@libredb/studio 0.9.7

package/tests/api/auth/logout.test.ts

@@ -0,0 +1,140 @@
+import { describe, test, expect, mock, beforeEach, afterEach } from 'bun:test';
+import { parseResponseJSON } from '../../helpers/mock-next';
+
+// ─── Mock @/lib/auth BEFORE importing the route ─────────────────────────────
+const mockLogout = mock(async () => {});
+
+mock.module('@/lib/auth', () => ({
+  login: mock(async () => {}),
+  signJWT: mock(async () => 'mock-token'),
+  verifyJWT: mock(async () => null),
+  getSession: mock(async () => null),
+  logout: mockLogout,
+}));
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const mockBuildLogoutUrl = mock((_returnTo: string) => null as string | null);
+
+const mockGetPublicOrigin = mock(
+  (req: Request) => new URL(req.url).origin
+);
+
+mock.module('@/lib/oidc', () => ({
+  buildLogoutUrl: mockBuildLogoutUrl,
+  getPublicOrigin: mockGetPublicOrigin,
+  getOIDCConfig: mock(() => ({})),
+  discoverProvider: mock(async () => ({})),
+  generateAuthUrl: mock(async () => ({})),
+  encryptState: mock(async () => ''),
+  decryptState: mock(async () => ({})),
+  exchangeCode: mock(async () => ({})),
+  mapOIDCRole: mock(() => 'user'),
+  resetDiscoveryCache: mock(() => {}),
+}));
+
+// ─── Import route handler AFTER mocking ─────────────────────────────────────
+const { POST } = await import('@/app/api/auth/logout/route');
+
+function makeRequest(url = 'http://localhost:3000/api/auth/logout') {
+  return new Request(url, { method: 'POST' });
+}
+
+// ─── Tests (local auth mode) ────────────────────────────────────────────────
+describe('POST /api/auth/logout (local)', () => {
+  beforeEach(() => {
+    mockLogout.mockClear();
+    mockBuildLogoutUrl.mockClear();
+    process.env.NEXT_PUBLIC_AUTH_PROVIDER = 'local';
+  });
+
+  test('returns 200 with success true', async () => {
+    const res = await POST(makeRequest() as never);
+    const data = await parseResponseJSON<{ success: boolean }>(res);
+
+    expect(res.status).toBe(200);
+    expect(data.success).toBe(true);
+  });
+
+  test('calls logout() once', async () => {
+    await POST(makeRequest() as never);
+
+    expect(mockLogout).toHaveBeenCalledTimes(1);
+  });
+
+  test('does not return redirectUrl in local mode', async () => {
+    const res = await POST(makeRequest() as never);
+    const data = await parseResponseJSON<{ success: boolean; redirectUrl?: string }>(res);
+
+    expect(data.redirectUrl).toBeUndefined();
+  });
+
+  test('multiple logouts all succeed', async () => {
+    const res1 = await POST(makeRequest() as never);
+    const res2 = await POST(makeRequest() as never);
+    const res3 = await POST(makeRequest() as never);
+
+    const data1 = await parseResponseJSON<{ success: boolean }>(res1);
+    const data2 = await parseResponseJSON<{ success: boolean }>(res2);
+    const data3 = await parseResponseJSON<{ success: boolean }>(res3);
+
+    expect(data1.success).toBe(true);
+    expect(data2.success).toBe(true);
+    expect(data3.success).toBe(true);
+    expect(mockLogout).toHaveBeenCalledTimes(3);
+  });
+});
+
+// ─── Tests (OIDC auth mode) ─────────────────────────────────────────────────
+describe('POST /api/auth/logout (oidc)', () => {
+  beforeEach(() => {
+    mockLogout.mockClear();
+    mockBuildLogoutUrl.mockClear();
+    process.env.NEXT_PUBLIC_AUTH_PROVIDER = 'oidc';
+  });
+
+  afterEach(() => {
+    process.env.NEXT_PUBLIC_AUTH_PROVIDER = 'local';
+  });
+
+  test('returns redirectUrl when OIDC logout URL is available', async () => {
+    mockBuildLogoutUrl.mockReturnValue(
+      'https://auth0.com/v2/logout?client_id=abc&returnTo=http://localhost:3000/login'
