socraticode/tests
Giancarlo Erra 7cdf21a961 fix(docker): require HTTPS for QDRANT_API_KEY; deflake no-key test
Address CodeRabbit findings on PR #36:

1. The previous patch attached `QDRANT_API_KEY` as an `api-key` header
   regardless of URL scheme, which would leak the secret on the wire if
   a user configured an authenticated Qdrant over plain HTTP. Add a
   guard that rejects the combination and throws a specific error,
   placed before the readiness probe so its message is not masked by
   the generic "Cannot reach external Qdrant" handler. Loopback URLs
   (`localhost`, `127.0.0.1`, `[::1]`) are accepted on `http://` so
   local-dev workflows where users run authenticated Qdrant on plain
   HTTP keep working. The URL is parsed (rather than checked with
   startsWith) so hostnames like `http://localhost.evil.com` are not
   mistaken for loopback.

2. The "omits api-key header when QDRANT_API_KEY is not set" test
   relied on the spread of the real `constants.js` module, which means
   it would flake to a header-attached state on any developer machine
   with `QDRANT_API_KEY` exported in the shell. Pass
   `QDRANT_API_KEY: undefined` explicitly so the override always wins.

3. Add two tests covering the new guard: one asserting the rejection
   on plain HTTP for non-loopback hosts, and one asserting that the
   localhost exception still attaches the api-key header.

4. Document the HTTPS requirement (and localhost exception) in the
   `QDRANT_API_KEY` row of the README configuration table.
2026-04-28 13:58:00 +01:00
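
The guard described in item 1 of the commit message, sketched as an added example (not socraticode's own code): it contrasts a `startsWith` prefix check with a parsed-hostname check. The function names, error text and sample URLs are assumptions made for illustration.

```javascript
// Added illustration; helper names and error text are hypothetical.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Prefix match on the raw string: the approach the commit message avoids.
function naiveIsLoopback(url) {
  return ["http://localhost", "http://127.0.0.1", "http://[::1]"]
    .some((prefix) => url.startsWith(prefix));
}

// Exact match on the hostname produced by the WHATWG URL parser.
// The parser lowercases the host and keeps the brackets on IPv6 literals.
function isLoopback(url) {
  return LOOPBACK_HOSTS.has(new URL(url).hostname);
}

// Returns the headers to attach, or throws before any request is sent,
// so the key never leaves the process over cleartext to a remote host.
function qdrantHeaders(qdrantUrl, apiKey) {
  if (!apiKey) return {};                       // no secret, nothing to protect
  let parsed;
  try {
    parsed = new URL(qdrantUrl);
  } catch {
    throw new Error("Qdrant URL is not a valid URL");
  }
  const secure = parsed.protocol === "https:";
  const localHttp = parsed.protocol === "http:" && LOOPBACK_HOSTS.has(parsed.hostname);
  if (!secure && !localHttp) {
    throw new Error("QDRANT_API_KEY requires https:// (or http:// on a loopback host)");
  }
  return { "api-key": apiKey };
}

// Constructed sample URLs; the key value is a placeholder, not a real secret.
const SAMPLE_URLS = [
  "https://qdrant.example.com:6333",
  "http://qdrant.example.com:6333",
  "http://localhost:6333",
  "http://[::1]:6333",
  "http://localhost.evil.com:6333",
];

// Reports, per URL, whether the guard would attach the api-key header.
function audit(urls = SAMPLE_URLS, key = "PLACEHOLDER-KEY") {
  return urls.map((url) => {
    try { return { url, attached: "api-key" in qdrantHeaders(url, key) }; }
    catch (err) { return { url, attached: false, reason: err.message }; }
  });
}
```

Calling `audit()` shows the key attached for the HTTPS and loopback URLs and rejected for the other two, including the `localhost.evil.com` host that the prefix check accepts.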