@actuate-media/cms-core 0.11.2 → 0.13.0

package/dist/__tests__/api/cron-routes.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cron-routes.test.d.ts.map

package/dist/__tests__/api/cron-routes.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cron-routes.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/api/cron-routes.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/api/cron-routes.test.js

@@ -0,0 +1,67 @@
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import { handleActuateAPI } from '../../api/index.js';
+import { initDB } from '../../db.js';
+const SECRET = 'test-secret-for-cron-routes-aaaaaaaaaaa';
+function createMockDB() {
+    return {
+        document: {
+            findMany: async () => [],
+            updateMany: async () => ({ count: 0 }),
+            deleteMany: async () => ({ count: 0 }),
+        },
+        session: { deleteMany: async () => ({ count: 0 }) },
+        auditLog: { deleteMany: async () => ({ count: 0 }) },
+        passwordResetToken: { deleteMany: async () => ({ count: 0 }) },
+    };
+}
+describe('cron route HTTP method (Vercel Cron compatibility)', () => {
+    const originalCronSecret = process.env.CRON_SECRET;
+    beforeEach(() => {
+        process.env.CMS_SECRET = SECRET;
+        process.env.CRON_SECRET = 'cron-secret-for-test-aaaaaaaaaaaaaaaa';
+        initDB(createMockDB());
+    });
+    afterEach(() => {
+        if (originalCronSecret === undefined)
+            delete process.env.CRON_SECRET;
+        else
+            process.env.CRON_SECRET = originalCronSecret;
+    });
+    // Bugbot review (PR #40, post-fix commit): Vercel Cron sends GET requests
+    // (https://vercel.com/docs/cron-jobs). The original implementation used
+    // router.post(...) which would have returned 405/404 for every Vercel
+    // invocation, leaving the cron jobs silently non-functional.
+    it.each(['/api/cms/cron/publish', '/api/cms/cron/cleanup', '/api/cms/cron/seo-scan'])('accepts GET %s with valid CRON_SECRET (Vercel Cron path)', async (path) => {
+        const handler = handleActuateAPI({ prismaClient: createMockDB() });
+        const response = await handler(new Request(`https://example.com${path}`, {
+            method: 'GET',
+            headers: { authorization: `Bearer ${process.env.CRON_SECRET}` },
+        }));
+        // Either 200 (handler ran) or 500 (handler ran but mock DB couldn't
+        // satisfy something) — both prove the route was matched. We must NOT
+        // get 404 or 405.
+        expect([200, 500]).toContain(response.status);
+    });
+    it.each(['/api/cms/cron/publish', '/api/cms/cron/cleanup', '/api/cms/cron/seo-scan'])('still accepts POST %s for self-hosted schedulers', async (path) => {
+        const handler = handleActuateAPI({ prismaClient: createMockDB() });
+        const response = await handler(new Request(`https://example.com${path}`, {
+            method: 'POST',
+            headers: { authorization: `Bearer ${process.env.CRON_SECRET}` },
+        }));
+        expect([200, 500]).toContain(response.status);
+    });
+    it.each(['/api/cms/cron/publish', '/api/cms/cron/cleanup', '/api/cms/cron/seo-scan'])('rejects GET %s without CRON_SECRET (401, not 405)', async (path) => {
+        const handler = handleActuateAPI({ prismaClient: createMockDB() });
+        const response = await handler(new Request(`https://example.com${path}`, { method: 'GET' }));
+        expect(response.status).toBe(401);
+    });
+    it.each(['/api/cms/cron/publish', '/api/cms/cron/cleanup', '/api/cms/cron/seo-scan'])('rejects GET %s with wrong CRON_SECRET (401)', async (path) => {
+        const handler = handleActuateAPI({ prismaClient: createMockDB() });
+        const response = await handler(new Request(`https://example.com${path}`, {
+            method: 'GET',
+            headers: { authorization: 'Bearer wrong-secret' },
+        }));
+        expect(response.status).toBe(401);
+    });
+});
+//# sourceMappingURL=cron-routes.test.js.map

