chore: add additional tests

[RihanArfan]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nitro-app	Ready	Preview, Comment	Apr 21, 2026 1:16am

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request adds HTTP configuration and test infrastructure to a Nitro server. Changes include route rules for response headers, redirects, and basic authentication; new endpoint handlers for authentication and redirection targets; and corresponding test route handlers that verify these features work correctly. The server index is updated to include these new tests in its runner.

Changes

Cohort / File(s)	Summary
Configuration nitro.config.ts	Added routeRules to configure per-path HTTP behavior: /tests/headers sets multiple response headers with edge-case values; /redirect-source issues a redirect to /base/redirect-target; /basic-auth-protected enables basic authentication with credentials admin:nitrorunseverywhere.
Route Handlers server/routes/basic-auth-protected.ts, server/routes/redirect-target.ts	Added two simple endpoint handlers: basic-auth-protected echoes the authenticated username or returns "no-auth"; redirect-target returns "REDIRECTED".
Server Index server/routes/index.ts	Expanded test list from four entries to eight, adding basic-auth, headers, meta, and redirect to enable creation of test iframes and status tracking.
Test Handlers server/routes/tests/basic-auth.ts, server/routes/tests/headers.ts, server/routes/tests/meta.ts, server/routes/tests/redirect.ts	Added four test route handlers that verify HTTP features: basic authentication credentials are correctly extracted and echoed; response headers are set and retrieved correctly (case-insensitive); Nitro version metadata is exposed; HTTP redirects follow and preserve response data.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No description was provided by the author, making it impossible to verify relation to the changeset.	Add a pull request description explaining what tests were added and why they are important.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows conventional commits format with 'chore' prefix and clearly describes the main change: adding additional tests to the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/test-more-features

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

server/routes/tests/redirect.ts (1)

7-12: Consider asserting final status and URL too.

Optional enhancement: asserting res.status === 200 and that res.url ends with /redirect-target would make failure diagnostics clearer when the redirect misbehaves (e.g., lands on a 404 page whose body happens to not contain "REDIRECTED").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/tests/redirect.ts` around lines 7 - 12, Add assertions that
verify the final response status and URL after the redirect to improve
diagnostics: in the async test block (the anonymous async ({ assert }) => { ...
}) where you call fetch("/base/redirect-source") and inspect res, add assertions
such as assert(res.status === 200, ...) and
assert(res.url.endsWith("/redirect-target"), ...) so failures clearly show if
the redirect landed on the wrong page or returned a non-200 status.

server/routes/index.ts (1)

183-192: Guard against untrusted message events.

The message listener on window accepts data from any origin. Since the iframes are same-origin here this is functionally safe, but adding an event.source/event.origin check (e.g., ensure event.source is one of the spawned iframe's contentWindow) makes the runner more robust against stray postMessage traffic (e.g., browser extensions). Also, event.data.message is accessed without a guard — if some other poster sends { test: "x" } without message, .includes will throw.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/index.ts` around lines 183 - 192, The message handler added via
window.addEventListener('message', (event) => { ... }) must verify the event
source and shape before using event.data.message; update the handler to only
accept events from known iframe contentWindow/origin (compare event.source
against each spawned iframe.contentWindow or check event.origin), ensure
event.data is an object, confirm event.data.test exists and that
event.data.message is a string before calling .includes, and null-check the DOM
element returned by document.getElementById("tests-" + event.data.test +
"-status") before setting innerHTML; modify the existing anonymous listener (the
window.addEventListener callback) to perform these guards.

server/routes/tests/meta.ts (1)

8-8: Consider using an explicit URL instead of fetch("").

Using fetch("") relies on the current document's base URL resolution (same for the iframe's page). While it works in this context where the iframe loads /base/tests/meta, an explicit path like fetch("/base/tests/meta") (or a relative "./meta") is more self-documenting and robust if the test is ever moved or invoked outside the iframe runner. Same applies to server/routes/tests/headers.ts line 9.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/tests/meta.ts` at line 8, The test uses fetch("") which relies
on the iframe/document base URL; replace the empty-string fetch call (const res
= await fetch("") in server/routes/tests/meta.ts) with an explicit path (e.g.
fetch("/base/tests/meta") or a relative "./meta") so the request is
self-documenting and stable if tests move, and make the same change for the
analogous fetch call in server/routes/tests/headers.ts (line 9) to ensure both
tests use explicit URLs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nitro.config.ts`:
- Around line 21-23: The committed plaintext demo password is in the nitro
config under the "/basic-auth-protected" route
(basicAuth.username/basicAuth.password); change the code to read the password
from an environment variable (e.g., BASIC_AUTH_PASSWORD) with the existing
literal as a documented default so deployments can override it, update any docs
or .env.example to show the new env var, and ensure the code still falls back to
the demo string when the env var is not set.

