feat(cutover): Plan 8b — point void.hynesy.com at Void 2 (alpha.18)

CF Access multi-aud: CF_ACCESS_AUD now accepts a comma-separated
allow-list so requests through either the void.hynesy.com or
void2-app.hynesy.com CF Access app are honoured as owner. Fails
closed; unlisted auds rejected. Adds multi-aud test.

Void 1 (CT 301) becomes legacy but stays running untouched as an
instant rollback. -alpha tag kept pending owner sign-off.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
root
2026-06-05 00:50:57 +10:00
parent 191790098a
commit 147b4f514c
5 changed files with 19 additions and 3 deletions

@@ -39,6 +39,12 @@ describe('verifyAccessJwt', () => {
it('rejects a wrong audience (another app cannot grant access)', async () => {
await expect(verifyAccessJwt(mintJwt({ ...valid, aud: 'someone-else' }), opts)).rejects.toThrow(/aud/);
});
it('accepts any aud from a comma-separated allow-list (8b cutover: two CF apps front one origin)', async () => {
const multi = { ...opts, aud: `void-app-aud, ${AUD}` };
const c = await verifyAccessJwt(mintJwt(valid), multi); // token carries AUD (the 2nd allowed)
expect(c.email).toBe(EMAIL);
await expect(verifyAccessJwt(mintJwt({ ...valid, aud: 'unlisted' }), multi)).rejects.toThrow(/aud/);
});
it('rejects an expired token', async () => {
await expect(verifyAccessJwt(mintJwt({ ...valid, exp: sec - 10 }), opts)).rejects.toThrow(/expired/);
});