10 KiB
10 KiB
Manual Integration Testing Checklist
Task 9: CORS Simplification and Mandatory Auth
Date: 2025-10-25 Implementation Plan: docs/plans/2025-10-25-simplify-cors-mandatory-auth.md Purpose: Verify that all code changes work correctly in a real Obsidian environment
Test 1: Fresh Install Test
Prerequisites
- Access to a test vault
- Built plugin files (main.js, manifest.json, styles.css)
Steps
- ✅ Remove plugin from test vault (if exists):
rm -rf .obsidian/plugins/obsidian-mcp-server/ - ✅ Build plugin:
npm run build - ✅ Copy built plugin files to vault:
.obsidian/plugins/obsidian-mcp-server/ - ✅ Enable plugin in Obsidian Settings → Community Plugins
- ✅ Open browser console (Ctrl+Shift+I)
- ✅ Verify log message: "Generating new API key..."
- ✅ Check
.obsidian/plugins/obsidian-mcp-server/data.json:- Key should be present
- Key should start with "encrypted:" (if encryption available)
- ✅ Verify server starts successfully (check plugin settings or console)
Expected Results
- API key auto-generated on first install
- Key is encrypted in data.json
- No CORS settings in data.json
- Server starts without errors
- No "enableCORS" or "allowedOrigins" fields in data.json
Test 2: Migration Test
Prerequisites
- Test vault with plugin already installed
- Access to data.json file
Steps
- ✅ Stop Obsidian
- ✅ Manually edit
.obsidian/plugins/obsidian-mcp-server/data.json:{ "port": 3000, "enableCORS": true, "allowedOrigins": ["*"], "enableAuth": false, "apiKey": "old-plaintext-key", "autoStart": false } - ✅ Save file
- ✅ Start Obsidian
- ✅ Open browser console
- ✅ Verify log message: "Migrating legacy CORS settings..."
- ✅ Check updated data.json:
- "enableCORS" should be removed
- "allowedOrigins" should be removed
- "enableAuth" should be true
- "apiKey" should be encrypted
- ✅ Verify server still works
Expected Results
- Legacy CORS settings removed from data.json
- enableAuth set to true
- API key encrypted (if not already)
- Other settings preserved (port, autoStart, notifications)
- Server functionality not affected
Test 3: API Key Encryption Test
Prerequisites
- Plugin installed and running
- Access to plugin settings UI
Steps
- ✅ Open plugin settings in Obsidian
- ✅ Locate "API Key Management" section
- ✅ Click "Copy Key" button
- ✅ Note the plaintext key (save to clipboard)
- ✅ Stop Obsidian completely
- ✅ Open
.obsidian/plugins/obsidian-mcp-server/data.json - ✅ Verify apiKey field starts with "encrypted:" (or is plaintext if encryption unavailable)
- ✅ Restart Obsidian
- ✅ Open plugin settings
- ✅ Verify API key display shows the same plaintext key from step 4
- ✅ Verify server starts and accepts the key
Expected Results
- API key displayed in plaintext in UI
- API key encrypted in data.json file
- Same key works after restart
- "Copy Key" button copies plaintext key
- Encryption status indicator shows correct state
Test 4: API Key Regeneration Test
Prerequisites
- Plugin installed with existing API key
- Access to plugin settings UI
Steps
- ✅ Open plugin settings
- ✅ Copy current API key (note it down)
- ✅ Click "Regenerate Key" button
- ✅ Verify success notification
- ✅ Verify displayed key has changed
- ✅ Copy new key
- ✅ Verify old key ≠ new key
- ✅ Stop Obsidian
- ✅ Check data.json - verify encrypted key has changed
- ✅ Restart Obsidian
- ✅ Verify new key is displayed correctly
- ✅ Verify server restart prompt if server was running
Expected Results
- Regenerate button generates a new key
- New key is different from old key
- New key is properly encrypted on disk
- New key persists across restart
- Server restart prompted if needed
Test 5: Authentication Test
Prerequisites
- Plugin installed and server running
- curl or similar HTTP client
Steps
- ✅ Start MCP server from plugin settings
- ✅ Copy API key from settings UI
- ✅ Try request WITHOUT auth:
curl -X POST http://127.0.0.1:3000/mcp \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"ping","id":1}' - ✅ Verify response is 401 Unauthorized
- ✅ Try request WITH correct Bearer token:
curl -X POST http://127.0.0.1:3000/mcp \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_API_KEY_HERE" \ -d '{"jsonrpc":"2.0","method":"ping","id":1}' - ✅ Verify response is 200 OK with pong result
- ✅ Try request with WRONG Bearer token:
curl -X POST http://127.0.0.1:3000/mcp \ -H "Content-Type: application/json" \ -H "Authorization: Bearer wrong-token" \ -d '{"jsonrpc":"2.0","method":"ping","id":1}' - ✅ Verify response is 401 Unauthorized
Expected Results
- Requests without auth rejected (401)
- Requests with invalid token rejected (401)
- Requests with valid token accepted (200)
- No way to bypass authentication
