@lobb-js/lobb-ext-auth 0.11.0 → 0.11.2

package/extensions/auth/tests/collections/shares.test.ts

@@ -0,0 +1,657 @@
+import { Lobb } from "@lobb-js/core";
+import { afterAll, beforeAll, describe, it, expect } from "bun:test";
+import { authConfig } from "../configs/auth.ts";
+
+describe("auth_shares", () => {
+  let lobb: Lobb;
+  let baseUrl: string;
+  let adminUserId: number;
+  let publishedArticleId: number;
+
+  // Helper: create a share row via the service layer. Token is generated
+  // server-side by the auth_generateShareToken workflow and returned in
+  // the response — never supplied by the caller.
+  async function createShare(args: {
+    permissions: unknown;
+    expires_at?: string;
+    label?: string;
+  }): Promise<string> {
+    const created = await lobb.collectionService.createOne({
+      collectionName: "auth_shares",
+      data: {
+        label: args.label,
+        permissions: JSON.stringify(args.permissions),
+        expires_at: args.expires_at
+          ?? new Date(Date.now() + 60_000).toISOString(),
+        created_by: adminUserId,
+      },
+    });
+    return created.data.token;
+  }
+
+  // Helper: fetch with a Bearer token (share or session — same syntax).
+  function fetchAs(
+    token: string | null,
+    path: string,
+    init: RequestInit = {},
+  ) {
+    const headers = new Headers(init.headers ?? {});
+    if (token) headers.set("Authorization", `Bearer ${token}`);
+    return fetch(`${baseUrl}${path}`, { ...init, headers });
+  }
+
+  beforeAll(async () => {
+    lobb = await Lobb.init(authConfig);
+    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
+    adminUserId = (await lobb.collectionService.findAll({
+      collectionName: "auth_users",
+      params: { filter: { email: "admin@test.com" } },
+    })).data[0].id;
+
+    // Seed a couple of articles so we can exercise read filters.
+    publishedArticleId = (await lobb.collectionService.createOne({
+      collectionName: "articles",
+      data: {
+        title: "Published article",
+        body: "public copy",
+        published: true,
+        number_of_likes: 0,
+        user_id: adminUserId,
+      },
+    })).data.id;
+    await lobb.collectionService.createOne({
+      collectionName: "articles",
+      data: {
+        title: "Draft article",
+        body: "internal copy",
+        published: false,
+        number_of_likes: 0,
+        user_id: adminUserId,
+      },
+    });
+  });
+
+  afterAll(async () => {
+    await lobb.collectionService.deleteMany({
+      collectionName: "auth_shares",
+    });
+    await lobb.collectionService.deleteMany({
+      collectionName: "articles",
+    });
+    await lobb.close();
+  });
+
+  it("strips function-valued permission entries when stored — the JSON serialisation boundary is the safety guarantee", async () => {
+    // Build a permissions object that mixes static data with dynamic function
+    // values (the kind that would exist for a role-backed permission set).
+    // We then `JSON.stringify` it the way share creation would, persist the
+    // result, and read it back. Anything function-typed must be gone.
+    const sourcePermissions: any = {
+      articles: {
+        read: {
+          filter: { id: ({ user }: any) => user?.id ?? null }, // function
+        },
+        create: {
+          fields: { title: true, body: true }, // static — should survive
+          payloadGuard: ({ payload }: any) => payload.title?.length > 0,
+          mutate: { author_id: ({ user }: any) => user.id },
+        },
+      },
+    };
+
+    const created = await lobb.collectionService.createOne({
+      collectionName: "auth_shares",
+      data: {
+        token: "share_strip_test_token",
+        permissions: JSON.stringify(sourcePermissions),
+        expires_at: new Date(Date.now() + 60_000).toISOString(),
+        created_by: adminUserId,
+      },
+    });
+
+    // Reload from the DB to be sure we're checking what's actually persisted.
+    const reloaded = await lobb.collectionService.findOne({
+      collectionName: "auth_shares",
+      id: created.data.id,
+    });
+
+    const stored = JSON.parse(reloaded.data.permissions);
+
+    // Static data survives intact.
+    expect(stored.articles.create.fields).toEqual({ title: true, body: true });
+
+    // Function values inside containers get dropped, leaving empty
+    // containers behind (e.g. `filter` and `mutate` are kept but their
+    // inner function entries are gone).
