@openparachute/hub 0.5.10-rc.9 → 0.5.10

package/src/__tests__/users.test.ts

@@ -4,15 +4,21 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import {
+  PASSWORD_MIN_LEN,
   SingleUserModeError,
+  USERNAME_RESERVED,
   UserNotFoundError,
   UsernameTakenError,
   createUser,
+  deleteUser,
   getUserById,
   getUserByUsername,
+  getUserByUsernameCI,
   listUsers,
   setPassword,
   userCount,
+  validatePassword,
+  validateUsername,
   verifyPassword,
 } from "../users.ts";
 
@@ -29,6 +35,11 @@ function makeDb() {
 }
 
 describe("createUser", () => {
+  // Note: createUser doesn't call validatePassword directly (PR 2 wires
+  // it at the endpoint layer). These short passwords ("hunter2", "pw1",
+  // etc.) are deliberate for testing the argon2id round-trip + the
+  // INSERT shape in isolation; PR 2's endpoint tests will use full-
+  // length (12+ char) passwords against the validator-gated path.
   test("creates a user and stores an argon2id hash", async () => {
     const { db, cleanup } = makeDb();
     try {
@@ -39,6 +50,50 @@ describe("createUser", () => {
       expect(u.passwordHash.startsWith("$argon2id$")).toBe(true);
       expect(u.createdAt).toBe(u.updatedAt);
       expect(userCount(db)).toBe(1);
+      // Default multi-user-Phase-1 shape: unchanged password, no vault pin.
+      expect(u.passwordChanged).toBe(false);
+      expect(u.assignedVault).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("passwordChanged opt-in lands the bit set (wizard / env-seed path)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "owner", "hunter2", { passwordChanged: true });
+      expect(u.passwordChanged).toBe(true);
+      // Round-trip through getUserById so we know it's persisted, not
+      // just returned by the in-memory createUser result.
+      const fresh = getUserById(db, u.id);
+      expect(fresh?.passwordChanged).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("assignedVault opt-in persists the column (admin-creates-user path)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "pw1", {
+        allowMulti: true,
+        assignedVault: "alice",
+      });
+      expect(u.assignedVault).toBe("alice");
+      const fresh = getUserById(db, u.id);
+      expect(fresh?.assignedVault).toBe("alice");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("assignedVault explicit null is treated the same as omitted", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "admin1", "pw1", { assignedVault: null });
+      expect(u.assignedVault).toBeNull();
+      const fresh = getUserById(db, u.id);
+      expect(fresh?.assignedVault).toBeNull();
     } finally {
       cleanup();
     }
@@ -152,3 +207,144 @@ describe("listUsers / getUserByUsername", () => {
     }
   });
 });
+
+describe("getUserByUsernameCI", () => {
+  test("matches exact lowercase username", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      await createUser(db, "alice", "alice-strong-passphrase");
+      expect(getUserByUsernameCI(db, "alice")?.username).toBe("alice");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("matches case-insensitively (defense in depth for legacy mixed-case rows)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      await createUser(db, "alice", "alice-strong-passphrase");
+      expect(getUserByUsernameCI(db, "Alice")?.username).toBe("alice");
+      expect(getUserByUsernameCI(db, "ALICE")?.username).toBe("alice");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("returns null when no row matches", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(getUserByUsernameCI(db, "ghost")).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("deleteUser", () => {
+  test("returns false when user does not exist", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(deleteUser(db, "no-such-id")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("returns true and drops the row", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase");
+      expect(deleteUser(db, u.id)).toBe(true);
+      expect(getUserById(db, u.id)).toBeNull();
+      expect(userCount(db)).toBe(0);
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("validateUsername", () => {
+  test("happy path — typical names", () => {
+    for (const name of ["alice", "bob_42", "user-1", "ab", "a-b-c", "x_y_z"]) {
+      const r = validateUsername(name);
+      expect(r.valid).toBe(true);
+      if (r.valid) expect(r.name).toBe(name);
+    }
+  });
+
+  test("length boundaries — 2 and 32 OK, 1 and 33 rejected", () => {
+    expect(validateUsername("ab").valid).toBe(true);
+    expect(validateUsername("a".repeat(32)).valid).toBe(true);
+    const tooShort = validateUsername("a");
+    expect(tooShort.valid).toBe(false);
+    if (!tooShort.valid) expect(tooShort.reason).toBe("length");
+    const tooLong = validateUsername("a".repeat(33));
+    expect(tooLong.valid).toBe(false);
+    if (!tooLong.valid) expect(tooLong.reason).toBe("length");
+    // Empty string is a length failure (not a format failure).
+    const empty = validateUsername("");
+    expect(empty.valid).toBe(false);
+    if (!empty.valid) expect(empty.reason).toBe("length");
+  });
+
+  test("format failures — uppercase, spaces, symbols rejected", () => {
+    for (const name of ["Alice", "bob smith", "user@domain", "name!", "user.name", "naïve"]) {
+      const r = validateUsername(name);
+      expect(r.valid).toBe(false);
+      if (!r.valid) expect(r.reason).toBe("format");
+    }
+  });
+
+  test("reserved words rejected — case-insensitive", () => {
+    for (const reserved of USERNAME_RESERVED) {
+      const r = validateUsername(reserved);
+      expect(r.valid).toBe(false);
+      if (!r.valid) expect(r.reason).toBe("reserved");
+    }
+    // Case variants — the regex pins lowercase so uppercase fails as
+    // "format" first; the case-insensitive reserved check is defense in
+    // depth. But within the lowercase-allowed set, mixed-case-spelled
+    // reserved words are blocked by the format gate (e.g. "Admin"
+    // fails format, not reserved). The regex catches case variants
+    // before reserved-check ever runs — that's correct order.
+    const mixed = validateUsername("Admin");
+    expect(mixed.valid).toBe(false);
+    if (!mixed.valid) expect(mixed.reason).toBe("format");
+  });
+
+  test("hyphens and underscores allowed; numbers allowed", () => {
+    expect(validateUsername("user_1").valid).toBe(true);
+    expect(validateUsername("user-2").valid).toBe(true);
+    expect(validateUsername("123").valid).toBe(true);
+    expect(validateUsername("_-_").valid).toBe(true);
+  });
+});
+
+describe("validatePassword", () => {
+  test("happy path — 12+ chars accepted", () => {
+    expect(validatePassword("twelvechars1").valid).toBe(true);
+    expect(validatePassword("a much longer passphrase here").valid).toBe(true);
+  });
+
+  test("boundary — exactly 12 chars accepted, 11 rejected", () => {
+    expect(PASSWORD_MIN_LEN).toBe(12);
+    expect(validatePassword("a".repeat(12)).valid).toBe(true);
+    const r = validatePassword("a".repeat(11));
+    expect(r.valid).toBe(false);
+    if (!r.valid) expect(r.reason).toBe("too_short");
+  });
+
+  test("empty string rejected as too_short", () => {
+    const r = validatePassword("");
+    expect(r.valid).toBe(false);
+    if (!r.valid) expect(r.reason).toBe("too_short");
+  });
+
+  test("no complexity rules — long but all-same-char accepted", () => {
+    // Phase 1 takes NIST 800-63B's lead: length over forced classes.
+    // Aaron settled on 12-min, no complexity. If we later want to nudge
+    // toward passphrases we'll layer it as a separate signal, not a
+    // hard gate.
+    expect(validatePassword("aaaaaaaaaaaa").valid).toBe(true);
+  });
+});

