CapaKraken/packages/api/src/__tests__/resource-router-auth.test.ts

import { SystemRole } from "@capakraken/shared";
import { beforeEach, describe, expect, it, vi } from "vitest";

vi.mock("../lib/anonymization.js", () => ({
  anonymizeResource: vi.fn((resource: Record<string, unknown>) => resource),
  anonymizeResources: vi.fn((resources: unknown[]) => resources),
  anonymizeSearchMatches: vi.fn((matches: unknown[]) => matches),
  getAnonymizationDirectory: vi.fn().mockResolvedValue(null),
  resolveResourceIdsByDisplayedEids: vi.fn().mockResolvedValue(new Map()),
}));

import { anonymizeResource, getAnonymizationDirectory } from "../lib/anonymization.js";
import { resourceRouter } from "../router/resource.js";
import { createCallerFactory } from "../trpc.js";

const createCaller = createCallerFactory(resourceRouter);

function createContext(
  db: Record<string, unknown>,
  options: {
    role?: SystemRole;
    session?: boolean;
  } = {},
) {
  const { role = SystemRole.USER, session = true } = options;

  return {
    session: session
      ? {
          user: { email: "user@example.com", name: "User", image: null },
          expires: "2099-01-01T00:00:00.000Z",
        }
      : null,
    db: db as never,
    dbUser: session
      ? {
          id: role === SystemRole.MANAGER ? "user_mgr" : "user_1",
          systemRole: role,
          permissionOverrides: null,
        }
      : null,
  };
}

describe("resource router authorization", () => {
  beforeEach(() => {
    vi.clearAllMocks();
  });

  it("requires authentication for chapter lookups", async () => {
    const findMany = vi.fn();
    const caller = createCaller(createContext({
      resource: {
        findMany,
      },
    }, { session: false }));

    await expect(caller.chapters()).rejects.toMatchObject({
      code: "UNAUTHORIZED",
      message: "Authentication required",
    });

    expect(findMany).not.toHaveBeenCalled();
  });

  it("keeps chapter lookups available to authenticated users as safe lookup data", async () => {
    const findMany = vi.fn().mockResolvedValue([
      { chapter: "Art Direction" },
      { chapter: "Project Management" },
    ]);
    const caller = createCaller(createContext({
      resource: {
        findMany,
      },
    }));

    const result = await caller.chapters();

    expect(result).toEqual(["Art Direction", "Project Management"]);
    expect(findMany).toHaveBeenCalledWith({
      where: { isActive: true, chapter: { not: null } },
      select: { chapter: true },
      distinct: ["chapter"],
      orderBy: { chapter: "asc" },
    });
  });

  it("requires authentication for self-service skill matrix imports", async () => {
    const findUnique = vi.fn();
    const update = vi.fn();
    const caller = createCaller(createContext({
      user: {
        findUnique,
      },
      resource: {
        update,
      },
    }, { session: false }));

    await expect(caller.importSkillMatrix({
      skills: [{ skill: "Maya", proficiency: 4 }],
    })).rejects.toMatchObject({
      code: "UNAUTHORIZED",
      message: "Authentication required",
    });

    expect(findUnique).not.toHaveBeenCalled();
    expect(update).not.toHaveBeenCalled();
  });

  it("requires authentication for self-service resource lookups", async () => {
    const findUnique = vi.fn();
    const caller = createCaller(createContext({
      user: {
        findUnique,
      },
    }, { session: false }));

    await expect(caller.getMyResource()).rejects.toMatchObject({
      code: "UNAUTHORIZED",
      message: "Authentication required",
    });

    expect(findUnique).not.toHaveBeenCalled();
  });

  it("returns null when the authenticated user has no linked resource", async () => {
    const findUnique = vi.fn().mockResolvedValue({ resource: null });
    const caller = createCaller(createContext({
      user: {
        findUnique,
      },
    }));

    const result = await caller.getMyResource();

    expect(result).toBeNull();
    expect(findUnique).toHaveBeenCalledWith({
      where: { email: "user@example.com" },
      select: {
        resource: {
          select: {
            id: true,
            displayName: true,
            eid: true,
            chapter: true,
          },
        },
      },
    });
    expect(getAnonymizationDirectory).toHaveBeenCalledOnce();
    expect(anonymizeResource).not.toHaveBeenCalled();
  });

  it("returns the linked resource for authenticated self-service callers", async () => {
    const resource = {
      id: "res_1",
      displayName: "Alice Example",
      eid: "E-001",
      chapter: "CGI",
    };
    const findUnique = vi.fn().mockResolvedValue({ resource });
    const caller = createCaller(createContext({
      user: {
        findUnique,
      },
    }));

    const result = await caller.getMyResource();

    expect(result).toEqual(resource);
    expect(getAnonymizationDirectory).toHaveBeenCalledOnce();
    expect(anonymizeResource).toHaveBeenCalledWith(resource, null);
  });
});