+    expect(stored.articles.read.filter).toEqual({});
+    expect(stored.articles.create.mutate).toEqual({});
+
+    // Top-level function values cause the entire key to vanish — there's no
+    // empty-shell to leave behind in that case.
+    expect(stored.articles.create.payloadGuard).toBeUndefined();
+
+    // The real safety guarantee: no function-typed value exists ANYWHERE
+    // in the stored permissions. If anyone ever changes share creation to
+    // use a serialiser that preserves functions, this assertion fires.
+    const containsFunction = (v: unknown): boolean => {
+      if (typeof v === "function") return true;
+      if (v && typeof v === "object") {
+        return Object.values(v).some(containsFunction);
+      }
+      return false;
+    };
+    expect(containsFunction(stored)).toBe(false);
+  });
+
+  describe("share token as bearer credential", () => {
+    it("rejects an unknown bearer token (no access)", async () => {
+      const res = await fetchAs(
+        "share_unknown_token_xyz",
+        "/api/collections/articles",
+      );
+      // Unknown token → no auth_user, no auth_share → treated as public,
+      // which has no articles permissions in this config.
+      expect(res.status).toBeGreaterThanOrEqual(400);
+    });
+
+    it("rejects an expired share", async () => {
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+        expires_at: new Date(Date.now() - 60_000).toISOString(), // in the past
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles");
+      expect(res.status).toBeGreaterThanOrEqual(400);
+    });
+
+    it("allows read on a collection the share permits (unconditional)", async () => {
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles");
+      expect(res.status).toEqual(200);
+      const body = await res.json();
+      expect(body.data.length).toBeGreaterThanOrEqual(2);
+    });
+
+    it("denies read on a collection the share does NOT permit", async () => {
+      // Only grants articles.read; auth_users is not in the share.
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+      });
+
+      const res = await fetchAs(token, "/api/collections/auth_users");
+      expect(res.status).toEqual(403);
+    });
+
+    it("applies the share's static filter on conditional read", async () => {
+      // Filter scopes the share to only the published article.
+      const token = await createShare({
+        permissions: {
+          articles: { read: { filter: { id: publishedArticleId } } },
+        },
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles");
+      expect(res.status).toEqual(200);
+      const body = await res.json();
+      expect(body.data.length).toEqual(1);
+      expect(body.data[0].id).toEqual(publishedArticleId);
+    });
+
+    it("does NOT apply the self-row bypass for shares (no user identity)", async () => {
+      // A share with no auth_users perm should not be able to read any
+      // auth_users row — there's no `user` to match an id against, so the
+      // bypass doesn't apply. (The "/me" alias is exempt from this; it
+      // short-circuits with the share's permissions snapshot instead.)
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+      });
+
+      const byIdRes = await fetchAs(
+        token,
+        `/api/collections/auth_users/${adminUserId}`,
+      );
+      expect(byIdRes.status).toBeGreaterThanOrEqual(400);
+    });
+
+    it("denies create when the share doesn't permit it", async () => {
+      // Share allows reading articles only — create should fail.
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: { title: "Should be rejected", body: "no perm" },
+        }),
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("allows create when the share unconditionally permits it", async () => {
+      const token = await createShare({
+        permissions: { articles: { create: true, read: true } },
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: {
+            title: "Created via share",
+            body: "by an external recipient",
+            published: true,
+            number_of_likes: 0,
+            user_id: adminUserId,
+          },
+        }),
+      });
+      expect(res.status).toBeLessThan(400);
+    });
+
+    it("enforces the share's fields allowlist on create", async () => {
+      // The share lets you create articles but only set title/body — anything
+      // else in the payload must be rejected.
+      const token = await createShare({
+        permissions: {
+          articles: {
+            create: { fields: { title: true, body: true } },
+          },
+        },
+      });
+
+      const res = await fetchAs(token, "/api/collections/articles", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: {
+            title: "Allowed",
+            body: "Allowed too",
+            // disallowed: not in the fields allowlist
+            published: true,
+          },
+        }),
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("permissions: true on a share grants full access (like admin)", async () => {
+      const token = await createShare({ permissions: true });
+
+      const res = await fetchAs(token, "/api/collections/articles");
+      expect(res.status).toEqual(200);
+    });
+
+    it("accepts expires_in_seconds and converts it to expires_at", async () => {
+      // Caller passes a duration instead of computing an absolute timestamp.
