test(api): harden estimate races and user auth boundaries

2026-03-30 12:32:51 +02:00
parent 3c4894a966
commit 019c267435
3 changed files with 192 additions and 1 deletions
@@ -34,6 +34,57 @@ function createContext(
 }

 describe("user router authorization", () => {
+  it("requires authentication for self-service profile lookups", async () => {
+    const findUnique = vi.fn();
+    const caller = createCaller(createContext({
+      user: {
+        findUnique,
+      },
+    }, { session: false }));
+
+    await expect(caller.me()).rejects.toMatchObject({
+      code: "UNAUTHORIZED",
+      message: "Authentication required",
+    });
+
+    expect(findUnique).not.toHaveBeenCalled();
+  });
+
+  it("requires authentication for dashboard layout reads", async () => {
+    const findUnique = vi.fn();
+    const caller = createCaller(createContext({
+      user: {
+        findUnique,
+      },
+    }, { session: false }));
+
+    await expect(caller.getDashboardLayout()).rejects.toMatchObject({
+      code: "UNAUTHORIZED",
+      message: "Authentication required",
+    });
+
+    expect(findUnique).not.toHaveBeenCalled();
+  });
+
+  it("requires authentication for favorite project toggles", async () => {
+    const findUnique = vi.fn();
+    const update = vi.fn();
+    const caller = createCaller(createContext({
+      user: {
+        findUnique,
+        update,
+      },
+    }, { session: false }));
+
+    await expect(caller.toggleFavoriteProject({ projectId: "project_1" })).rejects.toMatchObject({
+      code: "UNAUTHORIZED",
+      message: "Authentication required",
+    });
+
+    expect(findUnique).not.toHaveBeenCalled();
+    expect(update).not.toHaveBeenCalled();
+  });
+
  it("forbids regular users from listing assignable users", async () => {
    const findMany = vi.fn();
    const caller = createCaller(createContext({
@@ -105,6 +156,36 @@ describe("user router authorization", () => {
    expect(findUnique).not.toHaveBeenCalled();
  });

+  it("forbids non-admin users from linking resources", async () => {
+    const userFindUnique = vi.fn();
+    const resourceFindUnique = vi.fn();
+    const updateMany = vi.fn();
+    const update = vi.fn();
+    const caller = createCaller(createContext({
+      user: {
+        findUnique: userFindUnique,
+      },
+      resource: {
+        findUnique: resourceFindUnique,
+        updateMany,
+        update,
+      },
+    }, { role: SystemRole.MANAGER }));
+
+    await expect(caller.linkResource({
+      userId: "user_2",
+      resourceId: "resource_1",
+    })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Admin role required",
+    });
+
+    expect(userFindUnique).not.toHaveBeenCalled();
+    expect(resourceFindUnique).not.toHaveBeenCalled();
+    expect(updateMany).not.toHaveBeenCalled();
+    expect(update).not.toHaveBeenCalled();
+  });
+
  it("keeps TOTP verification public for the login flow", async () => {
    const findUniqueOrThrow = vi.fn().mockResolvedValue({
      id: "user_1",