Fix Gerrit connection bugs and improve validation

zuharz · claude · zuharz · commit 7adfc6a8393e · 2025-09-18T10:22:30.000+02:00
- Fix critical bug: empty projects array filtering out all repos - Add minLength validation for Gerrit usernames - Update Gerrit auth docs from "token" to "HTTP password" - Improve network error handling with better logging - Make XSSI prefix removal more resilient - Remove unused @testing-library/react-hooks dependency - Enhance test coverage with better assertions 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/packages/backend/src/gerrit.ts b/packages/backend/src/gerrit.ts
@@ -87,7 +87,7 @@ export const getGerritReposFromConfig = async (
    }
 
    // include repos by glob if specified in config
-   if (config.projects) {
+   if (config.projects?.length) {
       projects = projects.filter((project) => {
          return micromatch.isMatch(project.name, config.projects!);
       });
@@ -155,10 +155,11 @@ const fetchAllProjects = async (url: string, auth?: GerritAuthConfig): Promise<G
             throw err;
          }
 
-         const status = (err as any).code;
-         logger.error(`Failed to fetch projects from Gerrit at ${endpointWithParams} with status ${status}`);
+         const status = (err as any).code ?? 0;
+         const message = (err as Error)?.message ?? String(err);
+         logger.error(`Failed to fetch projects from Gerrit at ${endpointWithParams} with status ${status}: ${message}`);
          throw new BackendException(BackendError.CONNECTION_SYNC_FAILED_TO_FETCH_GERRIT_PROJECTS, {
-            status: status,
+            status,
             url: endpointWithParams,
             authenticated: !!auth
          });
@@ -168,7 +169,7 @@ const fetchAllProjects = async (url: string, auth?: GerritAuthConfig): Promise<G
       // Remove XSSI protection prefix that Gerrit adds to JSON responses
       // The regex /^\)\]\}'\n/ matches the literal string ")]}'" at the start of the response
       // followed by a newline character, which Gerrit adds to prevent JSON hijacking
-      const jsonText = text.startsWith(")]}'") ? text.replace(/^\)\]\}'\n/, '') : text;
+      const jsonText = text.replace(/^\)\]\}'\s*/, '');
       const data: GerritProjects = JSON.parse(jsonText);
 
       // Add fetched projects to allProjects
diff --git a/packages/crypto/src/tokenUtils.test.ts b/packages/crypto/src/tokenUtils.test.ts
@@ -35,6 +35,9 @@ describe('tokenUtils', () => {
             const result = await getTokenFromConfig(config, testOrgId, mockPrisma);
 
             expect(result).toBe('decrypted-secret-value');
+            // Verify we invoked decrypt with the secret's IV and encrypted value
+            const { decrypt } = await import('./index.js');
+            expect(decrypt).toHaveBeenCalledWith('test-iv', 'encrypted-value');
             expect(mockPrisma.secret.findUnique).toHaveBeenCalledWith({
                 where: { 
                     orgId_key: {
@@ -52,6 +55,7 @@ describe('tokenUtils', () => {
             const result = await getTokenFromConfig(config, testOrgId, mockPrisma);
 
             expect(result).toBe('env-token-value');
+            expect(mockPrisma.secret.findUnique).not.toHaveBeenCalled();
         });
 
         test('throws error for string tokens (security)', async () => {
@@ -75,6 +79,8 @@ describe('tokenUtils', () => {
 
             await expect(getTokenFromConfig(config, testOrgId, mockPrisma))
                 .rejects.toThrow('Secret with key non-existent-secret not found for org 1');
+            const { decrypt } = await import('./index.js');
+            expect(decrypt).not.toHaveBeenCalled();
         });
 
         test('throws error for missing environment variable', async () => {
diff --git a/packages/schemas/src/v3/connection.schema.ts b/packages/schemas/src/v3/connection.schema.ts
@@ -613,6 +613,7 @@ const schema = {
           "properties": {
             "username": {
               "type": "string",
+              "minLength": 1,
               "description": "Gerrit username for authentication",
               "examples": [
                 "john.doe"
@@ -635,7 +636,7 @@ const schema = {
                     "secret": {
                       "type": "string",
                       "minLength": 1,
-                      "description": "The name of the secret that contains the token."
+                      "description": "The name of the secret that contains the HTTP password."
                     }
                   },
                   "required": [
@@ -649,7 +650,7 @@ const schema = {
                     "env": {
                       "type": "string",
                       "minLength": 1,
-                      "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+                      "description": "The name of the environment variable that contains the HTTP password. Only supported in declarative connection configs."
                     }
                   },
                   "required": [
diff --git a/packages/schemas/src/v3/gerrit.schema.ts b/packages/schemas/src/v3/gerrit.schema.ts
@@ -23,6 +23,7 @@ const schema = {
       "properties": {
         "username": {
           "type": "string",
+          "minLength": 1,
           "description": "Gerrit username for authentication",
           "examples": [
             "john.doe"
@@ -45,7 +46,7 @@ const schema = {
                 "secret": {
                   "type": "string",
                   "minLength": 1,
-                  "description": "The name of the secret that contains the token."
+                  "description": "The name of the secret that contains the HTTP password."
                 }
               },
               "required": [
@@ -59,7 +60,7 @@ const schema = {
                 "env": {
                   "type": "string",
                   "minLength": 1,
-                  "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+                  "description": "The name of the environment variable that contains the HTTP password. Only supported in declarative connection configs."
                 }
               },
               "required": [
diff --git a/packages/web/package.json b/packages/web/package.json
@@ -193,7 +193,6 @@
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.7.0",
     "@testing-library/react": "^16.3.0",
-    "@testing-library/react-hooks": "^8.0.1",
     "@types/micromatch": "^4.0.9",
     "@types/node": "^20",
     "@types/nodemailer": "^6.4.17",
