@brika/auth 0.1.1

package/src/__tests__/routes-profile.test.ts

@@ -0,0 +1,403 @@
+/**
+ * @brika/auth - Profile Route Tests (update, avatar, password)
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { stub, useTestBed } from '@brika/di/testing';
+import type { Middleware } from '@brika/router';
+import { TestApp } from '@brika/router/testing';
+import { profileRoutes } from '../server/routes/profile';
+import { UserService } from '../services/UserService';
+import { Role, Scope, type Session, type User } from '../types';
+
+function withSession(session: Session): Middleware {
+  return async (c, next) => {
+    c.set('session', session);
+    await next();
+  };
+}
+
+const userSession: Session = {
+  id: 'sess-user',
+  userId: 'user-1',
+  userEmail: 'user@test.com',
+  userName: 'User',
+  userRole: Role.USER,
+  scopes: [Scope.WORKFLOW_READ, Scope.BOARD_READ],
+};
+
+const now = new Date();
+
+const mockUser: User = {
+  id: 'user-1',
+  email: 'user@test.com',
+  name: 'User',
+  role: Role.USER,
+  avatarHash: null,
+  createdAt: now,
+  updatedAt: now,
+  isActive: true,
+  scopes: [],
+};
+
+// ─── PUT /profile ───────────────────────────────────────────────────────────
+
+describe('PUT /profile — authenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      updateUser: (
+        _id: string,
+        updates: {
+          name?: string;
+        }
+      ) => ({
+        ...mockUser,
+        name: updates.name ?? mockUser.name,
+      }),
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('updates name and returns user', async () => {
+    const res = await app.put('/profile', {
+      name: 'New Name',
+    });
+    expect(res.status).toBe(200);
+    const body = res.body as {
+      user: User;
+    };
+    expect(body.user.name).toBe('New Name');
+  });
+});
+
+describe('PUT /profile — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService);
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.put('/profile', {
+      name: 'Test',
+    });
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── PUT /profile/avatar — JSON base64 ─────────────────────────────────────
+
+describe('PUT /profile/avatar — JSON base64 upload', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      setAvatar: () => 'abc12345',
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('uploads avatar from base64 JSON', async () => {
+    // PNG magic bytes + minimal padding
+    const pngHeader = Buffer.from([
+      0x89,
+      0x50,
+      0x4e,
+      0x47,
+      0x0d,
+      0x0a,
+      0x1a,
+      0x0a,
+      ...new Array(100).fill(0),
+    ]);
+    const imageData = pngHeader.toString('base64');
+    const res = await app.put('/profile/avatar', {
+      data: imageData,
+    });
+    expect(res.status).toBe(200);
+    const body = res.body as {
+      ok: boolean;
+    };
+    expect(body.ok).toBe(true);
+  });
+
+  test('returns 400 when data field is missing', async () => {
+    const res = await app.put('/profile/avatar', {});
+    expect(res.status).toBe(400);
+  });
+});
+
+// ─── PUT /profile/avatar — binary upload ────────────────────────────────────
+
+describe('PUT /profile/avatar — binary upload', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      setAvatar: () => 'bin12345',
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('uploads avatar from binary body', async () => {
+    const hono = app.hono;
+    // PNG magic bytes + minimal padding
+    const imageBuffer = Buffer.from([
+      0x89,
+      0x50,
+      0x4e,
+      0x47,
+      0x0d,
+      0x0a,
+      0x1a,
+      0x0a,
+      ...new Array(100).fill(0),
+    ]);
+    const res = await hono.fetch(
+      new Request('http://test/profile/avatar', {
+        method: 'PUT',
+        headers: {
+          'content-type': 'image/png',
+        },
+        body: imageBuffer,
+      })
+    );
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+    };
+    expect(body.ok).toBe(true);
+  });
+
+  test('returns 400 for empty binary body', async () => {
+    const hono = app.hono;
+    const res = await hono.fetch(
+      new Request('http://test/profile/avatar', {
+        method: 'PUT',
+        headers: {
+          'content-type': 'image/png',
+        },
+        body: new Uint8Array(0),
+      })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test('returns 400 for oversized image (>5MB)', async () => {
+    const hono = app.hono;
+    const largeBuffer = Buffer.alloc(6 * 1024 * 1024); // 6MB
+    const res = await hono.fetch(
