Fix flaky forged-signature test: deterministic tamper instead of replace(/.$/, "0")
The previous form did `cookie.replace(/.$/, "0")` to forge the
signature. When the original last hex char was already "0" (~1 in 16
runs), the "tampered" cookie was *identical* to the original and
verifySession returned the username — making the toBeNull assertion
fail.
Surfaced on /reports/live/tests after the snapshot-tests deploy fix
landed in the previous commit ("1 failing · 1 placeholder" on a
193-test suite). Local runs masked it because the lottery hadn't
fallen on "0" yet.
Fix: read the last char and flip to "f" (or "0" if it's already "f").
Guaranteed-different, then assert that explicitly with
`expect(tampered).not.toBe(cookie)` so any future regression is loud.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
1 file changed · +7 −1
src/c32_session.test.ts
| @@ -143,7 +143,13 @@ describe("c32_session — signSession / verifySession round-trip", () => { | ||
| 143 | 143 | |
| 144 | 144 | test("verifySession rejects a cookie with a forged signature", async () => { |
| 145 | 145 | const cookie = await signSession("eve"); |
| 146 | - const tampered = cookie.replace(/.$/, "0"); | |
| 146 | + // Flip the LAST sig char to something *guaranteed* different — | |
| 147 | + // a fixed `replace(/.$/, "0")` collides when the original char is | |
| 148 | + // already "0" (~1 in 16 runs). Detect the original and flip to | |
| 149 | + // a hex digit it can never be. | |
| 150 | + const lastChar = cookie.slice(-1); | |
| 151 | + const tampered = cookie.slice(0, -1) + (lastChar === "f" ? "0" : "f"); | |
| 152 | + expect(tampered).not.toBe(cookie); | |
| 147 | 153 | const result = await verifySession(tampered); |
| 148 | 154 | expect(result).toBeNull(); |
| 149 | 155 | }); |
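Review bot: The new comment ("flip to a hex digit it can never be") overstates what `lastChar === "f" ? "0" : "f"` does: it picks a character that differs from the current last character, not one the signature can never contain, so rewording the comment to "replace the last char with one that differs from it" would match the code. The `expect(tampered).not.toBe(cookie)` line is the right way to make the determinism explicit; consider also asserting `expect(cookie.length).toBeGreaterThan(0)` so the test fails loudly if `signSession` ever returns an empty string, since `cookie.slice(0, -1) + "f"` would still produce a "different" cookie and the test would pass without exercising a forged signature.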