@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/auth-email-password/__tests__/multi-roles.integration.ts

@@ -0,0 +1,256 @@
+// Multi-Rollen — globale user.roles parallel zu tenant-membership.roles.
+//
+// Pin: ein User mit `users.roles = ["SystemAdmin"]` + Membership auf
+// Tenant A mit ["Admin"] hat in der Session BEIDE Rollen. Switch zu
+// Tenant B mit ["User"] → Session hat ["SystemAdmin", "User"]. Globale
+// Rollen bleiben tenant-unabhängig stabil.
+//
+// Gegen-Beweis: User OHNE globale Rollen verhält sich wie vorher
+// (nur tenant-membership-roles in der Session).
+
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  testTenantId,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { UserHandlers, UserQueries } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+import { hashPassword } from "../password-hashing";
+
+let stack: TestStack;
+const systemAdmin = TestUsers.systemAdmin;
+const tenantA: TenantId = testTenantId(1);
+const tenantB: TenantId = testTenantId(2);
+
+beforeAll(async () => {
+  const resolver = createConfigResolver();
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature(),
+    ],
+    extraContext: { configResolver: resolver },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      // KRITISCH: ohne userQuery wired ruft switch-tenant keinen
+      // user-row-lookup → globale Rollen leaken nicht durch zum neuen
+      // tenant. Hier explizit setzen damit der merge greift.
+      userQuery: UserQueries.findForAuth,
+      loginHandler: AuthHandlers.login,
+      loginErrorStatusMap: {
+        [AuthErrors.invalidCredentials]: 401,
+        [AuthErrors.noMembership]: 403,
+      },
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+});
+
+async function seedUser(
+  email: string,
+  password: string,
+  globalRoles: readonly string[] = [],
+): Promise<string> {
+  const hash = await hashPassword(password);
+  const created = await stack.http.writeOk<{ id: string }>(
+    UserHandlers.create,
+    {
+      email,
+      passwordHash: hash,
+      displayName: email.split("@")[0] ?? "user",
+      // user.roles im create wird privileged geprüft — systemAdmin hat
+      // SystemAdmin-Rolle (siehe TestUsers.systemAdmin).
+      roles: JSON.stringify(globalRoles),
+    },
+    systemAdmin,
+  );
+  return created.id;
+}
+
+async function addMembership(
+  userId: string,
+  tenantId: TenantId,
+  roles: readonly string[],
+): Promise<void> {
+  await stack.db.insert(tenantMembershipsTable).values({
+    userId,
+    tenantId,
+    roles: JSON.stringify(roles),
+  });
+}
+
+async function login(
+  email: string,
+  password: string,
+): Promise<{ token: string; user: { id: string; tenantId: string; roles: string[] } }> {
+  const res = await stack.http.raw("POST", "/api/auth/login", { email, password });
+  expect(res.status).toBe(200);
+  const body = (await res.json()) as {
+    token: string;
+    user: { id: string; tenantId: string; roles: string[] };
+  };
+  return body;
+}
+
+describe("multi-roles: login mergt globale + membership-roles", () => {
+  test("user mit ['SystemAdmin'] global + ['Admin'] auf tenantA → session hat beide", async () => {
+    const userId = await seedUser("syadmin@example.com", "pw-long-enough", ["SystemAdmin"]);
+    await addMembership(userId, tenantA, ["Admin"]);
+
+    // Pin write-path: roles MUSS in DB landen, sonst ist der session-merge
+    // nur Zufall (z.B. wenn login-handler hardcoded SystemAdmin reinpacken
+    // würde). Direct DB-read schließt das aus.
