@dismissible/nestjs-api 0.0.2-canary.c91edbc.0 → 0.0.2-canary.d2f56d7.0

package/test/jwt-auth.e2e-spec.ts

@@ -0,0 +1,353 @@
+import { INestApplication } from '@nestjs/common';
+import request from 'supertest';
+import { join } from 'path';
+import { createTestApp, cleanupTestData } from '../src/app-test.factory';
+import { JwtAuthService, IJwtValidationResult } from '@dismissible/nestjs-jwt-auth-hook';
+
+describe('JWT Authentication E2E', () => {
+  let app: INestApplication;
+  let mockValidateToken: jest.Mock;
+
+  // Helper to create a mock validation result
+  const createValidResult = (sub = 'test-user'): IJwtValidationResult => ({
+    valid: true,
+    payload: {
+      sub,
+      iss: 'https://auth.example.com',
+      aud: 'dismissible-api',
+      exp: Math.floor(Date.now() / 1000) + 3600,
+      iat: Math.floor(Date.now() / 1000),
+    },
+  });
+
+  const createInvalidResult = (error: string): IJwtValidationResult => ({
+    valid: false,
+    error,
+  });
+
+  beforeAll(async () => {
+    // Create the mock function before app initialization
+    mockValidateToken = jest.fn();
+
+    app = await createTestApp({
+      moduleOptions: {
+        // Use test-specific config directory with JWT auth enabled
+        configPath: join(__dirname, 'config-jwt-auth'),
+      },
+      customize: (builder) => {
+        // Override JwtAuthService to prevent real JWKS calls during onModuleInit
+        return builder.overrideProvider(JwtAuthService).useValue({
+          // Mock initializeJwksClient to do nothing
+          initializeJwksClient: jest.fn().mockResolvedValue(undefined),
+          // Use the real extractBearerToken logic
+          extractBearerToken: (authHeader: string | undefined) => {
+            if (!authHeader) return null;
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') return null;
+            return parts[1];
+          },
+          // Use our mock for validateToken
+          validateToken: mockValidateToken,
+        });
+      },
+    });
+
+    await cleanupTestData(app);
+  });
+
+  afterAll(async () => {
+    if (app) {
+      await cleanupTestData(app);
+      await app.close();
+    }
+  });
+
+  beforeEach(() => {
+    // Reset mock before each test
+    mockValidateToken.mockReset();
+  });
+
+  describe('Successful authentication scenarios', () => {
+    it('should allow GET request with valid bearer token', async () => {
+      mockValidateToken.mockResolvedValue(createValidResult('auth-user-1'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/auth-user-1/items/jwt-test-get')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(200);
+
+      expect(response.body.data).toBeDefined();
+      expect(response.body.data.itemId).toBe('jwt-test-get');
+      expect(response.body.data.userId).toBe('auth-user-1');
+      expect(mockValidateToken).toHaveBeenCalledWith('valid-token-123');
+    });
+
+    it('should allow DELETE (dismiss) request with valid bearer token', async () => {
+      mockValidateToken.mockResolvedValue(createValidResult('auth-user-2'));
+
+      // First create the item
+      await request(app.getHttpServer())
+        .get('/v1/users/auth-user-2/items/jwt-test-dismiss')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(200);
+
+      // Then dismiss it
+      const response = await request(app.getHttpServer())
+        .delete('/v1/users/auth-user-2/items/jwt-test-dismiss')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(200);
+
+      expect(response.body.data).toBeDefined();
+      expect(response.body.data.dismissedAt).toBeDefined();
+    });
+
+    it('should allow POST (restore) request with valid bearer token', async () => {
+      mockValidateToken.mockResolvedValue(createValidResult('auth-user-3'));
+
+      // Create and dismiss the item
+      await request(app.getHttpServer())
+        .get('/v1/users/auth-user-3/items/jwt-test-restore')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(200);
+
+      await request(app.getHttpServer())
+        .delete('/v1/users/auth-user-3/items/jwt-test-restore')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(200);
+
+      // Restore it
+      const response = await request(app.getHttpServer())
+        .post('/v1/users/auth-user-3/items/jwt-test-restore')
+        .set('Authorization', 'Bearer valid-token-123')
+        .expect(201);
+
+      expect(response.body.data).toBeDefined();
+      expect(response.body.data.dismissedAt).toBeUndefined();
+    });
+
+    it('should handle lowercase bearer prefix', async () => {
+      mockValidateToken.mockResolvedValue(createValidResult('auth-user-4'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/auth-user-4/items/jwt-test-lowercase')
+        .set('Authorization', 'bearer lowercase-token')
+        .expect(200);
+
+      expect(response.body.data).toBeDefined();
+      expect(mockValidateToken).toHaveBeenCalledWith('lowercase-token');
+    });
+  });
+
+  describe('Failed authentication scenarios', () => {
+    it('should reject request without Authorization header', async () => {
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/noauth-user/items/jwt-test-noheader')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+      expect(mockValidateToken).not.toHaveBeenCalled();
+    });
+
+    it('should reject request with empty Authorization header', async () => {
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/noauth-user/items/jwt-test-empty')
+        .set('Authorization', '')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+    });
+
+    it('should reject request with non-Bearer auth scheme', async () => {
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/noauth-user/items/jwt-test-basic')
+        .set('Authorization', 'Basic dXNlcjpwYXNz')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+    });
+
+    it('should reject request with Bearer but no token', async () => {
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/noauth-user/items/jwt-test-notoken')
+        .set('Authorization', 'Bearer')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+    });
+
+    it('should reject request with expired token', async () => {
