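/**
 * Unit tests for MFA enforcement via SystemSettings.requireMfaForRoles.
 *
 * Tests cover:
 * - requireMfaForRoles is returned by buildSystemSettingsViewModel
 * - buildSettingsUpdatePayload includes requireMfaForRoles in the DB payload
 * - buildSettingsUpdatePayload handles null (clear enforcement)
 * - Schema validation: valid roles accepted, invalid roles rejected
 *
 * Scope: these tests exercise only the settings plumbing (view model, update
 * payload, input schema). Whether a sign-in for a listed role is actually
 * refused without MFA is not covered in this file.
 */
import { describe, expect, it } from "vitest";
import {
  buildSettingsUpdatePayload,
  buildSystemSettingsViewModel,
  settingsUpdateInputSchema,
} from "../router/settings-support.js";
import type { RuntimeSecretField, RuntimeSecretStatus } from "../lib/system-settings-runtime.js";
import { RUNTIME_SECRET_FIELDS } from "../lib/system-settings-runtime.js";

// Every runtime secret field mapped to an "unconfigured" status, so the view
// model can be built without any stored or environment-provided secret.
// The type arguments on Record are required: a bare `Record` does not compile.
const emptyRuntimeSecrets = Object.fromEntries(
  RUNTIME_SECRET_FIELDS.map((field) => [
    field,
    {
      configured: false,
      activeSource: "none",
      hasStoredValue: false,
      envVarNames: [],
    } satisfies RuntimeSecretStatus,
  ]),
) as Record<RuntimeSecretField, RuntimeSecretStatus>;

/**
 * Builds the smallest input accepted by buildSystemSettingsViewModel for these
 * tests: a settings row carrying only requireMfaForRoles, no runtime settings,
 * no configured secrets and an empty default summary prompt.
 *
 * @param requireMfaForRoles - value placed on the settings stub; `undefined`
 *   (the default) stands for "not set in DB", `null` for an explicit null.
 * @returns the stub input object.
 */
function makeViewModelInput(
  requireMfaForRoles: string[] | null | undefined = undefined,
) {
  return {
    settings: {
      requireMfaForRoles,
    },
    runtimeSettings: null,
    runtimeSecrets: emptyRuntimeSecrets,
    defaultSummaryPrompt: "",
  };
}

describe("buildSystemSettingsViewModel — requireMfaForRoles", () => {
  // Both "unset" and "explicit null" must surface as null in the view model.
  it("returns null when requireMfaForRoles is not set in DB", () => {
    const vm = buildSystemSettingsViewModel(makeViewModelInput(undefined));
    expect(vm.requireMfaForRoles).toBeNull();
  });

  it("returns null when requireMfaForRoles is explicitly null", () => {
    const vm = buildSystemSettingsViewModel(makeViewModelInput(null));
    expect(vm.requireMfaForRoles).toBeNull();
  });

  it("returns the configured roles array", () => {
    const vm = buildSystemSettingsViewModel(makeViewModelInput(["ADMIN", "MANAGER"]));
    expect(vm.requireMfaForRoles).toEqual(["ADMIN", "MANAGER"]);
  });
});

describe("buildSettingsUpdatePayload — requireMfaForRoles", () => {
  it("includes requireMfaForRoles in DB payload when provided", () => {
    const { data } = buildSettingsUpdatePayload({ requireMfaForRoles: ["ADMIN"] });
    expect(data.requireMfaForRoles).toEqual(["ADMIN"]);
  });

  it("sets requireMfaForRoles to null when explicitly cleared", () => {
    const { data } = buildSettingsUpdatePayload({ requireMfaForRoles: null });
    expect(data.requireMfaForRoles).toBeNull();
  });

  // Pins that the key is absent (not null/undefined-valued) when the caller did
  // not mention it; presumably this keeps an unrelated settings update from
  // overwriting the stored MFA policy — confirm against the DB write path.
  it("omits requireMfaForRoles from payload when not provided (no change)", () => {
    const { data } = buildSettingsUpdatePayload({});
    expect("requireMfaForRoles" in data).toBe(false);
  });
});

describe("settingsUpdateInputSchema — requireMfaForRoles validation", () => {
  it("accepts a valid array of system roles", () => {
    const result = settingsUpdateInputSchema.safeParse({ requireMfaForRoles: ["ADMIN", "MANAGER"] });
    expect(result.success).toBe(true);
  });

  // NOTE(review): `[]` and `null` are both accepted by the schema. Whether the
  // enforcement code treats them identically is not shown in this file.
  it("accepts an empty array (disable enforcement)", () => {
    const result = settingsUpdateInputSchema.safeParse({ requireMfaForRoles: [] });
    expect(result.success).toBe(true);
  });

  it("accepts null (clear enforcement)", () => {
    const result = settingsUpdateInputSchema.safeParse({ requireMfaForRoles: null });
    expect(result.success).toBe(true);
  });

  // NOTE(review): only one rejection case is pinned. A list mixing a valid and
  // an invalid role, a differently-cased role name and a non-array value are
  // worth adding once the expected outcome is confirmed against the schema.
  it("rejects an invalid role string", () => {
    const result = settingsUpdateInputSchema.safeParse({ requireMfaForRoles: ["SUPERUSER"] });
    expect(result.success).toBe(false);
  });

  it("accepts omitted field (no change)", () => {
    const result = settingsUpdateInputSchema.safeParse({});
    expect(result.success).toBe(true);
    expect(result.data?.requireMfaForRoles).toBeUndefined();
  });
});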