From b002005a423b4d531768656776a85f8caac5585a Mon Sep 17 00:00:00 2001
From: mirivlad <mirvtop@yandex.ru>
Date: Tue, 9 Jun 2026 01:02:37 +0800
Subject: [PATCH] fix(browser-bridge): don't send X-Verstak-Secret when
 empty/undefined; add integration tests

---
 extension-firefox/background.js               |  11 +-
 extension-firefox/manifest.json               |   2 +-
 .../core/bridge/bridge_integration_test.go    | 144 ++++++++++++++++
 internal/core/bridge/bridge_nosecret_test.go  | 156 ++++++++++++++++++
 4 files changed, 308 insertions(+), 5 deletions(-)
 create mode 100644 internal/core/bridge/bridge_integration_test.go
 create mode 100644 internal/core/bridge/bridge_nosecret_test.go

diff --git a/extension-firefox/background.js b/extension-firefox/background.js
index 4c7e82e..9b2a9d3 100644
--- a/extension-firefox/background.js
+++ b/extension-firefox/background.js
@@ -175,6 +175,12 @@ function flushQueue() {
     const secret = config.secret || '';
     const deviceId = config.deviceId || DEFAULT_DEVICE_ID;
 
+    const headers = { 'Content-Type': 'application/json' };
+    // Only send secret header if it's a non-empty string
+    if (secret && typeof secret === 'string' && secret.length > 0) {
+      headers['X-Verstak-Secret'] = secret;
+    }
+
     const payload = {
       version: 1,
       device_id: 'firefox-' + deviceId,
@@ -183,10 +189,7 @@ function flushQueue() {
 
     fetch(`http://127.0.0.1:${port}/api/events`, {
       method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'X-Verstak-Secret': secret,
-      },
+      headers,
       body: JSON.stringify(payload),
       signal: AbortSignal.timeout(5000),
     })
diff --git a/extension-firefox/manifest.json b/extension-firefox/manifest.json
index 7012a1c..a02f270 100644
--- a/extension-firefox/manifest.json
+++ b/extension-firefox/manifest.json
@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "Verstak Bridge",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Отслеживает активные вкладки и отправляет события в Verstak",
   "author": "Verstak",
   "homepage_url": "https://git.mirv.top/mirivlad/verstak",
diff --git a/internal/core/bridge/bridge_integration_test.go b/internal/core/bridge/bridge_integration_test.go
new file mode 100644
index 0000000..5289dc8
--- /dev/null
+++ b/internal/core/bridge/bridge_integration_test.go
@@ -0,0 +1,144 @@
+package bridge
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+)
+
+// TestServer_Events_FullFlow simulates exact browser extension behavior:
+// starts server with empty secret, sends ping, then sends events with various header configurations
+func TestServer_Events_FullFlow(t *testing.T) {
+	received := make(chan []Event, 1)
+	s := NewServer("", func(evts []Event) {
+		received <- evts
+	})
+	port, err := s.Start(Config{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Stop()
+
+	t.Logf("Server started on port %d (secret='%s')", port, s.Secret())
+
+	// Test 1: Ping
+	pingURL := fmt.Sprintf("http://127.0.0.1:%d/api/ping", port)
+	pingResp, err := http.Get(pingURL)
+	if err != nil {
+		t.Fatalf("ping failed: %v", err)
+	}
+	pingBody, _ := io.ReadAll(pingResp.Body)
+	pingResp.Body.Close()
+	t.Logf("Ping: status=%d body=%s", pingResp.StatusCode, string(pingBody))
+
+	if pingResp.StatusCode != 200 {
+		t.Fatalf("ping returned %d", pingResp.StatusCode)
+	}
+
+	// Test 2: Events WITHOUT any secret header (extension sends nothing when secret is empty)
+	events := []Event{
+		{ID: "evt_test_1", Type: "page_visit", URL: "https://example.com", Domain: "example.com", ActiveSeconds: 120},
+	}
+	batch := EventBatch{Version: 1, DeviceID: "firefox-test", Events: events}
+	b, _ := json.Marshal(batch)
+
+	eventsURL := fmt.Sprintf("http://127.0.0.1:%d/api/events", port)
+	req, _ := http.NewRequest("POST", eventsURL, bytes.NewReader(b))
