@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/sessions/__tests__/cleanup.integration.ts

@@ -0,0 +1,175 @@
+// Integration test for the sessions cleanup job. Pattern mirrors
+// secrets/retention.integration.ts — we hit the handler directly with a
+// minimal ctx, because the full setupTestStack + jobRunner path is
+// exercised by the framework's job tests. Here we pin the semantics: old
+// expired/revoked rows go, live rows stay, batching + signal work.
+
+import type { AppContext } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createSessionsFeature } from "../feature";
+import { cleanupJob } from "../handlers/cleanup.job";
+import { userSessionEntity, userSessionTable } from "../schema/user-session";
+
+type Log = NonNullable<AppContext["log"]>;
+function silentLogger(): Log {
+  const noop = () => {};
+  const logger: Log = {
+    info: noop,
+    warn: noop,
+    error: noop,
+    debug: noop,
+    child: () => logger,
+  };
+  return logger;
+}
+
+const TENANT = testTenantId(1);
+
+let stack: TestStack;
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [createSessionsFeature()],
+  });
+  await createEntityTable(stack.db, userSessionEntity);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userSessionTable);
+});
+
+type JobCtx = Pick<AppContext, "db" | "registry" | "log">;
+function jobCtx(): Parameters<typeof cleanupJob>[1] {
+  const ctx: JobCtx = {
+    db: stack.db,
+    registry: stack.registry,
+    log: silentLogger(),
+  };
+  return ctx as unknown as Parameters<typeof cleanupJob>[1];
+}
+
+// Seed a session row at a specific age. `kind` picks which lifecycle column
+// to back-date: "expired" sets expiresAt in the past (session lived out its
+// window), "revoked" sets revokedAt (user logged out, time passed), "live"
+// leaves the row current (should never be deleted).
+async function seedSession(opts: {
+  id: string;
+  userId: string;
+  kind: "live" | "expired" | "revoked";
+  ageDays: number;
+}): Promise<void> {
+  const now = sql`now()`;
+  const pastCreated = sql`now() - ${sql.raw(`interval '${opts.ageDays + 1} days'`)}`;
+  const past = sql`now() - ${sql.raw(`interval '${opts.ageDays} days'`)}`;
+  const future = sql`now() + ${sql.raw(`interval '30 days'`)}`;
+
+  await stack.db.insert(userSessionTable).values({
+    id: opts.id,
+    tenantId: TENANT,
+    userId: opts.userId,
+    createdAt: pastCreated,
+    expiresAt: opts.kind === "expired" ? past : future,
+    revokedAt: opts.kind === "revoked" ? past : null,
+    ip: "test",
+    userAgent: "test",
+    modifiedAt: now,
+  });
+}
+
+async function countSessions(): Promise<number> {
+  const rows = await stack.db.select().from(userSessionTable);
+  return rows.length;
+}
+
+describe("sessions cleanup job — purge expired/revoked rows", () => {
+  test("deletes expired-past-cutoff rows but keeps live ones", async () => {
+    await seedSession({
+      id: "11111111-1111-1111-1111-111111111111",
+      userId: "aa000000-0000-0000-0000-000000000001",
+      kind: "expired",
+      ageDays: 45,
+    });
+    await seedSession({
+      id: "22222222-2222-2222-2222-222222222222",
+      userId: "aa000000-0000-0000-0000-000000000002",
+      kind: "live",
+      ageDays: 1,
+    });
+    expect(await countSessions()).toBe(2);
+
+    await cleanupJob({}, jobCtx());
+
+    expect(await countSessions()).toBe(1);
+    const [remaining] = await stack.db.select().from(userSessionTable);
+    expect(remaining?.["revokedAt"]).toBeNull();
+  });
+
+  test("deletes long-revoked rows", async () => {
+    await seedSession({
+      id: "33333333-3333-3333-3333-333333333333",
+      userId: "bb000000-0000-0000-0000-000000000001",