+      mockValidateToken.mockResolvedValue(createInvalidResult('jwt expired'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/expired-user/items/jwt-test-expired')
+        .set('Authorization', 'Bearer expired-token')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('jwt expired');
+      expect(mockValidateToken).toHaveBeenCalledWith('expired-token');
+    });
+
+    it('should reject request with invalid token signature', async () => {
+      mockValidateToken.mockResolvedValue(createInvalidResult('invalid signature'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/invalid-user/items/jwt-test-invalid-sig')
+        .set('Authorization', 'Bearer tampered-token')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('invalid signature');
+    });
+
+    it('should reject request with malformed token', async () => {
+      mockValidateToken.mockResolvedValue(createInvalidResult('Invalid token format'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/malformed-user/items/jwt-test-malformed')
+        .set('Authorization', 'Bearer not.a.valid.jwt.token')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Invalid token format');
+    });
+
+    it('should reject request when token is missing key ID (kid)', async () => {
+      mockValidateToken.mockResolvedValue(createInvalidResult('Token missing key ID (kid)'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/nokid-user/items/jwt-test-nokid')
+        .set('Authorization', 'Bearer token-without-kid')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Token missing key ID');
+    });
+
+    it('should reject request when signing key cannot be found', async () => {
+      mockValidateToken.mockResolvedValue(createInvalidResult('Unable to find signing key'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/nokey-user/items/jwt-test-nokey')
+        .set('Authorization', 'Bearer token-with-unknown-kid')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Unable to find signing key');
+    });
+
+    it('should reject dismiss request without valid token', async () => {
+      // First create the item with a valid token
+      mockValidateToken.mockResolvedValue(createValidResult('dismiss-noauth-user'));
+
+      await request(app.getHttpServer())
+        .get('/v1/users/dismiss-noauth-user/items/jwt-test-dismiss-fail')
+        .set('Authorization', 'Bearer valid-token')
+        .expect(200);
+
+      // Reset mock and try to dismiss without token
+      mockValidateToken.mockReset();
+
+      const response = await request(app.getHttpServer())
+        .delete('/v1/users/dismiss-noauth-user/items/jwt-test-dismiss-fail')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+    });
+
+    it('should reject restore request without valid token', async () => {
+      // First create and dismiss the item with a valid token
+      mockValidateToken.mockResolvedValue(createValidResult('restore-noauth-user'));
+
+      await request(app.getHttpServer())
+        .get('/v1/users/restore-noauth-user/items/jwt-test-restore-fail')
+        .set('Authorization', 'Bearer valid-token')
+        .expect(200);
+
+      await request(app.getHttpServer())
+        .delete('/v1/users/restore-noauth-user/items/jwt-test-restore-fail')
+        .set('Authorization', 'Bearer valid-token')
+        .expect(200);
+
+      // Reset mock and try to restore without token
+      mockValidateToken.mockReset();
+
+      const response = await request(app.getHttpServer())
+        .post('/v1/users/restore-noauth-user/items/jwt-test-restore-fail')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('Missing or invalid bearer token');
+    });
+  });
+
+  describe('Token validation edge cases', () => {
+    it('should validate token for each request independently', async () => {
+      // First request with valid token
+      mockValidateToken.mockResolvedValueOnce(createValidResult('multi-user'));
+
+      await request(app.getHttpServer())
+        .get('/v1/users/multi-user/items/jwt-test-multi-1')
+        .set('Authorization', 'Bearer token-1')
+        .expect(200);
+
+      // Second request with different valid token
+      mockValidateToken.mockResolvedValueOnce(createValidResult('multi-user'));
+
+      await request(app.getHttpServer())
+        .get('/v1/users/multi-user/items/jwt-test-multi-2')
+        .set('Authorization', 'Bearer token-2')
+        .expect(200);
+
+      expect(mockValidateToken).toHaveBeenCalledTimes(2);
+      expect(mockValidateToken).toHaveBeenNthCalledWith(1, 'token-1');
+      expect(mockValidateToken).toHaveBeenNthCalledWith(2, 'token-2');
+    });
+
+    it('should handle validation service errors gracefully', async () => {
+      mockValidateToken.mockRejectedValue(new Error('JWKS client error'));
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/error-user/items/jwt-test-error')
+        .set('Authorization', 'Bearer some-token')
+        .expect(500);
+
+      // Generic errors are handled by NestJS default exception filter
+      // which returns { statusCode, message, error } format
+      expect(response.body.statusCode).toBe(500);
+    });
+
+    it('should reject token with wrong issuer', async () => {
+      mockValidateToken.mockResolvedValue(
+        createInvalidResult('jwt issuer invalid. expected: https://auth.example.com'),
+      );
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/issuer-user/items/jwt-test-issuer')
+        .set('Authorization', 'Bearer wrong-issuer-token')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('issuer invalid');
+    });
+
+    it('should reject token with wrong audience', async () => {
+      mockValidateToken.mockResolvedValue(
+        createInvalidResult('jwt audience invalid. expected: dismissible-api'),
+      );
+
+      const response = await request(app.getHttpServer())
+        .get('/v1/users/audience-user/items/jwt-test-audience')
+        .set('Authorization', 'Bearer wrong-audience-token')
+        .expect(401);
+
+      expect(response.body.error).toBeDefined();
+      expect(response.body.error.message).toContain('audience invalid');
+    });
+  });
+});

