kaikai_test/test/access-password.test.js

import test from "node:test";
import assert from "node:assert/strict";
import { readFile } from "node:fs/promises";

const server = await readFile(new URL("../src/server.js", import.meta.url), "utf8");
const desktopHtml = await readFile(new URL("../public/index.html", import.meta.url), "utf8");
const desktopJs = await readFile(new URL("../public/app.js", import.meta.url), "utf8");
const desktopCss = await readFile(new URL("../public/styles.css", import.meta.url), "utf8");
const mobileHtml = await readFile(new URL("../public/mobile.html", import.meta.url), "utf8");
const mobileJs = await readFile(new URL("../public/mobile.js", import.meta.url), "utf8");
const mobileCss = await readFile(new URL("../public/mobile.css", import.meta.url), "utf8");
const rankingsJs = await readFile(new URL("../public/rankings.js", import.meta.url), "utf8");

test("server supports optional shared access password authentication", () => {
  assert.match(server, /HOTNESS_ACCESS_PASSWORD/);
  assert.match(server, /\/api\/auth\/status/);
  assert.match(server, /\/api\/auth\/login/);
  assert.match(server, /isAuthorizedRequest/);
  assert.match(server, /sendAuthRequired/);
  assert.match(server, /x-hotness-auth-token/i);
});

test("desktop page has a password gate and sends auth token with API calls", () => {
  assert.match(desktopHtml, /id="auth-gate"/);
  assert.match(desktopHtml, /id="auth-password"/);
  assert.match(desktopJs, /HOTNESS_AUTH_TOKEN_KEY/);
  assert.match(desktopJs, /ensureAccessAuth/);
  assert.match(desktopJs, /authHeaders/);
  assert.match(desktopJs, /x-hotness-auth-token/i);
  assert.match(desktopCss, /\.auth-gate/);
});

test("desktop login submit is bound before the rest of the app can fail", () => {
  const authBinding = desktopJs.indexOf('authForm?.addEventListener("submit"');
  const authClickBinding = desktopJs.indexOf('authSubmit?.addEventListener("click"');
  const collectBinding = desktopJs.indexOf('form.addEventListener("submit"');
  assert.ok(authBinding > -1, "auth submit binding should exist");
  assert.ok(authClickBinding > -1, "auth button click binding should exist");
  assert.ok(collectBinding > -1, "collect submit binding should exist");
  assert.ok(authBinding < collectBinding, "auth binding must run before normal app bindings");
  assert.ok(authClickBinding < collectBinding, "auth click binding must run before normal app bindings");
});

test("mobile page has the same password gate for cloud use", () => {
  assert.match(mobileHtml, /id="auth-gate"/);
  assert.match(mobileHtml, /id="auth-password"/);
  assert.match(mobileJs, /HOTNESS_AUTH_TOKEN_KEY/);
  assert.match(mobileJs, /ensureAccessAuth/);
  assert.match(mobileJs, /authHeaders/);
  assert.match(mobileJs, /x-hotness-auth-token/i);
  assert.match(mobileCss, /\.auth-gate/);
});

test("mobile login submit is bound before normal capture events", () => {
  const authBinding = mobileJs.indexOf('authForm?.addEventListener("submit"');
  const authClickBinding = mobileJs.indexOf('authSubmit?.addEventListener("click"');
  const collectBinding = mobileJs.indexOf('form.addEventListener("submit"');
  assert.ok(authBinding > -1, "auth submit binding should exist");
  assert.ok(authClickBinding > -1, "auth button click binding should exist");
  assert.ok(collectBinding > -1, "collect submit binding should exist");
  assert.ok(authBinding < collectBinding, "auth binding must run before normal app bindings");
  assert.ok(authClickBinding < collectBinding, "auth click binding must run before normal app bindings");
});

test("ranking radar requests respect the shared cloud login token", () => {
  assert.match(rankingsJs, /HOTNESS_AUTH_TOKEN_KEY/);
  assert.match(rankingsJs, /authHeaders/);
  assert.match(rankingsJs, /x-hotness-auth-token/i);
  assert.match(rankingsJs, /requires_auth/);
  assert.match(rankingsJs, /hotness:auth-updated/);
});

test("desktop login notifies secondary modules after auth succeeds", () => {
  assert.match(desktopJs, /hotness:auth-updated/);
});