Skip to content

test(mono): add multi-user support and files-list API#1881

Merged
benjamin-747 merged 8 commits into
gitmono-dev:mainfrom
miliu2cc:main
Feb 2, 2026
Merged

test(mono): add multi-user support and files-list API#1881
benjamin-747 merged 8 commits into
gitmono-dev:mainfrom
miliu2cc:main

Conversation

@miliu2cc

@miliu2cc miliu2cc commented Feb 2, 2026

Copy link
Copy Markdown
Contributor

No description provided.

@benjamin-747

Copy link
Copy Markdown
Collaborator

@claude

@github-actions

github-actions Bot commented Feb 2, 2026

Copy link
Copy Markdown

Claude finished @benjamin-747's task in 1m 51s —— View job


Code Review Complete ✓

I've reviewed the changes in this PR which adds multi-user support and files-list API integration to the CL merge integration test. Here's my comprehensive feedback:


Summary

This PR transforms the integration test from a single anonymous user setup to a proper multi-user authentication scenario. The changes are well-structured and improve test coverage significantly.

Key Changes:

  • Enabled HTTP authentication (enable_http_auth = true)
  • Added test user management with predefined tokens
  • Switched from files-changed API to files-list API
  • Added timing constants for better maintainability
  • Enhanced logging and debugging output

✅ Strengths

  1. Improved Test Design: The shift from anonymous users to authenticated multi-user testing is a significant improvement that better reflects real-world usage patterns.

  2. Security Input Validation: The existing validate_repo_name() and validate_file_path() functions properly prevent command injection and path traversal attacks (mono/tests/cl_merge_integration.rs:81-103).

  3. Better Documentation: Updated doc comments clearly explain the test design rationale and multi-user workflow (mono/tests/cl_merge_integration.rs:28-36).

  4. Maintainability: Introduced timing constants (CL_CREATE_WAIT_SECS, POST_MERGE_WAIT_SECS, etc.) making magic numbers self-documenting (mono/tests/cl_merge_integration.rs:55-60).

  5. Robust Error Handling: Comprehensive error messages with context throughout (mono/tests/cl_merge_integration.rs:567-572, 612-616).


🔍 Code Quality Issues

1. Hard-coded Test Tokens (Security Concern)

Location: mono/tests/cl_merge_integration.rs:68-69

The test tokens are hard-coded constants:

const TEST_TOKEN_A: &str = "a1b2c3d4-e5f6-7890-abcd-ef1234567890";
const TEST_TOKEN_B: &str = "b2c3d4e5-f6a7-8901-bcde-f12345678901";

Issue: While this is a test file, hard-coded tokens can be problematic if:

  • The test environment is accessible externally
  • These tokens leak into logs or error messages
  • Someone mistakes this pattern as acceptable for production code

Recommendation: Consider generating random tokens at runtime or adding a prominent comment warning against this pattern in production:

// WARNING: These are TEST-ONLY constant tokens for reproducible testing
// NEVER use hard-coded tokens in production code - always generate them securely
const TEST_TOKEN_A: &str = "a1b2c3d4-e5f6-7890-abcd-ef1234567890";

2. SQL Injection Prevention - Good but Could Be Better

Location: mono/tests/cl_merge_integration.rs:290-299

The code uses string formatting for SQL queries:

exec_check(vm, &format!(
    "PGPASSWORD={} psql -h 127.0.0.1 -U {} -d {} -c \"INSERT INTO access_token (id, username, token, created_at) VALUES (floor(random() * 1000000000000)::bigint, '{}', '{}', NOW());\"",
    POSTGRES_PASSWORD, POSTGRES_USER, POSTGRES_DB, TEST_USER_A, TEST_TOKEN_A
)).await?;

Issue: While the inputs are controlled constants in this test, the pattern demonstrates SQL string concatenation which is risky.

Recommendation: Add a comment explaining why this is safe here (controlled test inputs) and consider using parameterized queries if the test infrastructure supports it.

