fix(security): removes dead script, adds remaining test coverage

wgordon17 · wgordon17 · commit f710deea8b1d · 2026-04-02T10:54:21.000-04:00
- deletes orphaned scripts/verify-csp-hash.mjs (replaced by inline CI shell)
- updates prek.toml and deploy.yml to use inline CSP hash check
- adds tests for returnTo preserved on validateToken failure and
  token exchange failure
- adds test for SENTRY_DSN: undefined (optional field coverage)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -18,8 +18,16 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm run typecheck
       - run: pnpm test
-      - name: Verify CSP hash
-        run: node scripts/verify-csp-hash.mjs
+      - name: Verify CSP inline script hash
+        run: |
+          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
+          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+          if ! grep -q "sha256-$HASH" public/_headers; then
+            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+            exit 1
+          fi
+          echo "CSP hash verified: sha256-$HASH"
       - name: WAF smoke tests
         run: pnpm test:waf
       - run: pnpm run build
diff --git a/prek.toml b/prek.toml
@@ -35,7 +35,7 @@ priority = 0
 id = "csp-hash"
 name = "CSP hash verification"
 language = "system"
-entry = "node scripts/verify-csp-hash.mjs"
+entry = "bash -c 'SCRIPT=$(sed -n \"s/.*<script>\\(.*\\)<\\/script>.*/\\1/p\" index.html) && HASH=$(printf \"%s\" \"$SCRIPT\" | openssl dgst -sha256 -binary | base64) && grep -q \"sha256-$HASH\" public/_headers && echo \"CSP hash OK: sha256-$HASH\" || { echo \"CSP hash mismatch! sha256-$HASH not in public/_headers\"; exit 1; }'"
 pass_filenames = false
 always_run = true
 priority = 0
diff --git a/scripts/verify-csp-hash.mjs b/scripts/verify-csp-hash.mjs
diff --git a/tests/components/OAuthCallback.test.tsx b/tests/components/OAuthCallback.test.tsx
@@ -341,6 +341,47 @@ describe("OAuthCallback", () => {
     expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
   });
 
+  it("OAUTH_RETURN_TO_KEY is preserved when validateToken returns false", async () => {
+    sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
+    setupValidState();
+    setWindowSearch({ code: "fakecode", state: "teststate" });
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({ access_token: "tok123" }),
+      })
+    );
+    vi.mocked(authStore.validateToken).mockResolvedValue(false);
+
+    renderCallback();
+
+    await waitFor(() => {
+      screen.getByText(/Could not verify token/i);
+    });
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
+  });
+
+  it("OAUTH_RETURN_TO_KEY is preserved when token exchange fails", async () => {
+    sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
+    setupValidState();
+    setWindowSearch({ code: "fakecode", state: "teststate" });
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue({
+        ok: false,
+        json: async () => ({ error: "bad_verification_code" }),
+      })
+    );
+
+    renderCallback();
+
+    await waitFor(() => {
+      screen.getByText(/Failed to complete sign in/i);
+    });
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
+  });
+
   it("navigates to / when OAUTH_RETURN_TO_KEY is not set", async () => {
     setupSuccessfulCallback();
     renderCallback();
diff --git a/tests/worker/oauth.test.ts b/tests/worker/oauth.test.ts
@@ -955,12 +955,18 @@ describe("Worker OAuth endpoint", () => {
       expect(log!.level).toBe("warn");
     });
 
-    it("returns 404 when SENTRY_DSN is not configured", async () => {
+    it("returns 404 when SENTRY_DSN is empty string", async () => {
       const req = makeTunnelRequest(makeEnvelope(VALID_DSN));
       const res = await worker.fetch(req, makeEnv({ SENTRY_DSN: "" }));
       expect(res.status).toBe(404);
     });
 
+    it("returns 404 when SENTRY_DSN is undefined", async () => {
+      const req = makeTunnelRequest(makeEnvelope(VALID_DSN));
+      const res = await worker.fetch(req, makeEnv({ SENTRY_DSN: undefined as unknown as string }));
+      expect(res.status).toBe(404);
+    });
+
     it("returns 502 when Sentry is unreachable", async () => {
       globalThis.fetch = vi.fn().mockRejectedValue(new Error("connection refused"));
 
