ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-15 18:30:39 +09:00
Code Issues Projects Releases Packages Wiki Activity
paperclip/server/src/__tests__/agent-auth-jwt.test.ts

80 lines
2.8 KiB
TypeScript
Raw Normal View History

Implement local agent JWT authentication for adapters Add HS256 JWT-based authentication for local adapters (claude_local, codex_local) so agents authenticate automatically without manual API key configuration. The server mints short-lived JWTs per heartbeat run and injects them as PAPERCLIP_API_KEY. The auth middleware verifies JWTs alongside existing static API keys. Includes: CLI onboard/doctor JWT secret management, env command for deployment, config path resolution from ancestor directories, dotenv loading on server startup, event payload secret redaction, multi-status issue filtering, and adapter transcript parsing for thinking/user message kinds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 16:46:45 -06:00
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { createLocalAgentJwt, verifyLocalAgentJwt } from "../agent-auth-jwt.js";
describe("agent local JWT", () => {
const secretEnv = "PAPERCLIP_AGENT_JWT_SECRET";
const ttlEnv = "PAPERCLIP_AGENT_JWT_TTL_SECONDS";
const issuerEnv = "PAPERCLIP_AGENT_JWT_ISSUER";
const audienceEnv = "PAPERCLIP_AGENT_JWT_AUDIENCE";
const originalEnv = {
secret: process.env[secretEnv],
ttl: process.env[ttlEnv],
issuer: process.env[issuerEnv],
audience: process.env[audienceEnv],
};
beforeEach(() => {
process.env[secretEnv] = "test-secret";
process.env[ttlEnv] = "3600";
delete process.env[issuerEnv];
delete process.env[audienceEnv];
vi.useFakeTimers();
});
afterEach(() => {
vi.useRealTimers();
if (originalEnv.secret === undefined) delete process.env[secretEnv];
else process.env[secretEnv] = originalEnv.secret;
if (originalEnv.ttl === undefined) delete process.env[ttlEnv];
else process.env[ttlEnv] = originalEnv.ttl;
if (originalEnv.issuer === undefined) delete process.env[issuerEnv];
else process.env[issuerEnv] = originalEnv.issuer;
if (originalEnv.audience === undefined) delete process.env[audienceEnv];
else process.env[audienceEnv] = originalEnv.audience;
});
it("creates and verifies a token", () => {
vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
const token = createLocalAgentJwt("agent-1", "company-1", "claude_local", "run-1");
expect(typeof token).toBe("string");
const claims = verifyLocalAgentJwt(token!);
expect(claims).toMatchObject({
sub: "agent-1",
company_id: "company-1",
adapter_type: "claude_local",
run_id: "run-1",
iss: "paperclip",
aud: "paperclip-api",
});
});
it("returns null when secret is missing", () => {
process.env[secretEnv] = "";
const token = createLocalAgentJwt("agent-1", "company-1", "claude_local", "run-1");
expect(token).toBeNull();
expect(verifyLocalAgentJwt("abc.def.ghi")).toBeNull();
});
it("rejects expired tokens", () => {
process.env[ttlEnv] = "1";
vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
const token = createLocalAgentJwt("agent-1", "company-1", "claude_local", "run-1");
vi.setSystemTime(new Date("2026-01-01T00:00:05.000Z"));
expect(verifyLocalAgentJwt(token!)).toBeNull();
});
it("rejects issuer/audience mismatch", () => {
process.env[issuerEnv] = "custom-issuer";
process.env[audienceEnv] = "custom-audience";
vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
const token = createLocalAgentJwt("agent-1", "company-1", "codex_local", "run-1");
process.env[issuerEnv] = "paperclip";
process.env[audienceEnv] = "paperclip-api";
expect(verifyLocalAgentJwt(token!)).toBeNull();
});
});
Reference in a new issue Copy permalink