@jskit-ai/auth-core 0.1.4

package/test/plugin.test.js

@@ -0,0 +1,250 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createFakeFastifyPolicyRuntime } from "../../../tooling/testUtils/fakeFastify.mjs";
+
+import { authPolicyPlugin } from "../src/server/lib/index.js";
+
+test("requires resolveActor and hasPermission dependencies", () => {
+  assert.throws(() => authPolicyPlugin(), /resolveActor is required/);
+  assert.throws(() => authPolicyPlugin({ resolveActor() {} }), /hasPermission is required/);
+});
+
+test("resolves csrf token headers and skips auth for non-api/public routes", async () => {
+  let actorCalls = 0;
+  const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const registerPlugin = authPolicyPlugin(
+    {
+      async resolveActor() {
+        actorCalls += 1;
+        return {
+          authenticated: false,
+          actor: null,
+          transientFailure: false
+        };
+      },
+      hasPermission() {
+        return true;
+      }
+    },
+    {
+      nodeEnv: "test"
+    }
+  );
+
+  await registerPlugin(fastify);
+  assert.ok(state.preHandler);
+  assert.ok(state.csrfOptions);
+  const getToken = state.csrfOptions.getToken;
+  assert.equal(getToken({ headers: { "csrf-token": "a" } }), "a");
+  assert.equal(getToken({ headers: { "x-csrf-token": "b" } }), "b");
+  assert.equal(getToken({ headers: { "x-xsrf-token": "c" } }), "c");
+  assert.equal(getToken({ headers: {} }), null);
+
+  await state.preHandler({ method: "GET", raw: { url: "/health" }, routeOptions: {} }, {});
+  await state.preHandler(
+    {
+      method: "GET",
+      raw: { url: "/api/public" },
+      routeOptions: {
+        config: {
+          authPolicy: "public"
+        }
+      }
+    },
+    {}
+  );
+  assert.equal(actorCalls, 0);
+});
+
+test("propagates csrf callback error", async () => {
+  const { fastify, state } = createFakeFastifyPolicyRuntime({
+    csrfHandler(_request, _reply, done) {
+      done(new Error("csrf callback failed"));
+    }
+  });
+
+  const registerPlugin = authPolicyPlugin({
+    async resolveActor() {
+      return {
+        authenticated: false,
+        actor: null,
+        transientFailure: false
+      };
+    },
+    hasPermission() {
+      return true;
+    }
+  });
+
+  await registerPlugin(fastify);
+  await assert.rejects(
+    () =>
+      state.preHandler(
+        {
+          method: "POST",
+          raw: { url: "/api/public-action" },
+          routeOptions: {
+            config: {
+              authPolicy: "public"
+            }
+          },
+          headers: {}
+        },
+        {}
+      ),
+    /csrf callback failed/
+  );
+});
+
+test("enforces own policy owner checks and invalid policy guard", async () => {
+  const denyEvents = [];
+  const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const registerPlugin = authPolicyPlugin({
+    async resolveActor(request) {
+      if (request.headers?.["x-profile"] === "null") {
+        return {
+          authenticated: true,
+          actor: null,
+          transientFailure: false
+        };
+      }
+
+      return {
+        authenticated: true,
+        actor: {
+          id: 7
+        },
+        transientFailure: false
+      };
+    },
+    hasPermission() {
+      return true;
+    },
+    onPolicyDenied(event) {
+      denyEvents.push(event);
+    }
+  });
+
+  await registerPlugin(fastify);
+
+  await assert.rejects(
+    () =>
+      state.preHandler(
+        {
+          method: "GET",
+          raw: { url: "/api/own-a" },
+          headers: { "x-profile": "null" },
+          routeOptions: {
+            config: {
+              authPolicy: "own",
+              ownerResolver({ user }) {
+                assert.equal(user, null);
+                return 1;
+              }
+            }
+          }
+        },
+        {}
+      ),
+    /Route owner could not be resolved/
+  );
+
+  await assert.rejects(
+    () =>
+      state.preHandler(
+        {
+          method: "GET",
+          raw: { url: "/api/own-b" },
+          headers: {},
+          params: { id: 99 },
+          routeOptions: {
+            config: {
+              authPolicy: "own",
+              ownerParam: "id",
+              userField: "id"
+            }
+          }
+        },
+        {}
+      ),
+    /Forbidden/
+  );
+
+  await assert.rejects(
+    () =>
+      state.preHandler(
+        {
+          method: "GET",
+          raw: { url: "/api/bad-policy" },
+          headers: {},
+          routeOptions: {
+            config: {
+              authPolicy: "unknown-policy"
+            }
+          }
+        },
+        {}
+      ),
+    /Invalid route auth policy configuration/
+  );
+
+  assert.deepEqual(
+    denyEvents.map((event) => event.reason),
+    ["owner_unresolved", "forbidden_owner_mismatch", "invalid_auth_policy"]
+  );
+});
+
+test("enforces permission checks and resolves workspace context when requested", async () => {
+  const denyEvents = [];
+  const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const registerPlugin = authPolicyPlugin({
+    async resolveActor() {
+      return {
+        authenticated: true,
+        actor: {
+          id: 7
+        },
+        transientFailure: false
+      };
+    },
+    async resolveContext() {
+      return {
+        workspace: {
+          id: 11
+        },
+        membership: {
+          roleId: "member"
+        },
+        permissions: []
+      };
+    },
+    hasPermission({ permission, permissions }) {
+      return Array.isArray(permissions) && permissions.includes(permission);
+    },
+    onPolicyDenied(event) {
+      denyEvents.push(event);
+    }
+  });
+
+  await registerPlugin(fastify);
+  await assert.rejects(
+    () =>
+      state.preHandler(
+        {
+          method: "GET",
+          raw: { url: "/api/workspace/projects" },
+          routeOptions: {
+            config: {
+              authPolicy: "required",
+              contextPolicy: "required",
+              permission: "projects.read"
+            }
+          }
+        },
+        {}
+      ),
+    /Forbidden/
+  );
+
+  assert.deepEqual(denyEvents.map((event) => event.reason), ["forbidden_permission"]);
+});