package/dist/__tests__/api/cron-routes.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cron-routes.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/cron-routes.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAEpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEpC,MAAM,MAAM,GAAG,yCAAyC,CAAA;AAExD,SAAS,YAAY;IACnB,OAAO;QACL,QAAQ,EAAE;YACR,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;YACxB,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;YACtC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;SACvC;QACD,OAAO,EAAE,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE;QACnD,QAAQ,EAAE,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE;QACpD,kBAAkB,EAAE,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE;KAC/D,CAAA;AACH,CAAC;AAED,QAAQ,CAAC,oDAAoD,EAAE,GAAG,EAAE;IAClE,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAA;IAElD,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,MAAM,CAAA;QAC/B,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,uCAAuC,CAAA;QACjE,MAAM,CAAC,YAAY,EAAE,CAAC,CAAA;IACxB,CAAC,CAAC,CAAA;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,kBAAkB,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,CAAA;;YAC/D,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,kBAAkB,CAAA;IACnD,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,wEAAwE;IACxE,sEAAsE;IACtE,6DAA6D;IAE7D,EAAE,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,wBAAwB,CAAC,CAAC,CACnF,0DAA0D,EAC1D,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,sBAAsB,IAAI,EAAE,EAAE;YACxC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE;SAChE,CAAC,CACH,CAAA;QACD,oEAAoE;QACpE,qEAAqE;QACrE,kBAAkB;QAClB,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAC/C,CAAC,CACF,CAAA;IAED,EAAE,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,wBAAwB,CAAC,CAAC,CACnF,kDAAkD,EAClD,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,sBAAsB,IAAI,EAAE,EAAE;YACxC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE;SAChE,CAAC,CACH,CAAA;QACD,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAC/C,CAAC,CACF,CAAA;IAED,EAAE,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,wBAAwB,CAAC,CAAC,CACnF,mDAAmD,EACnD,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,OAAO,CAAC,sBAAsB,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;QAC5F,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CACF,CAAA;IAED,EAAE,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,wBAAwB,CAAC,CAAC,CACnF,6CAA6C,EAC7C,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,EAAE,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,sBAAsB,IAAI,EAAE,EAAE;YACxC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE;SAClD,CAAC,CACH,CAAA;QACD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CACF,CAAA;AACH,CAAC,CAAC,CAAA"}

package/dist/__tests__/api/health.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=health.test.d.ts.map

package/dist/__tests__/api/health.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/api/health.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/api/health.test.js

@@ -0,0 +1,140 @@
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import { handleActuateAPI } from '../../api/index.js';
+import { setActuateConfig } from '../../config/runtime.js';
+import { initDB } from '../../db.js';
+const VALID_SECRET = 'a-real-cms-secret-of-at-least-32-characters';
+describe('/api/cms/health status derivation', () => {
+    // Snapshot every env var any test in this file mutates so we can restore
+    // them in `afterEach`. NOTE: `CMS_SESSION_SECRET` is included even though
+    // only one test sets it — Bugbot caught the original test where cleanup
+    // ran inline and was therefore skipped on assertion failure, leaking the
+    // legacy secret into the next `it.each` iteration and causing the
+    // config-file path test to pass for the wrong reason.
+    const original = {
+        CMS_SECRET: process.env.CMS_SECRET,
+        CMS_SESSION_SECRET: process.env.CMS_SESSION_SECRET,
+        CMS_ENCRYPTION_KEY: process.env.CMS_ENCRYPTION_KEY,
+        CRON_SECRET: process.env.CRON_SECRET,
+        DATABASE_URL: process.env.DATABASE_URL,
+    };
+    beforeEach(() => {
+        process.env.CMS_SECRET = VALID_SECRET;
+        process.env.DATABASE_URL = 'postgres://x';
+        delete process.env.CMS_SESSION_SECRET;
+        delete process.env.CMS_ENCRYPTION_KEY;
+        delete process.env.CRON_SECRET;
+    });
+    afterEach(() => {
+        for (const [k, v] of Object.entries(original)) {
+            if (v === undefined)
+                delete process.env[k];
+            else
+                process.env[k] = v;
+        }
+        // Tests within this file share `globalThis`, so explicitly clear any
+        // config a single test stashed (see `runtime.ts` doc — "Tests reset
+        // between suites").