3. Random ID Generation

Location: mono/tests/cl_merge_integration.rs:291

VALUES (floor(random() * 1000000000000)::bigint, ...

Issue: Using random() for ID generation could theoretically cause collisions, though unlikely.

Recommendation: Either use a sequence/serial type, or add error handling for unique constraint violations.

4. Clone URL Contains Credentials

Location: mono/tests/cl_merge_integration.rs:428-430, 468-470

let clone_url = format!(
    "http://{}:{}@127.0.0.1:8000/.git",
    auth_username, auth_token
);

Issue: Credentials in URLs can leak into logs. Git typically warns about this.

Current State: The code does log the clone output (mono/tests/cl_merge_integration.rs:432) which might expose credentials.

Recommendation: Either:

  • Redact credentials from logged output
  • Use git credential helpers
  • Add a comment acknowledging this is test-only and credentials are not sensitive

🎯 Testing Concerns

1. API Response Validation

Good: The code properly validates API responses:

if !json["req_result"].as_bool().unwrap_or(false) {
    anyhow::bail!(
        "files-list API returned error: {}",
        json["err_message"].as_str().unwrap_or("Unknown error")
    );
}

Suggestion: Consider adding validation for unexpected response structure to prevent panics on malformed JSON.

2. files-list API vs files-changed API

Location: mono/tests/cl_merge_integration.rs:596-598

The comment states:

// Use files-list API instead of files-changed API
// The files-changed API's total field is inaccurate, but files-list returns correct data

Concern: This suggests there's a bug in the files-changed API. While it's good that the test works around it, this warrants:

  • A tracking issue to fix the files-changed API
  • More context about why it's inaccurate

Recommendation: File a separate issue to investigate and fix the files-changed API accuracy problem.

3. Test Timing and Race Conditions

Location: mono/tests/cl_merge_integration.rs:544

The test uses fixed sleep durations to wait for async operations. While timing constants improve readability, fixed sleeps can cause flakiness:

  • Too short → test fails intermittently
  • Too long → slow tests

Current: The code does have a proper polling mechanism for service readiness (mono/tests/cl_merge_integration.rs:123-159), which is excellent.

Recommendation: Consider using similar polling for CL operations instead of fixed sleeps.


📝 Documentation

1. Well-Documented Test Design

The updated documentation clearly explains the multi-user approach (mono/tests/cl_merge_integration.rs:28-36). This is excellent.

2. Function Documentation

Most functions have clear doc comments. Great examples:

  • setup_test_users (mono/tests/cl_merge_integration.rs:281-285)
  • get_cl_files_count (mono/tests/cl_merge_integration.rs:595-598)

🔒 Security Analysis

Overall Security Posture: Good for a test file

Positive Security Measures:

  1. ✅ Input validation for repo names (mono/tests/cl_merge_integration.rs:81-95)
  2. ✅ Path traversal prevention (mono/tests/cl_merge_integration.rs:98-103)
  3. ✅ Proper error handling prevents information leakage

Security Notes:

  • This is test code running in isolated VMs, so security concerns are lower priority
  • The patterns used here should NOT be copied to production code without significant hardening

🚀 Performance

No significant performance concerns. The test is I/O bound (VM operations, database operations) and the code changes don't introduce performance regressions.


✨ Recommendations Summary

High Priority

  1. Add warning comments on hard-coded tokens to prevent production misuse
  2. File an issue to fix the files-changed API accuracy problem
  3. Consider adding credential redaction for logged git output

Medium Priority

  1. Add comments explaining why SQL string formatting is safe here (controlled inputs)
  2. Consider polling mechanisms instead of fixed sleeps for CL operations
  3. Add better handling for SQL ID conflicts

Low Priority

  1. Consider additional JSON structure validation for API responses

Final Verdict

Overall Assessment: ✅ Approved with Suggestions

This is a solid improvement to the test suite. The code is well-structured, properly documented, and significantly improves test coverage by adding multi-user scenarios. The security concerns are minor and specific to test code context.

