@checkstack/auth-backend 0.0.3 → 0.2.0

package/src/utils/user.test.ts

@@ -3,37 +3,38 @@ import { enrichUser } from "./user";
 import { User } from "better-auth/types";
 
 // Mock Drizzle DB
-const createMockDb = (data: { roles?: unknown[]; permissions?: unknown[] }) => {
-  const mockDb: any = {
+const createMockDb = (data: {
+  roles?: unknown[];
+  accessRules?: unknown[];
+  teams?: unknown[];
+}) => {
+  const mockDb: unknown = {
     select: mock(() => mockDb),
     from: mock(() => mockDb),
     innerJoin: mock(() => mockDb),
     where: mock(() => mockDb),
   };
 
-  // Mock thenable for different chains
-  // eslint-disable-next-line unicorn/no-thenable
-  mockDb.then = (resolve: (arg0: unknown) => void) => {
-    // Determine which call this is based on the 'from' call
-    // const lastFrom =
-    //   mockDb.from.mock.calls[mockDb.from.mock.calls.length - 1][0];
-
-    // We need to look at the schema name or some identifier.
-    // Since we are mocking the schema as well, we can check equality.
-    // However, for a simple mock, we can just alternate or use a counter.
-
-    // In enrichUser:
-    // 1. select from userRole (inner join role)
-    // 2. select from rolePermission (inner join permission) -> for each role
-
-    // Let's use a simpler approach: track call count for this specific mock instance
-    if (!mockDb._callCount) mockDb._callCount = 0;
-    mockDb._callCount++;
+  // Track call count for sequential responses
+  // Call order in enrichUser: 1=roles, 2+=access rules per role, final=teams
+  let callCount = 0;
+  const nonAdminRoles = (data.roles || []).filter(
+    (r) => (r as { roleId: string }).roleId !== "admin"
+  );
 
-    if (mockDb._callCount === 1) {
+  // eslint-disable-next-line unicorn/no-thenable
+  (mockDb as { then: unknown }).then = (resolve: (arg0: unknown) => void) => {
+    callCount++;
+    if (callCount === 1) {
+      // First call: get roles
       return resolve(data.roles || []);
     }
-    return resolve(data.permissions || []);
+    if (callCount <= 1 + nonAdminRoles.length && nonAdminRoles.length > 0) {
+      // Access rule calls for each non-admin role
+      return resolve(data.accessRules || []);
+    }
+    // Team memberships (final call)
+    return resolve(data.teams || []);
   };
 
   return mockDb;
@@ -49,51 +50,69 @@ describe("enrichUser", () => {
     updatedAt: new Date(),
   };
 
-  it("should enrich user with admin role and wildcard permission", async () => {
+  it("should enrich user with admin role and wildcard access", async () => {
     const mockDb = createMockDb({
       roles: [{ roleId: "admin" }],
+      teams: [{ teamId: "team-1" }],
     });
 
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
 
     expect(result.roles).toContain("admin");
-    expect(result.permissions).toContain("*");
+    expect(result.accessRules).toContain("*");
+    expect(result.teamIds).toEqual(["team-1"]);
   });
 
-  it("should enrich user with custom roles and permissions", async () => {
+  it("should enrich user with custom roles and access rules", async () => {
     const mockDb = createMockDb({
-      roles: [{ roleId: "editor" }, { roleId: "viewer" }],
-      permissions: [{ permissionId: "blog.read" }],
+      roles: [{ roleId: "editor" }],
+      accessRules: [{ accessRuleId: "blog.edit" }],
+      teams: [],
     });
 
-    // Note: Our simple mock returns the same permissions for ALL roles if there are multiple roles.
-    // In enrichUser, it loops through roles.
-    // If we have 2 roles, enrichUser will call select from rolePermission twice.
-    // Our mock needs to handle multiple calls if we want to be precise.
-
-    let callCount = 0;
-    // eslint-disable-next-line unicorn/no-thenable
-    mockDb.then = (resolve: (arg0: unknown) => void) => {
-      callCount++;
-      if (callCount === 1) return resolve([{ roleId: "editor" }]);
-      if (callCount === 2) return resolve([{ permissionId: "blog.edit" }]);
-      return resolve([]);
-    };
-
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
 
     expect(result.roles).toContain("editor");
-    expect(result.permissions).toContain("blog.edit");
+    expect(result.accessRules).toContain("blog.edit");
+    expect(result.teamIds).toEqual([]);
   });
 
   it("should handle user with no roles", async () => {
     const mockDb = createMockDb({
       roles: [],
+      teams: [],
     });
 
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
 
     expect(result.roles).toEqual([]);
-    expect(result.permissions).toEqual([]);
+    expect(result.accessRules).toEqual([]);
+    expect(result.teamIds).toEqual([]);
+  });
+
+  it("should include multiple team memberships", async () => {
+    const mockDb = createMockDb({
+      roles: [{ roleId: "admin" }],
+      teams: [{ teamId: "team-1" }, { teamId: "team-2" }, { teamId: "team-3" }],
+    });
+
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
+
+    expect(result.teamIds).toHaveLength(3);
+    expect(result.teamIds).toContain("team-1");
+    expect(result.teamIds).toContain("team-2");
+    expect(result.teamIds).toContain("team-3");
   });
 });

package/src/utils/user.ts

@@ -5,7 +5,7 @@ import type { RealUser } from "@checkstack/backend-api";
 import * as schema from "../schema";
 
 /**
- * Enriches a better-auth User with roles and permissions from the database.
+ * Enriches a better-auth User with roles, access rules, and team memberships from the database.
  * Returns a RealUser type for use in the RPC context.
  */
 export const enrichUser = async (
@@ -23,31 +23,38 @@ export const enrichUser = async (
     .where(eq(schema.userRole.userId, user.id));
 
   const roles = userRoles.map((r) => r.roleId);
-  const permissions = new Set<string>();
+  const accessRulesSet = new Set<string>();
 
-  // 2. Get Permissions for each role
+  // 2. Get access rules for each role
   for (const roleId of roles) {
     if (roleId === "admin") {
-      permissions.add("*");
+      accessRulesSet.add("*");
       continue;
     }
 
-    const rolePermissions = await db
+    const roleAccessRules = await db
       .select({
-        permissionId: schema.permission.id,
+        accessRuleId: schema.accessRule.id,
       })
-      .from(schema.rolePermission)
+      .from(schema.roleAccessRule)
       .innerJoin(
-        schema.permission,
-        eq(schema.permission.id, schema.rolePermission.permissionId)
+        schema.accessRule,
+        eq(schema.accessRule.id, schema.roleAccessRule.accessRuleId)
       )
-      .where(eq(schema.rolePermission.roleId, roleId));
+      .where(eq(schema.roleAccessRule.roleId, roleId));
 
-    for (const p of rolePermissions) {
-      permissions.add(p.permissionId);
+    for (const p of roleAccessRules) {
+      accessRulesSet.add(p.accessRuleId);
     }
   }
 
+  // 3. Get Team memberships
+  const userTeams = await db
+    .select({ teamId: schema.userTeam.teamId })
+    .from(schema.userTeam)
+    .where(eq(schema.userTeam.userId, user.id));
+  const teamIds = userTeams.map((t) => t.teamId);
+
   return {
     // Spread user first to preserve additional properties
     ...user,
@@ -57,6 +64,7 @@ export const enrichUser = async (
     email: user.email,
     name: user.name,
     roles,
-    permissions: [...permissions],
+    accessRules: [...accessRulesSet],
+    teamIds,
   };
 };