+        delete globalThis.__actuateConfig;
+    });
+    // Bugbot review (PR #41): the early-return DB-failure path hardcoded
+    // `status: 'degraded'`, ignoring the env validation result computed two
+    // lines above. A deploy with both a broken DB *and* a malformed CMS_SECRET
+    // would report `degraded` even though it's actually `unhealthy` —
+    // defeating M6's whole point of catching env misconfig at /health time.
+    it('returns "unhealthy" when env is misconfigured AND db() throws', async () => {
+        process.env.CMS_SECRET = 'too-short'; // triggers env error
+        // Force db() to throw by initializing with an object that the route's
+        // model probes will treat as unusable while leaving db() itself callable.
+        // The simplest way is to trip the catch by leaving DB uninitialized.
+        initDB(null); // db() will throw "Prisma client not initialised"
+        const handler = handleActuateAPI({ prismaClient: null });
+        const response = await handler(new Request('https://example.com/api/cms/health', { method: 'GET' }));
+        expect(response.status).toBe(200);
+        const payload = (await response.json());
+        expect(payload.data.databaseConnected).toBe(false);
+        expect(payload.data.status).toBe('unhealthy');
+    });
+    it('returns "degraded" when only db() throws (env is fine)', async () => {
+        initDB(null);
+        const handler = handleActuateAPI({ prismaClient: null });
+        const response = await handler(new Request('https://example.com/api/cms/health', { method: 'GET' }));
+        const payload = (await response.json());
+        expect(payload.data.status).toBe('degraded');
+    });
+    // Bugbot review (PR #41): the unauthenticated /health response embeds the
+    // full env validation, so any "ok" message that mentions the configured
+    // secret length leaks that length to anonymous callers. Validate the
+    // serialized response here so a regression in either the env module or the
+    // health route is caught.
+    it('does not leak exact secret lengths in the /health JSON', async () => {
+        process.env.CMS_SECRET = 'a'.repeat(45);
+        process.env.CRON_SECRET = 'a-real-cron-secret-with-known-length';
+        process.env.CMS_ENCRYPTION_KEY = 'a1b2'.repeat(16);
+        initDB({
+            document: { count: async () => 0 },
+            user: { count: async () => 0 },
+            media: { count: async () => 0 },
+        });
+        const handler = handleActuateAPI({
+            prismaClient: {
+                document: { count: async () => 0 },
+                user: { count: async () => 0 },
+                media: { count: async () => 0 },
+            },
+        });
+        const response = await handler(new Request('https://example.com/api/cms/health', { method: 'GET' }));
+        const text = await response.text();
+        // No "Configured (N chars)." anywhere. Use a regex broad enough to catch
+        // both "42 chars" and "42 chars." variants.
+        expect(text).not.toMatch(/\d+\s*chars?/i);
+        // And specifically, the configured lengths must not appear next to the
+        // secret names in the response body.
+        expect(text).not.toContain('45');
+    });
+    // Bugbot review (PR #43): `validateEnvShape()` only inspected
+    // `process.env.CMS_SECRET`, but `getSessionSecret()` also accepts the
+    // secret from the legacy `CMS_SESSION_SECRET` env var or `actuate.config.ts
+    // → secret`. Without the wrapping the route now applies, a deploy that
+    // configures the secret via the config file would get the contradictory
+    // response `secretConfigured: true` AND `status: "unhealthy"`, tripping
+    // monitoring / load-balancer health probes for no real fault.
+    it.each([
+        [
+            'CMS_SESSION_SECRET (legacy env var)',
+            () => {
+                delete process.env.CMS_SECRET;
+                process.env.CMS_SESSION_SECRET = 'a'.repeat(40);
+            },
+        ],
+        [
+            'actuate.config.ts → secret (config-file path)',
+            () => {
+                delete process.env.CMS_SECRET;
+                setActuateConfig({ secret: 'a'.repeat(40) });
+            },
+        ],
+    ])('does not report unhealthy when CMS_SECRET is supplied via %s', async (_label, setup) => {
+        setup();
+        initDB({
+            document: { count: async () => 0 },
+            user: { count: async () => 0 },
+            media: { count: async () => 0 },
+        });
+        const handler = handleActuateAPI({
+            prismaClient: {
+                document: { count: async () => 0 },
+                user: { count: async () => 0 },
+                media: { count: async () => 0 },
+            },
+        });
+        const response = await handler(new Request('https://example.com/api/cms/health', { method: 'GET' }));
+        const payload = (await response.json());
+        // Both signals must agree — no contradictory `secretConfigured: true`
+        // alongside `status: "unhealthy"`.
