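const axios = require("axios");

// Service under test; override with TEST_URL for CI or a remote deployment.
const BASE_URL = process.env.TEST_URL || "http://localhost:3049";

// Resolve on every HTTP status so that expected 400/429 answers can be read
// from `response.status` directly. Only transport-level failures
// (connection refused, timeout, DNS) still reject.
const ANY_STATUS = { validateStatus: () => true };

// Response headers a hardened HTTP service is expected to send. Only presence
// is checked; the configured value is logged so a reviewer can judge it.
// NOTE(review): Strict-Transport-Security is normally only sent on https
// origins, so a missing value over plain http://localhost is expected, and
// X-XSS-Protection is a legacy header current browsers ignore — treat both
// as informational rather than hard failures when reading the report.
const EXPECTED_SECURITY_HEADERS = [
  "X-Content-Type-Options",
  "X-Frame-Options",
  "X-XSS-Protection",
  "Strict-Transport-Security",
  "Content-Security-Policy",
];

// Number of failed checks; drives the process exit code so CI cannot pass
// on a run where rate limiting or validation is silently absent.
let failures = 0;

/** Log a passing check. */
function pass(message) {
  console.log(` ✅ ${message}`);
}

/** Log a failing check and count it towards the exit code. */
function fail(message) {
  failures += 1;
  console.log(` ❌ ${message}`);
}

/**
 * Send one request and check that the service answers with `expectedStatus`.
 *
 * @param {string} method - HTTP method ("get", "post", ...).
 * @param {string} path - path relative to BASE_URL.
 * @param {number} expectedStatus - status the service must return.
 * @param {string} label - name of the malformed input being rejected.
 */
async function expectStatus(method, path, expectedStatus, label) {
  try {
    const response = await axios.request({
      method,
      url: `${BASE_URL}${path}`,
      ...ANY_STATUS,
    });
    if (response.status === expectedStatus) {
      pass(`${label} properly rejected`);
    } else {
      fail(`${label} accepted (HTTP ${response.status}, expected ${expectedStatus})`);
    }
  } catch (error) {
    fail(`Unexpected error: ${error.message}`);
  }
}

/**
 * Fire `count` concurrent requests at `path` and check that at least one is
 * answered with 429.
 *
 * Uses Promise.allSettled rather than Promise.all: with fail-fast Promise.all
 * the first non-2xx answer (e.g. a 401 from an unauthenticated admin route)
 * would hide a 429 returned by a later request, and the verdict would be
 * "Unexpected error" instead of a rate-limit result.
 *
 * @param {string} method - HTTP method for every request in the burst.
 * @param {string} path - path relative to BASE_URL.
 * @param {number} count - burst size; must exceed the limiter's window.
 * @param {string} label - name of the limiter under test.
 */
async function expectRateLimited(method, path, count, label) {
  const burst = Array.from({ length: count }, () =>
    axios.request({ method, url: `${BASE_URL}${path}`, ...ANY_STATUS })
  );
  const results = await Promise.allSettled(burst);

  const statuses = results
    .filter((result) => result.status === "fulfilled")
    .map((result) => result.value.status);
  const transportErrors = results.filter((result) => result.status === "rejected");

  if (statuses.includes(429)) {
    pass(`${label} working correctly`);
  } else if (transportErrors.length > 0) {
    fail(
      `${label}: ${transportErrors.length}/${count} requests failed: ${transportErrors[0].reason.message}`
    );
  } else {
    const seen = [...new Set(statuses)].join(", ");
    fail(`${label} not working (statuses seen: ${seen})`);
  }
}

/**
 * Fetch /health once and report which of EXPECTED_SECURITY_HEADERS are set.
 * axios lower-cases header names, hence the `toLowerCase()` lookup.
 */
async function checkSecurityHeaders() {
  try {
    const { headers } = await axios.get(`${BASE_URL}/health`, ANY_STATUS);
    console.log(" Security Headers:");
    for (const header of EXPECTED_SECURITY_HEADERS) {
      const value = headers[header.toLowerCase()];
      if (value) {
        pass(`${header}: ${value}`);
      } else {
        fail(`${header}: Missing`);
      }
    }
  } catch (error) {
    fail(`Error checking security headers: ${error.message}`);
  }
}

/**
 * Run every security smoke check against BASE_URL and print a report.
 *
 * Single-request checks run before the rate-limit bursts: the bursts hit the
 * same routes, and once a limiter has tripped the later single requests would
 * get 429 instead of the 400 or the header set they are looking for.
 * Sets process.exitCode = 1 when any check fails.
 */
async function testSecurityFeatures() {
  console.log("🔒 Testing Security Features\n");
  try {
    console.log("1. Testing Security Headers...");
    await checkSecurityHeaders();

    console.log("\n2. Testing Input Validation...");
    await expectStatus("get", "/events/invalid", 400, "Invalid event ID");
    await expectStatus("get", "/tickets/invalid-uuid", 400, "Invalid purchase ID");

    console.log("\n3. Testing Rate Limiting...");
    await expectRateLimited("get", "/health", 15, "Rate limiting");

    console.log("\n4. Testing Admin Rate Limiting...");
    await expectRateLimited("get", "/admin/pdf-stats", 25, "Admin rate limiting");

    console.log("\n5. Testing Purchase Rate Limiting...");
    await expectRateLimited("post", "/buy/1", 15, "Purchase rate limiting");

    if (failures === 0) {
      console.log("\n✅ Security Tests Completed!");
    } else {
      console.log(`\n❌ Security Tests Completed with ${failures} failing check(s)`);
      process.exitCode = 1;
    }
  } catch (error) {
    console.error("❌ Test failed:", error.message);
    process.exitCode = 1;
  }
}

// Run the security tests
testSecurityFeatures();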