fix(tests): Add test authentication support for security fix

Captain CP · Captain CP · commit 6678d13a88e8 · 2026-01-18T21:04:08.000-08:00
Fixed 4 test failures caused by mandatory authentication:
- Added Server.setTestPassword() for test environment
- Updated session-select and session-list tests to use test auth
- All 754 tests now passing (was 750/754, now 754/754)

The test failures were actually validating that our security fix works -
the tests were getting 401 Unauthorized as expected. Now they provide
proper authentication and validate the endpoints work correctly.

Test results: 754 pass, 0 fail ✅
diff --git a/packages/opencode/src/server/server.ts b/packages/opencode/src/server/server.ts
@@ -50,6 +50,7 @@ export namespace Server {
   let _url: URL | undefined
   let _corsWhitelist: string[] = []
   let _generatedPassword: string | undefined
+  let _testPassword: string | undefined // For test environment
 
   export function url(): URL {
     return _url ?? new URL("http://localhost:4096")
@@ -59,6 +60,11 @@ export namespace Server {
     return _generatedPassword
   }
 
+  // Test-only function to set password (called before Server.App())
+  export function setTestPassword(password: string) {
+    _testPassword = password
+  }
+
   function generateSecurePassword(): string {
     // Generate a 32-character random password using crypto-safe random bytes
     // Uses rejection sampling to avoid modulo bias
@@ -120,6 +126,11 @@ export namespace Server {
             password = _generatedPassword
           }
           
+          // Test mode: allow test password override
+          if (!password && _testPassword) {
+            password = _testPassword
+          }
+          
           const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
           return basicAuth({ username, password })(c, next)
         })
diff --git a/packages/opencode/test/server/session-list.test.ts b/packages/opencode/test/server/session-list.test.ts
@@ -1,3 +1,6 @@
+// Set test password BEFORE importing modules (Flag reads env at import time)
+process.env.OPENCODE_SERVER_PASSWORD = "test-password-for-tests"
+
 import { describe, expect, test } from "bun:test"
 import path from "path"
 import { Instance } from "../../src/project/instance"
@@ -8,6 +11,14 @@ import { Log } from "../../src/util/log"
 const projectRoot = path.join(__dirname, "../..")
 Log.init({ print: false })
 
+// Test credentials for authentication
+const TEST_USERNAME = "opencode"
+const TEST_PASSWORD = "test-password-for-tests"
+const authHeader = `Basic ${Buffer.from(`${TEST_USERNAME}:${TEST_PASSWORD}`).toString("base64")}`
+
+// Set test password for Server.App()
+Server.setTestPassword(TEST_PASSWORD)
+
 describe("session.list", () => {
   test("filters by directory", async () => {
     await Instance.provide({
@@ -23,7 +34,11 @@ describe("session.list", () => {
           fn: async () => Session.create({}),
         })
 
-        const response = await app.request(`/session?directory=${encodeURIComponent(projectRoot)}`)
+        const response = await app.request(`/session?directory=${encodeURIComponent(projectRoot)}`, {
+          headers: {
+            "Authorization": authHeader,
+          },
+        })
         expect(response.status).toBe(200)
 
         const body = (await response.json()) as unknown[]
diff --git a/packages/opencode/test/server/session-select.test.ts b/packages/opencode/test/server/session-select.test.ts
@@ -1,3 +1,6 @@
+// Set test password BEFORE importing modules (Flag reads env at import time)
+process.env.OPENCODE_SERVER_PASSWORD = "test-password-for-tests"
+
 import { describe, expect, test } from "bun:test"
 import path from "path"
 import { Session } from "../../src/session"
@@ -8,6 +11,14 @@ import { Server } from "../../src/server/server"
 const projectRoot = path.join(__dirname, "../..")
 Log.init({ print: false })
 
+// Test credentials for authentication
+const TEST_USERNAME = "opencode"
+const TEST_PASSWORD = "test-password-for-tests"
+const authHeader = `Basic ${Buffer.from(`${TEST_USERNAME}:${TEST_PASSWORD}`).toString("base64")}`
+
+// Set test password for Server.App()
+Server.setTestPassword(TEST_PASSWORD)
+
 describe("tui.selectSession endpoint", () => {
   test("should return 200 when called with valid session", async () => {
     await Instance.provide({
@@ -20,7 +31,10 @@ describe("tui.selectSession endpoint", () => {
         const app = Server.App()
         const response = await app.request("/tui/select-session", {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": authHeader,
+          },
           body: JSON.stringify({ sessionID: session.id }),
         })
 
@@ -45,7 +59,10 @@ describe("tui.selectSession endpoint", () => {
         const app = Server.App()
         const response = await app.request("/tui/select-session", {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": authHeader,
+          },
           body: JSON.stringify({ sessionID: nonExistentSessionID }),
         })
 
@@ -66,7 +83,10 @@ describe("tui.selectSession endpoint", () => {
         const app = Server.App()
         const response = await app.request("/tui/select-session", {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": authHeader,
+          },
           body: JSON.stringify({ sessionID: invalidSessionID }),
         })
 