+        expect(payload.data.secretConfigured).toBe(true);
+        expect(payload.data.status).not.toBe('unhealthy');
+        const cmsSecretCheck = payload.data.env.checks.find((c) => c.name === 'CMS_SECRET');
+        expect(cmsSecretCheck?.status).toBe('ok');
+    });
+});
+//# sourceMappingURL=health.test.js.map

package/dist/__tests__/api/health.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/health.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAEpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEpC,MAAM,YAAY,GAAG,6CAA6C,CAAA;AAElE,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,yEAAyE;IACzE,0EAA0E;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,kEAAkE;IAClE,sDAAsD;IACtD,MAAM,QAAQ,GAAG;QACf,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;QAClC,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAClD,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAClD,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW;QACpC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;KACvC,CAAA;IAED,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,YAAY,CAAA;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,cAAc,CAAA;QACzC,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAA;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAA;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,CAAA;IAChC,CAAC,CAAC,CAAA;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,SAAS;gBAAE,OAAO,OAAO,CAAC,GAAG,CAAC,CAA0B,CAAC,CAAA;;gBAC9D,OAAO,CAAC,GAAG,CAAC,CAA0B,CAAC,GAAG,CAAC,CAAA;QAClD,CAAC;QACD,qEAAqE;QACrE,oEAAoE;QACpE,oBAAoB;QACpB,OAAQ,UAA4C,CAAC,eAAe,CAAA;IACtE,CAAC,CAAC,CAAA;IAEF,qEAAqE;IACrE,wEAAwE;IACxE,2EAA2E;IAC3E,kEAAkE;IAClE,wEAAwE;IACxE,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,WAAW,CAAA,CAAC,qBAAqB;QAC1D,sEAAsE;QACtE,0EAA0E;QAC1E,qEAAqE;QACrE,MAAM,CAAC,IAAa,CAAC,CAAA,CAAC,kDAAkD;QAExE,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,IAAa,EAAE,CAAC,CAAA;QACjE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CACrE,CAAA;QACD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACjC,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAErC,CAAA;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,CAAC,IAAa,CAAC,CAAA;QACrB,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,YAAY,EAAE,IAAa,EAAE,CAAC,CAAA;QACjE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CACrE,CAAA;QACD,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAA;QACvE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,wEAAwE;IACxE,qEAAqE;IACrE,2EAA2E;IAC3E,0BAA0B;IAC1B,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACvC,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,sCAAsC,CAAA;QAChE,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QAClD,MAAM,CAAC;YACL,QAAQ,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;YAClC,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;YAC9B,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;SACvB,CAAC,CAAA;QAEX,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;gBAClC,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;gBAC9B,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;aACvB;SACX,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CACrE,CAAA;QACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,yEAAyE;QACzE,4CAA4C;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;QACzC,uEAAuE;QACvE,qCAAqC;QACrC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;IAClC,CAAC,CAAC,CAAA;IAEF,8DAA8D;IAC9D,sEAAsE;IACtE,4EAA4E;IAC5E,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,8DAA8D;IAC9D,EAAE,CAAC,IAAI,CAAC;QACN;YACE,qCAAqC;YACrC,GAAG,EAAE;gBACH,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;gBAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;YACjD,CAAC;SACF;QACD;YACE,+CAA+C;YAC/C,GAAG,EAAE;gBACH,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;gBAC7B,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAW,CAAC,CAAA;YACvD,CAAC;SACF;KACF,CAAC,CAAC,8DAA8D,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE;QACzF,KAAK,EAAE,CAAA;QACP,MAAM,CAAC;YACL,QAAQ,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;YAClC,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;YAC9B,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;SACvB,CAAC,CAAA;QACX,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;gBAClC,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;gBAC9B,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE;aACvB;SACX,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CACrE,CAAA;QACD,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMrC,CAAA;QACD,sEAAsE;QACtE,mCAAmC;QACnC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACjD,MAAM,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAA;QACnF,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/__tests__/auth/oauth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth.test.d.ts.map

package/dist/__tests__/auth/oauth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/auth/oauth.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/auth/oauth.test.js

@@ -0,0 +1,406 @@
+import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest';
+import * as jose from 'jose';
+import { generateCodeVerifier, generateCodeChallenge, generateState, generateOAuthNonce, verifyState, getAuthorizationUrl, handleOAuthCallback, InvalidOAuthStateError, } from '../../auth/oauth.js';
+const TEST_SECRET = 'a-secret-key-that-is-at-least-32-chars-long!!';
+const RETURN_TO = '/admin/dashboard';
+const PROVIDER_CONFIG = {
+    clientId: 'client-id-123',
+    clientSecret: 'client-secret-abc',
+    redirectUri: 'https://example.com/api/cms/auth/oauth/google/callback',
+};
+// ─── PKCE primitives ────────────────────────────────────────────────────
+describe('generateCodeVerifier', () => {
+    it('returns a base64url string with no padding', () => {
+        const v = generateCodeVerifier();
+        // RFC 7636 §4.1: verifiers are 43..128 chars from the unreserved alphabet.
