719c340735
- Implemented comprehensive tests for security toggle handlers in `security_toggles_test.go`, covering enable/disable functionality for ACL, WAF, Cerberus, CrowdSec, and RateLimit. - Added sample JSON response for CrowdSec decisions in `lapi_decisions_response.json`. - Created aggressive preset configuration for CrowdSec in `preset_aggressive.json`. - Documented backend coverage, security fixes, and E2E testing improvements in `2026-02-02_backend_coverage_security_fix.md`. - Developed a detailed backend test coverage restoration plan in `current_spec.md` to address existing gaps and improve overall test coverage to 86%+.
3.2 KiB
Backend Coverage, Security & E2E Fixes
Date: 2026-02-02 Context: Remediation of critical security vulnerabilities, backend test coverage improvements, and cross-browser E2E stability.
1. Architectural Constraint: Concrete Types vs Interfaces
Problem
Initial attempts to increase test coverage for ConfigLoader and ConfigManager relied on mocking interfaces (IConfigLoader, IConfigManager). This approach proved problematic:
- Brittleness: Mocks required constant updates whenever internal implementation details changed.
- False Confidence: Mocks masked actual integration issues, particularly with file system interactions.
- Complexity: The setup for mocks became more complex than the code being tested.
Solution: Real Dependency Pattern
We shifted strategy to test concrete types instead of mocks for these specific components.
- Why:
ConfigLoaderandConfigManagerare "leaf" nodes in the dependency graph responsible for IO. Testing them with real (temporary) files system operations provides higher value. - Implementation:
- Tests now create temporary directories using
t.TempDir(). - Concrete
NewConfigLoaderandNewConfigManagerare instantiated. - Assertions verify actual file creation and content on disk.
- Tests now create temporary directories using
2. Security Fix: SafeJoin Remediation
Vulnerability
Three critical vulnerabilities were identified where filepath.Join was used with user-controlled input, creating a risk of Path Traversal attacks.
Locations:
backend/internal/caddy/config_loader.gobackend/internal/caddy/config_manager.gobackend/internal/caddy/import_handler.go
Fix
Replaced all risky filepath.Join calls with utils.SafeJoin.
Mechanism:
utils.SafeJoin(base, path) performs the following checks:
- Joins the paths.
- Cleans the resulting path.
- Verifies that the resulting path still has the
basepath as a prefix. - Returns an error if the path attempts to traverse outside the base.
3. E2E Fix: WebKit/Firefox Switch Interaction
Issue
E2E tests involving the Switch component (shadcn/ui) were reliably passing in Chromium but failing in WebKit (Safari) and Firefox.
- Symptoms: Timeouts,
click interceptederrors, or assertions failing because the switch state didn't change. - Root Cause: The underlying
<input type="checkbox">is often visually hidden or covered by the styled toggle element. Chromium's event dispatching is slightly more forgiving, while WebKit/Firefox adhere strictly to visibility and hit-testing rules.
Fix
Refactored tests/utils/ui-helpers.ts to improve interaction reliability.
- Semantic Clicks: Instead of trying to force-click the input or specific coordinates, we now locate the accessible label or the wrapper element that handles the click event.
- Explicit State Verification: Replaced arbitrary
waitForTimeoutcalls with smart polling assertions:// Before await toggle.click(); await page.waitForTimeout(500); // After await toggle.click(); await expect(toggle).toBeChecked({ timeout: 5000 }); - Result: 100% pass rate across all three browser engines for System Settings and User Management tests.