test-security.js

const axios = require("axios");

const BASE_URL = process.env.TEST_URL || "http://localhost:3049";

async function testSecurityFeatures() {
  console.log("🔒 Testing Security Features\n");

  try {
    // Test 1: Rate Limiting
    console.log("1. Testing Rate Limiting...");
    const promises = [];
    for (let i = 0; i < 15; i++) {
      promises.push(axios.get(`${BASE_URL}/health`));
    }

    try {
      await Promise.all(promises);
      console.log("   ❌ Rate limiting not working (all requests succeeded)");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 2: Input Validation - Invalid Event ID
    console.log("\n2. Testing Input Validation...");
    try {
      await axios.get(`${BASE_URL}/events/invalid`);
      console.log("   ❌ Invalid event ID accepted");
    } catch (error) {
      if (error.response?.status === 400) {
        console.log("   ✅ Invalid event ID properly rejected");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 3: Input Validation - Invalid Purchase ID
    try {
      await axios.get(`${BASE_URL}/tickets/invalid-uuid`);
      console.log("   ❌ Invalid purchase ID accepted");
    } catch (error) {
      if (error.response?.status === 400) {
        console.log("   ✅ Invalid purchase ID properly rejected");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 4: Security Headers
    console.log("\n3. Testing Security Headers...");
    try {
      const response = await axios.get(`${BASE_URL}/health`);
      const headers = response.headers;

      const securityHeaders = {
        "X-Content-Type-Options": headers["x-content-type-options"],
        "X-Frame-Options": headers["x-frame-options"],
        "X-XSS-Protection": headers["x-xss-protection"],
        "Strict-Transport-Security": headers["strict-transport-security"],
      };

      console.log("   Security Headers:");
      Object.entries(securityHeaders).forEach(([header, value]) => {
        if (value) {
          console.log(`     ✅ ${header}: ${value}`);
        } else {
          console.log(`     ❌ ${header}: Missing`);
        }
      });
    } catch (error) {
      console.log("   ❌ Error checking security headers:", error.message);
    }

    // Test 5: Admin Rate Limiting
    console.log("\n4. Testing Admin Rate Limiting...");
    const adminPromises = [];
    for (let i = 0; i < 25; i++) {
      adminPromises.push(axios.get(`${BASE_URL}/admin/pdf-stats`));
    }

    try {
      await Promise.all(adminPromises);
      console.log("   ❌ Admin rate limiting not working");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Admin rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 6: Purchase Rate Limiting
    console.log("\n5. Testing Purchase Rate Limiting...");
    const purchasePromises = [];
    for (let i = 0; i < 15; i++) {
      purchasePromises.push(axios.post(`${BASE_URL}/buy/1`));
    }

    try {
      await Promise.all(purchasePromises);
      console.log("   ❌ Purchase rate limiting not working");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Purchase rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    console.log("\n✅ Security Tests Completed!");
  } catch (error) {
    console.error("❌ Test failed:", error.message);
  }
}

// Run the security tests
testSecurityFeatures();
feat: add integration and setup tests and complete code review fixes 2025-08-14 22:41:48 +01:00			`const axios = require("axios");`

			`const BASE_URL = process.env.TEST_URL \|\| "http://localhost:3049";`

			`async function testSecurityFeatures() {`
			`console.log("🔒 Testing Security Features\n");`

			`try {`
			`// Test 1: Rate Limiting`
			`console.log("1. Testing Rate Limiting...");`
			`const promises = [];`
			`for (let i = 0; i < 15; i++) {`
			promises.push(axios.get(`${BASE_URL}/health`));
			`}`

			`try {`
			`await Promise.all(promises);`
			`console.log(" ❌ Rate limiting not working (all requests succeeded)");`
			`} catch (error) {`
			`if (error.response?.status === 429) {`
			`console.log(" ✅ Rate limiting working correctly");`
			`} else {`
			`console.log(" ❌ Unexpected error:", error.message);`
			`}`
			`}`

			`// Test 2: Input Validation - Invalid Event ID`
			`console.log("\n2. Testing Input Validation...");`
			`try {`
			await axios.get(`${BASE_URL}/events/invalid`);
			`console.log(" ❌ Invalid event ID accepted");`
			`} catch (error) {`
			`if (error.response?.status === 400) {`
			`console.log(" ✅ Invalid event ID properly rejected");`
			`} else {`
			`console.log(" ❌ Unexpected error:", error.message);`
			`}`
			`}`

			`// Test 3: Input Validation - Invalid Purchase ID`
			`try {`
			await axios.get(`${BASE_URL}/tickets/invalid-uuid`);
			`console.log(" ❌ Invalid purchase ID accepted");`
			`} catch (error) {`
			`if (error.response?.status === 400) {`
			`console.log(" ✅ Invalid purchase ID properly rejected");`
			`} else {`
			`console.log(" ❌ Unexpected error:", error.message);`
			`}`
			`}`

			`// Test 4: Security Headers`
			`console.log("\n3. Testing Security Headers...");`
			`try {`
			const response = await axios.get(`${BASE_URL}/health`);
			`const headers = response.headers;`

			`const securityHeaders = {`
			`"X-Content-Type-Options": headers["x-content-type-options"],`
			`"X-Frame-Options": headers["x-frame-options"],`
			`"X-XSS-Protection": headers["x-xss-protection"],`
			`"Strict-Transport-Security": headers["strict-transport-security"],`
			`};`

			`console.log(" Security Headers:");`
			`Object.entries(securityHeaders).forEach(([header, value]) => {`
			`if (value) {`
			console.log(` ✅ ${header}: ${value}`);
			`} else {`
			console.log(` ❌ ${header}: Missing`);
			`}`
			`});`
			`} catch (error) {`
			`console.log(" ❌ Error checking security headers:", error.message);`
			`}`

			`// Test 5: Admin Rate Limiting`
			`console.log("\n4. Testing Admin Rate Limiting...");`
			`const adminPromises = [];`
			`for (let i = 0; i < 25; i++) {`
			adminPromises.push(axios.get(`${BASE_URL}/admin/pdf-stats`));
			`}`

			`try {`
			`await Promise.all(adminPromises);`
			`console.log(" ❌ Admin rate limiting not working");`
			`} catch (error) {`
			`if (error.response?.status === 429) {`
			`console.log(" ✅ Admin rate limiting working correctly");`
			`} else {`
			`console.log(" ❌ Unexpected error:", error.message);`
			`}`
			`}`

			`// Test 6: Purchase Rate Limiting`
			`console.log("\n5. Testing Purchase Rate Limiting...");`
			`const purchasePromises = [];`
			`for (let i = 0; i < 15; i++) {`
			purchasePromises.push(axios.post(`${BASE_URL}/buy/1`));
			`}`

			`try {`
			`await Promise.all(purchasePromises);`
			`console.log(" ❌ Purchase rate limiting not working");`
			`} catch (error) {`
			`if (error.response?.status === 429) {`
			`console.log(" ✅ Purchase rate limiting working correctly");`
			`} else {`
			`console.log(" ❌ Unexpected error:", error.message);`
			`}`
			`}`

			`console.log("\n✅ Security Tests Completed!");`
			`} catch (error) {`
			`console.error("❌ Test failed:", error.message);`
			`}`
			`}`

			`// Run the security tests`
			`testSecurityFeatures();`