+    const { eq } = await import("drizzle-orm");
+    const dbRow = await stack.db
+      .select({ roles: userTable["roles"] })
+      .from(userTable)
+      .where(eq(userTable["id"], userId));
+    expect(dbRow[0]?.roles).toBe(JSON.stringify(["SystemAdmin"]));
+
+    const { user } = await login("syadmin@example.com", "pw-long-enough");
+    expect(user.tenantId).toBe(tenantA);
+    expect(user.roles.sort()).toEqual(["Admin", "SystemAdmin"]);
+  });
+
+  test("user OHNE globale rollen → nur membership-roles in der session", async () => {
+    const userId = await seedUser("plain@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["Admin"]);
+
+    const { user } = await login("plain@example.com", "pw-long-enough");
+    expect(user.roles).toEqual(["Admin"]);
+  });
+
+  test("globale rollen + tenant-rollen mit overlap → dedupliziert (kein doppeltes Admin)", async () => {
+    const userId = await seedUser("dup@example.com", "pw-long-enough", ["Admin", "SystemAdmin"]);
+    await addMembership(userId, tenantA, ["Admin", "User"]);
+
+    const { user } = await login("dup@example.com", "pw-long-enough");
+    expect(user.roles.sort()).toEqual(["Admin", "SystemAdmin", "User"]);
+  });
+});
+
+describe("multi-roles: privilege-escalation blocked via field-level write-access", () => {
+  test("Tenant-Admin (ohne SystemAdmin) kann user.roles NICHT setzen via update", async () => {
+    // Setup: User mit ["Admin"] auf tenantA (Tenant-Admin) + ein Target-User
+    // mit leeren globalRoles. Tenant-Admin versucht den Target via
+    // user:write:user:update auf SystemAdmin zu eskalieren.
+    const adminId = await seedUser("ta@example.com", "pw-long-enough");
+    await addMembership(adminId, tenantA, ["Admin"]);
+    const tenantAdminSession = { id: adminId, tenantId: tenantA, roles: ["Admin"] };
+
+    // Target user mit version 1 (frisch erstellt).
+    const targetId = await seedUser("victim@example.com", "pw-long-enough");
+
+    const res = await stack.http.write(
+      UserHandlers.update,
+      {
+        id: targetId,
+        version: 1,
+        changes: { roles: JSON.stringify(["SystemAdmin"]) },
+      },
+      tenantAdminSession,
+    );
+    // Field-level guard greift VOR dem handler — AccessDeniedError mit
+    // field=roles. Das pinst: kein "silent drop", sondern hard-fail.
+    expect(res.status).toBeGreaterThanOrEqual(400);
+    expect(res.status).toBeLessThan(500);
+    const body = (await res.json()) as {
+      error?: { details?: { field?: string; reason?: string } };
+    };
+    expect(body.error?.details?.field).toBe("roles");
+    expect(body.error?.details?.reason).toBe("field_access_denied");
+  });
+
+  test("Self-update mit roles → blocked (kein Privilege-Selbst-Erteilung)", async () => {
+    // Auch wenn isSelf-check im handler den ownership-guard umgeht,
+    // greift der field-level write-access auf roles unabhängig: User
+    // kann sich nicht selbst zum SystemAdmin machen.