+      // The auth_normalizeShareExpiry workflow converts before validation.
+      const before = Date.now();
+      const created = await lobb.collectionService.createOne({
+        collectionName: "auth_shares",
+        data: {
+          permissions: JSON.stringify({ articles: { read: true } }),
+          expires_in_seconds: 120,
+          created_by: adminUserId,
+        },
+      });
+      const after = Date.now();
+
+      const expiresAt = new Date(created.data.expires_at).getTime();
+      // Should be roughly 120s after `before` and at most 120s after `after`.
+      expect(expiresAt).toBeGreaterThanOrEqual(before + 120_000 - 1000);
+      expect(expiresAt).toBeLessThanOrEqual(after + 120_000 + 1000);
+
+      // The token works, confirming the row is otherwise valid.
+      const res = await fetchAs(created.data.token, "/api/collections/articles");
+      expect(res.status).toEqual(200);
+    });
+
+    it("rejects expires_in_seconds = 0 or negative", async () => {
+      await expect(
+        lobb.collectionService.createOne({
+          collectionName: "auth_shares",
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+            expires_in_seconds: 0,
+            created_by: adminUserId,
+          },
+        }),
+      ).rejects.toThrow(/positive/);
+
+      await expect(
+        lobb.collectionService.createOne({
+          collectionName: "auth_shares",
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+            expires_in_seconds: -5,
+            created_by: adminUserId,
+          },
+        }),
+      ).rejects.toThrow(/positive/);
+    });
+
+    it("rejects when neither expires_at nor expires_in_seconds is provided", async () => {
+      await expect(
+        lobb.collectionService.createOne({
+          collectionName: "auth_shares",
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+            created_by: adminUserId,
+          },
+        }),
+      ).rejects.toThrow(/expires_at|expires_in_seconds/);
+    });
+
+    it("auto-generates a token server-side that's actually usable as a bearer", async () => {
+      // Confirms the generation workflow is firing and the returned token is
+      // not just stored but recognised by BearerTokenHandler.
+      const token = await createShare({
+        permissions: { articles: { read: true } },
+      });
+
+      // 64-char hex string from generateRandomId (32 random bytes).
+      expect(token).toMatch(/^[a-f0-9]{64}$/);
+
+      const res = await fetchAs(token, "/api/collections/articles");
+      expect(res.status).toEqual(200);
+    });
+  });
+
+  // Integration-level coverage for the intersection guard. The pure logic
+  // is covered in workflows/shareIntersection.test.ts — these tests confirm
+  // the guard is actually wired into the share creation flow and only fires
+  // for API-triggered creates (internal callers using the service layer
+  // remain trusted, which is what the suite above relies on).
+  describe("intersection guard on share creation", () => {
+    // The author role in authConfig has: auth_users read(conditional) +
+    // update/delete, articles read(conditional, fields) + create(fields),
+    // and auth_shares.create. We use it to exercise the guard.
+    const authorEmail = "share_creator@test.com";
+    const authorPassword = "test_password";
+    let authorToken: string;
+    let adminToken: string;
+
+    async function loginAs(email: string, password: string): Promise<string> {
+      const res = await fetch(`${baseUrl}/api/collections/auth_sessions`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ data: { email, password } }),
+      });
+      const body = await res.json();
+      return body.data.access_token.token;
+    }
+
+    async function postShareAs(
+      sessionToken: string,
+      permissions: unknown,
+    ): Promise<Response> {
+      return await fetch(`${baseUrl}/api/collections/auth_shares`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${sessionToken}`,
+        },
+        body: JSON.stringify({
+          data: {
+            permissions: JSON.stringify(permissions),
+            expires_at: new Date(Date.now() + 60_000).toISOString(),
+          },
+        }),
+      });
+    }
+
+    beforeAll(async () => {
+      // Create the author user up-front so each test can just login.
