import { SystemRole } from "@capakraken/shared"; import { beforeEach, describe, expect, it, vi } from "vitest"; vi.mock("../lib/anonymization.js", () => ({ anonymizeResource: vi.fn((resource: Record) => resource), anonymizeResources: vi.fn((resources: unknown[]) => resources), anonymizeSearchMatches: vi.fn((matches: unknown[]) => matches), getAnonymizationDirectory: vi.fn().mockResolvedValue(null), resolveResourceIdsByDisplayedEids: vi.fn().mockResolvedValue(new Map()), })); import { anonymizeResource, getAnonymizationDirectory } from "../lib/anonymization.js"; import { resourceRouter } from "../router/resource.js"; import { createCallerFactory } from "../trpc.js"; const createCaller = createCallerFactory(resourceRouter); function createContext( db: Record, options: { role?: SystemRole; session?: boolean; } = {}, ) { const { role = SystemRole.USER, session = true } = options; return { session: session ? { user: { email: "user@example.com", name: "User", image: null }, expires: "2099-01-01T00:00:00.000Z", } : null, db: db as never, dbUser: session ? { id: role === SystemRole.MANAGER ? "user_mgr" : "user_1", systemRole: role, permissionOverrides: null, } : null, }; } describe("resource router authorization", () => { beforeEach(() => { vi.clearAllMocks(); }); it("requires authentication for chapter lookups", async () => { const findMany = vi.fn(); const caller = createCaller(createContext({ resource: { findMany, }, }, { session: false })); await expect(caller.chapters()).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findMany).not.toHaveBeenCalled(); }); it("keeps chapter lookups available to authenticated users as safe lookup data", async () => { const findMany = vi.fn().mockResolvedValue([ { chapter: "Art Direction" }, { chapter: "Project Management" }, ]); const caller = createCaller(createContext({ resource: { findMany, }, })); const result = await caller.chapters(); expect(result).toEqual(["Art Direction", "Project Management"]); expect(findMany).toHaveBeenCalledWith({ where: { isActive: true, chapter: { not: null } }, select: { chapter: true }, distinct: ["chapter"], orderBy: { chapter: "asc" }, }); }); it("requires authentication for self-service skill matrix imports", async () => { const findUnique = vi.fn(); const update = vi.fn(); const caller = createCaller(createContext({ user: { findUnique, }, resource: { update, }, }, { session: false })); await expect(caller.importSkillMatrix({ skills: [{ skill: "Maya", proficiency: 4 }], })).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findUnique).not.toHaveBeenCalled(); expect(update).not.toHaveBeenCalled(); }); it("requires authentication for self-service resource lookups", async () => { const findUnique = vi.fn(); const caller = createCaller(createContext({ user: { findUnique, }, }, { session: false })); await expect(caller.getMyResource()).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findUnique).not.toHaveBeenCalled(); }); it("returns null when the authenticated user has no linked resource", async () => { const findUnique = vi.fn().mockResolvedValue({ resource: null }); const caller = createCaller(createContext({ user: { findUnique, }, })); const result = await caller.getMyResource(); expect(result).toBeNull(); expect(findUnique).toHaveBeenCalledWith({ where: { id: "user_1" }, select: { resource: { select: { id: true, displayName: true, eid: true, chapter: true, }, }, }, }); expect(getAnonymizationDirectory).toHaveBeenCalledOnce(); expect(anonymizeResource).not.toHaveBeenCalled(); }); it("returns the linked resource for authenticated self-service callers", async () => { const resource = { id: "res_1", displayName: "Alice Example", eid: "E-001", chapter: "CGI", }; const findUnique = vi.fn().mockResolvedValue({ resource }); const caller = createCaller(createContext({ user: { findUnique, }, })); const result = await caller.getMyResource(); expect(result).toEqual(resource); expect(getAnonymizationDirectory).toHaveBeenCalledOnce(); expect(anonymizeResource).toHaveBeenCalledWith(resource, null); }); it("uses the db user id for self-service resource lookups even when the session email is stale", async () => { const findUnique = vi.fn().mockResolvedValue({ resource: null }); const caller = createCaller({ session: { user: { email: "stale@example.com", name: "User", image: null }, expires: "2099-01-01T00:00:00.000Z", }, db: { user: { findUnique, }, } as never, dbUser: { id: "user_1", systemRole: SystemRole.USER, permissionOverrides: null, }, roleDefaults: null, }); await caller.getMyResource(); expect(findUnique).toHaveBeenCalledWith({ where: { id: "user_1" }, select: { resource: { select: { id: true, displayName: true, eid: true, chapter: true, }, }, }, }); }); it("requires authentication for hover-card lookups", async () => { const findUnique = vi.fn(); const caller = createCaller(createContext({ resource: { findUnique, }, }, { session: false })); await expect(caller.getHoverCard({ id: "res_1" })).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findUnique).not.toHaveBeenCalled(); }); it("blocks regular users from manager-only skill imports for arbitrary resources", async () => { const findUnique = vi.fn(); const update = vi.fn(); const caller = createCaller(createContext({ resource: { findUnique, update, }, })); await expect( caller.importSkillMatrixForResource({ resourceId: "res_1", skills: [{ skill: "Houdini", proficiency: 5 }], }), ).rejects.toMatchObject({ code: "FORBIDDEN", }); expect(findUnique).not.toHaveBeenCalled(); expect(update).not.toHaveBeenCalled(); }); it("requires authentication for manager-only skill imports for arbitrary resources", async () => { const findUnique = vi.fn(); const update = vi.fn(); const caller = createCaller(createContext({ resource: { findUnique, update, }, }, { role: SystemRole.MANAGER, session: false })); await expect( caller.importSkillMatrixForResource({ resourceId: "res_1", skills: [{ skill: "Houdini", proficiency: 5 }], }), ).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findUnique).not.toHaveBeenCalled(); expect(update).not.toHaveBeenCalled(); }); it("blocks non-admin users from batch skill matrix imports", async () => { const findMany = vi.fn(); const transaction = vi.fn(); const caller = createCaller(createContext({ resource: { findMany, }, $transaction: transaction, }, { role: SystemRole.MANAGER })); await expect( caller.batchImportSkillMatrices({ entries: [{ eid: "E-001", skills: [{ skill: "Maya", proficiency: 4 }] }], }), ).rejects.toMatchObject({ code: "FORBIDDEN", }); expect(findMany).not.toHaveBeenCalled(); expect(transaction).not.toHaveBeenCalled(); }); it("requires authentication for admin-only batch skill matrix imports", async () => { const findMany = vi.fn(); const transaction = vi.fn(); const caller = createCaller(createContext({ resource: { findMany, }, $transaction: transaction, }, { role: SystemRole.ADMIN, session: false })); await expect( caller.batchImportSkillMatrices({ entries: [{ eid: "E-001", skills: [{ skill: "Maya", proficiency: 4 }] }], }), ).rejects.toMatchObject({ code: "UNAUTHORIZED", message: "Authentication required", }); expect(findMany).not.toHaveBeenCalled(); expect(transaction).not.toHaveBeenCalled(); }); });