+    const userId = await seedUser("selfescalate@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["User"]);
+    const userSession = { id: userId, tenantId: tenantA, roles: ["User"] };
+
+    const res = await stack.http.write(
+      UserHandlers.update,
+      {
+        id: userId,
+        version: 1,
+        changes: { roles: JSON.stringify(["SystemAdmin"]) },
+      },
+      userSession,
+    );
+    expect(res.status).toBeGreaterThanOrEqual(400);
+    expect(res.status).toBeLessThan(500);
+    const body = (await res.json()) as {
+      error?: { details?: { field?: string } };
+    };
+    expect(body.error?.details?.field).toBe("roles");
+  });
+});
+
+describe("multi-roles: switch-tenant erhält globale rollen", () => {
+  test("switch von tenantA → tenantB → SystemAdmin bleibt, tenant-roles wechseln", async () => {
+    const userId = await seedUser("syadmin2@example.com", "pw-long-enough", ["SystemAdmin"]);
+    await addMembership(userId, tenantA, ["Admin"]);
+    await addMembership(userId, tenantB, ["User"]);
+
+    const { token } = await login("syadmin2@example.com", "pw-long-enough");
+
+    const switchRes = await stack.http.raw(
+      "POST",
+      "/api/auth/switch-tenant",
+      { tenantId: tenantB },
+      { authorization: `Bearer ${token}` },
+    );
+    expect(switchRes.status).toBe(200);
+    const switchBody = (await switchRes.json()) as { tenantId: string; roles: string[] };
+    expect(switchBody.tenantId).toBe(tenantB);
+    expect([...switchBody.roles].sort()).toEqual(["SystemAdmin", "User"]);
+  });
+
+  test("switch ohne globale rollen → roles wechseln 1:1 zu membership", async () => {
+    const userId = await seedUser("plain2@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["Admin"]);
+    await addMembership(userId, tenantB, ["User"]);
+
+    const { token } = await login("plain2@example.com", "pw-long-enough");
+
+    const switchRes = await stack.http.raw(
+      "POST",
+      "/api/auth/switch-tenant",
+      { tenantId: tenantB },
+      { authorization: `Bearer ${token}` },
+    );
+    expect(switchRes.status).toBe(200);
+    const switchBody = (await switchRes.json()) as { roles: string[] };
+    expect(switchBody.roles).toEqual(["User"]);
+  });
+});

package/src/auth-email-password/__tests__/password-reset.integration.ts

@@ -0,0 +1,346 @@
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { Temporal } from "temporal-polyfill";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createSessionsFeature, userSessionTable } from "../../sessions";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/testing";
+import { UserHandlers } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+import { hashPassword, verifyPassword } from "../password-hashing";
+import { signResetToken } from "../reset-token";
+
+// Signed tokens are forwarded out-of-band (email). In the test we grab them
+// from the sendResetEmail callback instead.
+const capturedEmails: Array<{ email: string; resetUrl: string; expiresAt: string }> = [];
+
+// Records the userId every time the sessions feature's auto-revoke hook
+// fires after a password change. The session-revoke tests assert on this
+// list — we don't need a full session store, just proof the hook fired.
+const autoRevokeCalls: string[] = [];
+
+let stack: TestStack;
+const systemAdmin = TestUsers.systemAdmin;
+const encryptionKey = randomBytes(32).toString("base64");
+const resetSecret = randomBytes(32).toString("base64");
+const appResetUrl = "https://app.example.com/reset";
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature({
+        passwordReset: { hmacSecret: resetSecret, tokenTtlMinutes: 15 },
+      }),
+      // Sessions feature wires the cross-feature entityHook on
+      // "user.postSave" that triggers autoRevokeOnPasswordChange whenever
+      // the passwordHash delta is present. Integration-test proves the
+      // reset-flow's changes.passwordHash triggers the same hook.
+      createSessionsFeature({
+        autoRevokeOnPasswordChange: async (userId) => {
+          autoRevokeCalls.push(userId);
+          return 0; // no real session store behind this spy
+        },
+      }),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      passwordReset: {
+        requestHandler: AuthHandlers.requestPasswordReset,
+        confirmHandler: AuthHandlers.resetPassword,
+        appResetUrl,
+        sendResetEmail: async (args) => {
+          capturedEmails.push(args);
+        },
+      },
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, {
+    configValuesTable,
+    tenantMembershipsTable,
+    userSessionTable,
+  });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.delete(userSessionTable);
+  capturedEmails.length = 0;
+  autoRevokeCalls.length = 0;
+});
+
+async function seedUser(opts: {
+  email: string;
+  password: string;
+  tenantId?: TenantId;
