@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts

@@ -0,0 +1,144 @@
+// Proves the L2 rate-limit (authEndpointRateLimit, Sprint G.5) actually
+// covers the public password-reset + email-verification routes. Without
+// this test the commit message's "Rate-Limit via L2" claim is just a
+// comment — a regression that silently moves the routes out of /api/auth/*
+// or tightens loginRateLimit but forgets these would sail through.
+
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+
+let stack: TestStack;
+const encryptionKey = randomBytes(32).toString("base64");
+const resetSecret = randomBytes(32).toString("base64");
+const verifySecret = randomBytes(32).toString("base64");
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature({
+        passwordReset: { hmacSecret: resetSecret, tokenTtlMinutes: 15 },
+        emailVerification: { hmacSecret: verifySecret, tokenTtlMinutes: 60, mode: "strict" },
+      }),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      passwordReset: {
+        requestHandler: AuthHandlers.requestPasswordReset,
+        confirmHandler: AuthHandlers.resetPassword,
+        appResetUrl: "https://app.example.com/reset",
+        sendResetEmail: async () => {},
+      },
+      emailVerification: {
+        requestHandler: AuthHandlers.requestEmailVerification,
+        confirmHandler: AuthHandlers.verifyEmail,
+        appVerifyUrl: "https://app.example.com/verify",
+        sendVerificationEmail: async () => {},
+      },
+    },
+    // Tight limit so the test trips it with a small number of requests,
+    // short window so a flaky re-run doesn't keep the bucket full.
+    rateLimit: {
+      auth: { limit: 2, windowSeconds: 60, onFailClosed: () => {} },
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+});
+
+// Unique IP per test so buckets don't cross-contaminate. L2 default bucket
+// is ip+path; we rely on that to keep password-reset and verify-email
+// independent in their own test.
+function withIp(ip: string): HeadersInit {
+  return { "Content-Type": "application/json", "x-forwarded-for": ip };
+}
+
+async function postFrom(path: string, ip: string, body: unknown): Promise<Response> {
+  return stack.app.request(path, {
+    method: "POST",
+    headers: withIp(ip),
+    body: JSON.stringify(body),
+  });
+}
+
+describe("L2 rate-limit covers public token routes", () => {
+  test("/auth/request-password-reset → 429 after 2 hits from same IP", async () => {
+    const ip = "10.50.0.1";
+    const path = "/api/auth/request-password-reset";
+
+    const a = await postFrom(path, ip, { email: "a@example.com" });
+    const b = await postFrom(path, ip, { email: "b@example.com" });
+    const c = await postFrom(path, ip, { email: "c@example.com" });
+
+    expect(a.status).toBe(200);
+    expect(b.status).toBe(200);
+    expect(c.status).toBe(429);
+  });
+
+  test("/auth/verify-email → 429 after 2 hits from same IP", async () => {
+    const ip = "10.50.0.2";
+    const path = "/api/auth/verify-email";
+
+    const a = await postFrom(path, ip, { token: "not-a-real-token.1.sig" });
+    const b = await postFrom(path, ip, { token: "not-a-real-token.1.sig" });
+    const c = await postFrom(path, ip, { token: "not-a-real-token.1.sig" });
+
+    // 422 / 400 for the first two — the handler rejects the garbage token.
+    // The important assertion: the THIRD hit comes back 429 before reaching
+    // the handler, proving the L2 middleware is in front of the route.
+    expect(a.status).not.toBe(429);
+    expect(b.status).not.toBe(429);
+    expect(c.status).toBe(429);
+  });
+
+  test("different IPs buckets independently — one flooder doesn't lock out another", async () => {
+    const attacker = "10.50.0.100";
+    const victim = "10.50.0.101";
+    const path = "/api/auth/request-password-reset";
+
+    // Burn the attacker's quota.
+    await postFrom(path, attacker, { email: "bad@example.com" });
+    await postFrom(path, attacker, { email: "bad@example.com" });
+    const attackerBlocked = await postFrom(path, attacker, { email: "bad@example.com" });
+    expect(attackerBlocked.status).toBe(429);
+
+    // Victim IP still has a fresh bucket.
