test: integration coverage for hostile returnPathname sanitization (CWE-601)

[nicknisi]

Summary

Closes the integration-level gap identified while reviewing v0.5.1 confidence. The existing coverage for the CWE-601 fix is split across two layers:

• Unit (src/utils.spec.ts): 21 cases prove sanitizeReturnPathname correctly neutralizes hostile input in isolation. ✓
• Integration (src/service/AuthService.spec.ts): exercises handleCallback but only with legitimate paths (/dashboard, /foo). No test feeds a hostile returnPathname through the full createAuthorization → handleCallback round-trip.

This means a future refactor that accidentally removed the sanitizeReturnPathname(...) call at AuthService.ts:387 would still pass all prior tests while reintroducing the open-redirect vulnerability. This PR adds a test that would catch that.

Changes

• 4 new it.each cases under handleCallback() — one per CWE-601 payload class: absolute URL, protocol-relative, backslash smuggle, javascript: scheme.
• Asserts the returned returnPathname starts with / and resolves to the trusted origin (the same invariant the unit tests use).

Test plan

• pnpm test src/service/AuthService.spec.ts — 40 tests pass (was 36)
• pnpm test — 247 tests pass (was 243), no regressions

[greptile-apps]

Greptile Summary

This PR adds four it.each integration test cases to AuthService.spec.ts covering the CWE-601 open-redirect sanitization across the full createAuthorization → handleCallback round-trip. The new tests complement the existing 21-case unit coverage in utils.spec.ts and would correctly catch a regression if the sanitizeReturnPathname call at AuthService.ts:387 were accidentally removed.

Confidence Score: 5/5

Test-only change with no production code modifications; safe to merge.

The PR adds four well-structured integration tests that follow established patterns, use correct assertions, and would reliably catch a regression in the CWE-601 sanitization path. No production code is modified.

No files require special attention.

Important Files Changed

Filename	Overview
src/service/AuthService.spec.ts	Adds 4 parametrized integration tests exercising hostile returnPathname inputs through the full service round-trip; assertions are sound and the test structure follows existing patterns correctly.

Sequence Diagram

sequenceDiagram
    participant T as Test (it.each)
    participant AS as AuthService
    participant S as makeStorage (in-memory)
    participant SU as sanitizeReturnPathname

    T->>AS: createAuthorization('res', { returnPathname: hostilePathname })
    AS->>S: setCookie(cookieName, sealedState)
    AS-->>T: { cookieName }

    T->>S: cookies.get(cookieName) → sealedState

    T->>AS: handleCallback('req', 'res', { code, state: sealedState })
    AS->>S: getCookie(req, cookieName)
    AS->>SU: sanitizeReturnPathname(returnPathname)
    SU-->>AS: sanitized path (starts with /, same origin)
    AS-->>T: { returnPathname }

    T->>T: expect(returnPathname.startsWith('/')).toBe(true)
    T->>T: expect(new URL(returnPathname, trusted).origin).toBe(trusted)

Loading

_{Reviews (1): Last reviewed commit: "test: integration coverage for hostile r..." | Re-trigger Greptile}