Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
c65ae132d313f7a0168c96c60c07176e3575d806
CapaKraken/packages/api/src/__tests__/resource-router-auth.test.ts
T

321 lines
8.7 KiB
TypeScript
Raw Blame History

import { SystemRole } from "@capakraken/shared";
import { beforeEach, describe, expect, it, vi } from "vitest";
vi.mock("../lib/anonymization.js", () => ({
anonymizeResource: vi.fn((resource: Record<string, unknown>) => resource),
anonymizeResources: vi.fn((resources: unknown[]) => resources),
anonymizeSearchMatches: vi.fn((matches: unknown[]) => matches),
getAnonymizationDirectory: vi.fn().mockResolvedValue(null),
resolveResourceIdsByDisplayedEids: vi.fn().mockResolvedValue(new Map()),
}));
import { anonymizeResource, getAnonymizationDirectory } from "../lib/anonymization.js";
import { resourceRouter } from "../router/resource.js";
import { createCallerFactory } from "../trpc.js";
const createCaller = createCallerFactory(resourceRouter);
function createContext(
db: Record<string, unknown>,
options: {
role?: SystemRole;
session?: boolean;
} = {},
) {
const { role = SystemRole.USER, session = true } = options;
return {
session: session
? {
user: { email: "user@example.com", name: "User", image: null },
expires: "2099-01-01T00:00:00.000Z",
}
: null,
db: db as never,
dbUser: session
? {
id: role === SystemRole.MANAGER ? "user_mgr" : "user_1",
systemRole: role,
permissionOverrides: null,
}
: null,
};
}
describe("resource router authorization", () => {
beforeEach(() => {
vi.clearAllMocks();
});
it("requires authentication for chapter lookups", async () => {
const findMany = vi.fn();
const caller = createCaller(createContext({
resource: {
findMany,
},
}, { session: false }));
await expect(caller.chapters()).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findMany).not.toHaveBeenCalled();
});
it("keeps chapter lookups available to authenticated users as safe lookup data", async () => {
const findMany = vi.fn().mockResolvedValue([
{ chapter: "Art Direction" },
{ chapter: "Project Management" },
]);
const caller = createCaller(createContext({
resource: {
findMany,
},
}));
const result = await caller.chapters();
expect(result).toEqual(["Art Direction", "Project Management"]);
expect(findMany).toHaveBeenCalledWith({
where: { isActive: true, chapter: { not: null } },
select: { chapter: true },
distinct: ["chapter"],
orderBy: { chapter: "asc" },
});
});
it("requires authentication for self-service skill matrix imports", async () => {
const findUnique = vi.fn();
const update = vi.fn();
const caller = createCaller(createContext({
user: {
findUnique,
},
resource: {
update,
},
}, { session: false }));
await expect(caller.importSkillMatrix({
skills: [{ skill: "Maya", proficiency: 4 }],
})).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findUnique).not.toHaveBeenCalled();
expect(update).not.toHaveBeenCalled();
});
it("requires authentication for self-service resource lookups", async () => {
const findUnique = vi.fn();
const caller = createCaller(createContext({
user: {
findUnique,
},
}, { session: false }));
await expect(caller.getMyResource()).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findUnique).not.toHaveBeenCalled();
});
it("returns null when the authenticated user has no linked resource", async () => {
const findUnique = vi.fn().mockResolvedValue({ resource: null });
const caller = createCaller(createContext({
user: {
findUnique,
},
}));
const result = await caller.getMyResource();
expect(result).toBeNull();
expect(findUnique).toHaveBeenCalledWith({
where: { id: "user_1" },
select: {
resource: {
select: {
id: true,
displayName: true,
eid: true,
chapter: true,
},
},
},
});
expect(getAnonymizationDirectory).toHaveBeenCalledOnce();
expect(anonymizeResource).not.toHaveBeenCalled();