package/test/restore.e2e-spec.ts

@@ -0,0 +1,63 @@
+import { INestApplication } from '@nestjs/common';
+import request from 'supertest';
+import { join } from 'path';
+import { createTestApp, cleanupTestData } from '../src/app-test.factory';
+
+describe('POST /v1/users/:userId/items/:id (restore)', () => {
+  let app: INestApplication;
+
+  beforeAll(async () => {
+    app = await createTestApp({
+      moduleOptions: {
+        configPath: join(__dirname, 'config'),
+      },
+    });
+    await cleanupTestData(app);
+  });
+
+  afterAll(async () => {
+    await cleanupTestData(app);
+    await app.close();
+  });
+
+  it('should restore a dismissed item', async () => {
+    const userId = 'user-restore-1';
+    // Create and dismiss the item
+    await request(app.getHttpServer()).get(`/v1/users/${userId}/items/restore-test-1`).expect(200);
+
+    await request(app.getHttpServer())
+      .delete(`/v1/users/${userId}/items/restore-test-1`)
+      .expect(200);
+
+    // Restore it
+    const response = await request(app.getHttpServer())
+      .post(`/v1/users/${userId}/items/restore-test-1`)
+      .expect(201);
+
+    expect(response.body.data).toBeDefined();
+    expect(response.body.data.dismissedAt).toBeUndefined();
+  });
+
+  it('should return 400 when restoring non-existent item', async () => {
+    const response = await request(app.getHttpServer())
+      .post('/v1/users/user-123/items/non-existent-restore')
+      .expect(400);
+
+    expect(response.body.error).toBeDefined();
+    expect(response.body.error.message).toContain('not found');
+  });
+
+  it('should return 400 when restoring non-dismissed item', async () => {
+    const userId = 'user-restore-2';
+    // Create item but don't dismiss it
+    await request(app.getHttpServer()).get(`/v1/users/${userId}/items/restore-test-2`).expect(200);
+
+    // Try to restore
+    const response = await request(app.getHttpServer())
+      .post(`/v1/users/${userId}/items/restore-test-2`)
+      .expect(400);
+
+    expect(response.body.error).toBeDefined();
+    expect(response.body.error.message).toContain('not dismissed');
+  });
+});