Test 6: CORS Test (Optional - Requires Web Client)
Prerequisites
- MCP server running
- Simple HTML file or local web server
Steps
- ✅ Create test HTML file:
<!DOCTYPE html> <html> <body> <button onclick="testCORS()">Test CORS</button> <div id="result"></div> <script> async function testCORS() { const apiKey = 'YOUR_API_KEY_HERE'; try { const response = await fetch('http://localhost:3000/mcp', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${apiKey}` }, body: JSON.stringify({"jsonrpc":"2.0","method":"ping","id":1}) }); document.getElementById('result').innerText = `Success: ${response.status} ${await response.text()}`; } catch(e) { document.getElementById('result').innerText = `Error: ${e.message}`; } } </script> </body> </html> - ✅ Serve HTML from localhost:8080:
python3 -m http.server 8080 - ✅ Open http://localhost:8080 in browser
- ✅ Update apiKey in HTML with actual key
- ✅ Click "Test CORS" button
- ✅ Verify request succeeds (CORS allowed from localhost:8080)
- ✅ Try accessing from non-localhost origin (if possible)
- ✅ Verify CORS blocks non-localhost origins
Expected Results
- Requests from localhost origins succeed
- Requests from 127.0.0.1 origins succeed
- Requests from non-localhost origins blocked by CORS
- HTTPS localhost origins also work
Test 7: Settings UI Verification
Prerequisites
- Plugin installed
- Access to plugin settings
Steps
- ✅ Open Obsidian Settings → Community Plugins → Obsidian MCP Server
- ✅ Verify NO "Enable CORS" toggle is visible
- ✅ Verify NO "Allowed origins" text input is visible
- ✅ Verify NO "Enable authentication" toggle is visible
- ✅ Verify "Authentication" heading is present
- ✅ Verify description text mentions "mandatory" and "encrypted"
- ✅ Verify encryption status indicator is displayed:
- 🔒 "Encryption: Available" OR
- ⚠️ "Encryption: Unavailable"
- ✅ Verify "API Key Management" section is always visible
- ✅ Verify API key is displayed in monospace font
- ✅ Verify "Copy Key" and "Regenerate Key" buttons are visible
- ✅ Verify "MCP Client Configuration" section always includes Authorization header
Expected Results
- No CORS configuration options visible
- No authentication toggle (always enabled)
- Clear messaging about mandatory auth
- Encryption status displayed
- API key section always visible
- Configuration snippet includes auth header
Test 8: No Regressions Test
Prerequisites
- Plugin installed and server running
- Test vault with notes
Steps
- ✅ Test all MCP tools work:
read_note- Read an existing notecreate_note- Create a new noteupdate_note- Modify a notedelete_note- Delete a notelist- List notes in vaultsearch- Search for text- Other tools as applicable
- ✅ Test notifications (if enabled):
- Enable notifications in settings
- Call an MCP tool
- Verify notification appears in Obsidian
- ✅ Test server controls:
- Stop server
- Start server
- Restart server
- ✅ Test settings save/load:
- Change port number
- Toggle autoStart
- Restart Obsidian
- Verify settings preserved
Expected Results
- All MCP tools function correctly
- No errors in console related to CORS/auth changes
- Notifications work as before
- Server controls work correctly
- Settings persist across restarts
- No functionality regressions
Test 9: Error Handling Test
Prerequisites
- Plugin installed
Steps
- ✅ Test empty API key scenario:
- Stop Obsidian
- Edit data.json to set
apiKey: "" - Start Obsidian
- Verify new key is auto-generated
- ✅ Test decryption failure:
- Stop Obsidian
- Edit data.json to set
apiKey: "encrypted:invalid-base64!!!" - Start Obsidian
- Verify error notice displayed
- Verify user prompted to regenerate key
- ✅ Test server start with no API key:
- Stop Obsidian
- Edit data.json to remove apiKey field entirely
- Start Obsidian
- Verify key auto-generated
- Verify server can start
Expected Results
- Empty API key triggers auto-generation
- Invalid encrypted key shows error notice
- User can recover from decryption failures
- Server doesn't start with invalid key state
Summary Checklist
After completing all tests above, verify:
- Fresh install generates and encrypts API key
- Legacy CORS settings are migrated correctly
- API keys are encrypted at rest
- API key regeneration works
- Authentication is mandatory and enforced
- CORS allows localhost origins only
- Settings UI shows correct options (no CORS, no auth toggle)
- Encryption status is displayed
- All existing MCP tools work correctly
- No console errors related to changes
- Error scenarios handled gracefully
Test Results
Tester: [Name] Date: [Date] Obsidian Version: [Version] Plugin Version: [Version] Platform: [Windows/macOS/Linux]
Overall Status: [ ] PASS / [ ] FAIL Notes: