harden browser routes with csrf checks and lock internal/dev endpoints

2026-02-18 15:27:47 +00:00
parent 4814342156
commit f672677d4f
7 changed files with 200 additions and 30 deletions
--- a/test/views.test.js
+++ b/test/views.test.js
@@ -45,6 +45,18 @@ test("app page renders stats and forms", () => {
  assert.match(html, /Hello/);
 });

+test("app page can hide developer actions", () => {
+  const html = renderAppPage({
+    userId: "u1",
+    summary: { balance: 4, totalJobs: 2, totalCreditsSpent: 2 },
+    jobs: [],
+    showDeveloperActions: false,
+  });
+
+  assert.doesNotMatch(html, /Developer Actions/);
+  assert.doesNotMatch(html, /\/app\/actions\/topup/);
+});
+
 test("audio page shows unlock action when payment is required", () => {
  const html = renderAudioPage({
    audio: { id: "1", storageKey: "audio/1.mp3", articleTitle: "A", durationSec: 30 },