package/tsconfig.e2e.json

@@ -0,0 +1,12 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../dist/out-tsc",
+    "module": "commonjs",
+    "types": ["node", "jest"],
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "target": "ES2021"
+  },
+  "include": ["test/**/*.e2e-spec.ts", "src/**/*.ts"]
+}

package/tsconfig.spec.json

@@ -0,0 +1,12 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../dist/out-tsc",
+    "module": "commonjs",
+    "types": ["node", "jest"],
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "target": "ES2021"
+  },
+  "include": ["src/**/*.spec.ts", "src/**/*.test.ts"]
+}

package/src/app.e2e-spec.ts

@@ -1,221 +0,0 @@
-import { INestApplication } from '@nestjs/common';
-import request from 'supertest';
-import { join } from 'path';
-import { createTestApp, cleanupTestData } from './app-test.factory';
-
-describe('Dismissible API (e2e)', () => {
-  let app: INestApplication;
-
-  beforeAll(async () => {
-    app = await createTestApp({
-      moduleOptions: {
-        configPath: join(__dirname, '../config'),
-      },
-    });
-    await cleanupTestData(app);
-  });
-
-  afterAll(async () => {
-    await cleanupTestData(app);
-    await app.close();
-  });
-
-  describe('GET /v1/user/:userId/dismissible-item/:id (get-or-create)', () => {
-    it('should create a new item on first request', async () => {
-      const response = await request(app.getHttpServer())
-        .get('/v1/user/user-123/dismissible-item/test-banner-1')
-        .expect(200);
-
-      expect(response.body.data).toBeDefined();
-      expect(response.body.data.itemId).toBe('test-banner-1');
-      expect(response.body.data.userId).toBe('user-123');
-      expect(response.body.data.createdAt).toBeDefined();
-      expect(response.body.data.dismissedAt).toBeUndefined();
-    });
-
-    it('should return existing item on subsequent requests', async () => {
-      // First request - creates the item
-      const firstResponse = await request(app.getHttpServer())
-        .get('/v1/user/user-456/dismissible-item/test-banner-2')
-        .expect(200);
-
-      const createdAt = firstResponse.body.data.createdAt;
-
-      // Second request - returns existing item
-      const secondResponse = await request(app.getHttpServer())
-        .get('/v1/user/user-456/dismissible-item/test-banner-2')
-        .expect(200);
-
-      expect(secondResponse.body.data.itemId).toBe('test-banner-2');
-      expect(secondResponse.body.data.createdAt).toBe(createdAt);
-    });
-
-    it('should store and retrieve metadata', async () => {
-      const response = await request(app.getHttpServer())
-        .get('/v1/user/user-789/dismissible-item/test-banner-metadata')
-        .query({ metadata: ['version:2', 'category:promo'] })
-        .expect(200);
-
-      expect(response.body.data.metadata).toEqual({
-        version: 2,
-        category: 'promo',
-      });
-    });
-  });
-
-  describe('DELETE /v1/user/:userId/dismissible-item/:id (dismiss)', () => {
-    it('should dismiss an existing item', async () => {
-      const userId = 'user-dismiss-1';
-      // First create the item
-      await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/dismiss-test-1`)
-        .expect(200);
-
-      // Then dismiss it
-      const response = await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/dismiss-test-1`)
-        .expect(200);
-
-      expect(response.body.data).toBeDefined();
-      expect(response.body.data.dismissedAt).toBeDefined();
-    });
-
-    it('should return 400 when dismissing non-existent item', async () => {
-      const response = await request(app.getHttpServer())
-        .delete('/v1/user/user-123/dismissible-item/non-existent-item')
-        .expect(400);
-
-      expect(response.body.error).toBeDefined();
-      expect(response.body.error.message).toContain('not found');
-    });
-
-    it('should return 400 when dismissing already dismissed item', async () => {
-      const userId = 'user-dismiss-2';
-      // Create the item
-      await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/dismiss-test-2`)
-        .expect(200);
-