+    );
+
+    const res = await POST(makeRequest() as never);
+    const data = await parseResponseJSON<{ success: boolean; redirectUrl?: string }>(res);
+
+    expect(res.status).toBe(200);
+    expect(data.success).toBe(true);
+    expect(data.redirectUrl).toBe(
+      'https://auth0.com/v2/logout?client_id=abc&returnTo=http://localhost:3000/login'
+    );
+  });
+
+  test('calls buildLogoutUrl with correct returnTo', async () => {
+    mockBuildLogoutUrl.mockReturnValue('https://auth0.com/v2/logout');
+
+    await POST(makeRequest('http://localhost:3000/api/auth/logout') as never);
+
+    expect(mockBuildLogoutUrl).toHaveBeenCalledWith('http://localhost:3000/login');
+  });
+
+  test('returns success without redirectUrl when buildLogoutUrl returns null', async () => {
+    mockBuildLogoutUrl.mockReturnValue(null);
+
+    const res = await POST(makeRequest() as never);
+    const data = await parseResponseJSON<{ success: boolean; redirectUrl?: string }>(res);
+
+    expect(res.status).toBe(200);
+    expect(data.success).toBe(true);
+    expect(data.redirectUrl).toBeUndefined();
+  });
+
+  test('calls logout() even in OIDC mode', async () => {
+    mockBuildLogoutUrl.mockReturnValue('https://auth0.com/v2/logout');
+
+    await POST(makeRequest() as never);
+
+    expect(mockLogout).toHaveBeenCalledTimes(1);
+  });
+});

package/tests/api/auth/me.test.ts

@@ -0,0 +1,73 @@
+import { describe, test, expect, mock, beforeEach } from 'bun:test';
+import { parseResponseJSON } from '../../helpers/mock-next';
+
+// ─── Mock @/lib/auth BEFORE importing the route ─────────────────────────────
+const mockGetSession = mock(async () => null as { role: string; username: string } | null);
+
+mock.module('@/lib/auth', () => ({
+  login: mock(async () => {}),
+  signJWT: mock(async () => 'mock-token'),
+  verifyJWT: mock(async () => null),
+  getSession: mockGetSession,
+  logout: mock(async () => {}),
+}));
+
+// ─── Import route handler AFTER mocking ─────────────────────────────────────
+const { GET } = await import('@/app/api/auth/me/route');
+
+// ─── Tests ──────────────────────────────────────────────────────────────────
+describe('GET /api/auth/me', () => {
+  beforeEach(() => {
+    mockGetSession.mockClear();
+  });
+
+  test('returns 200 with authenticated true when session exists', async () => {
+    mockGetSession.mockResolvedValueOnce({ role: 'admin', username: 'admin' });
+
+    const res = await GET();
+    const data = await parseResponseJSON<{
+      authenticated: boolean;
+      user: { role: string; username: string };
+    }>(res);
+
+    expect(res.status).toBe(200);
+    expect(data.authenticated).toBe(true);
+    expect(data.user).toEqual({ role: 'admin', username: 'admin' });
+  });
+
+  test('returns 401 with authenticated false when no session', async () => {
+    mockGetSession.mockResolvedValueOnce(null);
+
+    const res = await GET();
+    const data = await parseResponseJSON<{ authenticated: boolean }>(res);
+
+    expect(res.status).toBe(401);
+    expect(data.authenticated).toBe(false);
+  });
+
+  test('returns admin role session data', async () => {
+    mockGetSession.mockResolvedValueOnce({ role: 'admin', username: 'admin' });
+
+    const res = await GET();
+    const data = await parseResponseJSON<{
+      authenticated: boolean;
+      user: { role: string; username: string };
+    }>(res);
+
+    expect(data.user.role).toBe('admin');
+    expect(data.user.username).toBe('admin');
+  });
+
+  test('returns user role session data', async () => {
+    mockGetSession.mockResolvedValueOnce({ role: 'user', username: 'user' });
+
+    const res = await GET();
