mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-18 20:22:42 -06:00
2ad9f54b8e
A dedicated public-API suite (boots the real server as a subprocess) so CI green proves the token layer, not just the pre-existing tests: - Partition firewall, derived from the SAME config/api-surface.js server.js mounts from: every JWT-only router 401s a token; a public-surface snapshot fails if any router is added to the token door; known-privileged routers asserted JWT-only. - Threat model: role-strip gates, workspace-binding both directions (token ignores X-Workspace-Id, JWT honors it), the scope ladder, the render bypass, token lifecycle, and JWT no-regression. - Device WS round-trip via socket.io-client (added as a devDep): valid device_token registers + receives its playlist; wrong token rejected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| config | ||
| db | ||
| lib | ||
| middleware | ||
| player | ||
| routes | ||
| scripts | ||
| services | ||
| test | ||
| ws | ||
| .gitignore | ||
| config.js | ||
| package-lock.json | ||
| package.json | ||
| server.js | ||
| version.js | ||