+      kind: "revoked",
+      ageDays: 60,
+    });
+    expect(await countSessions()).toBe(1);
+
+    await cleanupJob({}, jobCtx());
+
+    expect(await countSessions()).toBe(0);
+  });
+
+  test("recently-revoked rows stay around (inside retention window)", async () => {
+    await seedSession({
+      id: "44444444-4444-4444-4444-444444444444",
+      userId: "cc000000-0000-0000-0000-000000000001",
+      kind: "revoked",
+      ageDays: 10,
+    });
+
+    // Default 30d window: 10d-old revoked row stays
+    await cleanupJob({}, jobCtx());
+
+    expect(await countSessions()).toBe(1);
+  });
+
+  test("olderThanDays override respects custom windows", async () => {
+    await seedSession({
+      id: "55555555-5555-5555-5555-555555555555",
+      userId: "dd000000-0000-0000-0000-000000000001",
+      kind: "revoked",
+      ageDays: 5,
+    });
+
+    // Tight 3d window: the 5d row goes
+    await cleanupJob({ olderThanDays: 3 }, jobCtx());
+
+    expect(await countSessions()).toBe(0);
+  });
+
+  test("batching drains a large backlog across chunks", async () => {
+    for (let i = 0; i < 7; i++) {
+      await seedSession({
+        id: `99999999-9999-9999-9999-${String(i).padStart(12, "0")}`,
+        userId: "ee000000-0000-0000-0000-000000000001",
+        kind: "expired",
+        ageDays: 60,
+      });
+    }
+    expect(await countSessions()).toBe(7);
+
+    await cleanupJob({ olderThanDays: 30, batchSize: 2 }, jobCtx());
+
+    expect(await countSessions()).toBe(0);
+  });
+});

package/src/sessions/__tests__/password-auto-revoke.integration.ts

@@ -0,0 +1,202 @@
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createLateBoundHolder } from "@cosmicdrift/kumiko-framework/testing";
+import { afterAll, beforeAll, beforeEach, describe, expect, test, vi } from "vitest";
+import { AuthHandlers } from "../../auth-email-password/constants";
+import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { UserHandlers } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { createSessionsFeature } from "../feature";
+import { userSessionEntity, userSessionTable } from "../schema/user-session";
+import { createSessionCallbacks, type SessionCallbacks } from "../session-callbacks";
+import { sessionCallbacksFromLateBound } from "../testing";
+import { makeSessionHelpers } from "./test-helpers";
+
+// When a user changes their password, every live session for that user must
+// stop working — the industry-standard "signs you out everywhere" rule.
+// Proves the sessions-feature wires the user-entity postSave hook correctly
+// and the mass-revoker does the full sweep (including the caller's session).
+
+let stack: TestStack;
+let h: ReturnType<typeof makeSessionHelpers>;
+const callbacks = createLateBoundHolder<SessionCallbacks>("session-callbacks");
+
+// vi.fn spy for the revoker — lets us assert exact call counts and arguments
+// per test without leaking module-level mutable state across suites.
+const massRevokeSpy = vi.fn<(userId: string) => Promise<number>>();
+
+const encryptionKey = randomBytes(32).toString("base64");
+
+// Align with TestUsers.systemAdmin.tenantId so seed + change-password write
+// events onto the same stream. Mismatched tenants land create on A and
+// update on B — getStreamVersion returns 0 and optimistic-lock fails.
+const TENANT: TenantId = testTenantId(1);
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+  const bound = sessionCallbacksFromLateBound(callbacks);
+  const baseRevoker = bound.asMassRevoker();
+
+  // Wire the spy as the revoker passed to the feature; it forwards to the
+  // real one so the DB stays in sync, but also records the call.