+        expect(v).toMatch(/^[A-Za-z0-9_-]{43,128}$/);
+        expect(v).not.toContain('=');
+        expect(v).not.toContain('+');
+        expect(v).not.toContain('/');
+    });
+    it('produces a unique value per call', () => {
+        const a = generateCodeVerifier();
+        const b = generateCodeVerifier();
+        const c = generateCodeVerifier();
+        expect(new Set([a, b, c]).size).toBe(3);
+    });
+});
+describe('generateCodeChallenge', () => {
+    it('returns a base64url SHA-256 of the verifier (RFC 7636 §4.2 S256 method)', async () => {
+        // Test vector from RFC 7636 §4.2: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+        // → challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
+        const verifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
+        const challenge = await generateCodeChallenge(verifier);
+        expect(challenge).toBe('E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM');
+    });
+    it('produces base64url output (no padding)', async () => {
+        const challenge = await generateCodeChallenge('any-verifier-value-for-testing-only');
+        expect(challenge).toMatch(/^[A-Za-z0-9_-]+$/);
+        expect(challenge).not.toContain('=');
+    });
+});
+describe('generateOAuthNonce', () => {
+    it('returns a base64url 16-byte nonce', () => {
+        const n = generateOAuthNonce();
+        expect(n).toMatch(/^[A-Za-z0-9_-]+$/);
+        // 16 bytes → 22 base64url chars (no padding)
+        expect(n.length).toBe(22);
+    });
+    it('produces a unique value per call', () => {
+        const set = new Set(Array.from({ length: 50 }, () => generateOAuthNonce()));
+        expect(set.size).toBe(50);
+    });
+});
+// ─── State token (signed JWT with PKCE verifier) ────────────────────────
+describe('generateState / verifyState', () => {
+    it('round-trips a valid state through sign + verify', async () => {
+        const verifier = generateCodeVerifier();
+        const state = await generateState('google', verifier, RETURN_TO, TEST_SECRET);
+        const decoded = await verifyState(state, TEST_SECRET);
+        expect(decoded.provider).toBe('google');
+        expect(decoded.codeVerifier).toBe(verifier);
+        expect(decoded.returnTo).toBe(RETURN_TO);
+        expect(decoded.nonce).toBeUndefined();
+    });
+    it('round-trips a nonce when provided', async () => {
+        const nonce = generateOAuthNonce();
+        const state = await generateState('github', generateCodeVerifier(), '/admin', TEST_SECRET, nonce);
+        const decoded = await verifyState(state, TEST_SECRET);
+        expect(decoded.nonce).toBe(nonce);
+    });
+    it('strips standard JWT claims from the returned payload', async () => {
+        const verifier = generateCodeVerifier();
+        const state = await generateState('google', verifier, RETURN_TO, TEST_SECRET);
+        const decoded = await verifyState(state, TEST_SECRET);
+        // jose injects iat/exp/iss into the JWT but verifyState should only return
+        // the validated OAuthState fields.
