Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

test(api): add 50 router tests for settings, webhook, and calculation rules

Browse Source 
Phase 3c continued: covers admin settings CRUD with secret handling,
webhook lifecycle with SSRF validation, and calculation rules with
controller/manager authorization boundaries.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-10 16:29:10 +02:00
parent efe3b96676
commit 2484eb9b9d
3 changed files with 947 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/webhook-router.test.ts
+287
View File
@@ -0,0 +1,287 @@
import { SystemRole } from "@capakraken/shared";
import { describe, expect, it, vi, beforeEach } from "vitest";
import { webhookRouter } from "../router/webhook.js";
import { createCallerFactory } from "../trpc.js";
// ─── Hoisted mocks ────────────────────────────────────────────────────────────
const { assertWebhookUrlAllowed } = vi.hoisted(() => ({
assertWebhookUrlAllowed: vi.fn().mockResolvedValue(undefined),
}));
const { sendWebhookTestRequest } = vi.hoisted(() => ({
sendWebhookTestRequest: vi.fn(),
}));
vi.mock("../lib/ssrf-guard.js", () => ({ assertWebhookUrlAllowed }));
vi.mock("../router/webhook-support.js", async (importOriginal) => {
const original = await importOriginal<typeof import("../router/webhook-support.js")>();
return {
...original,
sendWebhookTestRequest,
};
});
vi.mock("../lib/audit.js", () => ({
createAuditEntry: vi.fn().mockResolvedValue(undefined),
}));
// ─── Caller factory ───────────────────────────────────────────────────────────
const createCaller = createCallerFactory(webhookRouter);
function createAdminCaller(db: Record<string, unknown>) {
return createCaller({
session: {
user: { email: "admin@example.com", name: "Admin", image: null },
expires: "2099-01-01T00:00:00.000Z",
},
db: db as never,
dbUser: {
id: "user_admin",
systemRole: SystemRole.ADMIN,
permissionOverrides: null,
},
roleDefaults: null,
});
}
function createManagerCaller(db: Record<string, unknown>) {
return createCaller({
session: {
user: { email: "manager@example.com", name: "Manager", image: null },
expires: "2099-01-01T00:00:00.000Z",
},
db: db as never,
dbUser: {
id: "user_manager",
systemRole: SystemRole.MANAGER,
permissionOverrides: null,
},
roleDefaults: null,
});
}
// ─── Fixtures ─────────────────────────────────────────────────────────────────
const webhookFixture = {
id: "wh_1",
name: "Deploy Notifier",
url: "https://hooks.example.com/deploy",
secret: null,
events: ["allocation.created"],
isActive: true,
createdAt: new Date("2025-01-01"),
};
// ─── Tests ────────────────────────────────────────────────────────────────────
describe("webhook.list", () => {
it("returns all webhooks ordered by creation date descending", async () => {
const findMany = vi.fn().mockResolvedValue([webhookFixture]);
const caller = createAdminCaller({ webhook: { findMany } });
const result = await caller.list();
expect(findMany).toHaveBeenCalledWith({ orderBy: { createdAt: "desc" } });
expect(result).toHaveLength(1);
expect(result[0]).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
});
it("returns an empty array when no webhooks exist", async () => {
const findMany = vi.fn().mockResolvedValue([]);
const caller = createAdminCaller({ webhook: { findMany } });
const result = await caller.list();
expect(result).toHaveLength(0);
});
it("rejects non-admin callers with FORBIDDEN", async () => {
const caller = createManagerCaller({ webhook: { findMany: vi.fn() } });
await expect(caller.list()).rejects.toMatchObject({ code: "FORBIDDEN" });
});
});
describe("webhook.getById", () => {
it("returns the webhook when it exists", async () => {
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const caller = createAdminCaller({ webhook: { findUnique } });
const result = await caller.getById({ id: "wh_1" });
expect(findUnique).toHaveBeenCalledWith({ where: { id: "wh_1" } });
expect(result).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
});
it("throws NOT_FOUND when the webhook does not exist", async () => {
const findUnique = vi.fn().mockResolvedValue(null);
const caller = createAdminCaller({ webhook: { findUnique } });
await expect(caller.getById({ id: "missing" })).rejects.toMatchObject({
code: "NOT_FOUND",
});
});
});
describe("webhook.create", () => {
beforeEach(() => {
assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
});
it("creates a webhook and returns it after SSRF validation", async () => {
const created = { ...webhookFixture };
const dbCreate = vi.fn().mockResolvedValue(created);
const caller = createAdminCaller({ webhook: { create: dbCreate } });
const result = await caller.create({
name: "Deploy Notifier",
url: "https://hooks.example.com/deploy",