+    const data = await parseResponseJSON<{
+      authenticated: boolean;
+      user: { role: string; username: string };
+    }>(res);
+
+    expect(data.user.role).toBe('user');
+    expect(data.user.username).toBe('user');
+  });
+});

package/tests/api/auth/oidc-callback.test.ts

@@ -0,0 +1,215 @@
+import { describe, test, expect, mock, beforeEach } from 'bun:test';
+
+// ─── Mock dependencies ─────────────────────────────────────────────────────
+
+const mockDecryptState = mock(async () => ({
+  code_verifier: 'test-verifier',
+  state: 'test-state',
+  nonce: 'test-nonce',
+}));
+
+const mockGetOIDCConfig = mock(() => ({
+  issuer: 'https://example.auth0.com',
+  clientId: 'test-client-id',
+  clientSecret: 'test-client-secret',
+  scope: 'openid profile email',
+  roleClaim: 'roles',
+  adminRoles: ['admin'],
+}));
+
+const mockDiscoverProvider = mock(async () => 'mock-config');
+
+const defaultClaims = {
+  sub: 'user-123',
+  email: 'user@example.com',
+  preferred_username: 'testuser',
+};
+
+const mockExchangeCode = mock(async () => ({ ...defaultClaims }) as Record<string, unknown> | null);
+
+const mockMapOIDCRole = mock(
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  (_claims: Record<string, unknown>, _roleClaim: string, _adminRoles: string[]) =>
+    'user' as 'admin' | 'user'
+);
+
+const mockGetPublicOrigin = mock(
+  (req: Request) => new URL(req.url).origin
+);
+
+mock.module('@/lib/oidc', () => ({
+  getOIDCConfig: mockGetOIDCConfig,
+  discoverProvider: mockDiscoverProvider,
+  generateAuthUrl: mock(async () => ({})),
+  encryptState: mock(async () => ''),
+  decryptState: mockDecryptState,
+  exchangeCode: mockExchangeCode,
+  mapOIDCRole: mockMapOIDCRole,
+  resetDiscoveryCache: mock(() => {}),
+  getPublicOrigin: mockGetPublicOrigin,
+}));
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const mockLogin = mock(async (_role: string, _username?: string) => {});
+
+mock.module('@/lib/auth', () => ({
+  login: mockLogin,
+  signJWT: mock(async () => 'mock-token'),
+  verifyJWT: mock(async () => null),
+  getSession: mock(async () => null),
+  logout: mock(async () => {}),
+}));
+
+const mockCookieGet = mock(
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  (_name: string) => ({ value: 'encrypted-state-cookie' }) as { value: string } | undefined
+);
+
+const mockCookieStore = {
+  get: mockCookieGet,
+  set: mock(() => {}),
+  delete: mock(() => {}),
+};
+
+mock.module('next/headers', () => ({
+  cookies: mock(async () => mockCookieStore),
+}));
+
+// ─── Import route handler AFTER mocking ─────────────────────────────────────
+
+const { GET } = await import('@/app/api/auth/oidc/callback/route');
+
+// ─── Tests ──────────────────────────────────────────────────────────────────
+
+describe('GET /api/auth/oidc/callback', () => {
+  beforeEach(() => {
+    mockDecryptState.mockClear();
+    mockGetOIDCConfig.mockClear();
+    mockDiscoverProvider.mockClear();
+    mockExchangeCode.mockClear();
+    mockMapOIDCRole.mockClear();
+    mockLogin.mockClear();
+    mockCookieGet.mockClear();
+    mockCookieStore.delete.mockClear();
+    mockGetPublicOrigin.mockClear();
+    mockGetPublicOrigin.mockImplementation((req: Request) => new URL(req.url).origin);
+
+    // Reset defaults
+    mockCookieGet.mockReturnValue({ value: 'encrypted-state-cookie' });
+    mockMapOIDCRole.mockReturnValue('user');
+    mockExchangeCode.mockImplementation(async () => ({ ...defaultClaims }));
+  });
+
+  test('exchanges code and creates local session', async () => {
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(mockDecryptState).toHaveBeenCalledWith('encrypted-state-cookie');