+        expect(decoded.iat).toBeUndefined();
+        expect(decoded.exp).toBeUndefined();
+        expect(decoded.iss).toBeUndefined();
+    });
+    it('rejects a token signed with a different secret', async () => {
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        await expect(verifyState(state, 'a-different-secret-of-at-least-32-chars-x')).rejects.toThrow();
+    });
+    it('rejects a tampered token', async () => {
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        // Flip a character in the signature (last segment)
+        const parts = state.split('.');
+        parts[2] = parts[2].replace(/[A-Za-z0-9_-]/, (c) => (c === 'a' ? 'b' : 'a'));
+        const tampered = parts.join('.');
+        await expect(verifyState(tampered, TEST_SECRET)).rejects.toThrow();
+    });
+    it('rejects a token issued by a different application (issuer mismatch)', async () => {
+        // Sign a state-shaped JWT with the right key but a wrong `iss`.
+        const key = new TextEncoder().encode(TEST_SECRET);
+        const evil = await new jose.SignJWT({
+            provider: 'google',
+            codeVerifier: 'x'.repeat(43),
+            returnTo: '/',
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('10m')
+            .setIssuer('not-actuate-cms')
+            .sign(key);
+        await expect(verifyState(evil, TEST_SECRET)).rejects.toThrow();
+    });
+    it('rejects a state with a missing provider field', async () => {
+        const key = new TextEncoder().encode(TEST_SECRET);
+        const malformed = await new jose.SignJWT({
+            codeVerifier: 'x'.repeat(43),
+            returnTo: '/',
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('10m')
+            .setIssuer('actuate-cms')
+            .sign(key);
+        await expect(verifyState(malformed, TEST_SECRET)).rejects.toThrow(InvalidOAuthStateError);
+    });
+    it('rejects a state with a missing codeVerifier field', async () => {
+        const key = new TextEncoder().encode(TEST_SECRET);
+        const malformed = await new jose.SignJWT({
+            provider: 'google',
+            returnTo: '/',
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('10m')
+            .setIssuer('actuate-cms')
+            .sign(key);
+        await expect(verifyState(malformed, TEST_SECRET)).rejects.toThrow(InvalidOAuthStateError);
+    });
+    it('rejects a state where nonce is not a string', async () => {
+        const key = new TextEncoder().encode(TEST_SECRET);
+        const malformed = await new jose.SignJWT({
+            provider: 'google',
+            codeVerifier: 'x'.repeat(43),
+            returnTo: '/',
+            nonce: 12345,
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('10m')
+            .setIssuer('actuate-cms')
+            .sign(key);
+        await expect(verifyState(malformed, TEST_SECRET)).rejects.toThrow(InvalidOAuthStateError);
+    });
+});
+// ─── Authorization URL builder ──────────────────────────────────────────
+describe('getAuthorizationUrl', () => {
+    it('builds a Google authorize URL with PKCE params', () => {
+        const url = new URL(getAuthorizationUrl('google', PROVIDER_CONFIG, 'state-jwt', 'challenge-x'));
+        expect(url.origin + url.pathname).toBe('https://accounts.google.com/o/oauth2/v2/auth');
+        expect(url.searchParams.get('response_type')).toBe('code');
+        expect(url.searchParams.get('client_id')).toBe(PROVIDER_CONFIG.clientId);
+        expect(url.searchParams.get('redirect_uri')).toBe(PROVIDER_CONFIG.redirectUri);
+        expect(url.searchParams.get('state')).toBe('state-jwt');
+        expect(url.searchParams.get('code_challenge')).toBe('challenge-x');
+        expect(url.searchParams.get('code_challenge_method')).toBe('S256');
+        expect(url.searchParams.get('scope')).toContain('openid');
+    });
+    it('uses a github-specific authorize endpoint', () => {
+        const url = new URL(getAuthorizationUrl('github', PROVIDER_CONFIG, 's', 'c'));
+        expect(url.origin + url.pathname).toBe('https://github.com/login/oauth/authorize');
+    });
+});
+function createFakeDb(initial = {}) {
+    const users = initial.users ?? [];
+    const oauthAccounts = initial.oauthAccounts ?? [];
+    const sessions = [];
+    return {
+        users,
+        oauthAccounts,
+        sessions,
+        user: {
+            findFirst: vi.fn(async ({ where }) => {
+                const target = where.email.equals.toLowerCase();
+                return users.find((u) => u.email.toLowerCase() === target) ?? null;
+            }),
+            create: vi.fn(async ({ data }) => {
+                const u = { id: `u_${users.length + 1}`, ...data };
+                users.push(u);
+                return u;
+            }),
+        },
+        oAuthAccount: {
+            findUnique: vi.fn(async ({ where, }) => {
