@dangao/bun-server 1.7.1 → 1.8.0

package/tests/security/guards/guards-integration.test.ts

@@ -0,0 +1,371 @@
+import { describe, expect, test, beforeEach, afterEach } from 'bun:test';
+import 'reflect-metadata';
+import { Application } from '../../../src/core/application';
+import { Controller } from '../../../src/controller';
+import { GET, POST } from '../../../src/router/decorators';
+import { Injectable } from '../../../src/di/decorators';
+import { Module } from '../../../src/di/module';
+import { SecurityModule } from '../../../src/security/security-module';
+import {
+  UseGuards,
+  Roles,
+  AuthGuard,
+  RolesGuard,
+  GuardRegistry,
+  type CanActivate,
+  type ExecutionContext,
+  GUARD_REGISTRY_TOKEN,
+} from '../../../src/security/guards';
+import { SecurityContextHolder } from '../../../src/security/context';
+
+// 获取随机端口
+function getTestPort(): number {
+  // 使用随机端口避免冲突
+  return 30000 + Math.floor(Math.random() * 10000);
+}
+
+// 自定义守卫
+@Injectable()
+class CustomGuard implements CanActivate {
+  public canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const customHeader = request.getHeader('x-custom-guard');
+    return customHeader === 'allow';
+  }
+}
+
+// 异步守卫
+@Injectable()
+class AsyncValidationGuard implements CanActivate {
+  public async canActivate(context: ExecutionContext): Promise<boolean> {
+    // 模拟异步验证
+    await new Promise((resolve) => setTimeout(resolve, 10));
+    return true;
+  }
+}
+
+// 计数守卫（用于验证执行顺序）
+let guardExecutionOrder: string[] = [];
+
+class Guard1 implements CanActivate {
+  public canActivate(): boolean {
+    guardExecutionOrder.push('Guard1');
+    return true;
+  }
+}
+
+class Guard2 implements CanActivate {
+  public canActivate(): boolean {
+    guardExecutionOrder.push('Guard2');
+    return true;
+  }
+}
+
+class Guard3 implements CanActivate {
+  public canActivate(): boolean {
+    guardExecutionOrder.push('Guard3');
+    return true;
+  }
+}
+
+// 测试控制器
+@Controller('/api')
+@UseGuards(CustomGuard)
+class TestController {
+  @GET('/public')
+  public publicEndpoint() {
+    return { message: 'public' };
+  }
+
+  @GET('/protected')
+  @UseGuards(AuthGuard)
+  public protectedEndpoint() {
+    return { message: 'protected' };
+  }
+
+  @GET('/admin')
+  @UseGuards(AuthGuard, RolesGuard)
+  @Roles('admin')
+  public adminEndpoint() {
+    return { message: 'admin only' };
+  }
+
+  @GET('/order')
+  @UseGuards(Guard1, Guard2, Guard3)
+  public orderEndpoint() {
+    return { message: 'order test' };
+  }
+}
+
+// 无守卫控制器
+@Controller('/no-guards')
+class NoGuardsController {
+  @GET('/open')
+  public openEndpoint() {
+    return { message: 'open' };
+  }
+}
+
+describe('Guards Integration Tests', () => {
+  let app: Application;
+  let port: number;
+  let baseUrl: string;
+
+  beforeEach(async () => {
+    port = getTestPort();
+    baseUrl = `http://localhost:${port}`;
+    guardExecutionOrder = [];
+    
+    // 重置 SecurityModule 状态，避免测试间污染
+    SecurityModule.reset();
+    
+    app = new Application();
+    
+    // 注册 SecurityModule
+    app.registerModule(
+      SecurityModule.forRoot({
+        jwt: {
+          secret: 'test-secret-key-for-guards',
+          accessTokenExpiresIn: 3600,
+        },
+        excludePaths: ['/no-guards'],
+        defaultAuthRequired: false,
+      }),
+    );
+
+    // 注册自定义守卫到容器
+    const container = app.getContainer();
+    container.register(CustomGuard, CustomGuard);
+    container.register(AsyncValidationGuard, AsyncValidationGuard);
+
+    app.registerController(TestController);
+    app.registerController(NoGuardsController);
+
+    await app.listen(port);
+  });
+
+  afterEach(async () => {
+    await app.stop();
+  });
+
+  test('should allow access when custom guard header is present', async () => {
+    const response = await fetch(`${baseUrl}/api/public`, {
+      headers: {
+        'x-custom-guard': 'allow',
+      },
+    });
+
+    expect(response.status).toBe(200);
+    const data = await response.json();
+    expect(data.message).toBe('public');
+  });
+
+  test('should deny access when custom guard header is missing', async () => {
+    const response = await fetch(`${baseUrl}/api/public`);
+
+    expect(response.status).toBe(403);
+  });
+
+  test('should deny access when custom guard header has wrong value', async () => {
+    const response = await fetch(`${baseUrl}/api/public`, {
+      headers: {
+        'x-custom-guard': 'deny',
+      },
+    });
+
+    expect(response.status).toBe(403);
+  });
+
+  test('should require authentication for protected endpoint', async () => {
+    const response = await fetch(`${baseUrl}/api/protected`, {
+      headers: {
+        'x-custom-guard': 'allow',
+      },
+    });
+
+    expect(response.status).toBe(401);
+  });
+
+  test('should allow access with valid token', async () => {
+    // 首先获取 JWT token
+    const container = app.getContainer();
+    const { JWTUtil } = await import('../../../src/auth/jwt');
+    const jwtUtil = new JWTUtil({ secret: 'test-secret-key-for-guards', accessTokenExpiresIn: 3600 });
