mirror of
https://github.com/openfrontio/OpenFrontIO.git
synced 2026-07-10 20:14:35 +00:00
a7f992e9b0
Restructure the single src/ tree into an npm-workspaces monorepo under
packages/, rename core -> engine, extract a types-only core-public layer,
and break the pre-existing engine -> client dependency cycle.
Structure (packages/):
core-public public API/wire schemas + shared enums (clean leaf)
shared framework-agnostic helpers (clean leaf)
engine deterministic simulation (was src/core)
client rendering/UI (was src/client)
server coordination (was src/server)
Dependency DAG: engine -> {core-public, shared}; client -> {core-public,
shared, engine}; server -> {core-public, engine}.
- npm workspaces: root package.json workspaces + per-package package.json;
tsconfig.base.json holds shared options + path aliases
(core-public/* shared/* engine/* client/* server/*) resolved uniformly by
tsc, Vite (resolve.tsconfigPaths), Vitest, and tsx. Lockfile regenerated.
- core-public: moved Schemas/ApiSchemas/CosmeticSchemas/StatsSchemas/
ClanApiSchemas/WorkerSchemas/Base64/PatternDecoder; extracted the enums
(GameTypes), GameEvent type, emoji table, and GraphicsOverrides schema.
Engine re-exports the moved enums/types so existing imports keep working.
- Broke engine -> client cycle:
- renderNumber/renderTroops -> shared/format
- NameBoxCalculator moved into engine
- username validation returns translation key + params; client translates
- applyStateUpdate moved to client (operates on the render-only PlayerState)
- Config/UnitGrid/execution-Util/GameImpl now use structural read
interfaces (engine/game/ReadViews: PlayerLike/UnitLike/GameLike) instead
of importing client view classes; client imports view classes from a new
client/view barrel; deleted the engine/game/GameView re-export shim.
- Build/deploy updated: vite.config, index.html, eslint, Dockerfile
(copies packages/ + tsconfig.base.json before npm ci), .vscode, tests.
Verified: tsc --noEmit clean; 1364 + 65 tests pass; production vite build
succeeds; engine has zero client/server imports; core-public and shared are
dependency leaves.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
175 lines
4.7 KiB
TypeScript
175 lines
4.7 KiB
TypeScript
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
|
|
|
vi.mock("server/ServerEnv", () => ({
|
|
ServerEnv: {
|
|
jwtIssuer: () => "https://archive.test.invalid",
|
|
apiKey: () => "test-key",
|
|
gitCommit: () => "DEV",
|
|
subdomain: () => "test",
|
|
domain: () => "test",
|
|
},
|
|
}));
|
|
|
|
vi.mock("server/Logger", () => ({
|
|
logger: {
|
|
child: () => ({
|
|
info: vi.fn(),
|
|
warn: vi.fn(),
|
|
error: vi.fn(),
|
|
}),
|
|
},
|
|
}));
|
|
|
|
vi.mock("core-public/Schemas", async () => {
|
|
const actual = (await vi.importActual("core-public/Schemas")) as any;
|
|
return {
|
|
...actual,
|
|
GameRecordSchema: {
|
|
safeParse: (data: any) => ({ success: true, data }),
|
|
},
|
|
};
|
|
});
|
|
|
|
import { GameType } from "engine/game/Game";
|
|
import type { GameRecord } from "core-public/Schemas";
|
|
import { archive } from "server/Archive";
|
|
|
|
function buildRecord(gameType: GameType, flag: string | undefined): GameRecord {
|
|
return {
|
|
info: {
|
|
gameID: "TEST123456",
|
|
config: { gameType } as any,
|
|
players: [
|
|
{
|
|
clientID: "client-1",
|
|
username: "Test",
|
|
clanTag: null,
|
|
persistentID: "persist-1",
|
|
stats: {} as any,
|
|
cosmetics: flag ? { flag } : undefined,
|
|
} as any,
|
|
],
|
|
} as any,
|
|
version: "v0.0.2",
|
|
gitCommit: "DEV",
|
|