+	req.Header.Set("Content-Type", "application/json")
+	// No X-Verstak-Secret header at all — empty secret on server should allow this
+
+	t.Logf("Sending %d events to %s (no auth header)", len(events), eventsURL)
+	t.Logf("Payload: %s", string(b))
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("events request failed: %v", err)
+	}
+	respBody, _ := io.ReadAll(resp.Body)
+	resp.Body.Close()
+
+	t.Logf("Events response: status=%d body=%s", resp.StatusCode, string(respBody))
+
+	if resp.StatusCode != 200 {
+		t.Errorf("expected 200, got %d. Body: %s", resp.StatusCode, string(respBody))
+	}
+
+	select {
+	case evts := <-received:
+		t.Logf("SUCCESS: handler received %d events", len(evts))
+	case <-time.After(2 * time.Second):
+		t.Fatal("TIMEOUT: handler did not receive events")
+	}
+
+	// Test 3: Events WITH undefined secret header (simulating JS undefined)
+	req2, _ := http.NewRequest("POST", eventsURL, bytes.NewReader(b))
+	req2.Header.Set("Content-Type", "application/json")
+	req2.Header.Set("X-Verstak-Secret", "undefined")  // JS: header when secret is undefined
+
+	resp2, err := http.DefaultClient.Do(req2)
+	if err != nil {
+		t.Fatalf("events request 2 failed: %v", err)
+	}
+	respBody2, _ := io.ReadAll(resp2.Body)
+	resp2.Body.Close()
+
+	t.Logf("Events with 'undefined' secret: status=%d body=%s", resp2.StatusCode, string(respBody2))
+
+	if resp2.StatusCode != 200 {
+		t.Errorf("expected 200 with 'undefined' secret, got %d", resp2.StatusCode)
+	}
+
+	// Test 4: Events WITH empty string secret header
+	req3, _ := http.NewRequest("POST", eventsURL, bytes.NewReader(b))
+	req3.Header.Set("Content-Type", "application/json")
+	req3.Header.Set("X-Verstak-Secret", "")
+
+	resp3, err := http.DefaultClient.Do(req3)
+	if err != nil {
+		t.Fatalf("events request 3 failed: %v", err)
+	}
+	respBody3, _ := io.ReadAll(resp3.Body)
+	resp3.Body.Close()
+
+	t.Logf("Events with empty secret: status=%d body=%s", resp3.StatusCode, string(respBody3))
+
+	if resp3.StatusCode != 200 {
+		t.Errorf("expected 200 with empty secret, got %d", resp3.StatusCode)
+	}
+}
+
+// TestServer_Events_WithTimeout tests that the server responds within timeout
+func TestServer_Events_WithTimeout(t *testing.T) {
+	s := NewServer("", func(evts []Event) {})
+	port, err := s.Start(Config{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Stop()
+
+	batch := EventBatch{Version: 1, DeviceID: "test", Events: []Event{{ID: "1", Type: "page_visit"}}}
+	b, _ := json.Marshal(batch)
+
+	client := &http.Client{Timeout: 3 * time.Second}
+	req, _ := http.NewRequest("POST", fmt.Sprintf("http://127.0.0.1:%d/api/events", port), bytes.NewReader(b))
+	req.Header.Set("Content-Type", "application/json")
+
+	start := time.Now()
+	resp, err := client.Do(req)
+	elapsed := time.Since(start)
+
+	if err != nil {
+		t.Fatalf("request timed out after %v: %v", elapsed, err)
+	}
+	resp.Body.Close()
+
+	t.Logf("Response: %d in %v", resp.StatusCode, elapsed)
+
+	if resp.StatusCode != 200 {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+}
diff --git a/internal/core/bridge/bridge_nosecret_test.go b/internal/core/bridge/bridge_nosecret_test.go
new file mode 100644
index 0000000..9f3458d
--- /dev/null
+++ b/internal/core/bridge/bridge_nosecret_test.go
@@ -0,0 +1,156 @@
+package bridge
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"testing"
+	"time"
+)
+
+// TestServer_Events_NoSecret tests the exact scenario from the browser extension:
+// server with empty secret, POST /api/events without X-Verstak-Secret header
+func TestServer_Events_NoSecret(t *testing.T) {
+	received := make(chan []Event, 1)
+	s := NewServer("", func(evts []Event) {
+		received <- evts
+	})
+	port, err := s.Start(Config{Secret: ""})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Stop()
+