+      new Request('http://test/profile/avatar', {
+        method: 'PUT',
+        headers: {
+          'content-type': 'image/png',
+        },
+        body: largeBuffer,
+      })
+    );
+    expect(res.status).toBe(400);
+  });
+});
+
+describe('PUT /profile/avatar — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService);
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.put('/profile/avatar', {
+      data: 'abc',
+    });
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── DELETE /profile/avatar ─────────────────────────────────────────────────
+
+describe('DELETE /profile/avatar — authenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      removeAvatar: () => {},
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('removes avatar and returns ok', async () => {
+    const res = await app.delete('/profile/avatar');
+    expect(res.status).toBe(200);
+    expect(
+      (
+        res.body as {
+          ok: boolean;
+        }
+      ).ok
+    ).toBe(true);
+  });
+});
+
+describe('DELETE /profile/avatar — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService);
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.delete('/profile/avatar');
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── PUT /profile/password ──────────────────────────────────────────────────
+
+describe('PUT /profile/password — valid current password', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      verifyPassword: async (_userId: string, password: string) => password === 'OldPass123!',
+      setPassword: async () => {},
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('changes password with valid current password', async () => {
+    const res = await app.put('/profile/password', {
+      currentPassword: 'OldPass123!',
+      newPassword: 'NewPass456!',
+    });
+    expect(res.status).toBe(200);
+    expect(
+      (
+        res.body as {
+          ok: boolean;
+        }
+      ).ok
+    ).toBe(true);
+  });
+
+  test('returns 400 when current password is wrong', async () => {
+    const res = await app.put('/profile/password', {
+      currentPassword: 'WrongPass',
+      newPassword: 'NewPass456!',
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test('returns 400 when fields are missing', async () => {
+    const res = await app.put('/profile/password', {});
+    expect(res.status).toBe(400);
+  });
+
+  test('returns 400 when only currentPassword is provided', async () => {
+    const res = await app.put('/profile/password', {
+      currentPassword: 'OldPass123!',
+    });
+    expect(res.status).toBe(400);
+  });
+});
+
+describe('PUT /profile/password — setPassword throws', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      verifyPassword: async () => true,
+      setPassword: async () => {
+        throw new Error('Password does not meet requirements');
+      },
+    });
+    app = TestApp.create(profileRoutes, [withSession(userSession)]);
+  });
+
+  test('returns 400 when setPassword throws (invalid new password)', async () => {
+    const res = await app.put('/profile/password', {
+      currentPassword: 'OldPass123!',
+      newPassword: 'weak',
+    });
+    expect(res.status).toBe(400);
+  });
+});
+
+describe('PUT /profile/password — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService);
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.put('/profile/password', {
+      currentPassword: 'OldPass123!',
+      newPassword: 'NewPass456!',
+    });
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── GET /avatar/:userId ────────────────────────────────────────────────────
+
+describe('GET /avatar/:userId — no avatar', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(UserService, {
+      getAvatarData: () => null,
+    });
+    // Avatar endpoint is public (no requireSession)
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns 204 when user has no avatar', async () => {
+    const res = await app.get('/avatar/user-1');
+    expect(res.status).toBe(204);
+  });
+});
+
+describe('GET /avatar/:userId — with avatar', () => {
+  let app: ReturnType<typeof TestApp.create>;
+  const fakeImage = Buffer.from('PNG-FAKE');
+
+  useTestBed(() => {
+    stub(UserService, {
+      getAvatarData: () => ({
+        data: fakeImage,
+        mimeType: 'image/webp',
+      }),
+    });
+    app = TestApp.create(profileRoutes);
+  });
+
+  test('returns image data when avatar exists', async () => {
+    const res = await app.get('/avatar/user-1');
+    expect(res.status).toBe(200);
+    expect(res.headers.get('content-type')).toBe('image/webp');
+    expect(res.headers.get('cache-control')).toBe('public, max-age=31536000, immutable');
+    expect(res.headers.get('etag')).toBeTruthy();
+  });
+
+  test('returns 304 with matching ETag', async () => {
+    // First request to get the ETag
+    const first = await app.get('/avatar/user-1');
+    const etag = first.headers.get('etag') ?? '';
+    expect(etag).toBeTruthy();
+
+    // Second request with If-None-Match
+    const second = await app.get('/avatar/user-1', {
+      headers: {
+        'if-none-match': etag,
+      },
+    });
+    expect(second.status).toBe(304);
+  });
+});

package/src/__tests__/routes-scopes.test.ts

@@ -0,0 +1,64 @@
+/**
+ * @brika/auth - Scope Route Tests (list scopes)
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { provide, useTestBed } from '@brika/di/testing';
+import { TestApp } from '@brika/router/testing';
+import { SCOPES_REGISTRY } from '../constants';
+import { scopeRoutes } from '../server/routes/scopes';
+import { ScopeService } from '../services/ScopeService';
+import { Scope } from '../types';
+
+describe('GET /scopes', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    // Use provide() instead of stub() to avoid deep-stub wrapping the SCOPES_REGISTRY object
+    provide(ScopeService, {
+      getRegistry: () => SCOPES_REGISTRY,
+    });
+    app = TestApp.create(scopeRoutes);
+  });
+
+  test('returns scopes registry and categories', async () => {
+    const res = await app.get('/scopes');
+    expect(res.status).toBe(200);
+
+    const body = res.body as {
+      scopes: Record<
+        string,
+        {
+          description: string;
+          category: string;
+        }
+      >;
+      categories: string[];
+    };
+
+    expect(body.categories).toEqual(['admin', 'workflow', 'board', 'plugin', 'settings']);
+    const adminScope = body.scopes[Scope.ADMIN_ALL];
+    expect(adminScope).toBeDefined();
+    if (!adminScope) {
+      throw new Error('Expected admin scope to be defined');
+    }
+    expect(adminScope.description).toBe('Full administrative access');
+    expect(adminScope.category).toBe('admin');
+  });
+
+  test('includes all defined scopes', async () => {
+    const res = await app.get('/scopes');
+    const body = res.body as {
+      scopes: Record<string, unknown>;
+    };
+
+    for (const scope of Object.values(Scope)) {
+      expect(body.scopes[scope]).toBeDefined();
+    }
+  });
+
+  test('is publicly accessible (no session required)', async () => {
+    const res = await app.get('/scopes');
+    expect(res.status).toBe(200);
+  });
+});

package/src/__tests__/routes-sessions.test.ts

@@ -0,0 +1,235 @@
+/**
+ * @brika/auth - Session Route Tests (list, revoke, revoke all)
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { stub, useTestBed } from '@brika/di/testing';
+import type { Middleware } from '@brika/router';
+import { TestApp } from '@brika/router/testing';
+import { sessionRoutes } from '../server/routes/sessions';
+import { SessionService } from '../services/SessionService';
+import { Role, Scope, type Session, type SessionRecord } from '../types';
+
+function withSession(session: Session): Middleware {
+  return async (c, next) => {
+    c.set('session', session);
+    await next();
+  };
+}
+
+const adminSession: Session = {
+  id: 'sess-admin',
+  userId: 'user-admin',
+  userEmail: 'admin@test.com',
+  userName: 'Admin',
+  userRole: Role.ADMIN,
+  scopes: [Scope.ADMIN_ALL],
+};
+
+const userSession: Session = {
+  id: 'sess-user',
+  userId: 'user-regular',
+  userEmail: 'user@test.com',
+  userName: 'User',
+  userRole: Role.USER,
+  scopes: [Scope.WORKFLOW_READ, Scope.BOARD_READ],
+};
+
+const now = Date.now();
+
+const mockUserSessions: SessionRecord[] = [
+  {
+    id: 'sess-user',
+    userId: 'user-regular',
+    tokenHash: 'hash1',
+    ip: '127.0.0.1',
+    userAgent: 'TestBrowser',
+    createdAt: now - 10000,
+    lastSeenAt: now,
+    expiresAt: now + 604800000,
+    revokedAt: null,
+  },
+  {
+    id: 'sess-user-2',
+    userId: 'user-regular',
+    tokenHash: 'hash2',
+    ip: '10.0.0.1',
+    userAgent: 'OtherBrowser',
+    createdAt: now - 20000,
+    lastSeenAt: now - 5000,
+    expiresAt: now + 604800000,
+    revokedAt: null,
+  },
+];
+
+// ─── GET /sessions ──────────────────────────────────────────────────────────
+
+describe('GET /sessions — authenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(SessionService, {
+      listUserSessions: () => mockUserSessions,
