test: Add security audit tests for issues #727-#730 (#827)
Merged: Mystery-CLI merged 4 commits, Jun 26, 2026
- Tests for all required security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP, Permissions-Policy)
- Validates headers on both HTML and API (JSON) endpoints
- Tests header values and coverage
- Ensures audit fails if any required header is missing
- Covers 23 test cases for comprehensive header validation
- Validates memo length (max 28 bytes) using UTF-8 byte counting
- Validates memo character content (printable ASCII only)
- Tests MEMO_TEXT, MEMO_ID, MEMO_HASH/MEMO_RETURN type-specific validation
- Validates trimming of leading/trailing whitespace
- Tests logging sanitization to prevent information leakage
- Covers 44 test cases for comprehensive memo validation
- Ensures InvalidMemoError with clear messages for all violation types
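The memo rules listed in this commit, worked through as an added example (this is not code from the PR or the Mystery-CLI project). `InvalidMemoError` is the error name the commit message uses; the `MEMO_ID` and `MEMO_HASH`/`MEMO_RETURN` limits assume Stellar memo semantics (an unsigned 64-bit id and a 32-byte hash), which the commit does not spell out, and the function names `validateMemo`, `validateMemoText`, `validateMemoId`, `validateMemoHash` and `memoForLog` are assumptions. The point worth seeing in code is that the 28-byte limit is enforced on UTF-8 byte length rather than on JavaScript string length, which undercounts multibyte characters.

```javascript
// Added example (not the project's code): memo validation rules from the commit.
// InvalidMemoError comes from the PR; the MEMO_ID / MEMO_HASH limits assume
// Stellar memo semantics and the function names are assumptions.
const MEMO_TEXT_MAX_BYTES = 28;
const UINT64_MAX = (1n << 64n) - 1n;

class InvalidMemoError extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidMemoError';
  }
}

// MEMO_TEXT: trim, enforce the 28-byte limit on UTF-8 byte length (not on
// string length, which undercounts multibyte characters), then require
// printable ASCII (0x20..0x7E) so control and non-ASCII characters never pass.
function validateMemoText(value) {
  if (typeof value !== 'string') throw new InvalidMemoError('MEMO_TEXT must be a string');
  const memo = value.trim();
  if (memo.length === 0) throw new InvalidMemoError('MEMO_TEXT must not be empty after trimming');
  const bytes = Buffer.byteLength(memo, 'utf8');
  if (bytes > MEMO_TEXT_MAX_BYTES) {
    throw new InvalidMemoError(`MEMO_TEXT is ${bytes} bytes; the maximum is ${MEMO_TEXT_MAX_BYTES}`);
  }
  if (!/^[\x20-\x7E]*$/.test(memo)) {
    throw new InvalidMemoError('MEMO_TEXT must contain only printable ASCII characters');
  }
  return memo;
}

// MEMO_ID: an unsigned 64-bit integer, accepted as a digit string or a number.
function validateMemoId(value) {
  const text = String(value).trim();
  if (!/^\d+$/.test(text)) throw new InvalidMemoError('MEMO_ID must be an unsigned integer');
  const id = BigInt(text);
  if (id > UINT64_MAX) throw new InvalidMemoError('MEMO_ID exceeds 64 bits');
  return id.toString(); // canonical form, leading zeros dropped
}

// MEMO_HASH / MEMO_RETURN: exactly 32 bytes, supplied as 64 hex characters.
function validateMemoHash(value) {
  if (typeof value !== 'string') throw new InvalidMemoError('memo hash must be a string');
  const hex = value.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new InvalidMemoError('MEMO_HASH/MEMO_RETURN must be 32 bytes given as 64 hex characters');
  }
  return hex;
}

// Dispatch on memo type; every violation surfaces as InvalidMemoError.
function validateMemo(type, value) {
  switch (type) {
    case 'MEMO_TEXT': return validateMemoText(value);
    case 'MEMO_ID': return validateMemoId(value);
    case 'MEMO_HASH':
    case 'MEMO_RETURN': return validateMemoHash(value);
    default: throw new InvalidMemoError(`unknown memo type: ${String(type)}`);
  }
}

// Log-safe description: reports only type and size, never the memo itself,
// so rejected input cannot leak into log files.
function memoForLog(type, value) {
  const size = typeof value === 'string' ? Buffer.byteLength(value, 'utf8') : String(value).length;
  return `${type}[${size} bytes]`;
}
```

Byte counting runs before the ASCII check on purpose: a 15-character string of two-byte characters is reported as 30 bytes over the limit, which is the message a caller debugging a truncated memo needs, rather than a generic character-set error.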
- Per-account lockout after 10 failed attempts within 15-minute window
- Per-IP lockout after 20 failed attempts to prevent NAT-based bypass
- Exponential backoff: 1m, 2m, 4m, 8m up to 24-hour maximum
- Redis-based attempt tracking with automatic TTL expiry
- Tests successful login resets attempt counter
- Tests manual admin unlock mechanism
- Tests Retry-After header calculation
- Covers 34 test cases for comprehensive rate limiting validation
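The lockout policy in this commit, worked through as an added example (not code from the PR or the project). It keeps the thresholds the commit states (10 failures per account, 20 per IP, a 15-minute counting window, backoff doubling from 1 minute up to 24 hours) and stands in for Redis with a small in-memory TTL store plus an injectable clock so the window and the backoff sequence can be exercised deterministically. The `TtlStore` and `LoginLimiter` names, the key layout, and the choice to reset the failure counter when a lock is applied are assumptions.

```javascript
// Added example (not the project's code): account/IP lockout with exponential
// backoff. Thresholds are from the commit; names and key layout are assumptions.
const WINDOW_MS = 15 * 60 * 1000;        // failed attempts counted per 15-minute window
const ACCOUNT_LIMIT = 10;                 // per-account lockout threshold
const IP_LIMIT = 20;                      // per-IP threshold, so NAT'd clients cannot rotate accounts
const BASE_LOCK_MS = 60 * 1000;           // first lockout lasts 1 minute
const MAX_LOCK_MS = 24 * 60 * 60 * 1000;  // backoff ceiling of 24 hours

// Tiny TTL key/value store standing in for Redis INCR / SET EX / DEL.
class TtlStore {
  constructor(clock) { this.clock = clock; this.map = new Map(); }
  get(key) {
    const entry = this.map.get(key);
    if (!entry) return undefined;
    if (entry.expires <= this.clock()) { this.map.delete(key); return undefined; }
    return entry.value;
  }
  set(key, value, ttlMs) { this.map.set(key, { value, expires: this.clock() + ttlMs }); }
  // INCR whose TTL starts only when the key is created: a fixed window, not a sliding one.
  incr(key, ttlMs) {
    const entry = this.map.get(key);
    if (entry && entry.expires > this.clock()) { entry.value += 1; return entry.value; }
    this.set(key, 1, ttlMs);
    return 1;
  }
  del(key) { this.map.delete(key); }
}

class LoginLimiter {
  constructor(clock = Date.now) { this.clock = clock; this.store = new TtlStore(clock); }

  // Call before checking credentials; retryAfter is the Retry-After header value in seconds.
  check(account, ip) {
    const now = this.clock();
    const until = Math.max(this.store.get(`lock:acct:${account}`) || 0,
                           this.store.get(`lock:ip:${ip}`) || 0);
    if (until > now) return { allowed: false, retryAfter: Math.ceil((until - now) / 1000) };
    return { allowed: true, retryAfter: 0 };
  }

  recordFailure(account, ip) {
    if (this.store.incr(`fail:acct:${account}`, WINDOW_MS) >= ACCOUNT_LIMIT) this._lock(`acct:${account}`);
    if (this.store.incr(`fail:ip:${ip}`, WINDOW_MS) >= IP_LIMIT) this._lock(`ip:${ip}`);
  }

  // A successful login clears the account's attempt counter and its backoff level.
  recordSuccess(account) {
    this.store.del(`fail:acct:${account}`);
    this.store.del(`locks:acct:${account}`);
  }

  // Manual admin unlock: clears the active lock as well as the counters.
  adminUnlock(account) {
    this.recordSuccess(account);
    this.store.del(`lock:acct:${account}`);
  }

  // Consecutive lockouts double in length: 1m, 2m, 4m, 8m ... capped at 24h.
  _lock(subject) {
    const level = this.store.incr(`locks:${subject}`, MAX_LOCK_MS);
    const durationMs = Math.min(BASE_LOCK_MS * 2 ** (level - 1), MAX_LOCK_MS);
    this.store.set(`lock:${subject}`, this.clock() + durationMs, durationMs);
    this.store.del(`fail:${subject}`); // the next lockout needs a fresh run of failures
  }
}
```

The per-IP counter is what defeats the account-rotation bypass: twenty failures spread over twenty different usernames from one address still lock that address, while an unrelated address for the same username is unaffected.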
- Single-secret configuration for backward compatibility
- Dual-secret configuration for zero-downtime rotation window
- Tests token verification with both current and previous secrets
- Transparent token re-issuing from previous to current secret
- No service restart required during rotation
- Tests rotation procedure: set previous, generate new, deploy, wait, clear
- Tests token TTL (15 min) vs refresh token TTL (7 days)
- Environment variable configuration (JWT_SECRET_CURRENT/PREVIOUS)
- Covers 34 test cases for comprehensive JWT rotation validation
@famvilianity-eng Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Overview
This PR adds comprehensive test-only implementations for four critical security issues:
#730: Security Headers Audit
#729: Memo Sanitization
#728: Brute-Force Lockout
#727: JWT Secret Rotation
Test Coverage
Commits
Testing
All tests verified locally and passing:
npm test -- backend/tests/security-headers-audit.test.js ✅
npm test -- backend/tests/memo-sanitization.test.js ✅
npm test -- backend/tests/brute-force-lockout.test.js ✅
npm test -- backend/tests/jwt-secret-rotation.test.js ✅

These test files define the expected behavior and can be used as specifications for implementation.
Closes #727
Closes #728
Closes #729
Closes #730