@api-client/core 0.19.41 → 0.20.0

package/src/modeling/types.ts

@@ -356,12 +356,11 @@ export interface SessionConfiguration {
    */
   secret: string
   /**
-   * The properties from the `User` entity to be encoded into the session payload (JWT/cookie).
+   * The properties to be set on the session `User` object.
    * These properties become available in the `request.auth` object at runtime.
-   *
-   * In practice, these are the ids of the properties in the `User` entity.
+   * The properties are coming from the `User` entity (marked by the Semantic model).
    */
-  properties: string[]
+  properties: AssociationTarget[]
   /**
    * The cookie-based session transport configuration.
    */

package/src/modeling/validation/api_model_rules.ts

@@ -231,7 +231,7 @@ export function validateApiModelSecurity(model: ApiModel): ApiModelValidationIte
             break
           }
         }
-        if (roleProp && !model.session.properties.includes(roleProp.key)) {
+        if (roleProp && !model.session.properties.find((p) => p.key === roleProp?.key)) {
           issues.push({
             code: createCode('API', 'MISSING_RBAC_SESSION_PROPERTY'),
             message: 'The user role must be included in the session data for permissions to work.',

package/tests/unit/modeling/RuntimeApiModel.spec.ts

@@ -1,8 +1,10 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
 import { test } from '@japa/runner'
 import { ApiModel } from '../../../src/modeling/ApiModel.js'
-import { RuntimeApiModel, type RuntimeApiModelSchema } from '../../../src/modeling/RuntimeApiModel.js'
+import { RuleEvaluator, RuntimeApiModel, type RuntimeApiModelSchema } from '../../../src/modeling/RuntimeApiModel.js'
 import { DataDomain } from '../../../src/modeling/DataDomain.js'
 import { SemanticType } from '../../../src/modeling/Semantics.js'
+import { AccessRule, AccessRuleExecutionPhase } from '../../../src/modeling/index.js'
 
 test.group('RuntimeApiModel', () => {
   test('initializes from schema', ({ assert }) => {
@@ -150,4 +152,248 @@ test.group('RuntimeApiModel', () => {
     assert.equal(runtimeModel.cachedProperties.role?.key, roleProp.key)
     assert.equal(runtimeModel.cachedProperties.username?.key, usernameProp.key)
   }).tags(['@modeling', '@runtime'])
+
+  test('precomputes session properties correctly', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const modelNode = domain.addModel({ key: 'users' })
+    const userEntity = modelNode.addEntity({ info: { name: 'User' }, semantics: [{ id: SemanticType.User }] })
+    const prop1 = userEntity.addProperty({ info: { name: 'Prop1' } })
+    const prop2 = userEntity.addProperty({ info: { name: 'Prop2' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+      session: {
+        properties: [{ key: prop1.key, domain: domain.key }, { key: prop2.key }],
+      },
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema as any, domain.toJSON())
+
+    assert.equal(runtimeModel.sessionProperties.size, 2)
+    assert.equal(runtimeModel.sessionProperties.get(prop1.key)?.key, prop1.key)
+    assert.equal(runtimeModel.sessionProperties.get(prop2.key)?.key, prop2.key)
+  }).tags(['@modeling', '@runtime'])
+
+  test('throws exception if session property is missing from domain', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const modelNode = domain.addModel({ key: 'users' })
+    const userEntity = modelNode.addEntity({ info: { name: 'User' }, semantics: [{ id: SemanticType.User }] })
+    userEntity.addProperty({ info: { name: 'Prop1' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+      session: {
+        properties: [{ key: 'missing-prop' }],
+      },
+    }
+
+    assert.throws(
+      () => new RuntimeApiModel(schema as any, domain.toJSON()),
+      'Session property missing-prop not found in domain'
+    )
+  }).tags(['@modeling', '@runtime'])
+
+  test('handles missing session configuration gracefully', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema as any, domain.toJSON())
+
+    assert.equal(runtimeModel.sessionProperties.size, 0)
+  }).tags(['@modeling', '@runtime'])
+
+  test('evaluateAccess - rejects if any mandatory rule fails', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel(
+      { key: 'api-1', accessRule: [{ type: 'allowAuthenticated', mandatory: true }] },
+      domain
+    )
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: { accessRule: [], parent: undefined },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator: RuleEvaluator = async (_rule: AccessRule): Promise<boolean> => false // Mandatory rule fails
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result)
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - rejects by default if no rules hit', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1' }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator: RuleEvaluator = async (_rule: AccessRule): Promise<undefined> => undefined // No rules match
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result)
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - evaluates from most specific to most general in permission phase', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1', accessRule: [{ type: 'allowAuthenticated' }] }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: {
+        kind: 'read',
+        accessRule: [{ type: 'matchEmailDomain', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+      },
+    } as any
+
+    const evaluatedOrder: string[] = []
+    const evaluator: RuleEvaluator = async (rule: AccessRule): Promise<undefined> => {
+      evaluatedOrder.push(rule.type)
+      return undefined // Continue to next rule
+    }
+
+    await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.deepEqual(evaluatedOrder, ['matchEmailDomain', 'allowPublic', 'allowAuthenticated'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - short-circuits on explicit allow or deny in permission phase', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1', accessRule: [{ type: 'allowAuthenticated' }] }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: {
+        kind: 'read',
+        accessRule: [{ type: 'matchEmailDomain', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+      },
+    } as any
+
+    const evaluatedOrder: string[] = []
+    const evaluator = async (rule: any) => {
+      evaluatedOrder.push(rule.type)
+      if (rule.type === 'allowPublic') return true
+      return undefined
+    }
+
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isTrue(result)
+    // Should not reach the api-rule
+    assert.deepEqual(evaluatedOrder, ['matchEmailDomain', 'allowPublic'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - passes mandatory phase and uses permission phase result', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel(
+      { key: 'api-1', accessRule: [{ type: 'allowAuthenticated', mandatory: true }] },
+      domain
+    )
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator = async (rule: any) => {
+      if (rule.mandatory) return true // passes mandatory check
+      if (rule.type === 'allowPublic') return false // explicitly denies
+      return undefined
+    }
+
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result) // Denied by permission rule
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - shadows parent rules of the same type', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const model = domain.addModel({ key: 'mod-1' })
+    const entity = model.addEntity({ key: 'ent-1' })
+
+    // Create base model with exposing and actions directly in schema
+    const baseModel = new ApiModel(
+      {
+        key: 'api-1',
+        accessRule: [{ type: 'allowAuthenticated' }, { type: 'matchEmailDomain' }],
+        exposes: [
+          {
+            key: entity.key,
+            entity: { key: entity.key },
+            accessRule: [
+              { type: 'allowPublic', mandatory: false },
+              { type: 'matchEmailDomain', mandatory: true },
+            ],
+            actions: [
+              {
+                kind: 'read',
+                accessRule: [{ type: 'allowAuthenticated', mandatory: true }],
+              },
+            ],
+            hasCollection: true,
+            kind: 'Core#ExposedEntity',
+            resourcePath: '',
+          },
+        ],
+      },
+      domain
+    )
+
+    // Hierarchy will be:
+    // Action: allowAuthenticated (mandatory)
+    // Entity: allowPublic, matchEmailDomain (mandatory)
+    // API: allowAuthenticated, matchEmailDomain
+
+    // Effective Rules (with shadowing):
+    // Action's allowAuthenticated (mandatory) shadows API's allowAuthenticated
+    // Entity's matchEmailDomain (mandatory) shadows API's matchEmailDomain
+    // Entity's allowPublic is kept
+
+    // Mandatory: allowAuthenticated, matchEmailDomain
+    // Permission: allowPublic
+
+    const schema: RuntimeApiModelSchema = {
+      ...baseModel.toJSON(),
+      routingMap: {
+        GET: [{ path: '/test', lookup: { exposedEntityKey: entity.key, actionKind: 'read' } }],
+      },
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema, domain.toJSON())
+    const mockAction = runtimeModel.lookupAction('GET', '/test')!
+
+    const evaluatedOrder: string[] = []
+    const evaluator: RuleEvaluator = async (rule: AccessRule): Promise<boolean | undefined> => {
+      evaluatedOrder.push(`${rule.type}${rule.mandatory ? '-mandatory' : ''}`)
+      if (rule.mandatory) return true
+      return undefined
+    }
+
+    await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+
+    // Check that we only evaluate the shadowed rules, exactly once per phase
+    assert.deepEqual(evaluatedOrder, ['allowAuthenticated-mandatory', 'matchEmailDomain-mandatory', 'allowPublic'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
 })