+    });
+    app = TestApp.create(sessionRoutes, [withSession(userSession)]);
+  });
+
+  test('returns sessions for current user with current flag', async () => {
+    const res = await app.get('/sessions');
+    expect(res.status).toBe(200);
+
+    const body = res.body as {
+      sessions: Array<{
+        id: string;
+        ip: string | null;
+        userAgent: string | null;
+        createdAt: number;
+        lastSeenAt: number;
+        current: boolean;
+      }>;
+    };
+    expect(body.sessions).toHaveLength(2);
+
+    const current = body.sessions.find((s) => s.id === 'sess-user');
+    expect(current?.current).toBe(true);
+
+    const other = body.sessions.find((s) => s.id === 'sess-user-2');
+    expect(other?.current).toBe(false);
+  });
+
+  test('strips sensitive fields (tokenHash, expiresAt, revokedAt)', async () => {
+    const res = await app.get('/sessions');
+    const body = res.body as {
+      sessions: Array<Record<string, unknown>>;
+    };
+    for (const session of body.sessions) {
+      expect(session.tokenHash).toBeUndefined();
+      expect(session.expiresAt).toBeUndefined();
+      expect(session.revokedAt).toBeUndefined();
+    }
+  });
+});
+
+describe('GET /sessions — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(SessionService);
+    app = TestApp.create(sessionRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.get('/sessions');
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── DELETE /sessions/:id ───────────────────────────────────────────────────
+
+describe('DELETE /sessions/:id — as session owner', () => {
+  let app: ReturnType<typeof TestApp.create>;
+  let revokedId: string | undefined;
+
+  useTestBed(() => {
+    revokedId = undefined;
+    stub(SessionService, {
+      listUserSessions: () => mockUserSessions,
+      revokeSession: (id: string) => {
+        revokedId = id;
+      },
+    });
+    app = TestApp.create(sessionRoutes, [withSession(userSession)]);
+  });
+
+  test('revokes own session', async () => {
+    const res = await app.delete('/sessions/sess-user-2');
+    expect(res.status).toBe(200);
+    expect(revokedId).toBe('sess-user-2');
+  });
+
+  test('returns 403 when revoking another users session', async () => {
+    const res = await app.delete('/sessions/sess-foreign');
+    expect(res.status).toBe(403);
+  });
+});
+
+describe('DELETE /sessions/:id — as admin', () => {
+  let app: ReturnType<typeof TestApp.create>;
+  let revokedId: string | undefined;
+
+  useTestBed(() => {
+    revokedId = undefined;
+    stub(SessionService, {
+      // Admin's own sessions do NOT include 'sess-user-2', but admin can still revoke it
+      listUserSessions: () => [],
+      revokeSession: (id: string) => {
+        revokedId = id;
+      },
+    });
+    app = TestApp.create(sessionRoutes, [withSession(adminSession)]);
+  });
+
+  test('can revoke any session via admin scope', async () => {
+    const res = await app.delete('/sessions/sess-user-2');
+    expect(res.status).toBe(200);
+    expect(revokedId).toBe('sess-user-2');
+  });
+});
+
+describe('DELETE /sessions/:id — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(SessionService);
+    app = TestApp.create(sessionRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.delete('/sessions/sess-user');
+    expect(res.status).toBe(401);
+  });
+});
+
+// ─── DELETE /sessions ───────────────────────────────────────────────────────
+
+describe('DELETE /sessions — authenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+  let revokedUserId: string | undefined;
+
+  useTestBed(() => {
+    revokedUserId = undefined;
+    stub(SessionService, {
+      revokeAllUserSessions: (userId: string) => {
+        revokedUserId = userId;
+      },
+    });
+    app = TestApp.create(sessionRoutes, [withSession(userSession)]);
+  });
+
+  test('revokes all sessions for current user', async () => {
+    const res = await app.delete('/sessions');
+    expect(res.status).toBe(200);
+    expect(
+      (
+        res.body as {
+          ok: boolean;
+        }
+      ).ok
+    ).toBe(true);
+    expect(revokedUserId).toBe('user-regular');
+  });
+});
+
+describe('DELETE /sessions — unauthenticated', () => {
+  let app: ReturnType<typeof TestApp.create>;
+
+  useTestBed(() => {
+    stub(SessionService);
+    app = TestApp.create(sessionRoutes);
+  });
+
+  test('returns 401 without session', async () => {
+    const res = await app.delete('/sessions');
+    expect(res.status).toBe(401);
+  });
+});