mirror of
https://github.com/cliffe/BreakEscape.git
synced 2026-02-21 11:18:08 +00:00
Created test suite with 34 tests covering all unlock scenarios and security:

DOOR TESTS (10 tests):
- PIN/password validation (correct/incorrect, case sensitivity)
- Key unlocks (client-validated)
- Unlocked doors (method='unlocked')

CONTAINER TESTS (8 tests):
- PIN/password validation
- Key, lockpick, biometric, bluetooth, RFID unlocks
- Unlocked containers

NPC UNLOCK TESTS (6 tests):
✅ NPC can unlock door/container if encountered and has permission
🔒 SECURITY: Fails if NPC not encountered
🔒 SECURITY: Fails if NPC lacks permission for that target
🔒 SECURITY: Fails for non-existent NPC
🔒 SECURITY: Fails if unlockable is not an array

SECURITY TESTS - BYPASS PREVENTION (4 tests):
🔒 CRITICAL: Locked door CANNOT be bypassed with method='unlocked'
🔒 CRITICAL: Locked container CANNOT be bypassed with method='unlocked'
✅ Unlocked door CAN use method='unlocked'
✅ Unlocked container CAN use method='unlocked'

ERROR CASES (3 tests):
- Non-existent doors/objects return 422
- Invalid methods return 422

DATA FILTERING (2 tests):
- Verify 'requires' field filtered from responses
- Verify recursive filtering of contents

INTEGRATION (1 test):
- Multiple sequential unlocks
- Idempotent operations

Test Results: 34 runs, 115 assertions, 0 failures

Server Implementation:
- validate_npc_unlock: Validates NPC encounter and permission list
- find_npc_in_scenario: Searches all rooms for NPC
- method='npc': New unlock method requiring NPC id as attempt

Client Implementation:
- Updated handleUnlockDoor to call server API with method='npc'
- Server validates all NPC unlock requests
- No client-side lock manipulation

Security Principle: All unlock authorization is server-side. Client cannot bypass locks by manipulating state or claiming NPC unlocks.
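
An added example, not code from the BreakEscape repository, of the server-side checks the commit message lists: refusing method='unlocked' on a locked door, validating NPC unlocks (including the non-array `unlockable` case), and recursively stripping 'requires' from responses. Ruby is assumed from the test-output format; the scenario layout, the 'locked'/'lockType' keys, the session hash, the `unlock_door` and `filter_requires` names, and the signatures given to `validate_npc_unlock` and `find_npc_in_scenario` are assumptions, and the sample data is constructed.

```ruby
# Added illustration, not BreakEscape code. Scenario layout, 'locked'/'lockType'
# keys and the session hash are assumptions; all data below is constructed.
SCENARIO = { 'rooms' => { 'lobby' => {
  'doors' => {
    'vault'  => { 'locked' => true, 'lockType' => 'pin', 'requires' => '4821' },
    'closet' => { 'locked' => false }
  },
  'npcs' => [
    { 'id' => 'guard', 'unlockable' => ['vault'] },
    { 'id' => 'clerk', 'unlockable' => 'vault' } # malformed: not an array
  ]
} } }.freeze

def find_npc_in_scenario(scenario, npc_id)
  scenario['rooms'].each_value do |room|
    npc = (room['npcs'] || []).find { |n| n['id'] == npc_id }
    return npc if npc
  end
  nil
end

def validate_npc_unlock(scenario, session, npc_id, target_id)
  npc = find_npc_in_scenario(scenario, npc_id)
  return false unless npc && session[:encountered].include?(npc_id)
  # Without the Array check, String#include? would accept 'vault' as a substring.
  npc['unlockable'].is_a?(Array) && npc['unlockable'].include?(target_id)
end

# Returns an HTTP-style status: 200 on success, 422 on any refusal.
def unlock_door(scenario, session, door_id, method, attempt = nil)
  door = scenario['rooms'].values.map { |r| r.dig('doors', door_id) }.compact.first
  return 422 unless door
  ok = case method
       when 'unlocked' then !door['locked'] # server state decides, not the client
       when 'pin' then door['lockType'] == 'pin' && door['requires'] == attempt.to_s
       when 'npc' then validate_npc_unlock(scenario, session, attempt, door_id)
       else false
       end
  return 422 unless ok
  session[:unlocked] |= [door_id] # idempotent: repeated unlocks add nothing
  200
end

# Recursively drops 'requires' so lock answers never reach the client.
def filter_requires(obj)
  case obj
  when Hash then obj.reject { |k, _| k == 'requires' }.transform_values { |v| filter_requires(v) }
  when Array then obj.map { |v| filter_requires(v) }
  else obj
  end
end
```
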