Matt
d3960af340
Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
74 lines
2.3 KiB
TypeScript
74 lines
2.3 KiB
TypeScript
import { describe, it, expect, beforeAll } from 'vitest';
|
|
import { encrypt, decrypt } from '@/lib/utils/encryption';
|
|
|
|
const VALID_KEY = 'a'.repeat(64); // 64 hex chars = 32 bytes
|
|
|
|
beforeAll(() => {
|
|
process.env.EMAIL_CREDENTIAL_KEY = VALID_KEY;
|
|
});
|
|
|
|
describe('encrypt / decrypt', () => {
|
|
it('round-trips plaintext correctly', () => {
|
|
const plaintext = 'super secret password';
|
|
expect(decrypt(encrypt(plaintext))).toBe(plaintext);
|
|
});
|
|
|
|
it('different plaintexts produce different ciphertexts', () => {
|
|
const a = encrypt('hello');
|
|
const b = encrypt('world');
|
|
expect(a).not.toBe(b);
|
|
});
|
|
|
|
it('same plaintext produces different ciphertext on each call (random IV)', () => {
|
|
const a = encrypt('hello');
|
|
const b = encrypt('hello');
|
|
expect(a).not.toBe(b);
|
|
});
|
|
|
|
it('tampered data field throws on decrypt', () => {
|
|
const stored = JSON.parse(encrypt('tamper me')) as any;
|
|
// Flip the first hex byte of data
|
|
const originalByte = stored.data.slice(0, 2);
|
|
const flipped = originalByte === 'ff' ? '00' : 'ff';
|
|
stored.data = flipped + stored.data.slice(2);
|
|
|
|
expect(() => decrypt(JSON.stringify(stored))).toThrow();
|
|
});
|
|
|
|
it('tampered auth tag throws on decrypt', () => {
|
|
const stored = JSON.parse(encrypt('tamper tag')) as any;
|
|
const originalByte = stored.tag.slice(0, 2);
|
|
const flipped = originalByte === 'ff' ? '00' : 'ff';
|
|
stored.tag = flipped + stored.tag.slice(2);
|
|
|
|
expect(() => decrypt(JSON.stringify(stored))).toThrow();
|
|
});
|
|
|
|
it('round-trips an empty string', () => {
|
|
expect(decrypt(encrypt(''))).toBe('');
|
|
});
|
|
|
|
it('round-trips unicode text', () => {
|
|
const unicode = '日本語テスト 🚢 αβγ';
|
|
expect(decrypt(encrypt(unicode))).toBe(unicode);
|
|
});
|
|
|
|
it('throws when EMAIL_CREDENTIAL_KEY is missing', () => {
|
|
const savedKey = process.env.EMAIL_CREDENTIAL_KEY;
|
|
delete process.env.EMAIL_CREDENTIAL_KEY;
|
|
|
|
expect(() => encrypt('test')).toThrow('EMAIL_CREDENTIAL_KEY');
|
|
|
|
process.env.EMAIL_CREDENTIAL_KEY = savedKey;
|
|
});
|
|
|
|
it('throws when EMAIL_CREDENTIAL_KEY is wrong length', () => {
|
|
const savedKey = process.env.EMAIL_CREDENTIAL_KEY;
|
|
process.env.EMAIL_CREDENTIAL_KEY = 'tooshort';
|
|
|
|
expect(() => encrypt('test')).toThrow('EMAIL_CREDENTIAL_KEY');
|
|
|
|
process.env.EMAIL_CREDENTIAL_KEY = savedKey;
|
|
});
|
|
});
|