@openparachute/hub 0.3.0-rc.1 → 0.5.1

package/src/__tests__/admin-handlers.test.ts

@@ -0,0 +1,530 @@
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  handleAdminConfigGet,
+  handleAdminConfigPost,
+  handleAdminLoginGet,
+  handleAdminLoginPost,
+  handleAdminLogoutPost,
+} from "../admin-handlers.ts";
+import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import type { ConfigSchema, ModuleManifest } from "../module-manifest.ts";
+import type { ServicesManifest } from "../services-manifest.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession, findSession } from "../sessions.ts";
+import { createUser } from "../users.ts";
+
+const TEST_CSRF = "csrf-handlers-test-token";
+const CSRF_COOKIE = `${CSRF_COOKIE_NAME}=${TEST_CSRF}`;
+
+const VAULT_SCHEMA: ConfigSchema = {
+  type: "object",
+  required: ["transcribe_provider"],
+  properties: {
+    transcribe_provider: {
+      type: "string",
+      description: "Speech-to-text backend.",
+      enum: ["openai", "deepgram", "groq"],
+      default: "openai",
+    },
+    max_tags_per_note: { type: "integer", default: 10 },
+    public: { type: "boolean", default: false },
+  },
+};
+
+const VAULT_MANIFEST: ModuleManifest = {
+  name: "vault",
+  manifestName: "parachute-vault",
+  displayName: "Vault",
+  kind: "api",
+  port: 1940,
+  paths: ["/vault"],
+  health: "/health",
+  configSchema: VAULT_SCHEMA,
+};
+
+function vaultServices(): ServicesManifest {
+  return {
+    services: [
+      {
+        name: "vault",
+        port: 1940,
+        paths: ["/vault"],
+        health: "/health",
+        version: "0.0.0",
+        installDir: "/fake/vault",
+      },
+    ],
+  };
+}
+
+interface Harness {
+  db: Database;
+  configDir: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const configDir = mkdtempSync(join(tmpdir(), "phub-admin-handlers-"));
+  const db = openHubDb(hubDbPath(configDir));
+  return {
+    db,
+    configDir,
+    cleanup: () => {
+      db.close();
+      rmSync(configDir, { recursive: true, force: true });
+    },
+  };
+}
+
+async function cookieForUser(db: Database, username: string, password: string): Promise<string> {
+  const user = await createUser(db, username, password);
+  const session = createSession(db, { userId: user.id });
+  return `${CSRF_COOKIE}; ${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}`;
+}
+
+function formBody(values: Record<string, string>): {
+  body: string;
+  headers: Record<string, string>;
+} {
+  const params = new URLSearchParams();
+  for (const [k, v] of Object.entries(values)) params.append(k, v);
+  return {
+    body: params.toString(),
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+  };
+}
+
+function fakeReadManifest(installDir: string): Promise<ModuleManifest | null> {
+  if (installDir === "/fake/vault") return Promise.resolve(VAULT_MANIFEST);
+  return Promise.resolve(null);
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+describe("handleAdminLoginGet", () => {
+  test("renders login form and mints a CSRF cookie when none is present", () => {
+    const req = new Request("http://hub.test/admin/login");
+    const res = handleAdminLoginGet(harness.db, req);
+    expect(res.status).toBe(200);
+    expect(res.headers.get("set-cookie") ?? "").toContain(CSRF_COOKIE_NAME);
+  });
+
+  test("echoes the next= query param into the form", async () => {
+    const req = new Request("http://hub.test/admin/login?next=/admin/config");
+    const res = handleAdminLoginGet(harness.db, req);
+    const html = await res.text();
+    expect(html).toContain('value="/admin/config"');
+  });
+
+  test("rewrites unsafe next= to /admin/config", async () => {
+    const req = new Request("http://hub.test/admin/login?next=https%3A%2F%2Fevil.example%2Fpwn");
+    const res = handleAdminLoginGet(harness.db, req);
+    const html = await res.text();
+    expect(html).toContain('value="/admin/config"');
+    expect(html).not.toContain("evil.example");
+  });
+
+  test("hidden __csrf input value matches the freshly-minted cookie value (#113)", async () => {
+    const req = new Request("http://hub.test/admin/login");
+    const res = handleAdminLoginGet(harness.db, req);
+    const setCookie = res.headers.get("set-cookie") ?? "";
+    const cookieMatch = setCookie.match(new RegExp(`${CSRF_COOKIE_NAME}=([A-Za-z0-9_-]+)`));
+    expect(cookieMatch).not.toBeNull();
+    const cookieToken = cookieMatch?.[1] ?? "";
+    expect(cookieToken.length).toBeGreaterThan(0);
+    const html = await res.text();
+    const formMatch = html.match(new RegExp(`name="${CSRF_FIELD_NAME}" value="([^"]+)"`));
+    expect(formMatch).not.toBeNull();
+    expect(formMatch?.[1]).toBe(cookieToken);
+  });
+});
+
+describe("handleAdminLoginPost", () => {
+  test("rejects when CSRF token doesn't match the cookie", async () => {