+}): Promise<{ id: string; tenantId: TenantId }> {
+  const hash = await hashPassword(opts.password);
+  const created = await stack.http.writeOk<{ id: string }>(
+    UserHandlers.create,
+    {
+      email: opts.email,
+      passwordHash: hash,
+      displayName: opts.email.split("@")[0] ?? "user",
+    },
+    systemAdmin,
+  );
+  const tenantId = opts.tenantId ?? "00000000-0000-4000-8000-000000000001";
+  await seedTenantMembership(stack.db, {
+    userId: created.id,
+    tenantId,
+    roles: ["User"],
+  });
+  return { id: created.id, tenantId };
+}
+
+async function post(path: string, body: unknown): Promise<Response> {
+  return stack.http.raw("POST", path, body);
+}
+
+// --- request-password-reset -----------------------------------------------
+
+describe("POST /auth/request-password-reset", () => {
+  test("known email → 200, email callback invoked with reset URL", async () => {
+    await seedUser({ email: "alice@example.com", password: "initial-pw!" });
+
+    const res = await post("/api/auth/request-password-reset", { email: "alice@example.com" });
+
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ isSuccess: true });
+    expect(capturedEmails).toHaveLength(1);
+    const [captured] = capturedEmails;
+    if (!captured) throw new Error("no email captured");
+    expect(captured.email).toBe("alice@example.com");
+    expect(captured.resetUrl.startsWith(`${appResetUrl}?token=`)).toBe(true);
+    expect(typeof captured.expiresAt).toBe("string");
+  });
+
+  test("unknown email → 200 with NO sendResetEmail side-effect (enumeration-safe)", async () => {
+    const res = await post("/api/auth/request-password-reset", { email: "ghost@example.com" });
+
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ isSuccess: true });
+    expect(capturedEmails).toHaveLength(0);
+  });
+
+  test("malformed body → 200 (silent success, no enumeration via error shape)", async () => {
+    const res = await post("/api/auth/request-password-reset", { wrong: "shape" });
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ isSuccess: true });
+    expect(capturedEmails).toHaveLength(0);
+  });
+});
+
+// --- reset-password --------------------------------------------------------
+
+describe("POST /auth/reset-password", () => {
+  test("valid token → password set; login works with new password", async () => {
+    const seed = await seedUser({ email: "bob@example.com", password: "old-pw-1234" });
+
+    // Generate the token the same way the handler does — bypassing the email
+    // hop keeps the test deterministic.
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "brand-new-pw-9876",
+    });
+
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ isSuccess: true });
+
+    // Proof: the new password actually hashes in. Read the row, verify the
+    // hash matches the new plaintext.
+    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    if (!row?.["passwordHash"]) throw new Error("user row / hash missing");
+    expect(await verifyPassword(row["passwordHash"] as string, "brand-new-pw-9876")).toBe(true);
+    expect(await verifyPassword(row["passwordHash"] as string, "old-pw-1234")).toBe(false);
+  });
+
+  test("tampered token → 422 invalid_reset_token", async () => {
+    const seed = await seedUser({ email: "carol@example.com", password: "keep-me!" });
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+    const tampered = `${token.slice(0, -3)}XXX`;
+
+    const res = await post("/api/auth/reset-password", {
+      token: tampered,
+      newPassword: "new-password-1234",
+    });
+
+    expect(res.status).toBe(422);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidResetToken);
+
+    // Old password still wins.
+    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    if (!row?.["passwordHash"]) throw new Error("user row / hash missing");
+    expect(await verifyPassword(row["passwordHash"] as string, "keep-me!")).toBe(true);
+  });
+
+  test("token signed with different secret → 422 (not auth via other deployments' tokens)", async () => {
+    const seed = await seedUser({ email: "dave@example.com", password: "original" });
+    const { token } = signResetToken(seed.id, 15, "wrong-secret-wrong-secret-wrong!!");
+
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "should-not-stick-1234",
+    });
+
+    expect(res.status).toBe(422);
+  });
+
+  test("too-short newPassword → 400 (schema rejects <8 chars)", async () => {
+    const seed = await seedUser({ email: "eve@example.com", password: "original" });
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "tiny",
+    });
+
+    expect(res.status).toBe(400);
+  });
+
+  test("expired token via the route → 422 invalid_reset_token", async () => {
+    const seed = await seedUser({ email: "time@example.com", password: "once-valid-1234" });
+    // Sign with now set far in the past so expiry already fired.
