Add tests for denying access to .dev.vars in subdirectories (#9725)

jamesopstad · web-flow · commit fb84eaa4b160 · 2025-07-01T13:52:40.000Z
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/__tests__/sensitive-files.spec.ts b/packages/vite-plugin-cloudflare/playground/sensitive-files/__tests__/sensitive-files.spec.ts
@@ -22,6 +22,16 @@ describe.skipIf(isBuild)("denies access to sensitive files in dev", () => {
 		expect(response.status()).toBe(403);
 	});
 
+	test("denies access to .dev.vars in subdirectory", async () => {
+		const response = await getResponse("/worker-b/.dev.vars");
+		expect(response.status()).toBe(403);
+	});
+
+	test("denies access to .dev.vars.* in subdirectory", async () => {
+		const response = await getResponse("/worker-b/.dev.vars.staging");
+		expect(response.status()).toBe(403);
+	});
+
 	test("denies access to custom-sensitive-file", async () => {
 		const response = await getResponse("/custom-sensitive-file");
 		expect(response.status()).toBe(403);
@@ -31,26 +41,26 @@ describe.skipIf(isBuild)("denies access to sensitive files in dev", () => {
 describe.runIf(isBuild)("doesn't serve sensitive files in preview", () => {
 	test("doesn't serve .env", async () => {
 		const response = await getTextResponse("/.env");
-		expect(response).toBe("Worker response");
+		expect(response).toBe("Worker A response");
 	});
 
 	test("doesn't serve .env.*", async () => {
 		const response = await getTextResponse("/.env.staging");
-		expect(response).toBe("Worker response");
+		expect(response).toBe("Worker A response");
 	});
 
 	test("doesn't serve .dev.vars", async () => {
 		const response = await getTextResponse("/.dev.vars");
-		expect(response).toBe("Worker response");
+		expect(response).toBe("Worker A response");
 	});
 
 	test("doesn't serve .dev.vars.*", async () => {
 		const response = await getTextResponse("/.dev.vars.staging");
-		expect(response).toBe("Worker response");
+		expect(response).toBe("Worker A response");
 	});
 
 	test("doesn't serve custom-sensitive-file", async () => {
 		const response = await getTextResponse("/custom-sensitive-file");
-		expect(response).toBe("Worker response");
+		expect(response).toBe("Worker A response");
 	});
 });
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/tsconfig.worker.json b/packages/vite-plugin-cloudflare/playground/sensitive-files/tsconfig.worker.json
@@ -1,4 +1,4 @@
 {
 	"extends": ["@cloudflare/workers-tsconfig/worker.json"],
-	"include": ["src"]
+	"include": ["worker-a", "worker-b"]
 }
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/vite.config.ts b/packages/vite-plugin-cloudflare/playground/sensitive-files/vite.config.ts
@@ -7,5 +7,11 @@ export default defineConfig({
 			deny: ["custom-sensitive-file"],
 		},
 	},
-	plugins: [cloudflare({ inspectorPort: false, persistState: false })],
+	plugins: [
+		cloudflare({
+			inspectorPort: false,
+			persistState: false,
+			auxiliaryWorkers: [{ configPath: "./worker-b/wrangler.jsonc" }],
+		}),
+	],
 });
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-a/index.ts b/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-a/index.ts
@@ -0,0 +1,15 @@
+interface Env {
+	WORKER_B: Fetcher;
+}
+
+export default {
+	async fetch(request, env) {
+		const url = new URL(request.url);
+
+		if (url.pathname === "/worker-b") {
+			return env.WORKER_B.fetch(request);
+		}
+
+		return new Response("Worker A response");
+	},
+} satisfies ExportedHandler<Env>;
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/.dev.vars b/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/.dev.vars
@@ -0,0 +1 @@
+DEV_VAR=dev-var
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/.dev.vars.staging b/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/.dev.vars.staging
@@ -0,0 +1 @@
+STAGING_DEV_VAR=staging-dev-var
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/index.ts b/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/index.ts
@@ -1,5 +1,5 @@
 export default {
 	async fetch() {
-		return new Response("Worker response");
+		return new Response("Worker B response");
 	},
 } satisfies ExportedHandler;
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/wrangler.jsonc b/packages/vite-plugin-cloudflare/playground/sensitive-files/worker-b/wrangler.jsonc
@@ -0,0 +1,5 @@
+{
+	"name": "worker-b",
+	"main": "./index.ts",
+	"compatibility_date": "2024-12-30",
+}
diff --git a/packages/vite-plugin-cloudflare/playground/sensitive-files/wrangler.jsonc b/packages/vite-plugin-cloudflare/playground/sensitive-files/wrangler.jsonc
@@ -1,5 +1,11 @@
 {
-	"name": "worker",
-	"main": "./src/index.ts",
+	"name": "worker-a",
+	"main": "./worker-a/index.ts",
 	"compatibility_date": "2024-12-30",
+	"services": [
+		{
+			"binding": "WORKER_B",
+			"service": "worker-b",
+		},
+	],
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`	`2`	`"extends": ["@cloudflare/workers-tsconfig/worker.json"],`
`3`		`- "include": ["src"]`
	`3`	`+ "include": ["worker-a", "worker-b"]`
`4`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,11 @@`
`1`	`1`	`{`
`2`		`- "name": "worker",`
`3`		`- "main": "./src/index.ts",`
	`2`	`+ "name": "worker-a",`
	`3`	`+ "main": "./worker-a/index.ts",`
`4`	`4`	`"compatibility_date": "2024-12-30",`
	`5`	`+ "services": [`
	`6`	`+ {`
	`7`	`+ "binding": "WORKER_B",`
	`8`	`+ "service": "worker-b",`
	`9`	`+ },`
	`10`	`+ ],`
`5`	`11`	`}`