fix: require qdreader user binding for manual access
This commit is contained in:
@@ -92,7 +92,10 @@ test('manual cookie save falls back to QDHeader embedded UserId before ywguid',
|
||||
});
|
||||
|
||||
test('manual sign and cron sign both call sign gateway then qidian checkin', () => {
|
||||
const store = { qdreader_cookie_json: JSON.stringify({ '12345': cookie }) };
|
||||
const store = {
|
||||
qdreader_cookie_json: JSON.stringify({ '12345': cookie }),
|
||||
qdreader_user_bind_json: JSON.stringify({ '12345': 'user-a' }),
|
||||
};
|
||||
const manual = runPlugin({ content: '启点签到', store: { ...store } });
|
||||
assert.equal(manual.calls.length, 2);
|
||||
assert.match(manual.calls[0].url, /api\.120399\.xyz\/qdreader\/sign$/);
|
||||
@@ -112,7 +115,7 @@ test('manual sign and cron sign both call sign gateway then qidian checkin', ()
|
||||
assert.equal(JSON.parse(cron.store.qdreader_last_run_json).source, 'cron');
|
||||
});
|
||||
|
||||
test('bucketGet/bucketSet fallback works when get/set are unavailable in Autman-like env', () => {
|
||||
test('bucketGet/bucketSet fallback requires identifiable user before saving', () => {
|
||||
const replies = [];
|
||||
const bucketStore = {};
|
||||
const ctx = {
|
||||
@@ -125,9 +128,8 @@ test('bucketGet/bucketSet fallback works when get/set are unavailable in Autman-
|
||||
};
|
||||
vm.createContext(ctx);
|
||||
vm.runInContext(code, ctx, { filename: pluginPath });
|
||||
assert.match(replies.join('\n'), /CK新增成功/);
|
||||
assert.equal(JSON.parse(bucketStore['hermes_qidian.qdreader_cookie_json'])['12345'], cookie);
|
||||
assert.equal(JSON.parse(bucketStore['hermes_qidian.qdreader_user_bind_json'])['12345'], undefined);
|
||||
assert.match(replies.join('\n'), /无法识别当前用户,拒绝保存/);
|
||||
assert.equal(bucketStore['hermes_qidian.qdreader_cookie_json'], '{}');
|
||||
});
|
||||
|
||||
test('hermes_qidian bucket values are read and written without legacy bucket fallback', () => {
|
||||
@@ -141,7 +143,7 @@ test('hermes_qidian bucket values are read and written without legacy bucket fal
|
||||
});
|
||||
|
||||
test('qidian request retries transient request errors', () => {
|
||||
const store = { qdreader_cookie_json: JSON.stringify({ '12345': cookie }), qdreader_retry_count: '2' };
|
||||
const store = { qdreader_cookie_json: JSON.stringify({ '12345': cookie }), qdreader_user_bind_json: JSON.stringify({ '12345': 'user-a' }), qdreader_retry_count: '2' };
|
||||
const r = runPlugin({
|
||||
content: '启点签到',
|
||||
store,
|
||||
@@ -290,3 +292,29 @@ test('manual sign only runs current user accounts while cron runs all accounts',
|
||||
assert.equal(cron.calls.length, 4);
|
||||
assert.match(cron.replies[0], /总计 2/);
|
||||
});
|
||||
|
||||
test('unbound global cookies are not visible or usable by normal users', () => {
|
||||
const store = { qdreader_cookie_json: JSON.stringify({ '12345': cookie }) };
|
||||
const account = runPlugin({ content: '启点账号', store: { ...store }, userId: 'user-a', listens: ['1'] });
|
||||
assert.match(account.replies.join('\n'), /当前用户还没有保存启点读书CK/);
|
||||
|
||||
const manual = runPlugin({ content: '启点签到', store: { ...store }, userId: 'user-a' });
|
||||
assert.equal(manual.calls.length, 0);
|
||||
assert.match(manual.replies[0], /还没有保存启点读书CK/);
|
||||
|
||||
const cron = runPlugin({ content: '', store: { ...store }, userId: 'cron' });
|
||||
assert.equal(cron.calls.length, 2);
|
||||
assert.match(cron.replies[0], /总计 1/);
|
||||
});
|
||||
|
||||
test('user cannot overwrite another user bound cookie', () => {
|
||||
const store = {
|
||||
qdreader_cookie_json: JSON.stringify({ '12345': cookie }),
|
||||
qdreader_user_bind_json: JSON.stringify({ '12345': 'user-a' }),
|
||||
};
|
||||
const newCookie = cookie.replace('sessionyw=s', 'sessionyw=changed');
|
||||
const r = runPlugin({ content: '启点ck ' + newCookie, store, userId: 'user-b' });
|
||||
assert.match(r.replies.join('\n'), /无权更新 uid: 12345/);
|
||||
assert.equal(JSON.parse(r.store.qdreader_cookie_json)['12345'], cookie);
|
||||
assert.equal(JSON.parse(r.store.qdreader_user_bind_json)['12345'], 'user-a');
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user