The changes demonstrate good software engineering practices:

  • Clear separation of concerns
  • Maintainable constants
  • Comprehensive error handling
  • Thoughtful documentation

Great work on improving the test infrastructure! 🎉


Tasks Completed

  • Read repository CLAUDE.md file(s)
  • Read the modified test file
  • Analyze the changes against origin/main
  • Review code quality and best practices
  • Check for security considerations
  • Evaluate test coverage and quality
  • Provide comprehensive feedback

@benjamin-747 benjamin-747 added this pull request to the merge queue Feb 2, 2026
Merged via the queue into gitmono-dev:main with commit 32d4129 Feb 2, 2026
11 checks passed
@benjamin-747

Copy link
Copy Markdown
Collaborator

link #1817

Chen-Rong-Zi pushed a commit to Chen-Rong-Zi/mega that referenced this pull request Feb 3, 2026
* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

---------

Signed-off-by: miliu2cc <miliu2cc@gmail.com>
Chen-Rong-Zi pushed a commit to Chen-Rong-Zi/mega that referenced this pull request Feb 3, 2026
* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

---------

Signed-off-by: miliu2cc <miliu2cc@gmail.com>
Chen-Rong-Zi pushed a commit to Chen-Rong-Zi/mega that referenced this pull request Feb 3, 2026
* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

---------

Signed-off-by: miliu2cc <miliu2cc@gmail.com>
AidCheng pushed a commit to AidCheng/mega that referenced this pull request Feb 5, 2026
* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

---------

Signed-off-by: miliu2cc <miliu2cc@gmail.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>
github-merge-queue Bot pushed a commit that referenced this pull request Feb 11, 2026
…d WebSocket (#1909)

* refactor: some modules (#4)

* feat: add refactor orion module for migration

Signed-off-by: Wangyan <topshihun@foxmail.com>

* fix: add CL for build

Signed-off-by: Wangyan <topshihun@foxmail.com>

* refactor: some modules

Signed-off-by: Wangyan <topshihun@foxmail.com>

---------

Signed-off-by: Wangyan <topshihun@foxmail.com>
Signed-off-by: Aid_C <57825561+AidCheng@users.noreply.github.com>
Co-authored-by: Aid_C <57825561+AidCheng@users.noreply.github.com>

* [orion]REFACTOR: Integrate generic jupiter model with refactored orion structure

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* fix: enforce mount_path semantics and stabilize builds (#1836)

* fix: enforce mount_path semantics and stabilize builds

Consolidate mount_path handling with buck2 prechecks and fix BuildDTO repo handling to avoid moves.

Signed-off-by: jerry609 <1772030600@qq.com>

style: format code with cargo fmt

Signed-off-by: jerry609 <1772030600@qq.com>

chore(orion): remove unused mount helpers

Signed-off-by: jerry609 <1772030600@qq.com>

fix(orion): retry buck2 targets once on failure

Signed-off-by: jerry609 <1772030600@qq.com>

fix(orion): remount and retry target discovery on failure

Signed-off-by: jerry609 <1772030600@qq.com>

style(orion): format buck_controller after retry changes

Signed-off-by: jerry609 <1772030600@qq.com>

fix(orion): annotate changes type for retry path

Signed-off-by: jerry609 <1772030600@qq.com>

fix(orion): appease clippy for mount guards

Signed-off-by: jerry609 <1772030600@qq.com>

test(common): avoid clippy field reassignment lint

Signed-off-by: jerry609 <1772030600@qq.com>

* test(ceres): fix clippy lints in tests

Signed-off-by: jerry609 <1772030600@qq.com>

---------

Signed-off-by: jerry609 <1772030600@qq.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* Feature/comment reanchor (#1874)

* refactor(code_review): add anchor and position to locat code thread

* feat: add reanchor thread function

* fix: seaORM repeated

* fix: rebase error

* fix: lcs_len error

* fix: fix CR problems

* fix: error

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* feat(theme): Complete theme color migration for multiple modules (#1875)

* feat(theme): Complete theme color system migration for CL, Issue, Queue, OrionClient, and Settings modules