+    const token = await jwtUtil.generateAccessToken({ sub: '1', username: 'test' });
+
+    const response = await fetch(`${baseUrl}/api/protected`, {
+      headers: {
+        'x-custom-guard': 'allow',
+        'Authorization': `Bearer ${token}`,
+      },
+    });
+
+    expect(response.status).toBe(200);
+    const data = await response.json();
+    expect(data.message).toBe('protected');
+  });
+
+  test('should deny access to admin endpoint without admin role', async () => {
+    const { JWTUtil } = await import('../../../src/auth/jwt');
+    const jwtUtil = new JWTUtil({ secret: 'test-secret-key-for-guards', accessTokenExpiresIn: 3600 });
+    const token = await jwtUtil.generateAccessToken({ sub: '1', username: 'test', roles: ['user'] });
+
+    const response = await fetch(`${baseUrl}/api/admin`, {
+      headers: {
+        'x-custom-guard': 'allow',
+        'Authorization': `Bearer ${token}`,
+      },
+    });
+
+    expect(response.status).toBe(403);
+  });
+
+  test('should allow access to admin endpoint with admin role', async () => {
+    const { JWTUtil } = await import('../../../src/auth/jwt');
+    const jwtUtil = new JWTUtil({ secret: 'test-secret-key-for-guards', accessTokenExpiresIn: 3600 });
+    const token = await jwtUtil.generateAccessToken({ sub: '1', username: 'admin', roles: ['admin'] });
+
+    const response = await fetch(`${baseUrl}/api/admin`, {
+      headers: {
+        'x-custom-guard': 'allow',
+        'Authorization': `Bearer ${token}`,
+      },
+    });
+
+    expect(response.status).toBe(200);
+    const data = await response.json();
+    expect(data.message).toBe('admin only');
+  });
+
+  test('should execute guards in correct order (global -> controller -> method)', async () => {
+    // 清空执行记录
+    guardExecutionOrder.length = 0;
+    
+    const response = await fetch(`${baseUrl}/api/order`, {
+      headers: {
+        'x-custom-guard': 'allow',
+      },
+    });
+
+    expect(response.status).toBe(200);
+    // 执行顺序：CustomGuard (controller) -> Guard1, Guard2, Guard3 (method)
+    // 只检查最后一次请求的执行顺序
+    expect(guardExecutionOrder.slice(-3)).toEqual(['Guard1', 'Guard2', 'Guard3']);
+  });
+
+  test('should allow access to endpoints without guards', async () => {
+    const response = await fetch(`${baseUrl}/no-guards/open`);
+
+    expect(response.status).toBe(200);
+    const data = await response.json();
+    expect(data.message).toBe('open');
+  });
+});
+
+describe('Global Guards Integration Tests', () => {
+  let app: Application;
+  let port: number;
+  let baseUrl: string;
+
+  beforeEach(async () => {
+    port = getTestPort();
+    baseUrl = `http://localhost:${port}`;
+
+    app = new Application();
+  });
+
+  afterEach(async () => {
+    await app.stop();
+  });
+
+  test('should apply global guards to all endpoints', async () => {
+    let globalGuardCalled = false;
+
+    class GlobalTestGuard implements CanActivate {
+      public canActivate(): boolean {
+        globalGuardCalled = true;
+        return true;
+      }
+    }
+
+    // 注册 SecurityModule with global guards
+    app.registerModule(
+      SecurityModule.forRoot({
+        jwt: {
+          secret: 'test-secret-key',
+          accessTokenExpiresIn: 3600,
+        },
+        defaultAuthRequired: false,
+        globalGuards: [GlobalTestGuard],
+      }),
+    );
+
+    @Controller('/test')
+    class SimpleController {
+      @GET('/hello')
+      public hello() {
+        return { message: 'hello' };
+      }
+    }
+
+    app.registerController(SimpleController);
+    await app.listen(port);
+
+    const response = await fetch(`${baseUrl}/test/hello`);
+    expect(response.status).toBe(200);
+    expect(globalGuardCalled).toBe(true);
+  });
+});
+
+describe('Guards with Module Integration', () => {
+  let app: Application;
+  let port: number;
+  let baseUrl: string;
+
+  beforeEach(async () => {
+    port = getTestPort();
+    baseUrl = `http://localhost:${port}`;
+    app = new Application();
+  });
+
+  afterEach(async () => {
+    await app.stop();
+  });
+
+  test('should work with modular architecture', async () => {
+    // 使用 @Auth 装饰器代替 @UseGuards(AuthGuard)
+    // 因为 @Auth 已经被 SecurityFilter 支持
+    @Controller('/items')
+    class ItemController {
+      @GET('/:id')
+      public getItem() {
+        return { id: '1', name: 'Test Item' };
+      }
+    }
+
+    @Module({
+      controllers: [ItemController],
+    })
+    class ItemModule {}
+
+    // 简化测试：只验证模块可以正常工作
+    app.registerModule(
+      SecurityModule.forRoot({
+        jwt: {
+          secret: 'module-test-secret',
+          accessTokenExpiresIn: 3600,
+        },
+        defaultAuthRequired: false,
+      }),
+    );
+    app.registerModule(ItemModule);
+    await app.listen(port);
+
+    // 不需要认证的端点应该可以访问
+    const response = await fetch(`${baseUrl}/items/1`);
+    expect(response.status).toBe(200);
+    const data = await response.json();
+    expect(data.name).toBe('Test Item');
+  });
+});
+