+      await fetch(`${baseUrl}/api/collections/auth_users`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: {
+            email: authorEmail,
+            password: authorPassword,
+            role: "author",
+          },
+        }),
+      });
+      authorToken = await loginAs(authorEmail, authorPassword);
+      adminToken = await loginAs("admin@test.com", "admin");
+    });
+
+    it("rejects an author granting a collection they don't have", async () => {
+      // The author role has no perm at all on a hypothetical extra collection;
+      // here we use auth_sessions which the author also can't read/write.
+      const res = await postShareAs(authorToken, {
+        auth_sessions: { read: true },
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("rejects an author granting unconditional read when their own read is conditional", async () => {
+      // Author's articles.read is conditional (only their own rows). Granting
+      // `articles: { read: true }` would let a share recipient read every row —
+      // strictly broader than the author can.
+      const res = await postShareAs(authorToken, {
+        articles: { read: true },
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("rejects an author granting an action they don't have on a collection", async () => {
+      // Author has articles.create + articles.read but no articles.update.
+      const res = await postShareAs(authorToken, {
+        articles: { update: true },
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("rejects an author granting a field they aren't allowed to write", async () => {
+      // Author's articles.create allows only {title, body}; `published` would
+      // be a new field the author themselves cannot set.
+      const res = await postShareAs(authorToken, {
+        articles: {
+          create: { fields: { title: true, published: true } },
+        },
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("rejects an author dropping a field allowlist when they have one", async () => {
+      // Removing the `fields` key entirely makes the share's create
+      // unconstrained — broader than the author's.
+      const res = await postShareAs(authorToken, {
+        articles: { create: {} },
+      });
+      expect(res.status).toEqual(403);
+    });
+
+    it("rejects `permissions: true` from a non-admin creator", async () => {
+      const res = await postShareAs(authorToken, true);
+      expect(res.status).toEqual(403);
+    });
+
+    it("accepts a strictly-narrower share from an author", async () => {
+      // Conditional share read with a filter; author also has conditional
+      // read so this is structurally a subset (we don't compare filters).
+      const res = await postShareAs(authorToken, {
+        articles: {
+          read: {
+            filter: { id: publishedArticleId },
+            fields: { id: true, title: true },
+          },
+        },
+      });
+      expect(res.status).toBeLessThan(400);
+    });
+
+    it("accepts a fields-allowlist share that subsets the creator's", async () => {
+      const res = await postShareAs(authorToken, {
+        articles: {
+          create: { fields: { title: true } },
+        },
+      });
+      expect(res.status).toBeLessThan(400);
+    });
+
+    it("admin can mint any share, including permissions: true", async () => {
+      const res = await postShareAs(adminToken, true);
+      expect(res.status).toBeLessThan(400);
+    });
+
+    it("admin can mint shares granting collections an author couldn't", async () => {
+      const res = await postShareAs(adminToken, {
+        auth_users: { read: true },
+      });
+      expect(res.status).toBeLessThan(400);
+    });
+
+    it("rejects an unauthenticated (public) request — public users can't mint shares", async () => {
+      // Defense in depth: the policy layer rejects first because public has
+      // no auth_shares.create perm. Even if that were misconfigured, the
+      // auth_setShareCreatedBy workflow only runs when there's an auth_user,
+      // so `created_by` would stay undefined and the required-field check
+      // would refuse the insert.
+      const res = await fetch(`${baseUrl}/api/collections/auth_shares`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+            expires_at: new Date(Date.now() + 60_000).toISOString(),
+          },
+        }),
+      });
+      expect(res.status).toBeGreaterThanOrEqual(400);
+    });
+
+    it("rejects when permissions is not valid JSON", async () => {
+      const res = await fetch(`${baseUrl}/api/collections/auth_shares`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${authorToken}`,
+        },
+        body: JSON.stringify({
+          data: {
+            permissions: "not-json-at-all",
+            expires_at: new Date(Date.now() + 60_000).toISOString(),
+          },
+        }),
+      });
+      expect(res.status).toBeGreaterThanOrEqual(400);
+    });
+
+    // The earlier expires_in_seconds tests exercise the service layer
+    // directly. The studio UI hits the HTTP API instead, so we need a
+    // parallel check that the convenience field also works end-to-end:
+    // service-level normalize must convert it to expires_at BEFORE the
+    // store-level required check fires, otherwise callers see "Validation
+    // failed".