+    const victimFirst = await postFrom(path, victim, { email: "good@example.com" });
+    expect(victimFirst.status).toBe(200);
+  });
+});

package/src/auth-email-password/__tests__/seed-admin.integration.ts

@@ -0,0 +1,176 @@
+// Tests für die seedAdmin-Convenience aus auth-email-password/testing.
+//
+// Wert: seedAdmin orchestriert seedTenant × N + seedUserWithPassword +
+// seedTenantMembership × N. Die Einzel-Helper haben jeweils eigene Tests
+// (tenant/seed-testing, user/seed-testing). Hier prüfen wir nur was
+// SEEDADMIN selber zusagt:
+//   1. Reihenfolge stimmt — Tenants vor User vor Memberships.
+//   2. Password wird mit argon2 gehasht und ist via verifyPassword(plain, hash) gültig.
+//   3. Re-Run ist idempotent (für persistent-DB-Modus im dev-server).
+//   4. Rollen pro Tenant landen korrekt (unterschiedliche Rollen-Listen
+//      pro Membership).
+
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { and, eq } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config/feature";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant/feature";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity, tenantTable } from "../../tenant/schema/tenant";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { verifyPassword } from "../password-hashing";
+import { seedAdmin } from "../testing";
+
+let stack: TestStack;
+
+const TENANT_DEV: TenantId = "00000000-0000-4000-8000-000000000d11" as TenantId;
+const TENANT_BETA: TenantId = "00000000-0000-4000-8000-000000000be1" as TenantId;
+
+beforeAll(async () => {
+  const resolver = createConfigResolver();
+  stack = await setupTestStack({
+    features: [createConfigFeature(), createUserFeature(), createTenantFeature()],
+    extraContext: { configResolver: resolver },
+  });
+  await createEntityTable(stack.db, tenantEntity);
+  await createEntityTable(stack.db, userEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.delete(tenantTable);
+  await stack.db.delete(userTable);
+  await stack.db.delete(eventsTable);
+});
+
+describe("seedAdmin", () => {
+  test("legt Tenants, User mit gehashtem Password und Memberships an — Login-Roundtrip funktioniert", async () => {
+    const userId = await seedAdmin(stack.db, {
+      email: "admin@example.com",
+      password: "secret-pw",
+      displayName: "Admin",
+      memberships: [
+        {
+          tenantId: TENANT_DEV,
+          tenantKey: "dev",
+          tenantName: "Dev",
+          roles: ["Admin"],
+        },
+        {
+          tenantId: TENANT_BETA,
+          tenantKey: "beta",
+          tenantName: "Beta",
+          roles: ["User"],
+        },
+      ],
+    });
+
+    // Tenants angelegt
+    const tenants = await stack.db.select().from(tenantTable);
+    expect(tenants.map((t) => t["id"]).sort()).toEqual([TENANT_DEV, TENANT_BETA].sort());
+
+    // User angelegt mit Hash (NICHT plain-Password)
+    const [user] = await stack.db
+      .select()
+      .from(userTable)
+      .where(eq(userTable["email"], "admin@example.com"));
+    expect(user?.["id"]).toBe(userId);
+    expect(user?.["passwordHash"]).not.toBe("secret-pw");
+    expect(user?.["passwordHash"]).toMatch(/^\$argon2/);
+
+    // verifyPassword(hash, plain) — Login-Pfad würde durchgehen.
