feat: implement mcpd core server framework with Fastify

Add Fastify server with config validation (Zod), health/healthz endpoints, auth middleware (Bearer token + session lookup), security plugins (CORS, Helmet, rate limiting), error handler, audit logging, and graceful shutdown. 36 tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 04:22:01 +00:00
parent 1b66e235fc
commit d2a682a460
23 changed files with 860 additions and 10 deletions
--- a/src/mcpd/tests/auth.test.ts
+++ b/src/mcpd/tests/auth.test.ts
@@ -0,0 +1,101 @@
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import Fastify from 'fastify';
+import type { FastifyInstance } from 'fastify';
+import { createAuthMiddleware } from '../src/middleware/auth.js';
+
+let app: FastifyInstance;
+
+afterEach(async () => {
+  if (app) await app.close();
+});
+
+function setupApp(findSession: (token: string) => Promise<{ userId: string; expiresAt: Date } | null>) {
+  app = Fastify({ logger: false });
+  const authMiddleware = createAuthMiddleware({ findSession });
+
+  app.addHook('preHandler', authMiddleware);
+  app.get('/protected', async (request) => {
+    return { userId: request.userId };
+  });
+
+  return app.ready();
+}
+
+describe('auth middleware', () => {
+  it('returns 401 when no Authorization header', async () => {
+    await setupApp(async () => null);
+    const res = await app.inject({ method: 'GET', url: '/protected' });
+    expect(res.statusCode).toBe(401);
+    expect(res.json<{ error: string }>().error).toContain('Authorization');
+  });
+
+  it('returns 401 when header is not Bearer', async () => {
+    await setupApp(async () => null);
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Basic abc123' },
+    });
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('returns 401 when token is empty', async () => {
+    await setupApp(async () => null);
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer ' },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(res.json<{ error: string }>().error).toContain('Empty');
+  });
+
+  it('returns 401 when token not found', async () => {
+    await setupApp(async () => null);
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer invalid-token' },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(res.json<{ error: string }>().error).toContain('Invalid');
+  });
+
+  it('returns 401 when token is expired', async () => {
+    const pastDate = new Date(Date.now() - 86400_000);
+    await setupApp(async () => ({ userId: 'user-1', expiresAt: pastDate }));
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer expired-token' },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(res.json<{ error: string }>().error).toContain('expired');
+  });
+
+  it('passes valid token and sets userId', async () => {
+    const futureDate = new Date(Date.now() + 86400_000);
+    await setupApp(async () => ({ userId: 'user-42', expiresAt: futureDate }));
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer valid-token' },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.json<{ userId: string }>().userId).toBe('user-42');
+  });
+
+  it('calls findSession with the token', async () => {
+    const findSession = vi.fn(async () => ({
+      userId: 'user-1',
+      expiresAt: new Date(Date.now() + 86400_000),
+    }));
+    await setupApp(findSession);
+    await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer my-token' },
+    });
+    expect(findSession).toHaveBeenCalledWith('my-token');
+  });
+});