* feat(theme): Complete theme color system migration for CL, Issue, Queue, OrionClient, and Settings modules

* feat(theme): Complete theme color system migration for CL, Issue, Queue, OrionClient, and Settings modules

* feat(theme): Complete theme color system migration for CL, Issue, Queue, OrionClient, and Settings modules

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* refactor(mono): convert third-party and buckal-bundles init to script (#1876)

Signed-off-by: MYUU <1405758738@qq.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* chore: move log models under buck2 types (#1878)

Signed-off-by: lvy010 <17338770572@163.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* test(mono): add multi-user support and files-list API (#1881)

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): Add CL merge and update-branch integration test

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

* test(mono): add multi-user support and files-list API

Signed-off-by: miliu2cc <miliu2cc@gmail.com>

---------

Signed-off-by: miliu2cc <miliu2cc@gmail.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* fix(script):cleanup per-repo .git after processing (#1884)

Signed-off-by: MYUU <1405758738@qq.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* feat: implement build trigger system (#1880)

* feat: implement build trigger system

Signed-off-by: allure <1550220889@qq.com>

* feat: refactor build trigger system and fix error

Signed-off-by: allure <1550220889@qq.com>

---------

Signed-off-by: allure <1550220889@qq.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* fix(orion): skip incompatible targets for buck2 builds (#1885)

Signed-off-by: jerry609 <1772030600@qq.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* fixed(cl): update UI for checks log section (#1887)

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* refactor: some modules (#4)

* feat: add refactor orion module for migration

Signed-off-by: Wangyan <topshihun@foxmail.com>

* fix: add CL for build

Signed-off-by: Wangyan <topshihun@foxmail.com>

* refactor: some modules

Signed-off-by: Wangyan <topshihun@foxmail.com>

---------

Signed-off-by: Wangyan <topshihun@foxmail.com>
Signed-off-by: Aid_C <57825561+AidCheng@users.noreply.github.com>
Co-authored-by: Aid_C <57825561+AidCheng@users.noreply.github.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* [buck2]REFACTOR: Integrate orion and orion server with generic api and model interface

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* FIX: use correct ProjectRelativePath crate

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* UPDATE: cargo fmt

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* [orion] Replace worker-server commun with WS msg

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* [orion]FIX: update branch and fix conflicts

* [Orion]FIX: workflow error

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* [orion]UPDATE: fix based on copilot suggestions

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* cargo fmt

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* UPDATE: temporary allow unused started at in build info

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* FIX: remove unused import

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* fmt

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

* [jupiter]REMOVE: duplicate migration

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Aid_C <57825561+AidCheng@users.noreply.github.com>

* [jupiter]FIX: temporary remove task.rs

Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>

---------

Signed-off-by: Wangyan <topshihun@foxmail.com>
Signed-off-by: Aid_C <57825561+AidCheng@users.noreply.github.com>
Signed-off-by: AidCheng <cn.aiden.cheng@gmail.com>
Signed-off-by: jerry609 <1772030600@qq.com>
Signed-off-by: MYUU <1405758738@qq.com>
Signed-off-by: lvy010 <17338770572@163.com>
Signed-off-by: miliu2cc <miliu2cc@gmail.com>
Signed-off-by: allure <1550220889@qq.com>
Co-authored-by: TOP <89700178+topshihun@users.noreply.github.com>
Co-authored-by: Jerry Zhang <1772030600@qq.com>
Co-authored-by: TianYi <2739022972@qq.com>
Co-authored-by: zhaokang <zhaokang.r2cn@isrc.iscas.ac.cn>
Co-authored-by: MYUU <52773565+zhoujiaqi30@users.noreply.github.com>
Co-authored-by: lvy010 <17338770572@163.com>
Co-authored-by: miliu2cc <98928567+miliu2cc@users.noreply.github.com>
Co-authored-by: Yao <1550220889@qq.com>
Co-authored-by: zyd123-cmd <yingdong.r2cn@isrc.iscas.ac.cn>
Co-authored-by: Tianxing Ye <benjamin.747@outlook.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants