npm - @lobb-js/lobb-ext-auth - Versions diffs - 0.11.3 → 0.13.0 - Mend

@lobb-js/lobb-ext-auth 0.11.3 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/extensions/auth/tests/middlewares/adminAuthGuard.test.ts DELETED Viewed

@@ -1,157 +0,0 @@
-import { Lobb } from "@lobb-js/core";
-import { afterAll, beforeAll, describe, it, expect } from "bun:test";
-import { createArticles, removeArticles } from "../utils/addArticles.ts";
-import { authNoRolesConfig } from "../configs/auth_no_roles.ts";
-describe("Auth Guard for Admins", () => {
-  let lobb: Lobb;
-  let baseUrl: string;
-  let articlesIds: string[];
-  const authHeader = new Headers();
-  beforeAll(async () => {
-    lobb = await Lobb.init(authNoRolesConfig);
-    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
-    articlesIds = await createArticles(lobb);
-    const response = await fetch(
-      `${baseUrl}/api/collections/auth_sessions`,
-      {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify({
-          data: {
-            email: "admin@test.com",
-            password: "admin",
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    authHeader.append(
-      "Authorization",
-      `Bearer ${result.data.access_token.token}`,
-    );
-  });
-  afterAll(async () => {
-    await removeArticles(lobb);
-    await lobb.close();
-  });
-  it("should allow admin users to create article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles`,
-      {
-        method: "POST",
-        headers: authHeader,
-        body: JSON.stringify({
-          data: {
-            title: "Test Title",
-            body: "Test body",
-            published: true,
-            number_of_likes: 500,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        body: "Test body",
-        title: "Test Title",
-        number_of_likes: 500,
-        published: true,
-        user_id: null,
-    });
-    expect(response.status).toEqual(201);
-  });
-  it("should allow admin users to read articles", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles?sort=id`,
-      {
-        method: "GET",
-        headers: authHeader,
-      },
-    );
-    const result = await response.json();
-    const titles = result.data.map((article: any) => article.title);
-    expect(
-      titles,
-    ).toEqual([
-        "The Future of AI: Trends Shaping Tomorrow's Technology",
-        "Climate Change and Its Impact on Global Food Security",
-        "The Rise of Remote Work: Is the Office Dead?",
-        "Blockchain Beyond Cryptocurrency: Practical Applications in 2024",
-        "Mental Health in the Digital Age: Navigating the New Challenges",
-        "Understanding Quantum Computing: The Next Tech Revolution",
-        "Sustainable Fashion: How the Industry is Going Green",
-        "The Role of 5G in Revolutionizing Smart Cities",
-        "Digital Marketing in 2024: Emerging Strategies for Success",
-        "The Future of Renewable Energy: Innovations Driving a Clean Energy Revolution",
-        "Test Title",
-    ]);
-    expect(response.status).toEqual(200);
-  });
-  it("should allow admin users to update an article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "PATCH",
-        headers: authHeader,
-        body: JSON.stringify({
-          data: {
-            title: "Edited Title",
-            body: "Edited body",
-            published: true,
-            number_of_likes: 500,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        title: "Edited Title",
-        number_of_likes: 500,
-        published: true,
-        user_id: null,
-    });
-    expect(response.status).toEqual(200);
-  });
-  it("should allow admin users to delete an article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "DELETE",
-        headers: authHeader,
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        title: "Edited Title",
-        number_of_likes: 500,
-        published: true,
-        user_id: null,
-    });
-    expect(response.status).toEqual(200);
-  });
-});

package/extensions/auth/tests/middlewares/adminProtection.test.ts DELETED Viewed

@@ -1,59 +0,0 @@
-import { Lobb } from "@lobb-js/core";
-import { afterAll, beforeAll, describe, it, expect } from "bun:test";
-import { authNoRolesConfig } from "../configs/auth_no_roles.ts";
-describe("Admin user protection", () => {
-  let lobb: Lobb;
-  let baseUrl: string;
-  const authHeader = new Headers();
-  beforeAll(async () => {
-    lobb = await Lobb.init(authNoRolesConfig);
-    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
-    const response = await fetch(
-      `${baseUrl}/api/collections/auth_sessions`,
-      {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          data: { email: "admin@test.com", password: "admin" },
-        }),
-      },
-    );
-    const result = await response.json();
-    authHeader.append("Authorization", `Bearer ${result.data.access_token.token}`);
-  });
-  afterAll(async () => {
-    await lobb.close();
-  });
-  it("should prevent deleting the admin user", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/auth_users/1`,
-      { method: "DELETE", headers: authHeader },
-    );
-    const result = await response.json();
-    expect(response.status).toEqual(403);
-    expect(result.message).toEqual("The admin user cannot be deleted.");
-  });
-  it("should prevent updating the admin user", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/auth_users/1`,
-      {
-        method: "PATCH",
-        headers: authHeader,
-        body: JSON.stringify({
-          data: { email: "hacked@example.com" },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(response.status).toEqual(403);
-    expect(result.message).toEqual("The admin user cannot be updated.");
-  });
-});

package/extensions/auth/tests/middlewares/publicAllowBasic.test.ts DELETED Viewed

@@ -1,137 +0,0 @@
-import { Lobb } from "@lobb-js/core";
-import { afterAll, beforeAll, describe, it, expect } from "bun:test";
-import { createArticles, removeArticles } from "../utils/addArticles.ts";
-import { authPublicFullAccessConfig } from "../configs/auth_public_full_access.ts";
-describe("Allow Guard For Public Users", () => {
-  let lobb: Lobb;
-  let baseUrl: string;
-  let articlesIds: string[];
-  beforeAll(async () => {
-    lobb = await Lobb.init(authPublicFullAccessConfig);
-    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
-    articlesIds = await createArticles(lobb);
-  });
-  afterAll(async () => {
-    await removeArticles(lobb);
-    await lobb.close();
-  });
-  it("should allow public users to create an articles", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles`,
-      {
-        method: "POST",
-        body: JSON.stringify({
-          data: {
-            title: "Test Title",
-            body: "Test body",
-            published: true,
-            number_of_likes: 500,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        title: "Test Title",
-        body: "Test body",
-        published: true,
-        number_of_likes: 500,
-        user_id: null,
-    });
-    expect(response.status).toEqual(201);
-    await lobb.collectionService.deleteMany({
-      collectionName: "articles",
-      filter: {
-        title: "Test Title",
-      },
-    });
-  });
-  it("should allow public users to read an articles", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles?sort=id`,
-      {
-        method: "GET",
-      },
-    );
-    const result = await response.json();
-    const titles = result.data.map((article: any) => article.title);
-    expect(
-      titles,
-    ).toEqual([
-        "The Future of AI: Trends Shaping Tomorrow's Technology",
-        "Climate Change and Its Impact on Global Food Security",
-        "The Rise of Remote Work: Is the Office Dead?",
-        "Blockchain Beyond Cryptocurrency: Practical Applications in 2024",
-        "Mental Health in the Digital Age: Navigating the New Challenges",
-        "Understanding Quantum Computing: The Next Tech Revolution",
-        "Sustainable Fashion: How the Industry is Going Green",
-        "The Role of 5G in Revolutionizing Smart Cities",
-        "Digital Marketing in 2024: Emerging Strategies for Success",
-        "The Future of Renewable Energy: Innovations Driving a Clean Energy Revolution",
-    ]);
-    expect(response.status).toEqual(200);
-  });
-  it("should allow public users to update an articles", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "PATCH",
-        body: JSON.stringify({
-          data: {
-            title: "Edited Title",
-            body: "Edited body",
-            published: false,
-            number_of_likes: 400,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        number_of_likes: 400,
-        published: false,
-        title: "Edited Title",
-        user_id: null,
-    });
-    expect(response.status).toEqual(200);
-  });
-  it("should allow public users to delete an articles", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "DELETE",
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.data,
-    ).toMatchObject({
-        body: "Edited body",
-        number_of_likes: 400,
-        published: false,
-        title: "Edited Title",
-        user_id: null,
-    });
-    expect(response.status).toEqual(200);
-  });
-});

package/extensions/auth/tests/middlewares/publicPreventBasic.test.ts DELETED Viewed

@@ -1,108 +0,0 @@
-import { Lobb } from "@lobb-js/core";
-import { afterAll, beforeAll, describe, it, expect } from "bun:test";
-import { createArticles, removeArticles } from "../utils/addArticles.ts";
-import { authNoRolesConfig } from "../configs/auth_no_roles.ts";
-describe("Prevent Guard For Public Users", () => {
-  let lobb: Lobb;
-  let baseUrl: string;
-  let articlesIds: string[];
-  beforeAll(async () => {
-    lobb = await Lobb.init(authNoRolesConfig);
-    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
-    articlesIds = await createArticles(lobb);
-  });
-  afterAll(async () => {
-    await removeArticles(lobb);
-    await lobb.close();
-  });
-  it("should prevent public users from creating article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles`,
-      {
-        method: "POST",
-        body: JSON.stringify({
-          data: {
-            title: "Edited Title",
-            body: "Edited body",
-            number_of_likes: 500,
-            published: true,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.message,
-    ).toEqual("You do not have permission to perform this action.");
-    expect(response.status).toEqual(403);
-  });
-  it("should prevent public users from reading users", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/auth_users`,
-      {
-        method: "GET",
-      },
-    );
-    const result = await response.json();
-    expect(
-      result.message,
-    ).toEqual("You do not have permission to perform this action.");
-    expect(response.status).toEqual(403);
-  });
-  it("should prevent public users from updating an article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "PATCH",
-        body: JSON.stringify({
-          data: {
-            title: "Edited Title",
-            body: "Edited body",
-            published: true,
-            number_of_likes: 500,
-          },
-        }),
-      },
-    );
-    const result = await response.json();
-    expect(
-      result,
-    ).toEqual({
-        status: 403,
-        code: "FORBIDDEN",
-        message: "You do not have permission to perform this action.",
-    });
-    expect(response.status).toEqual(403);
-  });
-  it("should prevent public users from deleting an article", async () => {
-    const response = await fetch(
-      `${baseUrl}/api/collections/articles/${articlesIds[0]}`,
-      {
-        method: "DELETE",
-      },
-    );
-    const result = await response.json();
-    expect(
-      result,
-    ).toEqual({
-        code: "FORBIDDEN",
-        message: "You do not have permission to perform this action.",
-        status: 403,
-    });
-    expect(response.status).toEqual(403);
-  });
-});

package/extensions/auth/tests/permissions.test.ts DELETED Viewed

@@ -1,127 +0,0 @@
-import { describe, it, expect } from "bun:test";
-import { isActionAllowed } from "../studio/shared/permissions.ts";
-// Default-deny is the contract: only explicit `true` or an object that
-// actually lists at least one constraint counts as a grant. Anything empty
-// (`undefined`, `{}`, `null`) at ANY level — role / collection / action —
-// must collapse to "no grant". These tests pin that invariant so a future
-// refactor can't accidentally turn `{}` back into "allow".
-describe("isActionAllowed — empty {} means false at every level", () => {
-  describe("role permissions level", () => {
-    it("returns false for undefined permissions", () => {
-      expect(isActionAllowed("articles", "read", undefined)).toBe(false);
-      expect(isActionAllowed("articles", "create", undefined)).toBe(false);
-      expect(isActionAllowed("articles", "update", undefined)).toBe(false);
-      expect(isActionAllowed("articles", "delete", undefined)).toBe(false);
-    });
-    it("returns false for an empty {} permissions object", () => {
-      expect(isActionAllowed("articles", "read", {})).toBe(false);
-      expect(isActionAllowed("articles", "create", {})).toBe(false);
-      expect(isActionAllowed("articles", "update", {})).toBe(false);
-      expect(isActionAllowed("articles", "delete", {})).toBe(false);
-    });
-    it("returns true only for the explicit `true` shortcut (admin)", () => {
-      expect(isActionAllowed("articles", "read", true)).toBe(true);
-      expect(isActionAllowed("any_collection_name", "delete", true)).toBe(true);
-    });
-  });
-  describe("collection level", () => {
-    it("returns false when the collection is missing from permissions", () => {
-      const perms = { articles: { read: true } };
-      expect(isActionAllowed("auth_users", "read", perms)).toBe(false);
-      expect(isActionAllowed("auth_users", "create", perms)).toBe(false);
-    });
-    it("returns false when the collection's value is explicitly undefined", () => {
-      const perms = { articles: undefined };
-      expect(isActionAllowed("articles", "read", perms)).toBe(false);
-      expect(isActionAllowed("articles", "create", perms)).toBe(false);
-    });
-    it("returns false when the collection is an empty {}", () => {
-      const perms = { articles: {} };
-      expect(isActionAllowed("articles", "read", perms)).toBe(false);
-      expect(isActionAllowed("articles", "create", perms)).toBe(false);
-      expect(isActionAllowed("articles", "update", perms)).toBe(false);
-      expect(isActionAllowed("articles", "delete", perms)).toBe(false);
-    });
-    it("returns true when the collection is explicitly `true`", () => {
-      const perms = { articles: true as const };
-      expect(isActionAllowed("articles", "read", perms)).toBe(true);
-      expect(isActionAllowed("articles", "create", perms)).toBe(true);
-      expect(isActionAllowed("articles", "update", perms)).toBe(true);
-      expect(isActionAllowed("articles", "delete", perms)).toBe(true);
-    });
-  });
-  describe("action level", () => {
-    it("returns false when the action is missing from the collection", () => {
-      const perms = { articles: { read: true } };
-      expect(isActionAllowed("articles", "create", perms)).toBe(false);
-      expect(isActionAllowed("articles", "update", perms)).toBe(false);
-      expect(isActionAllowed("articles", "delete", perms)).toBe(false);
-    });
-    it("returns false when the action is an empty {} — no constraints listed", () => {
-      // This is the footgun the rule fixes: an empty constraint object used
-      // to count as "conditional grant with no constraints" → effectively
-      // unconditional allow. Now it collapses to no grant.
-      expect(isActionAllowed("articles", "read", { articles: { read: {} } })).toBe(false);
-      expect(isActionAllowed("articles", "create", { articles: { create: {} } })).toBe(false);
-      expect(isActionAllowed("articles", "update", { articles: { update: {} } })).toBe(false);
-      expect(isActionAllowed("articles", "delete", { articles: { delete: {} } })).toBe(false);
-    });
-    it("returns false when the action is explicitly undefined", () => {
-      const perms = { articles: { read: undefined, create: undefined } };
-      expect(isActionAllowed("articles", "read", perms)).toBe(false);
-      expect(isActionAllowed("articles", "create", perms)).toBe(false);
-    });
-    it("returns true when the action is explicitly `true`", () => {
-      expect(isActionAllowed("articles", "read", { articles: { read: true } })).toBe(true);
-      expect(isActionAllowed("articles", "create", { articles: { create: true } })).toBe(true);
-    });
-    it("returns true when the action has at least one real constraint", () => {
-      // `filter` for read
-      expect(
-        isActionAllowed("articles", "read", {
-          articles: { read: { filter: { id: 1 } } },
-        }),
-      ).toBe(true);
-      // `fields` allowlist for read
-      expect(
-        isActionAllowed("articles", "read", {
-          articles: { read: { fields: { title: true } } },
-        }),
-      ).toBe(true);
-      // `fields` allowlist for create
-      expect(
-        isActionAllowed("articles", "create", {
-          articles: { create: { fields: { title: true } } },
-        }),
-      ).toBe(true);
-    });
-  });
-  describe("cross-level: only the relevant level needs to grant", () => {
-    it("an empty {} at any single level kills the chain regardless of siblings", () => {
-      // Other collections have grants, but `articles` is `{}` → no articles access.
-      const perms = { auth_users: { read: true }, articles: {} };
-      expect(isActionAllowed("articles", "read", perms)).toBe(false);
-      // Sibling still works.
-      expect(isActionAllowed("auth_users", "read", perms)).toBe(true);
-    });
-    it("an empty {} action doesn't bleed into other actions on the same collection", () => {
-      const perms = { articles: { read: true, create: {} } };
-      expect(isActionAllowed("articles", "read", perms)).toBe(true);
-      expect(isActionAllowed("articles", "create", perms)).toBe(false);
-    });
-  });
-});