events: ["allocation.created"],
isActive: true,
});
expect(assertWebhookUrlAllowed).toHaveBeenCalledWith("https://hooks.example.com/deploy");
expect(dbCreate).toHaveBeenCalled();
expect(result).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
});
it("rejects when the SSRF guard blocks the URL", async () => {
const { TRPCError } = await import("@trpc/server");
assertWebhookUrlAllowed.mockRejectedValue(
new TRPCError({ code: "BAD_REQUEST", message: "Webhook URLs must use HTTPS." }),
);
const caller = createAdminCaller({ webhook: { create: vi.fn() } });
await expect(
caller.create({
name: "Internal",
url: "https://192.168.1.1/hook",
events: ["project.created"],
isActive: true,
}),
).rejects.toMatchObject({ code: "BAD_REQUEST" });
});
it("rejects non-admin callers with FORBIDDEN", async () => {
const caller = createManagerCaller({ webhook: { create: vi.fn() } });
await expect(
caller.create({
name: "Test",
url: "https://example.com/hook",
events: ["allocation.created"],
isActive: true,
}),
).rejects.toMatchObject({ code: "FORBIDDEN" });
});
});
describe("webhook.update", () => {
beforeEach(() => {
assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
});
it("updates a webhook name and returns the updated record", async () => {
const updated = { ...webhookFixture, name: "CI Notifier" };
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const update = vi.fn().mockResolvedValue(updated);
const caller = createAdminCaller({ webhook: { findUnique, update } });
const result = await caller.update({ id: "wh_1", data: { name: "CI Notifier" } });
expect(update).toHaveBeenCalledWith(expect.objectContaining({ where: { id: "wh_1" } }));
expect(result).toMatchObject({ name: "CI Notifier" });
});
it("validates the new URL via SSRF guard when updating URL", async () => {
const updated = { ...webhookFixture, url: "https://new.example.com/hook" };
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const update = vi.fn().mockResolvedValue(updated);
const caller = createAdminCaller({ webhook: { findUnique, update } });
await caller.update({ id: "wh_1", data: { url: "https://new.example.com/hook" } });
expect(assertWebhookUrlAllowed).toHaveBeenCalledWith("https://new.example.com/hook");
});
it("throws NOT_FOUND when the webhook to update does not exist", async () => {
const findUnique = vi.fn().mockResolvedValue(null);
const caller = createAdminCaller({ webhook: { findUnique } });
await expect(caller.update({ id: "missing", data: { name: "Ghost" } })).rejects.toMatchObject({
code: "NOT_FOUND",
});
});
});
describe("webhook.delete", () => {
it("deletes the webhook and resolves without error", async () => {
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const dbDelete = vi.fn().mockResolvedValue(undefined);
const caller = createAdminCaller({ webhook: { findUnique, delete: dbDelete } });
await caller.delete({ id: "wh_1" });
expect(dbDelete).toHaveBeenCalledWith({ where: { id: "wh_1" } });
});
it("throws NOT_FOUND when the webhook does not exist", async () => {
const findUnique = vi.fn().mockResolvedValue(null);
const caller = createAdminCaller({ webhook: { findUnique } });
await expect(caller.delete({ id: "missing" })).rejects.toMatchObject({
code: "NOT_FOUND",
});
});
});
describe("webhook.test", () => {
beforeEach(() => {
assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
sendWebhookTestRequest.mockReset();
});
it("sends a test request and returns the result on success", async () => {
sendWebhookTestRequest.mockResolvedValue({
success: true,
statusCode: 200,
statusText: "OK",
});
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const caller = createAdminCaller({ webhook: { findUnique } });
const result = await caller.test({ id: "wh_1" });
expect(assertWebhookUrlAllowed).toHaveBeenCalledWith(webhookFixture.url);
expect(sendWebhookTestRequest).toHaveBeenCalledWith(webhookFixture);
expect(result).toMatchObject({ success: true, statusCode: 200 });
});
it("returns failure result when the remote endpoint rejects the request", async () => {
sendWebhookTestRequest.mockResolvedValue({
success: false,
statusCode: 500,
statusText: "Internal Server Error",
});
const findUnique = vi.fn().mockResolvedValue(webhookFixture);
const caller = createAdminCaller({ webhook: { findUnique } });
const result = await caller.test({ id: "wh_1" });
expect(result.success).toBe(false);
expect(result.statusCode).toBe(500);
});
it("throws NOT_FOUND when the webhook to test does not exist", async () => {
const findUnique = vi.fn().mockResolvedValue(null);
const caller = createAdminCaller({ webhook: { findUnique } });
await expect(caller.test({ id: "missing" })).rejects.toMatchObject({
code: "NOT_FOUND",
});
});
});