+                const w = where.provider_providerAccountId;
+                const acc = oauthAccounts.find((a) => a.provider === w.provider && a.providerAccountId === w.providerAccountId);
+                if (!acc)
+                    return null;
+                const user = users.find((u) => u.id === acc.userId) ?? null;
+                return { ...acc, user };
+            }),
+            upsert: vi.fn(async ({ where, create }) => {
+                const w = where.provider_providerAccountId;
+                const existing = oauthAccounts.find((a) => a.provider === w.provider && a.providerAccountId === w.providerAccountId);
+                if (existing)
+                    return existing;
+                oauthAccounts.push({
+                    provider: w.provider,
+                    providerAccountId: w.providerAccountId,
+                    userId: create.userId,
+                });
+                return oauthAccounts[oauthAccounts.length - 1];
+            }),
+        },
+        session: {
+            create: vi.fn(async ({ data }) => {
+                const s = { id: `s_${sessions.length + 1}`, ...data };
+                sessions.push(s);
+                return s;
+            }),
+        },
+    };
+}
+describe('handleOAuthCallback', () => {
+    const PROVIDERS = { google: PROVIDER_CONFIG };
+    const originalFetch = globalThis.fetch;
+    const originalEncryptionKey = process.env.CMS_ENCRYPTION_KEY;
+    beforeEach(() => {
+        // Set a 64-hex-char encryption key so encryptSecret() doesn't throw.
+        process.env.CMS_ENCRYPTION_KEY = 'a'.repeat(64);
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        if (originalEncryptionKey === undefined) {
+            delete process.env.CMS_ENCRYPTION_KEY;
+        }
+        else {
+            process.env.CMS_ENCRYPTION_KEY = originalEncryptionKey;
+        }
+        vi.restoreAllMocks();
+    });
+    function mockProviderResponses(opts) {
+        globalThis.fetch = vi.fn(async (input) => {
+            const url = typeof input === 'string' ? input : (input.url ?? input.toString());
+            if (url.includes('oauth2.googleapis.com/token')) {
+                return new Response(JSON.stringify({ access_token: opts.accessToken ?? 'access-tok', token_type: 'Bearer' }), { status: 200, headers: { 'Content-Type': 'application/json' } });
+            }
+            if (url.includes('googleapis.com/oauth2/v3/userinfo')) {
+                return new Response(JSON.stringify({
+                    sub: opts.profile.id,
+                    email: opts.profile.email,
+                    name: opts.profile.name,
+                }), { status: 200, headers: { 'Content-Type': 'application/json' } });
+            }
+            throw new Error(`Unexpected fetch in test: ${url}`);
+        });
+    }
+    it('rejects when the state.provider does not match the URL provider', async () => {
+        const state = await generateState('github', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db)).rejects.toThrow(/Provider mismatch/);
+    });
+    it('rejects when the nonce in state does not match the cookie nonce', async () => {
+        const nonce = generateOAuthNonce();
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET, nonce);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db, {
+            expectedNonce: 'a-different-nonce',
+        })).rejects.toThrow(/nonce mismatch/i);
+    });
+    it('rejects when state has a nonce but no cookie nonce was provided', async () => {
+        const nonce = generateOAuthNonce();
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET, nonce);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db, {
+            expectedNonce: null,
+        })).rejects.toThrow(/nonce mismatch/i);
+    });
+    it('rejects when the provider is not configured', async () => {
+        const state = await generateState('github', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('github', 'code-x', state, PROVIDERS, TEST_SECRET, db)).rejects.toThrow(/not configured/);
+    });
+    it('rejects when the OAuth provider returns no email', async () => {
+        mockProviderResponses({ profile: { id: '111', email: '', name: 'Nobody' } });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db)).rejects.toThrow(/email/);
+    });
+    it('rejects self-signup when allowSelfSignup is false (default)', async () => {
+        mockProviderResponses({ profile: { id: '222', email: 'new@example.com', name: 'New User' } });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db)).rejects.toThrow(/No account found/);
+        expect(db.user.create).not.toHaveBeenCalled();
+    });
+    it('refuses to silently link an OAuth login to a password-protected account', async () => {
+        mockProviderResponses({