+	events := []Event{
+		{ID: "evt_1", Type: "page_visit", URL: "https://example.com", Title: "Example", Domain: "example.com", ActiveSeconds: 120},
+	}
+	batch := EventBatch{Version: 1, DeviceID: "firefox-test", Events: events}
+	b, _ := json.Marshal(batch)
+
+	// Exactly what the browser extension does: POST without X-Verstak-Secret
+	req, _ := http.NewRequest("POST", fmt.Sprintf("http://127.0.0.1:%d/api/events", port), bytes.NewReader(b))
+	req.Header.Set("Content-Type", "application/json")
+	// NOTE: No X-Verstak-Secret header — extension doesn't send it when secret is empty
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	t.Logf("Status: %d", resp.StatusCode)
+
+	if resp.StatusCode != 200 {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+
+	select {
+	case evts := <-received:
+		if len(evts) != 1 {
+			t.Errorf("expected 1 event, got %d", len(evts))
+		}
+		if evts[0].ID != "evt_1" {
+			t.Errorf("expected event ID 'evt_1', got %s", evts[0].ID)
+		}
+		t.Logf("Handler received %d events", len(evts))
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for event handler")
+	}
+}
+
+// TestServer_Events_WithEmptySecretHeader tests what happens when extension
+// sends X-Verstak-Secret: "" (empty string) — some versions do this
+func TestServer_Events_WithEmptySecretHeader(t *testing.T) {
+	received := make(chan []Event, 1)
+	s := NewServer("", func(evts []Event) {
+		received <- evts
+	})
+	port, err := s.Start(Config{Secret: ""})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Stop()
+
+	events := []Event{
+		{ID: "evt_2", Type: "page_visit", URL: "https://test.com", Domain: "test.com"},
+	}
+	batch := EventBatch{Version: 1, DeviceID: "firefox-test", Events: events}
+	b, _ := json.Marshal(batch)
+
+	req, _ := http.NewRequest("POST", fmt.Sprintf("http://127.0.0.1:%d/api/events", port), bytes.NewReader(b))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Verstak-Secret", "")  // Extension sends empty secret
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	t.Logf("Status: %d", resp.StatusCode)
+
+	if resp.StatusCode != 200 {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+
+	select {
+	case evts := <-received:
+		t.Logf("Handler received %d events", len(evts))
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for event handler")
+	}
+}
+
+// TestServer_Ping_Then_Events simulates the exact flow: ping first, then send events
+func TestServer_Ping_Then_Events(t *testing.T) {
+	received := make(chan []Event, 1)
+	s := NewServer("", func(evts []Event) {
+		received <- evts
+	})
+	port, err := s.Start(Config{Secret: ""})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Stop()
+
+	// Step 1: Ping (like extension does)
+	pingResp, err := http.Get(fmt.Sprintf("http://127.0.0.1:%d/api/ping", port))
+	if err != nil {
+		t.Fatalf("ping failed: %v", err)
+	}
+	pingResp.Body.Close()
+	if pingResp.StatusCode != 200 {
+		t.Fatalf("ping returned %d", pingResp.StatusCode)
+	}
+	t.Log("Ping OK")
+
+	// Step 2: Send events (like extension does after ping)
+	events := []Event{
+		{ID: "evt_3", Type: "page_visit", URL: "https://flow-test.com", Domain: "flow-test.com", ActiveSeconds: 60},
+	}
+	batch := EventBatch{Version: 1, DeviceID: "firefox-abc123", Events: events}
+	b, _ := json.Marshal(batch)
+
+	req, _ := http.NewRequest("POST", fmt.Sprintf("http://127.0.0.1:%d/api/events", port), bytes.NewReader(b))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("events request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	t.Logf("Events status: %d", resp.StatusCode)
+
+	if resp.StatusCode != 200 {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+
+	select {
+	case evts := <-received:
+		t.Logf("Handler received %d events", len(evts))
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for event handler")
+	}
+}