@mintlify/common
Version:
Commonly shared code within Mintlify
42 lines (41 loc) • 2.34 kB
JavaScript
import { describe, expect, it } from 'vitest';
import { isAllowedRedirectUri } from './isAllowedRedirectUri.js';
describe('isAllowedRedirectUri', () => {
it('allows loopback addresses', () => {
expect(isAllowedRedirectUri('http://localhost:3000/callback', [])).toBe(true);
expect(isAllowedRedirectUri('http://127.0.0.1:8080/callback', [])).toBe(true);
expect(isAllowedRedirectUri('http://[::1]:3000/callback', [])).toBe(true);
});
it('rejects dangerous protocols', () => {
expect(isAllowedRedirectUri('javascript:alert(1)', [])).toBe(false);
expect(isAllowedRedirectUri('data:text/html,<h1>hi</h1>', [])).toBe(false);
expect(isAllowedRedirectUri('vbscript:msgbox', [])).toBe(false);
expect(isAllowedRedirectUri('file:///etc/passwd', [])).toBe(false);
expect(isAllowedRedirectUri('about:blank', [])).toBe(false);
expect(isAllowedRedirectUri('blob:http://example.com/abc', [])).toBe(false);
});
it('allows domains in the allowed list (plain hostname)', () => {
expect(isAllowedRedirectUri('https://example.com/callback', ['example.com'])).toBe(true);
});
it('rejects non-https for plain hostname entries', () => {
expect(isAllowedRedirectUri('http://example.com/callback', ['example.com'])).toBe(false);
});
it('allows domains in the allowed list (full URL entry)', () => {
expect(isAllowedRedirectUri('https://example.com/callback', ['https://example.com'])).toBe(true);
});
it('allows matching protocol+hostname for URL entries', () => {
expect(isAllowedRedirectUri('http://example.com/callback', ['http://example.com'])).toBe(true);
});
it('rejects mismatched protocol for URL entries', () => {
expect(isAllowedRedirectUri('http://example.com/callback', ['https://example.com'])).toBe(false);
});
it('rejects domains not in the allowed list', () => {
expect(isAllowedRedirectUri('https://evil.com/callback', ['example.com'])).toBe(false);
});
it('returns false for invalid URIs', () => {
expect(isAllowedRedirectUri('not-a-url', ['example.com'])).toBe(false);
});
it('returns false for invalid entries in allowed domains', () => {
expect(isAllowedRedirectUri('https://example.com/cb', ['://invalid'])).toBe(false);
});
});