+            profile: { id: '333', email: 'pwd@example.com', name: 'Pwd User' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb({
+            users: [
+                {
+                    id: 'u_existing',
+                    email: 'pwd@example.com',
+                    name: 'Pwd User',
+                    role: 'CLIENT',
+                    passwordHash: 'pbkdf2:600000:abc:def',
+                },
+            ],
+        });
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db)).rejects.toThrow(/already exists/);
+    });
+    it('reuses an existing OAuth-only account (passwordHash null) when emails match', async () => {
+        mockProviderResponses({
+            profile: { id: '444', email: 'oauth@example.com', name: 'OAuth User' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb({
+            users: [
+                {
+                    id: 'u_oauth_only',
+                    email: 'oauth@example.com',
+                    name: 'OAuth User',
+                    role: 'CLIENT',
+                    passwordHash: null,
+                },
+            ],
+        });
+        const result = await handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db);
+        expect(result.user.id).toBe('u_oauth_only');
+        expect(db.user.create).not.toHaveBeenCalled();
+        expect(db.session.create).toHaveBeenCalledOnce();
+    });
+    it('provisions a new user when allowSelfSignup is true and no account exists', async () => {
+        mockProviderResponses({
+            profile: { id: '555', email: 'fresh@example.com', name: 'Fresh User' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        const onProvision = vi.fn();
+        const result = await handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db, { allowSelfSignup: true, onProvision });
+        expect(onProvision).toHaveBeenCalledOnce();
+        expect(db.user.create).toHaveBeenCalledOnce();
+        expect(db.user.create.mock.calls[0][0].data.passwordHash).toBeNull();
+        expect(result.user.email).toBe('fresh@example.com');
+        expect(result.user.role).toBe('CLIENT');
+    });
+    it('lets onProvision throw to reject self-signup', async () => {
+        mockProviderResponses({
+            profile: { id: '666', email: 'blocked@evil.com', name: 'Blocked' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb();
+        const onProvision = vi.fn(() => {
+            throw new Error('Email domain not allowed');
+        });
+        await expect(handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db, {
+            allowSelfSignup: true,
+            onProvision,
+        })).rejects.toThrow(/domain not allowed/);
+        expect(db.user.create).not.toHaveBeenCalled();
+    });
+    it('returns an existing user found via OAuthAccount even if email differs', async () => {
+        mockProviderResponses({
+            profile: { id: '777', email: 'now@example.com', name: 'Linked User' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb({
+            users: [
+                {
+                    id: 'u_linked',
+                    email: 'old@example.com', // different from current OAuth email
+                    name: 'Linked',
+                    role: 'ADMIN',
+                    passwordHash: 'pbkdf2:600000:a:b',
+                },
+            ],
+            oauthAccounts: [{ provider: 'google', providerAccountId: '777', userId: 'u_linked' }],
+        });
+        const result = await handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db);
+        // Even though the email matches a *different* user, the existing
+        // OAuthAccount link wins and we return the linked user.
+        expect(result.user.id).toBe('u_linked');
+        expect(result.user.role).toBe('ADMIN');
+    });
+    it('creates a session row for the authenticated user', async () => {
+        mockProviderResponses({
+            profile: { id: '888', email: 'session@example.com', name: 'Session User' },
+        });
+        const state = await generateState('google', generateCodeVerifier(), RETURN_TO, TEST_SECRET);
+        const db = createFakeDb({
+            users: [
+                {
+                    id: 'u_sess',
+                    email: 'session@example.com',
+                    name: 'Session',
+                    role: 'CLIENT',
+                    passwordHash: null,
+                },
+            ],
+        });
+        await handleOAuthCallback('google', 'code-x', state, PROVIDERS, TEST_SECRET, db);
+        expect(db.session.create).toHaveBeenCalledOnce();
+        const call = db.session.create.mock.calls[0][0];
+        expect(call.data.userId).toBe('u_sess');
+        // Default 7-day expiry — verify the date is in the future
+        expect(call.data.expiresAt.getTime()).toBeGreaterThan(Date.now());
+    });
+});
+//# sourceMappingURL=oauth.test.js.map