-      // Dismiss it first time
-      await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/dismiss-test-2`)
-        .expect(200);
-
-      // Try to dismiss again
-      const response = await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/dismiss-test-2`)
-        .expect(400);
-
-      expect(response.body.error).toBeDefined();
-      expect(response.body.error.message).toContain('already dismissed');
-    });
-  });
-
-  describe('POST /v1/user/:userId/dismissible-item/:id (restore)', () => {
-    it('should restore a dismissed item', async () => {
-      const userId = 'user-restore-1';
-      // Create and dismiss the item
-      await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/restore-test-1`)
-        .expect(200);
-
-      await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/restore-test-1`)
-        .expect(200);
-
-      // Restore it
-      const response = await request(app.getHttpServer())
-        .post(`/v1/user/${userId}/dismissible-item/restore-test-1`)
-        .expect(201);
-
-      expect(response.body.data).toBeDefined();
-      expect(response.body.data.dismissedAt).toBeUndefined();
-    });
-
-    it('should return 400 when restoring non-existent item', async () => {
-      const response = await request(app.getHttpServer())
-        .post('/v1/user/user-123/dismissible-item/non-existent-restore')
-        .expect(400);
-
-      expect(response.body.error).toBeDefined();
-      expect(response.body.error.message).toContain('not found');
-    });
-
-    it('should return 400 when restoring non-dismissed item', async () => {
-      const userId = 'user-restore-2';
-      // Create item but don't dismiss it
-      await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/restore-test-2`)
-        .expect(200);
-
-      // Try to restore
-      const response = await request(app.getHttpServer())
-        .post(`/v1/user/${userId}/dismissible-item/restore-test-2`)
-        .expect(400);
-
-      expect(response.body.error).toBeDefined();
-      expect(response.body.error.message).toContain('not dismissed');
-    });
-  });
-
-  describe('Full lifecycle flow', () => {
-    it('should handle create -> dismiss -> restore -> dismiss cycle', async () => {
-      const userId = 'lifecycle-user';
-      const itemId = 'lifecycle-test';
-
-      // Create
-      const createResponse = await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(200);
-
-      expect(createResponse.body.data.dismissedAt).toBeUndefined();
-
-      // Dismiss
-      const dismissResponse = await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(200);
-
-      expect(dismissResponse.body.data.dismissedAt).toBeDefined();
-
-      // Restore
-      const restoreResponse = await request(app.getHttpServer())
-        .post(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(201);
-
-      expect(restoreResponse.body.data.dismissedAt).toBeUndefined();
-
-      // Dismiss again
-      const dismissAgainResponse = await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(200);
-
-      expect(dismissAgainResponse.body.data.dismissedAt).toBeDefined();
-    });
-
-    it('should preserve metadata through dismiss and restore', async () => {
-      const userId = 'user-metadata';
-      const itemId = 'metadata-preserve-test';
-
-      // Create with metadata
-      await request(app.getHttpServer())
-        .get(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .query({ metadata: ['key:value', 'count:42'] })
-        .expect(200);
-
-      // Dismiss
-      await request(app.getHttpServer())
-        .delete(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(200);
-
-      // Restore and verify metadata
-      const restoreResponse = await request(app.getHttpServer())
-        .post(`/v1/user/${userId}/dismissible-item/${itemId}`)
-        .expect(201);
-
-      expect(restoreResponse.body.data.metadata).toEqual({
-        key: 'value',
-        count: 42,
-      });
-    });
-  });
-});

package/src/utils/index.ts

@@ -1,2 +0,0 @@
-export * from './transform-boolean.decorator';
-export * from './transform-comma-separated.decorator';