+    await createUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: "wrong",
+      username: "admin",
+      password: "pw",
+      next: "/admin/config",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(400);
+    expect(res.headers.get("set-cookie")).toBeNull();
+  });
+
+  test("rejects bad credentials with 401 and re-renders login", async () => {
+    await createUser(harness.db, "admin", "correct-pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "wrong",
+      next: "/admin/config",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(401);
+    expect(await res.text()).toContain("Invalid credentials");
+  });
+
+  test("redirects to next= and sets session cookie on success", async () => {
+    await createUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "pw",
+      next: "/admin/config",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/config");
+    expect(res.headers.get("set-cookie") ?? "").toContain("parachute_hub_session=");
+  });
+
+  test("ignores an absolute-URL next= from the form", async () => {
+    await createUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "pw",
+      next: "https://evil.example/pwn",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/config");
+  });
+});
+
+describe("handleAdminLogoutPost (#113)", () => {
+  test("rejects when CSRF token doesn't match the cookie", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: "wrong" });
+    const req = new Request("http://hub.test/admin/logout", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminLogoutPost(harness.db, req);
+    expect(res.status).toBe(400);
+    expect(res.headers.get("set-cookie")).toBeNull();
+  });
+
+  test("clears session cookie, deletes session row, and redirects to /admin/login", async () => {
+    const user = await createUser(harness.db, "admin", "pw");
+    const session = createSession(harness.db, { userId: user.id });
+    const cookie = `${CSRF_COOKIE}; ${buildSessionCookie(
+      session.id,
+      Math.floor(SESSION_TTL_MS / 1000),
+    )}`;
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF });
+    const req = new Request("http://hub.test/admin/logout", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminLogoutPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/login");
+    const setCookie = res.headers.get("set-cookie") ?? "";
+    expect(setCookie).toContain("parachute_hub_session=;");
+    expect(setCookie).toContain("Max-Age=0");
+    expect(findSession(harness.db, session.id)).toBeNull();
+  });
+
+  test("idempotent — clears cookie even with no active session", async () => {
+    const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF });
+    const req = new Request("http://hub.test/admin/logout", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLogoutPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/login");
+    expect(res.headers.get("set-cookie") ?? "").toContain("parachute_hub_session=;");
+  });
+});
+
+describe("handleAdminConfigGet", () => {
+  test("redirects unauthenticated requests to /admin/login", async () => {
+    const req = new Request("http://hub.test/admin/config");
+    const res = await handleAdminConfigGet(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/login?next=%2Fadmin%2Fconfig");
+  });
+
+  test("renders the empty-state when no module declares a configSchema", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const req = new Request("http://hub.test/admin/config", {
+      headers: { cookie },
+    });
+    const res = await handleAdminConfigGet(harness.db, req, {
+      loadServicesManifest: () => ({ services: [] }),
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("No installed module declares");
+  });
+
+  test("renders one section per configurable module", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const req = new Request("http://hub.test/admin/config", {
+      headers: { cookie },
+    });
+    const res = await handleAdminConfigGet(harness.db, req, {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('id="module-vault"');
+    expect(html).toContain("transcribe_provider");
+    expect(html).toContain('action="/admin/config/vault"');
+  });
+
+  test("surfaces flash success message after a saved redirect", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const req = new Request("http://hub.test/admin/config?_status=saved&_module=vault", {
+      headers: { cookie },
+    });
+    const res = await handleAdminConfigGet(harness.db, req, {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    const html = await res.text();
+    expect(html).toContain("Saved and restarted Vault");
+  });
+});
+
+describe("handleAdminConfigPost", () => {
+  function postBody(values: Record<string, string>) {
+    return formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, ...values });
+  }
+
+  test("redirects unauthenticated requests to /admin/login", async () => {
+    const { body, headers } = postBody({ transcribe_provider: "openai" });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toContain("/admin/login");
+  });
+
+  test("returns 400 when the CSRF token is wrong", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: "wrong",
+      transcribe_provider: "openai",
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("returns 404 for unknown module names", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = postBody({});
+    const req = new Request("http://hub.test/admin/config/nope", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "nope", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+    });
+    expect(res.status).toBe(404);
+  });
+
+  test("re-renders with field errors (422) when validation fails", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const restarts: string[] = [];
+    const { body, headers } = postBody({
+      transcribe_provider: "whisper", // not in enum
+      max_tags_per_note: "10",
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+      restartService: async (name) => {
+        restarts.push(name);
+        return 0;
+      },
+    });
+    expect(res.status).toBe(422);
+    const html = await res.text();
+    expect(html).toContain("must be one of");
+    expect(restarts).toEqual([]); // restart never called
+    // The on-disk config must not have been written.
+    expect(existsSync(join(harness.configDir, "vault", "config.json"))).toBe(false);
+  });
+
+  test("writes config + triggers restart + redirects with saved flash", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const restarts: string[] = [];
+    const { body, headers } = postBody({
+      transcribe_provider: "deepgram",
+      max_tags_per_note: "25",
+      // checkbox absent → public stays false
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+      restartService: async (name) => {
+        restarts.push(name);
+        return 0;
+      },
+    });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    expect(location).toContain("/admin/config?");
+    expect(location).toContain("_status=saved");
+    expect(location).toContain("_module=vault");
+    expect(location).toContain("#module-vault");
+    expect(restarts).toEqual(["vault"]);
+    const written = JSON.parse(
+      readFileSync(join(harness.configDir, "vault", "config.json"), "utf8"),
+    );
+    expect(written).toEqual({
+      transcribe_provider: "deepgram",
+      max_tags_per_note: 25,
+      public: false,
+    });
+  });
+
+  test("flashes saved-restart-failed when the restart returns non-zero", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = postBody({
+      transcribe_provider: "openai",
+      max_tags_per_note: "5",
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+      restartService: async () => 1,
+    });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    expect(location).toContain("_status=saved-restart-failed");
+    // Config was still written before the restart attempt.
+    expect(existsSync(join(harness.configDir, "vault", "config.json"))).toBe(true);
+  });
+
+  test("flashes saved-restart-failed with err detail when restart throws", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = postBody({
+      transcribe_provider: "openai",
+      max_tags_per_note: "5",
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+      restartService: async () => {
+        throw new Error("launchctl unavailable");
+      },
+    });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    expect(location).toContain("_status=saved-restart-failed");
+    const errParam = new URL(location, "http://hub.test").searchParams.get("_err") ?? "";
+    expect(errParam).toContain("launchctl unavailable");
+  });
+
+  test("checkbox-on translates to `public: true` in the written config", async () => {
+    const cookie = await cookieForUser(harness.db, "admin", "pw");
+    const { body, headers } = postBody({
+      transcribe_provider: "openai",
+      max_tags_per_note: "5",
+      public: "true",
+    });
+    const req = new Request("http://hub.test/admin/config/vault", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAdminConfigPost(harness.db, req, "vault", {
+      loadServicesManifest: vaultServices,
+      configDir: harness.configDir,
+      readManifest: fakeReadManifest,
+      restartService: async () => 0,
+    });
+    expect(res.status).toBe(302);
+    const written = JSON.parse(
+      readFileSync(join(harness.configDir, "vault", "config.json"), "utf8"),
+    );
+    expect(written.public).toBe(true);
+  });
+});

package/src/__tests__/admin-host-admin-token.test.ts

@@ -0,0 +1,115 @@
+/**
+ * Tests for the SPA's session→bearer mint endpoint. Covers:
+ *   - 401 when no admin session cookie is present.