+    const valid = await verifyPassword(user?.["passwordHash"] as string, "secret-pw");
+    expect(valid).toBe(true);
+    const invalid = await verifyPassword(user?.["passwordHash"] as string, "wrong-pw");
+    expect(invalid).toBe(false);
+
+    // Memberships pro Tenant mit unterschiedlichen Rollen
+    const devMembership = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(
+        and(
+          eq(tenantMembershipsTable.userId, userId),
+          eq(tenantMembershipsTable.tenantId, TENANT_DEV),
+        ),
+      );
+    expect(devMembership[0]?.["roles"]).toBe(JSON.stringify(["Admin"]));
+
+    const betaMembership = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(
+        and(
+          eq(tenantMembershipsTable.userId, userId),
+          eq(tenantMembershipsTable.tenantId, TENANT_BETA),
+        ),
+      );
+    expect(betaMembership[0]?.["roles"]).toBe(JSON.stringify(["User"]));
+  });
+
+  test("idempotent: zweiter Aufruf no-op (kein Crash, Stand bleibt)", async () => {
+    // Erstaufruf
+    const userId1 = await seedAdmin(stack.db, {
+      email: "admin@example.com",
+      password: "pw1",
+      displayName: "Admin",
+      memberships: [
+        { tenantId: TENANT_DEV, tenantKey: "dev", tenantName: "Dev", roles: ["Admin"] },
+      ],
+    });
+    // Zweiter Aufruf — gleicher Email, anderes Password (würde theoretisch
+    // einen neuen Hash erzeugen und neu schreiben, der idempotent-Check
+    // greift VOR dem Insert).
+    const userId2 = await seedAdmin(stack.db, {
+      email: "admin@example.com",
+      password: "pw2",
+      displayName: "Admin",
+      memberships: [
+        { tenantId: TENANT_DEV, tenantKey: "dev", tenantName: "Dev", roles: ["Admin"] },
+      ],
+    });
+    expect(userId2).toBe(userId1);
+
+    // Genau ein User-Row, original-Hash (passt zu pw1, nicht pw2).
+    const users = await stack.db.select().from(userTable);
+    expect(users).toHaveLength(1);
+    const valid = await verifyPassword(users[0]?.["passwordHash"] as string, "pw1");
+    expect(valid).toBe(true);
+    const invalid = await verifyPassword(users[0]?.["passwordHash"] as string, "pw2");
+    expect(invalid).toBe(false);
+
+    // Genau ein Membership-Row.
+    const memberships = await stack.db.select().from(tenantMembershipsTable);
+    expect(memberships).toHaveLength(1);
+
+    // Genau ein .created-Event pro Aggregat-Typ.
+    const events = await stack.db.select().from(eventsTable);
+    const createdByType = events
+      .filter((e) => e.type.endsWith(".created"))
+      .reduce<Record<string, number>>((acc, e) => {
+        acc[e.aggregateType] = (acc[e.aggregateType] ?? 0) + 1;
+        return acc;
+      }, {});
+    expect(createdByType).toEqual({
+      tenant: 1,
+      user: 1,
+      "tenant-membership": 1,
+    });
+  });
+});

package/src/auth-email-password/__tests__/session-callbacks.integration.ts

@@ -0,0 +1,310 @@
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+} from "@cosmicdrift/kumiko-framework/stack";
+import * as jose from "jose";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/testing";
+import { UserHandlers } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+import { hashPassword } from "../password-hashing";
+
+// In-memory fake of a real sessions-store — just enough to observe that the
+// framework calls the callbacks at the right moments and threads the sid back
+// through the JWT. The real sessions feature will persist to a table; this
+// test cares only about the wiring.