subdomain: "test",
|
|
domain: "test",
|
|
turns: [],
|
|
} as GameRecord;
|
|
}
|
|
|
|
function archivedBody(fetchMock: ReturnType<typeof vi.fn>): any {
|
|
expect(fetchMock).toHaveBeenCalledOnce();
|
|
return JSON.parse(fetchMock.mock.calls[0][1].body);
|
|
}
|
|
|
|
describe("archive() singleplayer flag sanitization", () => {
|
|
let fetchMock: ReturnType<typeof vi.fn>;
|
|
|
|
beforeEach(() => {
|
|
fetchMock = vi.fn().mockResolvedValue({ ok: true, statusText: "OK" });
|
|
vi.stubGlobal("fetch", fetchMock);
|
|
});
|
|
|
|
afterEach(() => {
|
|
vi.unstubAllGlobals();
|
|
});
|
|
|
|
it("preserves same-origin country flag paths", async () => {
|
|
await archive(
|
|
buildRecord(GameType.Singleplayer, "/flags/us.svg"),
|
|
new Set(),
|
|
);
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
|
|
"/flags/us.svg",
|
|
);
|
|
});
|
|
|
|
it("preserves manifest-resolved asset paths", async () => {
|
|
await archive(
|
|
buildRecord(GameType.Singleplayer, "/_assets/flags/us-abc123.svg"),
|
|
new Set(),
|
|
);
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
|
|
"/_assets/flags/us-abc123.svg",
|
|
);
|
|
});
|
|
|
|
it("preserves cosmetic flag URLs that are in the trusted set", async () => {
|
|
const trustedUrl = "https://example.com/cool.png";
|
|
await archive(
|
|
buildRecord(GameType.Singleplayer, trustedUrl),
|
|
new Set([trustedUrl]),
|
|
);
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
|
|
trustedUrl,
|
|
);
|
|
});
|
|
|
|
it("drops attacker-controlled URLs not in the trusted set", async () => {
|
|
await archive(
|
|
buildRecord(
|
|
GameType.Singleplayer,
|
|
"https://attacker.example/payload.png",
|
|
),
|
|
new Set(["https://example.com/cool.png"]),
|
|
);
|
|
expect(
|
|
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
|
|
).toBeUndefined();
|
|
});
|
|
|
|
it("drops http URLs regardless of case", async () => {
|
|
await archive(
|
|
buildRecord(GameType.Singleplayer, "HTTP://attacker.example/x.png"),
|
|
new Set(),
|
|
);
|
|
expect(
|
|
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
|
|
).toBeUndefined();
|
|
});
|
|
|
|
it("preserves untouched player when no flag is set", async () => {
|
|
await archive(buildRecord(GameType.Singleplayer, undefined), new Set());
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics).toBeUndefined();
|
|
});
|
|
|
|
it("drops absolute URLs even when the trusted set is omitted", async () => {
|
|
await archive(
|
|
buildRecord(GameType.Singleplayer, "https://example.com/cool.png"),
|
|
);
|
|
expect(
|
|
archivedBody(fetchMock).info.players[0].cosmetics?.flag,
|
|
).toBeUndefined();
|
|
});
|
|
});
|
|
|
|
describe("archive() multiplayer paths skip sanitization", () => {
|
|
let fetchMock: ReturnType<typeof vi.fn>;
|
|
|
|
beforeEach(() => {
|
|
fetchMock = vi.fn().mockResolvedValue({ ok: true, statusText: "OK" });
|
|
vi.stubGlobal("fetch", fetchMock);
|
|
});
|
|
|
|
afterEach(() => {
|
|
vi.unstubAllGlobals();
|
|
});
|
|
|
|
it("does not modify cosmetics for public games", async () => {
|
|
const attackerUrl = "https://attacker.example/payload.png";
|
|
await archive(buildRecord(GameType.Public, attackerUrl));
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
|
|
attackerUrl,
|
|
);
|
|
});
|
|
|
|
it("does not modify cosmetics for private games", async () => {
|
|
const attackerUrl = "https://attacker.example/payload.png";
|
|
await archive(buildRecord(GameType.Private, attackerUrl));
|
|
expect(archivedBody(fetchMock).info.players[0].cosmetics.flag).toBe(
|
|
attackerUrl,
|
|
);
|
|
});
|
|
});
|