package/tests/unit/modeling/actions/Action.spec.ts

@@ -60,7 +60,7 @@ test.group('Action', () => {
       notified = true
     })
 
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@observed'])
@@ -111,7 +111,7 @@ test.group('Action', () => {
 
   test('getAllRules() aggregates rules from action and parent', ({ assert }) => {
     const parent = {
-      getAllRules: () => [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })],
+      getAllRules: () => [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })],
       notifyChange: () => {},
     } as unknown as ExposedEntity
 

package/tests/unit/modeling/actions/CreateAction.spec.ts

@@ -59,7 +59,7 @@ test.group('CreateAction', () => {
     })
 
     // Modify inherited property
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@create-action', '@observed'])

package/tests/unit/modeling/actions/ReadAction.spec.ts

@@ -59,7 +59,7 @@ test.group('ReadAction', () => {
     })
 
     // Modify inherited property
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@read-action', '@observed'])
@@ -71,7 +71,7 @@ test.group('ReadAction', () => {
       notified = true
     })
 
-    action.accessRule.push(new AccessRule(mockExposedEntity(), { type: 'allowPublic' }))
+    action.accessRule.push(new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' }))
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@read-action', '@observed'])

package/tests/unit/modeling/api_model.spec.ts

@@ -53,7 +53,7 @@ test.group('ApiModel.createSchema()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'public' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -72,7 +72,7 @@ test.group('ApiModel.createSchema()', () => {
     assert.deepEqual(schema.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(schema.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(schema.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(schema.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(schema.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(schema.accessRule, [{ type: 'public' }])
     assert.deepEqual(schema.rateLimiting, { rules: [] })
     assert.equal(schema.termsOfService, 'https://example.com/terms')
@@ -132,7 +132,7 @@ test.group('ApiModel.constructor()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'allowPublic' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -150,7 +150,7 @@ test.group('ApiModel.constructor()', () => {
     assert.deepEqual(model.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(model.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(model.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(model.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(model.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(model.accessRule, [new AllowPublicAccessRule(model)])
     assert.deepEqual(model.rateLimiting, new RateLimitingConfiguration())
     assert.equal(model.termsOfService, 'https://example.com/terms')
@@ -289,7 +289,7 @@ test.group('ApiModel.toJSON()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'allowPublic' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -308,7 +308,7 @@ test.group('ApiModel.toJSON()', () => {
     assert.deepEqual(json.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(json.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(json.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(json.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(json.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(json.accessRule, [{ type: 'allowPublic' }])
     assert.deepEqual(json.rateLimiting, { rules: [] })
     assert.equal(json.termsOfService, 'https://example.com/terms')

package/tests/unit/modeling/exposed_entity.spec.ts

@@ -308,7 +308,7 @@ test.group('ExposedEntity', () => {
 
   test('getAllRules() aggregates rules from entity, parent, and API', ({ assert }) => {
     const model = new ApiModel()
-    model.accessRule = [new AccessRule(model, { type: 'allowPublic' })]
+    model.accessRule = [new AccessRule(model, {}, { type: 'allowPublic' })]
 
     const rootEx = new ExposedEntity(model, {
       key: 'root',

package/tests/unit/modeling/generators/OasGenerator.spec.ts

@@ -129,7 +129,7 @@ test.group('OasGenerator', (group) => {
     }
     api.accessRule = [new AllowAuthenticatedAccessRule(api)]
     api.session = {
-      properties: [email.key],
+      properties: [{ key: email.key }],
       secret: 'test-secret',
       cookie: {
         enabled: true,

