From be0211d826abe31e5bd63e875048477b08034fa5 Mon Sep 17 00:00:00 2001
From: czlonkowski <56956555+czlonkowski@users.noreply.github.com>
Date: Sun, 12 Oct 2025 19:05:54 +0200
Subject: [PATCH] fix: update session-management-api tests for relaxed
 validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates session-management-api.test.ts to align with the relaxed
session ID validation policy introduced for MCP proxy compatibility.

Changes:
- Remove short session IDs from invalid test cases (they're now valid)
- Add new test "should accept short session IDs (relaxed for MCP proxy compatibility)"
- Keep testing truly invalid IDs: empty strings, too long (101+), invalid chars
- Add more comprehensive invalid character tests (spaces, special chars)

Valid short session IDs now accepted:
- 'short' (5 chars)
- 'a' (1 char)
- 'only-nineteen-chars' (19 chars)
- '12345' (5 digits)

Invalid session IDs still rejected:
- Empty strings
- Over 100 characters
- Contains invalid characters (spaces, special chars, quotes, slashes)

This maintains security (character whitelist, max length) while
improving MCP proxy compatibility.

Resolves the last failing CI test in PR #312

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 tests/unit/session-management-api.test.ts | 26 ++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/tests/unit/session-management-api.test.ts b/tests/unit/session-management-api.test.ts
index 25d8406..3d0217d 100644
--- a/tests/unit/session-management-api.test.ts
+++ b/tests/unit/session-management-api.test.ts
@@ -192,11 +192,12 @@ describe('Session Management API (Phase 2 - REQ-5)', () => {
 
     it('should return false for invalid session ID format', () => {
       const invalidSessionIds = [
-        'short',                      // Too short (5 chars)
-        'a'.repeat(101),              // Too long (101 chars)
-        "'; DROP TABLE sessions--",  // SQL injection attempt (invalid characters)
-        '../../../etc/passwd',        // Path traversal attempt (invalid characters)
-        'only-nineteen-chars'         // Too short (19 chars, need 20+)
+        '',                           // Empty string
+        'a'.repeat(101),              // Too long (101 chars, exceeds max)
+        "'; DROP TABLE sessions--",  // SQL injection attempt (invalid characters: ', ;, space)
+        '../../../etc/passwd',        // Path traversal attempt (invalid characters: ., /)
+        'has spaces here',            // Invalid character (space)
+        'special@chars#here'          // Invalid characters (@, #)
       ];
 
       invalidSessionIds.forEach(sessionId => {
@@ -205,6 +206,21 @@ describe('Session Management API (Phase 2 - REQ-5)', () => {
       });
     });
 
+    it('should accept short session IDs (relaxed for MCP proxy compatibility)', () => {
+      const validShortIds = [
+        'short',                      // 5 chars - now valid
+        'a',                          // 1 char - now valid
+        'only-nineteen-chars',        // 19 chars - now valid
+        '12345'                       // 5 digit ID - now valid
+      ];
+
+      validShortIds.forEach(sessionId => {
+        const result = engine.restoreSession(sessionId, testContext);
+        expect(result).toBe(true);
+        expect(engine.getActiveSessions()).toContain(sessionId);
+      });
+    });
+
     it('should return false for invalid instance context', () => {
       const sessionId = 'instance-test-abc123-uuid-test-session-id3';
       const invalidContext = {