🧮 refactor: Replace Eval with Safe Math Expression Parser (#11098)

* chore: Add mathjs dependency * refactor: Replace eval with mathjs for safer expression evaluation and improve session expiry handling to not environment variables from data-schemas package * test: Add integration tests for math function with environment variable expressions * refactor: Update test description for clarity on expiresIn behavior * refactor: Update test cases to clarify default expiration behavior for token generation * refactor: Improve error handling in math function for clearer evaluation errors
2026-02-07 18:14:22 +01:00 · 2025-12-25 12:25:41 -05:00 · 2025-12-25 12:25:41 -05:00 · 6ffb176056
commit 6ffb176056
parent d0863de8d4
14 changed files with 602 additions and 85 deletions
--- a/packages/data-schemas/src/methods/user.test.ts
+++ b/packages/data-schemas/src/methods/user.test.ts
@ -31,11 +31,10 @@ describe('User Methods', () => {
    } as IUser;

    afterEach(() => {
-      delete process.env.SESSION_EXPIRY;
      delete process.env.JWT_SECRET;
    });

-    it('should default to 15 minutes when SESSION_EXPIRY is not set', async () => {
+    it('should default to 15 minutes when expiresIn is not provided', async () => {
      process.env.JWT_SECRET = 'test-secret';
      mockSignPayload.mockResolvedValue('mocked-token');

@ -49,16 +48,15 @@ describe('User Methods', () => {
          email: mockUser.email,
        },
        secret: 'test-secret',
-        expirationTime: 900, // 15 minutes in seconds
+        expirationTime: 900, // 15 minutes in seconds (DEFAULT_SESSION_EXPIRY / 1000)
      });
    });

-    it('should default to 15 minutes when SESSION_EXPIRY is empty string', async () => {
-      process.env.SESSION_EXPIRY = '';
+    it('should default to 15 minutes when expiresIn is undefined', async () => {
      process.env.JWT_SECRET = 'test-secret';
      mockSignPayload.mockResolvedValue('mocked-token');

-      await userMethods.generateToken(mockUser);
+      await userMethods.generateToken(mockUser, undefined);

      expect(mockSignPayload).toHaveBeenCalledWith({
        payload: {
@ -68,16 +66,15 @@ describe('User Methods', () => {
          email: mockUser.email,
        },
        secret: 'test-secret',
-        expirationTime: 900, // 15 minutes in seconds
+        expirationTime: 900, // 15 minutes in seconds (DEFAULT_SESSION_EXPIRY / 1000)
      });
    });

-    it('should use custom expiry when SESSION_EXPIRY is set to a valid expression', async () => {
-      process.env.SESSION_EXPIRY = '1000 * 60 * 30'; // 30 minutes
+    it('should use custom expiry when expiresIn is provided', async () => {
      process.env.JWT_SECRET = 'test-secret';
      mockSignPayload.mockResolvedValue('mocked-token');

-      await userMethods.generateToken(mockUser);
+      await userMethods.generateToken(mockUser, 1000 * 60 * 30); // 30 minutes

      expect(mockSignPayload).toHaveBeenCalledWith({
        payload: {
@ -91,12 +88,12 @@ describe('User Methods', () => {
      });
    });

-    it('should default to 15 minutes when SESSION_EXPIRY evaluates to falsy value', async () => {
-      process.env.SESSION_EXPIRY = '0'; // This will evaluate to 0, which is falsy
+    it('should use 0 when expiresIn is 0', async () => {
      process.env.JWT_SECRET = 'test-secret';
      mockSignPayload.mockResolvedValue('mocked-token');

-      await userMethods.generateToken(mockUser);
+      // When 0 is passed, it should use 0 (caller's responsibility to pass valid value)
+      await userMethods.generateToken(mockUser, 0);

      expect(mockSignPayload).toHaveBeenCalledWith({
        payload: {
@ -106,7 +103,7 @@ describe('User Methods', () => {
          email: mockUser.email,
        },
        secret: 'test-secret',
-        expirationTime: 900, // 15 minutes in seconds
+        expirationTime: 0, // 0 seconds
      });
    });

@ -119,45 +116,13 @@ describe('User Methods', () => {
    });

    it('should return the token from signPayload', async () => {
-      process.env.SESSION_EXPIRY = '1000 * 60 * 60'; // 1 hour
      process.env.JWT_SECRET = 'test-secret';
      const expectedToken = 'generated-jwt-token';
      mockSignPayload.mockResolvedValue(expectedToken);

-      const token = await userMethods.generateToken(mockUser);
+      const token = await userMethods.generateToken(mockUser, 1000 * 60 * 60); // 1 hour

      expect(token).toBe(expectedToken);
    });
-
-    it('should handle invalid SESSION_EXPIRY expressions gracefully', async () => {
-      process.env.SESSION_EXPIRY = 'invalid expression';
-      process.env.JWT_SECRET = 'test-secret';
-      mockSignPayload.mockResolvedValue('mocked-token');
-
-      // Mock console.warn to verify it's called
-      const consoleWarnSpy = jest.spyOn(console, 'warn').mockImplementation();
-
-      await userMethods.generateToken(mockUser);
-
-      // Should use default value when eval fails
-      expect(mockSignPayload).toHaveBeenCalledWith({
-        payload: {
-          id: mockUser._id,
-          username: mockUser.username,
-          provider: mockUser.provider,
-          email: mockUser.email,
-        },
-        secret: 'test-secret',
-        expirationTime: 900, // 15 minutes in seconds (default)
-      });
-
-      // Verify warning was logged
-      expect(consoleWarnSpy).toHaveBeenCalledWith(
-        'Invalid SESSION_EXPIRY expression, using default:',
-        expect.any(SyntaxError),
-      );
-
-      consoleWarnSpy.mockRestore();
-    });
  });
 });