fix(security): adds Turnstile domains to CSP, removes dead body.code path, adds rate limiter error test

wgordon17 · wgordon17 · commit a28a80de4624 · 2026-04-09T08:53:50.000-04:00
diff --git a/public/_headers b/public/_headers
@@ -1,5 +1,5 @@
 /*
-  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com ws://127.0.0.1:*; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
+  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y=' https://challenges.cloudflare.com; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com ws://127.0.0.1:*; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
   Reporting-Endpoints: csp-endpoint="/api/csp-report"
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
diff --git a/src/app/lib/proxy.ts b/src/app/lib/proxy.ts
@@ -118,7 +118,7 @@ export async function sealApiToken(token: string, purpose: string): Promise<stri
     let message = "unknown_error";
     try {
       const body = (await res.json()) as { code?: string; error?: string };
-      message = body.code ?? body.error ?? message;
+      message = body.error ?? message;
     } catch {
       // ignore parse errors — keep default message
     }
diff --git a/tests/app/lib/proxy.test.ts b/tests/app/lib/proxy.test.ts
@@ -288,20 +288,6 @@ describe("sealApiToken", () => {
   it("throws { status, message } on 403 response", async () => {
     setupMockedTurnstile("turnstile-tok");
 
-    const mockFetch = vi.fn().mockResolvedValue(
-      new Response(JSON.stringify({ code: "turnstile_failed" }), { status: 403 }),
-    );
-    vi.stubGlobal("fetch", mockFetch);
-
-    await expect(mod.sealApiToken("my-token", "jira-api-token")).rejects.toMatchObject({
-      status: 403,
-      message: "turnstile_failed",
-    });
-  });
-
-  it("throws { status, message } on 403 response using error field", async () => {
-    setupMockedTurnstile("turnstile-tok");
-
     const mockFetch = vi.fn().mockResolvedValue(
       new Response(JSON.stringify({ error: "turnstile_failed" }), { status: 403 }),
     );
@@ -317,7 +303,7 @@ describe("sealApiToken", () => {
     setupMockedTurnstile("turnstile-tok");
 
     const mockFetch = vi.fn().mockResolvedValue(
-      new Response(JSON.stringify({ code: "rate_limited" }), { status: 429 }),
+      new Response(JSON.stringify({ error: "rate_limited" }), { status: 429 }),
     );
     vi.stubGlobal("fetch", mockFetch);
 
@@ -331,7 +317,7 @@ describe("sealApiToken", () => {
     setupMockedTurnstile("turnstile-tok");
 
     const mockFetch = vi.fn().mockResolvedValue(
-      new Response(JSON.stringify({ code: "seal_failed" }), { status: 500 }),
+      new Response(JSON.stringify({ error: "seal_failed" }), { status: 500 }),
     );
     vi.stubGlobal("fetch", mockFetch);
 
diff --git a/tests/worker/seal.test.ts b/tests/worker/seal.test.ts
@@ -171,6 +171,21 @@ describe("Worker /api/proxy/seal endpoint", () => {
     expect(res.headers.get("Retry-After")).toBe("60");
   });
 
+  it("request proceeds when rate limiter throws (fail-open)", async () => {
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ success: true }), { status: 200 })
+    );
+
+    const rateLimiter = { limit: vi.fn().mockRejectedValue(new Error("binding unavailable")) };
+    const req = makeSealRequest();
+    const res = await worker.fetch(req, makeEnv({ PROXY_RATE_LIMITER: rateLimiter }));
+
+    // Should NOT be 429 or 500 — rate limiter failure is fail-open
+    expect(res.status).toBe(200);
+    const json = await res.json() as Record<string, unknown>;
+    expect(json["sealed"]).toBeDefined();
+  });
+
   // ── Input validation ──────────────────────────────────────────────────────
 
   it("request with token exceeding 2048 chars returns 400 with invalid_request", async () => {

Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ export async function sealApiToken(token: string, purpose: string): Promise<stri`
`118`	`118`	`let message = "unknown_error";`
`119`	`119`	`try {`
`120`	`120`	`const body = (await res.json()) as { code?: string; error?: string };`
`121`		`- message = body.code ?? body.error ?? message;`
	`121`	`+ message = body.error ?? message;`
`122`	`122`	`} catch {`
`123`	`123`	`// ignore parse errors — keep default message`
`124`	`124`	`}`