package/tests/unit/modeling/helpers/runtime.spec.ts

@@ -0,0 +1,48 @@
+import { test } from '@japa/runner'
+import { truncateIdentifier } from '../../../../src/modeling/helpers/runtime.js'
+
+test.group('modeling / helpers / runtime', () => {
+  test('returns the original identifier if it is exactly 63 characters long', ({ assert }) => {
+    const input = 'a'.repeat(63)
+    const result = truncateIdentifier(input)
+    assert.equal(result, input)
+    assert.equal(result.length, 63)
+  }).tags(['@modeling', '@helpers'])
+
+  test('returns the original identifier if it is less than 63 characters long', ({ assert }) => {
+    const input = 'short_identifier'
+    const result = truncateIdentifier(input)
+    assert.equal(result, input)
+    assert.equal(result.length, 16)
+  }).tags(['@modeling', '@helpers'])
+
+  test('truncates identifier to 63 characters if it is longer', ({ assert }) => {
+    const input = 'a'.repeat(64)
+    const result = truncateIdentifier(input)
+    assert.equal(result.length, 63)
+    assert.notEqual(result, input)
+  }).tags(['@modeling', '@helpers'])
+
+  test('generates deterministic hash for the same long identifier', ({ assert }) => {
+    const input = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long'
+    const result1 = truncateIdentifier(input)
+    const result2 = truncateIdentifier(input)
+    assert.equal(result1, result2)
+  }).tags(['@modeling', '@helpers'])
+
+  test('generates different hashes for different long identifiers', ({ assert }) => {
+    const input1 = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long_1'
+    const input2 = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long_2'
+    const result1 = truncateIdentifier(input1)
+    const result2 = truncateIdentifier(input2)
+    assert.notEqual(result1, result2)
+  }).tags(['@modeling', '@helpers'])
+
+  test('truncates keeping the first 54 characters', ({ assert }) => {
+    const prefix = 'this_is_exactly_54_characters_long_string_prefix_hello'
+    const input = `${prefix}_and_some_more_characters_to_exceed_63`
+    const result = truncateIdentifier(input)
+    assert.isTrue(result.startsWith(`${prefix}_`))
+    assert.equal(result.length, 63)
+  }).tags(['@modeling', '@helpers'])
+})

package/tests/unit/modeling/rules/AccessRule.spec.ts

@@ -4,24 +4,24 @@ import { mockExposedEntity } from '../actions/helpers.js'
 
 test.group('AccessRule', () => {
   test('initializes with default values', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity())
+    const rule = new AccessRule(mockExposedEntity(), {})
     assert.equal(rule.type, '')
   }).tags(['@modeling', '@access-rule'])
 
   test('initializes with provided values', ({ assert }) => {
     const schema: AccessRuleSchema = { type: 'public' }
-    const rule = new AccessRule(mockExposedEntity(), schema)
+    const rule = new AccessRule(mockExposedEntity(), {}, schema)
     assert.equal(rule.type, 'public')
   }).tags(['@modeling', '@access-rule'])
 
   test('serializes to JSON', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'authenticated' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'authenticated' })
     const json = rule.toJSON()
     assert.deepEqual(json, { type: 'authenticated' })
   }).tags(['@modeling', '@access-rule'])
 
   test('notifies change', async ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'public' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'public' })
     let notified = false
     rule.addEventListener('change', () => {
       notified = true
@@ -32,7 +32,7 @@ test.group('AccessRule', () => {
   }).tags(['@modeling', '@access-rule'])
 
   test('toJSON returns safe copy (immutability)', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'public' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'public' })
     const json = rule.toJSON()
 