package/test/providerRuntime.test.js

@@ -0,0 +1,114 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { AUTH_POLICY_CONTEXT_RESOLVER_TOKEN } from "../src/server/lib/tokens.js";
+import { FastifyAuthPolicyServiceProvider } from "../src/server/providers/FastifyAuthPolicyServiceProvider.js";
+import { createFakeFastifyPolicyRuntime } from "../../../tooling/testUtils/fakeFastify.mjs";
+
+test("FastifyAuthPolicyServiceProvider registers auth policy plugin through provider boot", async () => {
+  const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const bag = new Map([
+    [KERNEL_TOKENS.Fastify, fastify],
+    [KERNEL_TOKENS.Env, { NODE_ENV: "test" }],
+    [KERNEL_TOKENS.Logger, console],
+    [
+      "authService",
+      {
+        async authenticateRequest() {
+          return {
+            authenticated: false,
+            actor: null,
+            transientFailure: false
+          };
+        }
+      }
+    ]
+  ]);
+
+  const app = {
+    has(token) {
+      return bag.has(token);
+    },
+    make(token) {
+      if (!bag.has(token)) {
+        throw new Error(`Missing token ${String(token)}`);
+      }
+      return bag.get(token);
+    }
+  };
+
+  const provider = new FastifyAuthPolicyServiceProvider();
+  provider.register(app);
+  await provider.boot(app);
+
+  assert.ok(state.requestDecorators.has("user"));
+  assert.ok(state.requestDecorators.has("workspace"));
+  assert.ok(state.requestDecorators.has("membership"));
+  assert.ok(state.requestDecorators.has("permissions"));
+  assert.equal(typeof state.preHandler, "function");
+  assert.ok(state.registeredPlugins.length >= 3);
+});
+
+test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolver", async () => {
+  const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const bag = new Map([
+    [KERNEL_TOKENS.Fastify, fastify],
+    [KERNEL_TOKENS.Env, { NODE_ENV: "test" }],
+    [KERNEL_TOKENS.Logger, console],
+    [
+      "authService",
+      {
+        async authenticateRequest() {
+          return {
+            authenticated: true,
+            actor: { id: 7 },
+            transientFailure: false
+          };
+        }
+      }
+    ],
+    [
+      AUTH_POLICY_CONTEXT_RESOLVER_TOKEN,
+      async ({ actor, request }) => ({
+        workspace: { id: 11, slug: String(request?.params?.workspaceSlug || "").toLowerCase() },
+        membership: { roleId: "member" },
+        permissions: actor?.id === 7 ? ["projects.read"] : []
+      })
+    ]
+  ]);
+
+  const app = {
+    has(token) {
+      return bag.has(token);
+    },
+    make(token) {
+      if (!bag.has(token)) {
+        throw new Error(`Missing token ${String(token)}`);
+      }
+      return bag.get(token);
+    }
+  };
+
+  const provider = new FastifyAuthPolicyServiceProvider();
+  provider.register(app);
+  await provider.boot(app);
+
+  const request = {
+    method: "GET",
+    raw: { url: "/api/w/acme/projects" },