+ *   - 401 when the cookie names a deleted/expired session.
+ *   - 200 + JWT carrying parachute:host:admin when the session is valid.
+ *   - Token validates against the hub's own keys and the configured issuer.
+ *   - Method-not-allowed on POST.
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { HOST_ADMIN_TOKEN_TTL_SECONDS, handleHostAdminToken } from "../admin-host-admin-token.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession, deleteSession } from "../sessions.ts";
+import { createUser } from "../users.ts";
+
+const ISSUER = "https://hub.test";
+
+interface Harness {
+  db: Database;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-host-admin-token-"));
+  const db = openHubDb(hubDbPath(dir));
+  return {
+    db,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+async function withSession(): Promise<{ cookie: string; userId: string }> {
+  const user = await createUser(harness.db, "operator", "hunter2");
+  const session = createSession(harness.db, { userId: user.id });
+  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  return { cookie, userId: user.id };
+}
+
+describe("handleHostAdminToken", () => {
+  test("401 when no session cookie is present", async () => {
+    const req = new Request(`${ISSUER}/admin/host-admin-token`);
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("unauthenticated");
+  });
+
+  test("401 when the cookie names a deleted session", async () => {
+    const { cookie } = await withSession();
+    // Pluck the session id back out of the cookie + delete its row.
+    const sid = cookie.match(/parachute_hub_session=([^;]+)/)?.[1] ?? "";
+    deleteSession(harness.db, sid);
+    const req = new Request(`${ISSUER}/admin/host-admin-token`, {
+      headers: { cookie },
+    });
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(401);
+  });
+
+  test("405 on POST", async () => {
+    const { cookie } = await withSession();
+    const req = new Request(`${ISSUER}/admin/host-admin-token`, {
+      method: "POST",
+      headers: { cookie },
+    });
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(405);
+  });
+
+  test("200 mints a JWT carrying parachute:host:admin and the configured issuer", async () => {
+    const { cookie, userId } = await withSession();
+    const req = new Request(`${ISSUER}/admin/host-admin-token`, {
+      headers: { cookie },
+    });
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("cache-control")).toBe("no-store");
+
+    const body = (await res.json()) as {
+      token: string;
+      expires_at: string;
+      scopes: string[];
+    };
+    expect(body.scopes).toEqual(["parachute:host:admin"]);
+    expect(body.token.length).toBeGreaterThan(20);
+
+    // expires_at is roughly TTL_SECONDS in the future.
+    const expMs = new Date(body.expires_at).getTime();
+    const skew = expMs - Date.now();
+    expect(skew).toBeGreaterThan((HOST_ADMIN_TOKEN_TTL_SECONDS - 30) * 1000);
+    expect(skew).toBeLessThan((HOST_ADMIN_TOKEN_TTL_SECONDS + 30) * 1000);
+
+    // JWT verifies against the hub's own signing key + issuer.
+    const validated = await validateAccessToken(harness.db, body.token, ISSUER);
+    expect(validated.payload.sub).toBe(userId);
+    expect(validated.payload.iss).toBe(ISSUER);
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    expect(scopeClaim.split(/\s+/)).toContain("parachute:host:admin");
+  });
+});