stealth-req-api/test-security.ts at main · CloverLabsAI/stealth-req-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import { createStealthClient } from './src/index.js';

const SERVER_URL = 'http://localhost:3000';

async function testSecurity() {
  console.log('🔒 Testing Proxy Secret Authentication\n');

  // Test 1: Without secret (should fail if PROXY_SECRET is set)
  console.log('Test 1: Request without secret...');
  try {
    const clientNoSecret = createStealthClient({
      baseURL: SERVER_URL,
      timeout: 5000
    });
    await clientNoSecret.get('https://httpbin.org/get');
    console.log('✓ Request succeeded (PROXY_SECRET not set on server)\n');
  } catch (error: any) {
    if (error.response?.status === 401) {
      console.log('✓ Request blocked with 401 Unauthorized (security working!)\n');
    } else {
      console.log(`✗ Unexpected error: ${error.message}\n`);
    }
  }

  // Test 2: With wrong secret (should fail)
  console.log('Test 2: Request with wrong secret...');
  try {
    const clientWrongSecret = createStealthClient({
      baseURL: SERVER_URL,
      proxySecret: 'wrong-secret-12345',
      timeout: 5000
    });
    await clientWrongSecret.get('https://httpbin.org/get');
    console.log('✗ Request succeeded with wrong secret (security issue!)\n');
  } catch (error: any) {
    if (error.response?.status === 401) {
      console.log('✓ Request blocked with 401 Unauthorized (security working!)\n');
    } else {
      console.log(`✗ Unexpected error: ${error.message}\n`);
    }
  }

  // Test 3: With correct secret (should succeed)
  console.log('Test 3: Request with correct secret...');
  try {
    const clientCorrectSecret = createStealthClient({
      baseURL: SERVER_URL,
      proxySecret: process.env.PROXY_SECRET,
      timeout: 5000
    });
    const response = await clientCorrectSecret.get('https://httpbin.org/get');
    if (response.status === 200) {
      console.log('✓ Request succeeded with correct secret!\n');
    }
  } catch (error: any) {
    if (error.response?.status === 401) {
      console.log('✗ Request blocked even with correct secret\n');
      console.log('   Make sure PROXY_SECRET env var matches server\n');
    } else {
      console.log(`✗ Error: ${error.message}\n`);
    }
  }

  console.log('🔒 Security test complete!');
  process.exit(0);
}

testSecurity().catch(console.error);