+    params: { workspaceSlug: "ACME" },
+    routeOptions: {
+      config: {
+        authPolicy: "required",
+        contextPolicy: "required",
+        permission: "projects.read"
+      }
+    }
+  };
+
+  await state.preHandler(request, {});
+  assert.equal(request.workspace?.id, 11);
+  assert.equal(request.workspace?.slug, "acme");
+  assert.equal(request.membership?.roleId, "member");
+  assert.deepEqual(request.permissions, ["projects.read"]);
+});

package/test/routeMeta.test.js

@@ -0,0 +1,95 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import { mergeAuthPolicy, withAuthPolicy } from "../src/server/lib/index.js";
+
+test("withAuthPolicy applies stable defaults", () => {
+  const wrapped = withAuthPolicy();
+  assert.deepEqual(wrapped, {
+    config: {
+      authPolicy: "public",
+      contextPolicy: "none",
+      surface: "",
+      permission: "",
+      ownerParam: null,
+      userField: "id",
+      ownerResolver: null,
+      csrfProtection: true
+    }
+  });
+});
+
+test("mergeAuthPolicy preserves existing config fields and adds auth policy defaults", () => {
+  const merged = mergeAuthPolicy(
+    {
+      method: "GET",
+      url: "/api/example",
+      config: {
+        rateLimit: {
+          max: 5,
+          timeWindow: "1 minute"
+        }
+      }
+    },
+    {}
+  );
+
+  assert.deepEqual(merged.config, {
+    rateLimit: {
+      max: 5,
+      timeWindow: "1 minute"
+    },
+    authPolicy: "public",
+    contextPolicy: "none",
+    surface: "",
+    permission: "",
+    ownerParam: null,
+    userField: "id",
+    ownerResolver: null,
+    csrfProtection: true
+  });
+});
+
+test("mergeAuthPolicy normalizes policy metadata and keeps explicit settings", () => {
+  const resolver = () => 7;
+  const merged = mergeAuthPolicy(
+    {
+      config: {
+        authPolicy: "public",
+        contextPolicy: "none"
+      }
+    },
+    {
+      authPolicy: "own",
+      contextPolicy: "required",
+      surface: "admin",
+      permission: "workspace.members.manage",
+      ownerParam: "userId",
+      userField: "id",
+      ownerResolver: resolver,
+      csrfProtection: false
+    }
+  );
+
+  assert.equal(merged.config.authPolicy, "own");
+  assert.equal(merged.config.contextPolicy, "required");
+  assert.equal(merged.config.surface, "admin");
+  assert.equal(merged.config.permission, "workspace.members.manage");
+  assert.equal(merged.config.ownerParam, "userId");
+  assert.equal(merged.config.userField, "id");
+  assert.equal(merged.config.ownerResolver, resolver);
+  assert.equal(merged.config.csrfProtection, false);
+});
+
+test("mergeAuthPolicy coerces unsupported owner resolver values to null", () => {
+  const merged = mergeAuthPolicy(
+    {
+      config: {
+        ownerResolver: "not-a-function"
+      }
+    },
+    {}
+  );
+
+  assert.equal(merged.config.ownerResolver, null);
+});