});
it("returns the linked resource for authenticated self-service callers", async () => {
const resource = {
id: "res_1",
displayName: "Alice Example",
eid: "E-001",
chapter: "CGI",
};
const findUnique = vi.fn().mockResolvedValue({ resource });
const caller = createCaller(createContext({
user: {
findUnique,
},
}));
const result = await caller.getMyResource();
expect(result).toEqual(resource);
expect(getAnonymizationDirectory).toHaveBeenCalledOnce();
expect(anonymizeResource).toHaveBeenCalledWith(resource, null);
});
it("uses the db user id for self-service resource lookups even when the session email is stale", async () => {
const findUnique = vi.fn().mockResolvedValue({ resource: null });
const caller = createCaller({
session: {
user: { email: "stale@example.com", name: "User", image: null },
expires: "2099-01-01T00:00:00.000Z",
},
db: {
user: {
findUnique,
},
} as never,
dbUser: {
id: "user_1",
systemRole: SystemRole.USER,
permissionOverrides: null,
},
roleDefaults: null,
});
await caller.getMyResource();
expect(findUnique).toHaveBeenCalledWith({
where: { id: "user_1" },
select: {
resource: {
select: {
id: true,
displayName: true,
eid: true,
chapter: true,
},
},
},
});
});
it("requires authentication for hover-card lookups", async () => {
const findUnique = vi.fn();
const caller = createCaller(createContext({
resource: {
findUnique,
},
}, { session: false }));
await expect(caller.getHoverCard({ id: "res_1" })).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findUnique).not.toHaveBeenCalled();
});
it("blocks regular users from manager-only skill imports for arbitrary resources", async () => {
const findUnique = vi.fn();
const update = vi.fn();
const caller = createCaller(createContext({
resource: {
findUnique,
update,
},
}));
await expect(
caller.importSkillMatrixForResource({
resourceId: "res_1",
skills: [{ skill: "Houdini", proficiency: 5 }],
}),
).rejects.toMatchObject({
code: "FORBIDDEN",
});
expect(findUnique).not.toHaveBeenCalled();
expect(update).not.toHaveBeenCalled();
});
it("requires authentication for manager-only skill imports for arbitrary resources", async () => {
const findUnique = vi.fn();
const update = vi.fn();
const caller = createCaller(createContext({
resource: {
findUnique,
update,
},
}, { role: SystemRole.MANAGER, session: false }));
await expect(
caller.importSkillMatrixForResource({
resourceId: "res_1",
skills: [{ skill: "Houdini", proficiency: 5 }],
}),
).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findUnique).not.toHaveBeenCalled();
expect(update).not.toHaveBeenCalled();
});
it("blocks non-admin users from batch skill matrix imports", async () => {
const findMany = vi.fn();
const transaction = vi.fn();
const caller = createCaller(createContext({
resource: {
findMany,
},
$transaction: transaction,
}, { role: SystemRole.MANAGER }));
await expect(
caller.batchImportSkillMatrices({
entries: [{ eid: "E-001", skills: [{ skill: "Maya", proficiency: 4 }] }],
}),
).rejects.toMatchObject({
code: "FORBIDDEN",
});
expect(findMany).not.toHaveBeenCalled();
expect(transaction).not.toHaveBeenCalled();
});
it("requires authentication for admin-only batch skill matrix imports", async () => {
const findMany = vi.fn();
const transaction = vi.fn();
const caller = createCaller(createContext({
resource: {
findMany,
},
$transaction: transaction,
}, { role: SystemRole.ADMIN, session: false }));
await expect(
caller.batchImportSkillMatrices({
entries: [{ eid: "E-001", skills: [{ skill: "Maya", proficiency: 4 }] }],
}),
).rejects.toMatchObject({
code: "UNAUTHORIZED",
message: "Authentication required",
});
expect(findMany).not.toHaveBeenCalled();
expect(transaction).not.toHaveBeenCalled();
});
});
Reference in New Issue View Git Blame Copy Permalink