+    expect(mockExchangeCode).toHaveBeenCalledTimes(1);
+    expect(mockLogin).toHaveBeenCalledWith('user', 'user@example.com');
+    expect(res.status).toBe(307);
+    expect(res.headers.get('location')).toContain('/');
+  });
+
+  test('redirects admin to /admin', async () => {
+    mockMapOIDCRole.mockReturnValue('admin');
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(mockLogin).toHaveBeenCalledWith('admin', 'user@example.com');
+    expect(res.headers.get('location')).toContain('/admin');
+  });
+
+  test('deletes oidc-state cookie after success', async () => {
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    await GET(req);
+
+    expect(mockCookieStore.delete).toHaveBeenCalledWith('oidc-state');
+  });
+
+  test('redirects to /login?error=oidc_state_missing when no cookie', async () => {
+    mockCookieGet.mockReturnValue(undefined);
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    expect(res.headers.get('location')).toContain('error=oidc_state_missing');
+  });
+
+  test('redirects to /login?error=oidc_state_invalid when decrypt fails', async () => {
+    mockDecryptState.mockImplementationOnce(async () => {
+      throw new Error('Invalid token');
+    });
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    expect(res.headers.get('location')).toContain('error=oidc_state_invalid');
+    expect(mockCookieStore.delete).toHaveBeenCalledWith('oidc-state');
+  });
+
+  test('redirects to /login?error=oidc_no_claims when no claims', async () => {
+    mockExchangeCode.mockImplementationOnce(async () => null);
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    expect(res.headers.get('location')).toContain('error=oidc_no_claims');
+  });
+
+  test('redirects to /login?error=oidc_failed on exchange error', async () => {
+    mockExchangeCode.mockImplementationOnce(async () => {
+      throw new Error('Token exchange failed');
+    });
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    expect(res.headers.get('location')).toContain('error=oidc_failed');
+  });
+
+  test('uses sub as username fallback when email is missing', async () => {
+    mockExchangeCode.mockImplementationOnce(async () => ({
+      sub: 'user-123',
+    }));
+
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    await GET(req);
+
+    expect(mockLogin).toHaveBeenCalledWith('user', 'user-123');
+  });
+
+  test('passes claims to mapOIDCRole with correct config', async () => {
+    const req = new Request(
+      'http://localhost:3000/api/auth/oidc/callback?code=auth-code&state=test-state'
+    );
+    await GET(req);
+
+    expect(mockMapOIDCRole).toHaveBeenCalledWith(
+      expect.objectContaining({ sub: 'user-123', email: 'user@example.com' }),
+      'roles',
+      ['admin']
+    );
+  });
+});

package/tests/api/auth/oidc-login.test.ts

@@ -0,0 +1,127 @@
+import { describe, test, expect, mock, beforeEach } from 'bun:test';
+
+// ─── Mock dependencies ─────────────────────────────────────────────────────
+
+const mockGetOIDCConfig = mock(() => ({
+  issuer: 'https://example.auth0.com',
+  clientId: 'test-client-id',
+  clientSecret: 'test-client-secret',
+  scope: 'openid profile email',
+  roleClaim: '',
+  adminRoles: ['admin'],
+}));
+
+const mockDiscoverProvider = mock(async () => 'mock-config');
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const mockGenerateAuthUrl = mock(async (_config: unknown, _redirectUri: string, _scope: string) => ({
+  url: new URL('https://example.auth0.com/authorize?state=abc&code_challenge=xyz'),
+  state: {
+    code_verifier: 'test-verifier',
+    state: 'test-state',
+    nonce: 'test-nonce',
+  },
+}));
