mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-20 13:51:45 +00:00
Maurice
fc7d8b5d12
Brownfield strangler migration of the backend onto NestJS modules (auth, trips, days, places, assignments, packing, todo, budget, reservations, collab, files, photos, journey, share, settings, backup, oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories, tags, notifications, system-notices) served through a per-prefix dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT httpOnly cookie auth, with behavioural parity for every route. Client: React 19 upgrade, "page = wiring container + data hook" pattern across all pages, per-domain Zustand stores bound to @trek/shared contracts, and decomposition of the large components (DayPlanSidebar, PackingListPanel, CollabNotes, FileManager, MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal, BudgetPanel, PlaceFormModal, ...) into focused render units backed by in-file hooks. Apply the shared global request pipeline (helmet/CSP, CORS, HSTS, forced HTTPS, the global MFA policy and request logging) to the NestJS instance as well, so a migrated route is protected identically to the legacy fallback rather than bypassing it.
109 lines
5.1 KiB
TypeScript
109 lines
5.1 KiB
TypeScript
/**
|
|
* Auth e2e — exercises the migrated /api/auth endpoints through the real
|
|
* JwtAuthGuard/OptionalJwtGuard AND the real cookie service against a temp
|
|
* SQLite db. Only the authService (credential/MFA logic) + audit/notifications
|
|
* are mocked; this proves the httpOnly trek_session cookie is set on login and
|
|
* cleared on logout, that /me requires a session, and that /app-config is
|
|
* optional-auth.
|
|
*/
|
|
import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
|
|
import request from 'supertest';
|
|
import cookieParser from 'cookie-parser';
|
|
import type { Server } from 'http';
|
|
import { Test } from '@nestjs/testing';
|
|
import { seedUser, sessionCookie } from './harness';
|
|
|
|
const { db } = vi.hoisted(() => {
|
|
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
|
const Database = require('better-sqlite3');
|
|
const tmp = new Database(':memory:');
|
|
tmp.exec('PRAGMA journal_mode = WAL');
|
|
tmp.exec(`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
|
|
email TEXT NOT NULL UNIQUE, role TEXT NOT NULL DEFAULT 'user', password_version INTEGER NOT NULL DEFAULT 0);`);
|
|
return { db: tmp };
|
|
});
|
|
|
|
vi.mock('../../src/db/database', () => ({ db, closeDb: () => {}, reinitialize: () => {} }));
|
|
vi.mock('../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
|
|
vi.mock('../../src/services/notifications', () => ({ getAppUrl: () => 'https://x', sendPasswordResetEmail: vi.fn().mockResolvedValue({ delivered: true }) }));
|
|
|
|
const { authSvc } = vi.hoisted(() => ({
|
|
authSvc: {
|
|
getAppConfig: vi.fn(), demoLogin: vi.fn(), validateInviteToken: vi.fn(), registerUser: vi.fn(), loginUser: vi.fn(),
|
|
requestPasswordReset: vi.fn(), resetPassword: vi.fn(), verifyMfaLogin: vi.fn(), getCurrentUser: vi.fn(),
|
|
changePassword: vi.fn(), deleteAccount: vi.fn(), updateMapsKey: vi.fn(), updateApiKeys: vi.fn(), updateSettings: vi.fn(),
|
|
getSettings: vi.fn(), saveAvatar: vi.fn(), deleteAvatar: vi.fn(), listUsers: vi.fn(), validateKeys: vi.fn(),
|
|
getAppSettings: vi.fn(), updateAppSettings: vi.fn(), getTravelStats: vi.fn(), setupMfa: vi.fn(), enableMfa: vi.fn(),
|
|
disableMfa: vi.fn(), listMcpTokens: vi.fn(), createMcpToken: vi.fn(), deleteMcpToken: vi.fn(), createWsToken: vi.fn(),
|
|
createResourceToken: vi.fn(),
|
|
},
|
|
}));
|
|
vi.mock('../../src/services/authService', () => authSvc);
|
|
|
|
import { AuthModule } from '../../src/nest/auth/auth.module';
|
|
import { TrekExceptionFilter } from '../../src/nest/common/trek-exception.filter';
|
|
|
|
describe('Auth e2e (real auth guard + real cookie service + temp SQLite)', () => {
|
|
let server: Server;
|
|
let app: Awaited<ReturnType<typeof build>>;
|
|
|
|
async function build() {
|
|
const moduleRef = await Test.createTestingModule({ imports: [AuthModule] }).compile();
|
|
const nest = moduleRef.createNestApplication();
|
|
nest.use(cookieParser());
|
|
nest.useGlobalFilters(new TrekExceptionFilter());
|
|
await nest.init();
|
|
return nest;
|
|
}
|
|
|
|
beforeAll(async () => {
|
|
seedUser(db as never, { id: 1, email: 'u@example.test' });
|
|
app = await build();
|
|
server = app.getHttpServer();
|
|
authSvc.getAppConfig.mockReturnValue({ version: '3' });
|
|
authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 } });
|
|
authSvc.getCurrentUser.mockReturnValue({ id: 1, email: 'u@example.test' });
|
|
});
|
|
|
|
beforeEach(() => vi.clearAllMocks());
|
|
|
|
afterAll(async () => {
|
|
await app.close();
|
|
});
|
|
|
|
it('GET /app-config is optional-auth (200 without a cookie)', async () => {
|
|
authSvc.getAppConfig.mockReturnValue({ version: '3' });
|
|
const res = await request(server).get('/api/auth/app-config');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({ version: '3' });
|
|
});
|
|
|
|
it('GET /me requires a session (401 without a cookie)', async () => {
|
|
expect((await request(server).get('/api/auth/me')).status).toBe(401);
|
|
});
|
|
|
|
it('GET /me returns the user with a valid session', async () => {
|
|
authSvc.getCurrentUser.mockReturnValue({ id: 1, email: 'u@example.test' });
|
|
const res = await request(server).get('/api/auth/me').set('Cookie', sessionCookie(1));
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({ user: { id: 1, email: 'u@example.test' } });
|
|
});
|
|
|
|
it('POST /login sets the httpOnly trek_session cookie', async () => {
|
|
authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 } });
|
|
const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw' });
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({ token: 'jwt.token.value', user: { id: 1 } });
|
|
const setCookie = res.headers['set-cookie'] as unknown as string[];
|
|
expect(setCookie.some((c) => c.startsWith('trek_session=') && /HttpOnly/i.test(c))).toBe(true);
|
|
}, 10000);
|
|
|
|
it('POST /logout clears the session cookie', async () => {
|
|
const res = await request(server).post('/api/auth/logout');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({ success: true });
|
|
const setCookie = res.headers['set-cookie'] as unknown as string[];
|
|
expect(setCookie.some((c) => c.startsWith('trek_session='))).toBe(true);
|
|
});
|
|
});
|