In `@server/routes/index.ts`:
- Line 20: The manualTests array contains a duplicate entry "headers" which is
already present in the automated tests array and rendered/checked via the iframe
with id "tests-headers"; remove "headers" from the manualTests array (the
constant manualTests) so only automated tests include it, leaving manualTests =
["env", "node-compat"] (update any related UI/labels if they reference
manualTests to ensure no leftover references to "headers").

---

Nitpick comments:
In `@server/routes/index.ts`:
- Around line 183-192: The message handler added via
window.addEventListener('message', (event) => { ... }) must verify the event
source and shape before using event.data.message; update the handler to only
accept events from known iframe contentWindow/origin (compare event.source
against each spawned iframe.contentWindow or check event.origin), ensure
event.data is an object, confirm event.data.test exists and that
event.data.message is a string before calling .includes, and null-check the DOM
element returned by document.getElementById("tests-" + event.data.test +
"-status") before setting innerHTML; modify the existing anonymous listener (the
window.addEventListener callback) to perform these guards.

In `@server/routes/tests/meta.ts`:
- Line 8: The test uses fetch("") which relies on the iframe/document base URL;
replace the empty-string fetch call (const res = await fetch("") in
server/routes/tests/meta.ts) with an explicit path (e.g.
fetch("/base/tests/meta") or a relative "./meta") so the request is
self-documenting and stable if tests move, and make the same change for the
analogous fetch call in server/routes/tests/headers.ts (line 9) to ensure both
tests use explicit URLs.

In `@server/routes/tests/redirect.ts`:
- Around line 7-12: Add assertions that verify the final response status and URL
after the redirect to improve diagnostics: in the async test block (the
anonymous async ({ assert }) => { ... }) where you call
fetch("/base/redirect-source") and inspect res, add assertions such as
assert(res.status === 200, ...) and assert(res.url.endsWith("/redirect-target"),
...) so failures clearly show if the redirect landed on the wrong page or
returned a non-200 status.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3ad4304a-aade-4d7d-b074-04440f2f024f

📥 Commits

Reviewing files that changed from the base of the PR and between 3603390 and 4ee747b.

📒 Files selected for processing (8)

• nitro.config.ts
• server/routes/basic-auth-protected.ts
• server/routes/index.ts
• server/routes/redirect-target.ts
• server/routes/tests/basic-auth.ts
• server/routes/tests/headers.ts
• server/routes/tests/meta.ts
• server/routes/tests/redirect.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid committing plaintext credentials, even for demo auth.

password: "nitrorunseverywhere" is committed to the repo. For a public test-deployment project this is likely intentional (the credential must be known to exercise the test), but it's worth noting: once public it can never be reused for anything sensitive, and it trains a pattern of inline secrets. Consider sourcing it from an env var with a documented default, e.g. password: process.env.BASIC_AUTH_PASSWORD ?? "nitrorunseverywhere", so real deployments can override it without code changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nitro.config.ts` around lines 21 - 23, The committed plaintext demo password
is in the nitro config under the "/basic-auth-protected" route
(basicAuth.username/basicAuth.password); change the code to read the password
from an environment variable (e.g., BASIC_AUTH_PASSWORD) with the existing
literal as a documented default so deployments can override it, update any docs
or .env.example to show the new env var, and ensure the code still falls back to
the demo string when the env var is not set.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Duplicate test name in manualTests.

"headers" is now present in both the automated tests array (line 13) and manualTests (line 20). Since automated tests already render an iframe with id="tests-headers" and assert PASS/FAIL, listing it again under manual tests is redundant and may confuse users. Consider removing it from manualTests.

Proposed fix

-const manualTests = ["env", "node-compat", "headers"];
+const manualTests = ["env", "node-compat"];

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const manualTests = ["env", "node-compat", "headers"];
	const manualTests = ["env", "node-compat"];

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/index.ts` at line 20, The manualTests array contains a
duplicate entry "headers" which is already present in the automated tests array
and rendered/checked via the iframe with id "tests-headers"; remove "headers"
from the manualTests array (the constant manualTests) so only automated tests
include it, leaving manualTests = ["env", "node-compat"] (update any related
UI/labels if they reference manualTests to ensure no leftover references to
"headers").