+  massRevokeSpy.mockImplementation((userId) => baseRevoker(userId));
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature(),
+      createSessionsFeature({
+        autoRevokeOnPasswordChange: massRevokeSpy,
+      }),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      ...bound.asAuthConfig(),
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+    },
+  });
+  callbacks.set(createSessionCallbacks({ db: stack.db }));
+  h = makeSessionHelpers(stack, TENANT);
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await createEntityTable(stack.db, userSessionEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.delete(userSessionTable);
+  massRevokeSpy.mockClear();
+});
+
+describe("password change mass-revokes every live session", () => {
+  test("changing the password revokes ALL sessions including the caller's", async () => {
+    await h.seedUser("rotate@example.com", "first-password");
+
+    const a = await h.login("rotate@example.com", "first-password");
+    const b = await h.login("rotate@example.com", "first-password");
+    const c = await h.login("rotate@example.com", "first-password");
+
+    // Sanity: all three are currently live and queries go through
+    expect(
+      (await h.authedPost("/api/query", a.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(200);
+    expect(
+      (await h.authedPost("/api/query", b.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(200);
+    expect(
+      (await h.authedPost("/api/query", c.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(200);
+
+    // b changes the password via its own JWT
+    const change = await h.authedPost("/api/write", b.token, {
+      type: AuthHandlers.changePassword,
+      payload: { oldPassword: "first-password", newPassword: "second-password-long" },
+    });
+    expect(change.status).toBe(200);
+
+    // Revoker was called exactly once; the return-value reports the 3 live
+    // sessions it revoked (a + b + c, all for the same user).
+    expect(massRevokeSpy).toHaveBeenCalledTimes(1);
+    expect(await massRevokeSpy.mock.results[0]?.value).toBe(3);
+
+    // Every previously-live session — INCLUDING b — is now revoked
+    expect(
+      (await h.authedPost("/api/query", a.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(401);
+    expect(
+      (await h.authedPost("/api/query", b.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(401);
+    expect(
+      (await h.authedPost("/api/query", c.token, { type: "user:query:user:me", payload: {} }))
+        .status,
+    ).toBe(401);
+
+    // DB state confirms: zero live rows for this user
+    const liveRows = await stack.db.select().from(userSessionTable);
+    const stillLive = liveRows.filter((r) => r["revokedAt"] === null);
+    expect(stillLive).toHaveLength(0);
+
+    // And logging in again with the NEW password works
+    const loginAfter = await stack.http.raw("POST", "/api/auth/login", {
+      email: "rotate@example.com",
+      password: "second-password-long",
+    });
+    expect(loginAfter.status).toBe(200);
+  });
+
+  test("user:create does NOT trigger mass-revoke (isNew guard)", async () => {
+    // seedUser does a user:create — the hook fires, but the isNew guard
+    // should short-circuit before the mass-revoker runs. A future refactor
+    // that drops the guard would make the spy show a call here.
+    await h.seedUser("fresh@example.com", "pw-long-enough");
+    expect(massRevokeSpy).not.toHaveBeenCalled();
+  });
+
+  test("editing a non-password field does NOT trigger mass-revoke", async () => {
+    const { userId } = await h.seedUser("stable@example.com", "pw-long-enough");
+    const a = await h.login("stable@example.com", "pw-long-enough");
+
+    // Grab the version number so the user:update handler passes the
+    // optimistic-lock check. `me` returns the current row to the caller
+    // with version included.
+    const meRes = await h.authedPost("/api/query", a.token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(meRes.status).toBe(200);
+    const me = (await meRes.json()) as { data: { version: number } };
+
+    // The caller updates their own displayName — must NOT sign them out.
+    const update = await h.authedPost("/api/write", a.token, {
+      type: UserHandlers.update,
+      payload: {
+        id: userId,
+        version: me.data.version,
+        changes: { displayName: "New Name" },
+      },
+    });
+    expect(update.status).toBe(200);
+
+    // Revoker not called — the isNew guard + passwordHash guard both must
+    // have held off.
+    expect(massRevokeSpy).not.toHaveBeenCalled();
+
+    // Same JWT still works
+    const after = await h.authedPost("/api/query", a.token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(after.status).toBe(200);
+  });
+});