+    it("accepts expires_in_seconds via HTTP and round-trips a working token", async () => {
+      const before = Date.now();
+      const res = await fetch(`${baseUrl}/api/collections/auth_shares`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${adminToken}`,
+        },
+        body: JSON.stringify({
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+            expires_in_seconds: 120,
+          },
+        }),
+      });
+      expect(res.status).toEqual(201);
+      const body = await res.json();
+      const after = Date.now();
+
+      // expires_at was computed server-side from the seconds the caller sent.
+      const expiresAt = new Date(body.data.expires_at).getTime();
+      expect(expiresAt).toBeGreaterThanOrEqual(before + 120_000 - 1000);
+      expect(expiresAt).toBeLessThanOrEqual(after + 120_000 + 1000);
+
+      // expires_in_seconds is virtual and must NOT round-trip back to the client.
+      expect("expires_in_seconds" in body.data).toBe(false);
+
+      // The token is usable as a bearer credential — confirms the row was
+      // actually inserted with valid created_by/token/permissions.
+      const useRes = await fetchAs(body.data.token, "/api/collections/articles");
+      expect(useRes.status).toEqual(200);
+    });
+
+    it("rejects via HTTP when neither expires_at nor expires_in_seconds is provided", async () => {
+      const res = await fetch(`${baseUrl}/api/collections/auth_shares`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${adminToken}`,
+        },
+        body: JSON.stringify({
+          data: {
+            permissions: JSON.stringify({ articles: { read: true } }),
+          },
+        }),
+      });
+      expect(res.status).toBeGreaterThanOrEqual(400);
+    });
+
+    it("rejects via HTTP when expires_in_seconds is zero or negative", async () => {
+      for (const seconds of [0, -5]) {
+        const res = await fetch(`${baseUrl}/api/collections/auth_shares`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": `Bearer ${adminToken}`,
+          },
+          body: JSON.stringify({
+            data: {
+              permissions: JSON.stringify({ articles: { read: true } }),
+              expires_in_seconds: seconds,
+            },
+          }),
+        });
+        expect(res.status).toBeGreaterThanOrEqual(400);
+      }
+    });
+
+    // /api/collections/auth_users/me also serves share bearers: when there's
+    // no user but a valid share, meAlias short-circuits with the share's
+    // permissions snapshot. The studio uses this single endpoint to learn
+    // what the current bearer can do, regardless of bearer type.
+    describe("GET /api/collections/auth_users/me with a share bearer", () => {
+      it("returns { data: null, permissions } with the share's snapshot", async () => {
+        const sharePermissions = {
+          articles: { read: { filter: { id: publishedArticleId } } },
+        };
+        const token = await createShare({ permissions: sharePermissions });
+
+        const res = await fetch(
+          `${baseUrl}/api/collections/auth_users/me`,
+          { headers: { Authorization: `Bearer ${token}` } },
+        );
+        expect(res.status).toEqual(200);
+        const body = await res.json();
+        expect(body.data).toBeNull();
+        expect(body.permissions).toEqual(sharePermissions);
+      });
+
+      it("still returns the user row + role permissions for a session bearer", async () => {
+        const res = await fetch(
+          `${baseUrl}/api/collections/auth_users/me`,
+          { headers: { Authorization: `Bearer ${authorToken}` } },
+        );
+        expect(res.status).toEqual(200);
+        const body = await res.json();
+        expect(body.data.email).toEqual("share_creator@test.com");
+        expect(body.permissions.articles.create.fields).toEqual({
+          title: true,
+          body: true,
+        });
+      });
+    });
+  });
+});

package/extensions/auth/tests/configs/auth.ts

@@ -50,6 +50,23 @@ export const authConfig: Config = {
               update: true,
               delete: true,
             },
+            articles: {
+              read: {
+                filter: { user_id: ({ user }: any) => user?.id ?? null },
+                fields: { id: true, title: true, body: true },
+              },
+              create: { fields: { title: true, body: true } },
+            },
+            auth_shares: {
+              create: true,
+            },
+          },
+        },
+        // Role with no auth_users perm at all — used to test that /me still
+        // works for a logged-in user whose role can't generally read auth_users.
+        reader: {
+          permissions: {
+            articles: { read: true },
           },
         },
       },