test: fix issues raised by test fialures

Author: abose

src-electron/ipc-security.js

@@ -30,10 +30,15 @@ function isTrustedOrigin(url) {
         }
     }
 
-    // In dev stage, also allow localhost URLs
+    // In dev stage, also allow localhost URLs (but NOT asset:// protocol)
+    // asset:// is for static file serving only and should never have API access
     if (stage === 'dev') {
         try {
             const parsed = new URL(url);
+            // Exclude asset:// protocol - it's sandboxed like Tauri's asset protocol
+            if (parsed.protocol === 'asset:') {
+                return false;
+            }
             if (parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1') {
                 return true;
             }

src-electron/main-cred-ipc.js

@@ -48,7 +48,8 @@ function registerCredIpcHandlers() {
         const stored = windowTrustMap.get(webContentsId);
 
         if (!stored) {
-            throw new Error('No trust established for this window.');
+            // Match Tauri's error message
+            throw new Error('No trust association found for this window.');
         }
         if (stored.key !== key || stored.iv !== iv) {
             throw new Error('Provided key and IV do not match.');
@@ -59,14 +60,22 @@ function registerCredIpcHandlers() {
         console.log(`AES trust removed for window: ${getWindowLabel(webContentsId)} (webContentsId: ${webContentsId})`);
     });
 
+    // Special marker for empty string credentials (keytar doesn't allow empty passwords)
+    // Using a unique string that's unlikely to be a real credential value
+    const EMPTY_CREDENTIAL_MARKER = '___PHCODE_EMPTY_CREDENTIAL_MARKER___';
+
     // Store credential in system keychain
     ipcMain.handle('store-credential', async (event, scopeName, secretVal) => {
         assertTrusted(event);
         if (!keytar) {
             throw new Error('keytar module not available.');
         }
         const service = PHOENIX_CRED_PREFIX + scopeName;
-        await keytar.setPassword(service, process.env.USER || 'user', secretVal);
+        // Handle empty strings by storing a special marker (keytar requires non-empty passwords)
+        // Check for empty string, null, or undefined - all become the marker
+        const isEmpty = secretVal === '' || secretVal === null || secretVal === undefined;
+        const valueToStore = isEmpty ? EMPTY_CREDENTIAL_MARKER : secretVal;
+        await keytar.setPassword(service, process.env.USER || 'user', valueToStore);
     });
 
     // Get credential (encrypted with window's AES key)
@@ -79,15 +88,22 @@ function registerCredIpcHandlers() {
         const webContentsId = event.sender.id;
         const trustData = windowTrustMap.get(webContentsId);
         if (!trustData) {
-            throw new Error('Trust needs to be established first.');
+            // Match Tauri's error message
+            throw new Error('Trust needs to be first established for this window to get or set credentials.');
         }
 
         const service = PHOENIX_CRED_PREFIX + scopeName;
-        const credential = await keytar.getPassword(service, process.env.USER || 'user');
-        if (!credential) {
+        const account = process.env.USER || 'user';
+        let credential = await keytar.getPassword(service, account);
+        if (credential === null || credential === undefined) {
             return null;
         }
 
+        // Convert empty credential marker back to empty string
+        if (credential === EMPTY_CREDENTIAL_MARKER) {
+            credential = '';
+        }
+
         // Encrypt with AES-256-GCM (same as Tauri)
         const keyBytes = Buffer.from(trustData.key, 'hex');
         const ivBytes = Buffer.from(trustData.iv, 'hex');
@@ -96,7 +112,9 @@ function registerCredIpcHandlers() {
         encrypted += cipher.final('hex');
         const authTag = cipher.getAuthTag().toString('hex');
 
-        return encrypted + authTag; // Return ciphertext + authTag as hex string
+        // For empty credentials, encrypted will be empty string, but authTag will still be present
+        const result = encrypted + authTag;
+        return result;
     });
 
     // Delete credential from system keychain
@@ -106,7 +124,11 @@ function registerCredIpcHandlers() {
             throw new Error('keytar module not available.');
         }
         const service = PHOENIX_CRED_PREFIX + scopeName;
-        await keytar.deletePassword(service, process.env.USER || 'user');
+        const deleted = await keytar.deletePassword(service, process.env.USER || 'user');
+        // Match Tauri's behavior: throw if credential didn't exist
+        if (!deleted) {
+            throw new Error('No matching entry found in secure storage');
+        }
     });
 }
 

src-electron/main-window-ipc.js

@@ -167,6 +167,17 @@ function registerWindowIpcHandlers() {
         }
     });
 
+    // Close a window by its label
+    ipcMain.handle('close-window-by-label', async (event, label) => {
+        assertTrusted(event);
+        const win = windowRegistry.get(label);
+        if (win && !win.isDestroyed()) {
+            win.close();
+            return true;
+        }
+        return false;
+    });
+
     // Focus current window and bring to front
     ipcMain.handle('focus-window', (event) => {
         assertTrusted(event);

src-electron/main.js

@@ -26,7 +26,7 @@ if (process.argv.includes('-v') || process.argv.includes('--version')) {
     process.exit(0);
 }
 
-// Register phtauri:// as a privileged scheme (must be done before app ready)
+// Register custom schemes as privileged (must be done before app ready)
 // This enables standard web features: fetch, localStorage, cookies, etc.
 protocol.registerSchemesAsPrivileged([
     {
@@ -38,6 +38,15 @@ protocol.registerSchemesAsPrivileged([
             corsEnabled: true,
             stream: true
         }
+    },
+    {
+        // asset:// is for serving static files only - minimal privileges to match Tauri's security posture
+        // No standard/secure/corsEnabled - just enough for fetch() to read local assets
+        scheme: 'asset',
+        privileges: {
+            supportFetchAPI: true,
+            stream: true
+        }
     }
 ]);
 

src-electron/preload.js

@@ -105,6 +105,7 @@ contextBridge.exposeInMainWorld('electronAPI', {
     getCurrentWindowLabel: () => ipcRenderer.invoke('get-current-window-label'),
     createPhoenixWindow: (url, options) => ipcRenderer.invoke('create-phoenix-window', url, options),
     closeWindow: () => ipcRenderer.invoke('close-window'),
+    closeWindowByLabel: (label) => ipcRenderer.invoke('close-window-by-label', label),
     quitApp: (exitCode) => ipcRenderer.invoke('quit-app', exitCode),
     focusWindow: () => ipcRenderer.invoke('focus-window'),