+    const past = Temporal.Now.instant().subtract({ minutes: 30 });
+    const { token } = signResetToken(seed.id, 15, resetSecret, past);
+
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "brand-new-pw-time",
+    });
+
+    expect(res.status).toBe(422);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidResetToken);
+  });
+
+  test("reset that fails before the write is retryable (burn is released on failure)", async () => {
+    // The burn marker goes down BEFORE the state change so a racing replay
+    // can't slip through. But if the state change itself fails — e.g. no
+    // memberships in the row, every tenant stream rejected, DB error —
+    // the token was never actually consumed. The handler releases the
+    // burn in those branches so the user can click the link again
+    // without hitting a stuck "already-used".
+    //
+    // Repro: drop the user's membership → tenantOrder is empty →
+    // invalidToken + unburn. Re-insert membership → second attempt
+    // with the same token succeeds (proves the burn was released).
+    const seed = await seedUser({ email: "retry@example.com", password: "pw-retry-1234" });
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+
+    await stack.db.delete(tenantMembershipsTable);
+    const firstAttempt = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "never-lands-1234",
+    });
+    expect(firstAttempt.status).toBe(422);
+
+    // Re-insert the membership. Same userId, same token still valid.
+    await seedTenantMembership(stack.db, {
+      userId: seed.id,
+      tenantId: seed.tenantId,
+      roles: ["User"],
+    });
+
+    const secondAttempt = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "finally-lands-1234",
+    });
+    expect(secondAttempt.status).toBe(200);
+  });
+
+  test("replayed reset-token → 422 invalid_reset_token (single-use burn)", async () => {
+    // Reset tokens are single-use: the handler burns them in Redis via
+    // SETNX before the state change. First click wins; replay within TTL
+    // collapses to the same invalid_reset_token code as a tampered or
+    // expired token — no leak that "this token was legitimately used".
+    const seed = await seedUser({ email: "twice@example.com", password: "first-pw-1234" });
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+
+    const first = await post("/api/auth/reset-password", { token, newPassword: "next-pw-1234" });
+    expect(first.status).toBe(200);
+
+    const second = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "yet-another-pw-1234",
+    });
+    expect(second.status).toBe(422);
+    const body = await second.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidResetToken);
+  });
+});
+
+// --- session auto-revoke (H.3 cross-feature hook) -------------------------
+
+describe("reset-password triggers session auto-revoke", () => {
+  test("successful reset fires the sessions-feature entityHook on user", async () => {
+    const seed = await seedUser({
+      email: "revokeme@example.com",
+      password: "hack-exposed-1234",
+    });
+    const { token } = signResetToken(seed.id, 15, resetSecret);
+
+    const res = await post("/api/auth/reset-password", {
+      token,
+      newPassword: "fresh-secure-1234",
+    });
+    expect(res.status).toBe(200);
+
+    // The sessions feature registered r.entityHook("postSave", "user", ...)
+    // with autoRevokeOnPasswordChange. Reset writes changes.passwordHash
+    // through user:update → hook fires → spy records the userId. Without
+    // this assertion the commit's "session revocation" claim is unverified.
+    expect(autoRevokeCalls).toEqual([seed.id]);
+  });
+
+  test("failed reset (invalid token) does NOT trigger auto-revoke", async () => {
+    const seed = await seedUser({
+      email: "keepme@example.com",
+      password: "still-mine-1234",
+    });
+
+    const res = await post("/api/auth/reset-password", {
+      token: "fake.1234567890.whatever",
+      newPassword: "does-not-matter-1234",
+    });
+    expect(res.status).toBe(422);
+    // No passwordHash write → no hook → no revoke. Otherwise a garbage-
+    // token spammer could log everyone out.
+    expect(autoRevokeCalls).toEqual([]);
+    expect(seed.id).toBeTruthy(); // silence lint on unused var
+  });
+});