+type FakeStore = {
+  live: Set<string>;
+  created: Array<{ sid: string; userId: string; tenantId: TenantId; ip: string; ua: string }>;
+  revoked: string[];
+};
+
+function createFakeStore(): FakeStore {
+  return { live: new Set(), created: [], revoked: [] };
+}
+
+function createSessionCallbacks(
+  store: FakeStore,
+  idStream: Iterator<string>,
+): {
+  sessionCreator: (
+    user: { id: string; tenantId: TenantId },
+    meta: { ip: string; userAgent: string },
+  ) => Promise<string>;
+  sessionRevoker: (sid: string) => Promise<void>;
+} {
+  return {
+    async sessionCreator(user, meta) {
+      const next = idStream.next();
+      if (next.done) throw new Error("ran out of deterministic sids");
+      const sid = next.value;
+      store.live.add(sid);
+      store.created.push({
+        sid,
+        userId: user.id,
+        tenantId: user.tenantId,
+        ip: meta.ip,
+        ua: meta.userAgent,
+      });
+      return sid;
+    },
+    async sessionRevoker(sid) {
+      store.live.delete(sid);
+      store.revoked.push(sid);
+    },
+  };
+}
+
+function* deterministicSids(): Generator<string> {
+  let i = 1;
+  while (true) {
+    yield `sid-${String(i).padStart(4, "0")}`;
+    i++;
+  }
+}
+
+let stack: TestStack;
+let store: FakeStore;
+let sidStream: Generator<string>;
+
+const systemAdmin = TestUsers.systemAdmin;
+const encryptionKey = randomBytes(32).toString("base64");
+
+const TENANT_A: TenantId = "00000000-0000-4000-8000-0000000000a1";
+const TENANT_B: TenantId = "00000000-0000-4000-8000-0000000000b1";
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+
+  store = createFakeStore();
+  sidStream = deterministicSids();
+  const callbacks = createSessionCallbacks(store, sidStream);
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature(),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      loginErrorStatusMap: {
+        [AuthErrors.invalidCredentials]: 401,
+        [AuthErrors.noMembership]: 403,
+      },
+      sessionCreator: callbacks.sessionCreator,
+      sessionRevoker: callbacks.sessionRevoker,
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  // Reset the in-memory store but KEEP sidStream running — otherwise a test
+  // that leaks a sid into another test would produce confusing collisions.
+  store.live.clear();
+  store.created.length = 0;
+  store.revoked.length = 0;
+});
+
+async function seedUser(opts: {
+  email: string;
+  password: string;
+  tenants: { id: TenantId; roles: string[] }[];
+}): Promise<{ userId: string }> {
+  const hash = await hashPassword(opts.password);
+  const created = await stack.http.writeOk<{ id: string }>(
+    UserHandlers.create,
+    {
+      email: opts.email,
+      passwordHash: hash,
+      displayName: opts.email.split("@")[0] ?? "user",
+    },
+    systemAdmin,
+  );
+  for (const t of opts.tenants) {
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: t.id,
+      roles: t.roles,
+    });
+  }
+  return { userId: created.id };
+}
+
+async function login(email: string, password: string, headers?: Record<string, string>) {
+  const res = await stack.http.raw("POST", "/api/auth/login", { email, password }, headers);
+  expect(res.status).toBe(200);
+  const body = (await res.json()) as { token: string; user: { id: string; tenantId: TenantId } };
+  return body;
+}
+
+// Pure decode — we only care about the payload shape, not signature validity,
+// because the auth-middleware is the one that checks the signature. Using
+// jose.decodeJwt keeps the test from needing the secret.
+function decode(token: string): { sub: string; jti?: string; tenantId: TenantId } {
+  const payload = jose.decodeJwt(token);
+  const result: { sub: string; jti?: string; tenantId: TenantId } = {
+    sub: payload.sub ?? "",
+    tenantId: payload["tenantId"] as TenantId,
+  };
+  if (typeof payload.jti === "string") result.jti = payload.jti;
+  return result;
+}
+
+// --- scenario 1: login goes through sessionCreator + carries jti ---
+
+describe("login wires into sessionCreator and embeds jti", () => {
+  test("login creates a session, and the JWT carries that sid in its jti claim", async () => {
+    const { userId } = await seedUser({
+      email: "first@example.com",
+      password: "correct-horse-battery",
+      tenants: [{ id: TENANT_A, roles: ["User"] }],
