has zero client/server imports; core-public and shared are
dependency leaves.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 16:51:03 +00:00

175 lines
4.7 KiB
TypeScript

import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
vi.mock("server/ServerEnv", () => ({
ServerEnv: {
jwtIssuer: () => "https://archive.test.invalid",
apiKey: () => "test-key",
gitCommit: () => "DEV",
subdomain: () => "test",
domain: () => "test",
},
}));
vi.mock("server/Logger", () => ({
logger: {
child: () => ({
info: vi.fn(),
warn: vi.fn(),
error: vi.fn(),
}),
},
}));
vi.mock("core-public/Schemas", async () => {
const actual = (await vi.importActual("core-public/Schemas")) as any;
return {
...actual,
GameRecordSchema: {
safeParse: (data: any) => ({ success: true, data }),
},
};
});
import { GameType } from "engine/game/Game";
import type { GameRecord } from "core-public/Schemas";
import { archive } from "server/Archive";
function buildRecord(gameType: GameType, flag: string | undefined): GameRecord {
return {
info: {
gameID: "TEST123456",
config: { gameType } as any,
players: [
{
clientID: "client-1",
username: "Test",
clanTag: null,
persistentID: "persist-1",
stats: {} as any,
cosmetics: flag ? { flag } : undefined,
} as any,
],
} as any,
version: "v0.0.2",
gitCommit: "DEV",
subdomain: "test",
domain: "test",
turns: [],
} as GameRecord;
}
function archivedBody(fetchMock: ReturnType<typeof vi.fn>): any {
expect(fetchMock).toHaveBeenCalledOnce();
return JSON.parse(fetchMock.mock.calls[0][1].body);
}
describe("archive() singleplayer flag sanitization", () => {
let fetchMock: ReturnType<typeof vi.fn>;
beforeEach(() => {
fetchMock = vi.fn().mockResolvedValue({ ok: true, statusText: "OK" });
vi.stubGlobal("fetch", fetchMock);
});
afterEach(() => {
vi.unstubAllGlobals();
});
it("preserves same-origin country flag paths", async () => {
await archive(
buildRecord(GameType.Singleplayer, "/flags/us.svg"),
new Set(),
);
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
"/flags/us.svg",
);
});
it("preserves manifest-resolved asset paths", async () => {
await archive(
buildRecord(GameType.Singleplayer, "/_assets/flags/us-abc123.svg"),
new Set(),
);
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
"/_assets/flags/us-abc123.svg",
);
});
it("preserves cosmetic flag URLs that are in the trusted set", async () => {
const trustedUrl = "https://example.com/cool.png";
await archive(
buildRecord(GameType.Singleplayer, trustedUrl),
new Set([trustedUrl]),
);
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
trustedUrl,
);
});
it("drops attacker-controlled URLs not in the trusted set", async () => {
await archive(
buildRecord(
GameType.Singleplayer,
"https://attacker.example/payload.png",
),
new Set(["https://example.com/cool.png"]),
);
expect(
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
).toBeUndefined();
});
it("drops http URLs regardless of case", async () => {
await archive(
buildRecord(GameType.Singleplayer, "HTTP://attacker.example/x.png"),
new Set(),
);
expect(
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
).toBeUndefined();
});
it("preserves untouched player when no flag is set", async () => {
await archive(buildRecord(GameType.Singleplayer, undefined), new Set());
expect(archivedBody(fetchMock).info.players[0].cosmetics).toBeUndefined();
});
it("drops absolute URLs even when the trusted set is omitted", async () => {
await archive(
buildRecord(GameType.Singleplayer, "https://example.com/cool.png"),
);
expect(
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
).toBeUndefined();
});
});
describe("archive() multiplayer paths skip sanitization", () => {
let fetchMock: ReturnType<typeof vi.fn>;
beforeEach(() => {
fetchMock = vi.fn().mockResolvedValue({ ok: true, statusText: "OK" });
vi.stubGlobal("fetch", fetchMock);
});
afterEach(() => {
vi.unstubAllGlobals();
});
it("does not modify cosmetics for public games", async () => {
const attackerUrl = "https://attacker.example/payload.png";
await archive(buildRecord(GameType.Public, attackerUrl));
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
attackerUrl,
);
});
it("does not modify cosmetics for private games", async () => {
const attackerUrl = "https://attacker.example/payload.png";
await archive(buildRecord(GameType.Private, attackerUrl));
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
attackerUrl,
);
});
});