UNPKG

@mintlify/common

Version:

Commonly shared code within Mintlify

42 lines (41 loc) 2.34 kB
import { describe, expect, it } from 'vitest'; import { isAllowedRedirectUri } from './isAllowedRedirectUri.js'; describe('isAllowedRedirectUri', () => { it('allows loopback addresses', () => { expect(isAllowedRedirectUri('http://localhost:3000/callback', [])).toBe(true); expect(isAllowedRedirectUri('http://127.0.0.1:8080/callback', [])).toBe(true); expect(isAllowedRedirectUri('http://[::1]:3000/callback', [])).toBe(true); }); it('rejects dangerous protocols', () => { expect(isAllowedRedirectUri('javascript:alert(1)', [])).toBe(false); expect(isAllowedRedirectUri('data:text/html,<h1>hi</h1>', [])).toBe(false); expect(isAllowedRedirectUri('vbscript:msgbox', [])).toBe(false); expect(isAllowedRedirectUri('file:///etc/passwd', [])).toBe(false); expect(isAllowedRedirectUri('about:blank', [])).toBe(false); expect(isAllowedRedirectUri('blob:http://example.com/abc', [])).toBe(false); }); it('allows domains in the allowed list (plain hostname)', () => { expect(isAllowedRedirectUri('https://example.com/callback', ['example.com'])).toBe(true); }); it('rejects non-https for plain hostname entries', () => { expect(isAllowedRedirectUri('http://example.com/callback', ['example.com'])).toBe(false); }); it('allows domains in the allowed list (full URL entry)', () => { expect(isAllowedRedirectUri('https://example.com/callback', ['https://example.com'])).toBe(true); }); it('allows matching protocol+hostname for URL entries', () => { expect(isAllowedRedirectUri('http://example.com/callback', ['http://example.com'])).toBe(true); }); it('rejects mismatched protocol for URL entries', () => { expect(isAllowedRedirectUri('http://example.com/callback', ['https://example.com'])).toBe(false); }); it('rejects domains not in the allowed list', () => { expect(isAllowedRedirectUri('https://evil.com/callback', ['example.com'])).toBe(false); }); it('returns false for invalid URIs', () => { expect(isAllowedRedirectUri('not-a-url', ['example.com'])).toBe(false); }); it('returns false for invalid entries in allowed domains', () => { expect(isAllowedRedirectUri('https://example.com/cb', ['://invalid'])).toBe(false); }); });