test: Add grants explorer test suite and auth security fix #500

Draft
minimalsm wants to merge 3 commits into feature/private-grants-explorer from feature/grants-explorer-tests

Conversation

@minimalsm
Contributor

Summary

  • Add comprehensive test suite for grants explorer features (66 tests)
  • Fix critical auth security vulnerability (forgeable tokens → HMAC-SHA256 signed tokens)

Test Coverage

| File | Tests | Purpose |
| --- | --- | --- |
| fiscalYear.test.ts | 22 | Fiscal quarter derivation |
| grants.test.ts | 17 | SF record mapping |
| internal-auth.test.ts | 19 | Auth token security |
| grants-public.test.ts | 8 | Public data exposure prevention |

Security Fix

  • Replaced base64 cookie (forgeable) with HMAC-SHA256 signed tokens
  • Added timing-safe comparison to prevent timing attacks
  • Added isAuthorizedEmail() domain validation
  • New env var required: INTERNAL_AUTH_SECRET

Dependencies

Merge after:

- Add fiscalYear utility tests (22 tests)
  - deriveFiscalQuarter for all quarters
  - getFiscalYearStart with date mocking
  - extractFiscalYear string parsing

- Add grants mapping tests (17 tests)
  - mapSFRecordToGrant field mapping
  - mapSFRecordToPrivateGrant with private fields
  - Null/undefined field handling
  - Type compliance verification

- Export mapping functions for testability

BREAKING: Requires INTERNAL_AUTH_SECRET environment variable

Security improvements:
- Replace base64 cookies with HMAC-SHA256 signed tokens
- Forged cookies are now rejected (signature verification)
- Add isAuthorizedEmail() for strict @ethereum.org validation
- Double-check email domain in getServerSideProps

Tests (TDD):
- 19 auth security tests covering:
  - Token signing and verification
  - Forged token rejection
  - Tampered token detection
  - Email domain validation
  - Timing-safe signature comparison

New environment variable required:
- INTERNAL_AUTH_SECRET (min 32 chars)

Add tests specific to public grants explorer (#497):
- Verify GrantRecord type doesn't expose private fields
- Test PUBLIC_RECORD_TYPES whitelist configuration
- Ensure sensitive record types excluded from public view
- Verify EXCLUDED_STAGES for in-progress grants
- Test query security (no private fields in public query)
- Compare public vs private grant field structures
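An added example (not code from the ethereum.org repository or from this PR) of the token scheme that the Security Fix section and the second commit message describe: HMAC-SHA256 signed tokens checked with a timing-safe comparison, plus a strict isAuthorizedEmail() domain check that is repeated on verification. The token layout, the helper names other than isAuthorizedEmail, and the constructed secret are assumptions; the real secret would come from INTERNAL_AUTH_SECRET.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed placeholder; in the project this would be process.env.INTERNAL_AUTH_SECRET.
const SECRET = "constructed-example-secret-with-at-least-32-chars";
const AUTHORIZED_DOMAIN = "ethereum.org";

// Accept only a single "local@ethereum.org" address with an exact domain match,
// so "x@ethereum.org.evil.example" and "x@sub.ethereum.org" are rejected.
export function isAuthorizedEmail(email: string): boolean {
  const parts = email.trim().toLowerCase().split("@");
  return parts.length === 2 && parts[0].length > 0 && parts[1] === AUTHORIZED_DOMAIN;
}

function hmacOf(payload: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(payload).digest();
}

// Assumed token layout: base64url(JSON payload) + "." + base64url(HMAC-SHA256(payload)).
// Unlike a plain base64 cookie, the second part cannot be produced without the secret.
export function signToken(email: string, secret: string = SECRET): string {
  if (secret.length < 32) throw new Error("INTERNAL_AUTH_SECRET must be at least 32 chars");
  const payload = Buffer.from(JSON.stringify({ email })).toString("base64url");
  return `${payload}.${hmacOf(payload, secret).toString("base64url")}`;
}

// Returns the email on success, null for forged, tampered or non-@ethereum.org tokens.
export function verifyToken(token: string, secret: string = SECRET): string | null {
  const [payload, sig, ...rest] = token.split(".");
  if (!payload || !sig || rest.length > 0) return null;
  const expected = hmacOf(payload, secret);
  const given = Buffer.from(sig, "base64url");
  // Length check first: timingSafeEqual throws on unequal lengths, and a
  // length mismatch can never be a valid signature anyway.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let email: unknown;
  try {
    email = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")).email;
  } catch {
    return null;
  }
  // Domain is re-checked on every verification, mirroring the getServerSideProps double-check.
  return typeof email === "string" && isAuthorizedEmail(email) ? email : null;
}
```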