+    });
+
+    const res = await login("first@example.com", "correct-horse-battery", {
+      "x-forwarded-for": "198.51.100.42",
+      "user-agent": "Mozilla/5.0 SessionTest",
+    });
+
+    // Creator was invoked exactly once with the right user + meta
+    expect(store.created).toHaveLength(1);
+    expect(store.created[0]).toMatchObject({
+      userId,
+      tenantId: TENANT_A,
+      ip: "198.51.100.42",
+      ua: "Mozilla/5.0 SessionTest",
+    });
+
+    // The sid ended up in the JWT's jti claim
+    const decoded = decode(res.token);
+    expect(decoded.jti).toBe(store.created[0]?.sid);
+    expect(decoded.sub).toBe(userId);
+
+    // And the session is live on the server side
+    expect(store.live.has(decoded.jti ?? "")).toBe(true);
+  });
+});
+
+// --- scenario 2: logout revokes the session via the revoker callback ---
+
+describe("logout routes through sessionRevoker", () => {
+  test("POST /auth/logout deletes the sid carried by the caller's JWT", async () => {
+    await seedUser({
+      email: "logout@example.com",
+      password: "bye-bye-session",
+      tenants: [{ id: TENANT_A, roles: ["User"] }],
+    });
+
+    const loginRes = await login("logout@example.com", "bye-bye-session");
+    const sidBefore = decode(loginRes.token).jti;
+    expect(sidBefore).toBeDefined();
+    expect(store.live.has(sidBefore ?? "")).toBe(true);
+
+    const logoutRes = await stack.http.raw("POST", "/api/auth/logout", undefined, {
+      Authorization: `Bearer ${loginRes.token}`,
+    });
+    expect(logoutRes.status).toBe(200);
+
+    // Revoker was called with exactly the sid from the caller's JWT
+    expect(store.revoked).toEqual([sidBefore]);
+    expect(store.live.has(sidBefore ?? "")).toBe(false);
+  });
+
+  test("logout without a bearer token → 401 (middleware blocks it)", async () => {
+    const res = await stack.http.raw("POST", "/api/auth/logout");
+    expect(res.status).toBe(401);
+    expect(store.revoked).toHaveLength(0);
+  });
+});
+
+// --- scenario 3: switch-tenant rotates the sid (old revoked, new created) ---
+
+describe("switch-tenant rotates the session", () => {
+  test("switching from A → B revokes the A-sid and creates a B-sid, in that order", async () => {
+    await seedUser({
+      email: "switcher@example.com",
+      password: "multi-tenant-life",
+      tenants: [
+        { id: TENANT_A, roles: ["User"] },
+        { id: TENANT_B, roles: ["Admin"] },
+      ],
+    });
+
+    const first = await login("switcher@example.com", "multi-tenant-life");
+    const sidA = decode(first.token).jti;
+    expect(sidA).toBeDefined();
+
+    // Ask to switch to tenant B
+    const switchRes = await stack.http.raw(
+      "POST",
+      "/api/auth/switch-tenant",
+      { tenantId: TENANT_B },
+      { Authorization: `Bearer ${first.token}` },
+    );
+    expect(switchRes.status).toBe(200);
+    const switched = (await switchRes.json()) as { token: string; tenantId: TenantId };
+    expect(switched.tenantId).toBe(TENANT_B);
+
+    const sidB = decode(switched.token).jti;
+    expect(sidB).toBeDefined();
+    expect(sidB).not.toBe(sidA);
+
+    // Old sid is revoked; new sid is live
+    expect(store.revoked).toContain(sidA);
+    expect(store.live.has(sidA ?? "")).toBe(false);
+    expect(store.live.has(sidB ?? "")).toBe(true);
+
+    // The B-session was created with tenant B on the user object — that's the
+    // whole point of running claims under the new tenant scope, so let's pin it.
+    const createdB = store.created.find((c) => c.sid === sidB);
+    expect(createdB?.tenantId).toBe(TENANT_B);
+  });
+});
+
+// --- scenario 4: meta forwarding — missing headers fall back to "unknown" ---
+
+describe("sessionMetadata falls back to 'unknown' on missing headers", () => {
+  test("no x-forwarded-for and no user-agent → both default to 'unknown'", async () => {
+    await seedUser({
+      email: "anon@example.com",
+      password: "hdr-less",
+      tenants: [{ id: TENANT_A, roles: ["User"] }],
+    });
+
+    // The test helper still injects Content-Type but not forwarded-for or UA.
+    await login("anon@example.com", "hdr-less");
+
+    const created = store.created.at(-1);
+    expect(created?.ip).toBe("unknown");
+    expect(created?.ua).toBe("unknown");
+  });
+});