+
+const mockEncryptState = mock(async () => 'encrypted-state-token');
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const mockCookieSet = mock((_name: string, _value: string, _options?: Record<string, unknown>) => {});
+
+const mockGetPublicOrigin = mock(
+  (req: Request) => new URL(req.url).origin
+);
+
+mock.module('@/lib/oidc', () => ({
+  getOIDCConfig: mockGetOIDCConfig,
+  discoverProvider: mockDiscoverProvider,
+  generateAuthUrl: mockGenerateAuthUrl,
+  encryptState: mockEncryptState,
+  decryptState: mock(async () => ({})),
+  exchangeCode: mock(async () => ({})),
+  mapOIDCRole: mock(() => 'user'),
+  resetDiscoveryCache: mock(() => {}),
+  getPublicOrigin: mockGetPublicOrigin,
+}));
+
+const mockCookieStore = {
+  get: mock(() => undefined),
+  set: mockCookieSet,
+  delete: mock(() => {}),
+};
+
+mock.module('next/headers', () => ({
+  cookies: mock(async () => mockCookieStore),
+}));
+
+// ─── Import route handler AFTER mocking ─────────────────────────────────────
+
+const { GET } = await import('@/app/api/auth/oidc/login/route');
+
+// ─── Tests ──────────────────────────────────────────────────────────────────
+
+describe('GET /api/auth/oidc/login', () => {
+  beforeEach(() => {
+    mockGetOIDCConfig.mockClear();
+    mockDiscoverProvider.mockClear();
+    mockGenerateAuthUrl.mockClear();
+    mockEncryptState.mockClear();
+    mockCookieSet.mockClear();
+    mockGetPublicOrigin.mockClear();
+    mockGetPublicOrigin.mockImplementation((req: Request) => new URL(req.url).origin);
+  });
+
+  test('redirects to OIDC provider authorization URL', async () => {
+    const req = new Request('http://localhost:3000/api/auth/oidc/login');
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    const location = res.headers.get('location');
+    expect(location).toBe('https://example.auth0.com/authorize?state=abc&code_challenge=xyz');
+  });
+
+  test('sets oidc-state cookie', async () => {
+    const req = new Request('http://localhost:3000/api/auth/oidc/login');
+    await GET(req);
+
+    expect(mockCookieSet).toHaveBeenCalledTimes(1);
+    const [name, value, options] = mockCookieSet.mock.calls[0];
+    expect(name).toBe('oidc-state');
+    expect(value).toBe('encrypted-state-token');
+    expect(options!.httpOnly).toBe(true);
+    expect(options!.maxAge).toBe(300);
+  });
+
+  test('uses correct redirect URI based on request origin', async () => {
+    const req = new Request('https://app.example.com/api/auth/oidc/login');
+    await GET(req);
+
+    expect(mockGenerateAuthUrl).toHaveBeenCalledTimes(1);
+    const [, redirectUri] = mockGenerateAuthUrl.mock.calls[0];
+    expect(redirectUri).toBe('https://app.example.com/api/auth/oidc/callback');
+  });
+
+  test('uses public origin from getPublicOrigin for redirect_uri', async () => {
+    mockGetPublicOrigin.mockReturnValue('https://app.libredb.org');
+
+    const req = new Request('http://0.0.0.0:10000/api/auth/oidc/login');
+    await GET(req);
+
+    expect(mockGenerateAuthUrl).toHaveBeenCalledTimes(1);
+    const [, redirectUri] = mockGenerateAuthUrl.mock.calls[0];
+    expect(redirectUri).toBe('https://app.libredb.org/api/auth/oidc/callback');
+  });
+
+  test('redirects to /login?error=oidc_config when config fails', async () => {
+    mockGetOIDCConfig.mockImplementationOnce(() => {
+      throw new Error('Missing OIDC config');
+    });
+
+    const req = new Request('http://localhost:3000/api/auth/oidc/login');
+    const res = await GET(req);
+
+    expect(res.status).toBe(307);
+    const location = res.headers.get('location');
+    expect(location).toContain('/login?error=oidc_config');
+  });
+});