     // Modify JSON (simulate runtime mutation)

package/tests/unit/modeling/rules/LifecycleStatus.spec.ts

@@ -0,0 +1,55 @@
+import { test } from '@japa/runner'
+import { LifecycleStatusAccessRule } from '../../../../src/modeling/rules/LifecycleStatus.js'
+import { mockExposedEntity } from '../actions/helpers.js'
+
+test.group('LifecycleStatusAccessRule', () => {
+  test('initializes with default values', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    assert.equal(rule.type, 'lifecycleStatus')
+    assert.deepEqual(rule.allowedStatuses, [])
+    assert.deepEqual(rule.deniedStatuses, [])
+  }).tags(['@modeling', '@rule', '@lifecycle-status'])
+
+  test('initializes with provided values', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity(), {
+      allowedStatuses: ['published'],
+      deniedStatuses: ['archived'],
+    })
+
+    assert.equal(rule.type, 'lifecycleStatus')
+    assert.deepEqual(rule.allowedStatuses, ['published'])
+    assert.deepEqual(rule.deniedStatuses, ['archived'])
+  }).tags(['@modeling', '@rule', '@lifecycle-status'])
+
+  test('toJSON returns valid schema', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity(), {
+      allowedStatuses: ['active', 'pending'],
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'lifecycleStatus')
+    assert.deepEqual(json.allowedStatuses, ['active', 'pending'])
+    assert.isUndefined(json.deniedStatuses)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@serialization'])
+
+  test('toJSON omits empty arrays', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'lifecycleStatus')
+    assert.isUndefined(json.allowedStatuses)
+    assert.isUndefined(json.deniedStatuses)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@serialization'])
+
+  test('notifies change when allowedStatuses changes', async ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    let notified = false
+    rule.addEventListener('change', () => {
+      notified = true
+    })
+
+    rule.allowedStatuses.push('draft')
+    await Promise.resolve()
+    assert.isTrue(notified)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@observed'])
+})

package/tests/unit/modeling/rules/MatchResourceAttribute.spec.ts

@@ -0,0 +1,66 @@
+import { test } from '@japa/runner'
+import { MatchResourceAttributeAccessRule } from '../../../../src/modeling/rules/MatchResourceAttribute.js'
+import { mockExposedEntity } from '../actions/helpers.js'
+
+test.group('MatchResourceAttributeAccessRule', () => {
+  test('initializes with default values', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity())
+    assert.equal(rule.type, 'matchResourceAttribute')
+    assert.equal(rule.attribute, '')
+    assert.equal(rule.value, '')
+    assert.equal(rule.operator, 'equal')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute'])
+
+  test('initializes with provided values', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'status',
+      value: 'published',
+      operator: 'notEqual',
+    })
+
+    assert.equal(rule.type, 'matchResourceAttribute')
+    assert.equal(rule.attribute, 'status')
+    assert.equal(rule.value, 'published')
+    assert.equal(rule.operator, 'notEqual')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute'])
+
+  test('toJSON returns valid schema', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'age',
+      value: 18,
+      operator: 'greaterThanOrEqual',
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'matchResourceAttribute')
+    assert.equal(json.attribute, 'age')
+    assert.equal(json.value, 18)
+    assert.equal(json.operator, 'greaterThanOrEqual')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@serialization'])
+
+  test('toJSON omits operator when it is equal', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'isPublic',
+      value: true,
+      operator: 'equal',
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'matchResourceAttribute')
+    assert.equal(json.attribute, 'isPublic')
+    assert.equal(json.value, true)
+    assert.equal(json.operator, 'equal')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@serialization'])
+
+  test('notifies change when attribute changes', async ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity())
+    let notified = false
+    rule.addEventListener('change', () => {
+      notified = true
+    })
+
+    rule.attribute = 'visibility'
+    await Promise.resolve()
+    assert.isTrue(notified)
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@observed'])
+})

package/tests/unit/modeling/validation/api_model_rules.spec.ts

@@ -67,7 +67,7 @@ test.group('ApiModel Validation', () => {
         authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
         session: {
           secret: 'super-secret',
-          properties: ['id', 'role'],
+          properties: [{ key: 'id' }, { key: 'role' }],
           cookie: {
             enabled: true,
             kind: 'cookie',
@@ -401,7 +401,7 @@ test.group('ApiModel Validation', () => {
         authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
         session: {
           secret: 'super-secret',
-          properties: ['id', 'role'],
+          properties: [{ key: 'id' }, { key: 'role' }],
           cookie: {
             enabled: true,
             kind: 'cookie',