package/test/routeVisibilityResolver.test.js

@@ -0,0 +1,34 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createAuthRouteVisibilityResolver } from "../src/server/lib/routeVisibilityResolver.js";
+
+test("auth route visibility resolver contributes actor scope for core user visibility only", () => {
+  const resolver = createAuthRouteVisibilityResolver();
+
+  assert.deepEqual(
+    resolver.resolve({
+      visibility: "user",
+      context: {
+        actor: {
+          id: "user_7"
+        }
+      }
+    }),
+    {
+      userOwnerId: "user_7",
+      requiresActorScope: true
+    }
+  );
+
+  assert.deepEqual(
+    resolver.resolve({
+      visibility: "workspace_user",
+      context: {
+        actor: {
+          id: "user_7"
+        }
+      }
+    }),
+    {}
+  );
+});

package/test/serverUtils.test.js

@@ -0,0 +1,28 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import { normalizeReturnToPath } from "../src/server/utils.js";
+
+test("normalizeReturnToPath keeps internal paths", () => {
+  assert.equal(normalizeReturnToPath("/w/acme"), "/w/acme");
+});
+
+test("normalizeReturnToPath allows absolute urls for configured origins", () => {
+  assert.equal(
+    normalizeReturnToPath("https://app.example.com/w/acme", {
+      fallback: "/",
+      allowedOrigins: ["https://app.example.com", "https://admin.example.com"]
+    }),
+    "https://app.example.com/w/acme"
+  );
+});
+
+test("normalizeReturnToPath rejects absolute urls for unconfigured origins", () => {
+  assert.equal(
+    normalizeReturnToPath("https://evil.example.com/phishing", {
+      fallback: "/",
+      allowedOrigins: ["https://app.example.com"]
+    }),
+    "/"
+  );
+});

package/test/signOutFlow.test.js

@@ -0,0 +1,67 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import { runAuthSignOutFlow } from "../src/client/signOutFlow.js";
+
+test("runAuthSignOutFlow executes logout then cleanup hooks", async () => {
+  const calls = [];
+  await runAuthSignOutFlow({
+    authApi: {
+      async logout() {
+        calls.push("logout");
+      }
+    },
+    clearCsrfTokenCache() {
+      calls.push("clearCsrf");
+    },
+    async afterSignOut() {
+      calls.push("afterSignOut");
+    }
+  });
+
+  assert.deepEqual(calls, ["logout", "clearCsrf", "afterSignOut"]);
+});
+
+test("runAuthSignOutFlow runs cleanup hooks when logout fails and rethrows error", async () => {
+  const calls = [];
+  const expectedError = new Error("logout failed");
+
+  await assert.rejects(
+    () =>
+      runAuthSignOutFlow({
+        authApi: {
+          async logout() {
+            calls.push("logout");
+            throw expectedError;
+          }
+        },
+        clearCsrfTokenCache() {
+          calls.push("clearCsrf");
+        },
+        async afterSignOut() {
+          calls.push("afterSignOut");
+        }
+      }),
+    expectedError
+  );
+
+  assert.deepEqual(calls, ["logout", "clearCsrf", "afterSignOut"]);
+});
+
+test("runAuthSignOutFlow validates authApi logout shape", async () => {
+  await assert.rejects(
+    () =>
+      runAuthSignOutFlow({
+        authApi: null
+      }),
+    /requires authApi/
+  );
+
+  await assert.rejects(
+    () =>
+      runAuthSignOutFlow({
+        authApi: {}
+      }),
+    /requires authApi\.logout/
+  );
+});