package/src/__tests__/vault-names.test.ts

@@ -0,0 +1,172 @@
+/**
+ * Tests for the shared `vault-names.ts` helper (multi-user Phase 1, PR 4).
+ *
+ * The shared helper lifted the two pre-PR-4 private copies (`oauth-handlers.ts`
+ * + `api-users.ts`) into one place. These tests pin the canonical behavior so
+ * both callers — the OAuth consent picker + the admin SPA's assigned-vault
+ * dropdown + the server-side defense in `handleConsentSubmit` — see the same
+ * name set.
+ */
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import type { ServicesManifest } from "../services-manifest.ts";
+import { listVaultNames, listVaultNamesFromPath } from "../vault-names.ts";
+
+describe("listVaultNames", () => {
+  test("returns empty list when no vault services are registered", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        { name: "parachute-notes", port: 1942, paths: ["/notes"], health: "/h", version: "0.1.0" },
+        {
+          name: "parachute-scribe",
+          port: 1943,
+          paths: ["/scribe"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual([]);
+  });
+
+  test("single-entry-multi-path: emits one name per `/vault/<name>` path", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/work", "/vault/personal"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual(["personal", "work"]);
+  });
+
+  test("per-vault entries: emits one name per `parachute-vault-<name>` entry", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault-work",
+          port: 1940,
+          paths: ["/vault/work"],
+          health: "/h",
+          version: "0.1.0",
+        },
+        {
+          name: "parachute-vault-personal",
+          port: 1941,
+          paths: ["/vault/personal"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual(["personal", "work"]);
+  });
+
+  test("entry with no paths falls back to the manifest-suffix name (hub#143)", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault-archived",
+          port: 1940,
+          paths: [],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual(["archived"]);
+  });
+
+  test("deduplicates collisions across single-entry + per-vault shapes", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/work"],
+          health: "/h",
+          version: "0.1.0",
+        },
+        {
+          name: "parachute-vault-work",
+          port: 1941,
+          paths: ["/vault/work"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual(["work"]);
+  });
+
+  test("output is sorted ascending — deterministic order for both callers", () => {
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/zeta", "/vault/alpha", "/vault/middle"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    expect(listVaultNames(manifest)).toEqual(["alpha", "middle", "zeta"]);
+  });
+});
+
+describe("listVaultNamesFromPath", () => {
+  test("reads from a services.json file and emits the same names", () => {
+    const dir = mkdtempSync(join(tmpdir(), "phub-vault-names-"));
+    const path = join(dir, "services.json");
+    writeFileSync(
+      path,
+      JSON.stringify({
+        services: [
+          {
+            name: "parachute-vault",
+            port: 1940,
+            paths: ["/vault/work"],
+            health: "/h",
+            version: "0.1.0",
+          },
+        ],
+      }),
+    );
+    try {
+      expect(listVaultNamesFromPath(path)).toEqual(["work"]);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("api-users.ts and oauth-handlers.ts read the same source through listVaultNamesFromPath / listVaultNames", () => {
+    // Cross-caller parity: the helper is the single source. Both code paths
+    // should see byte-identical output against the same services.json.
+    const dir = mkdtempSync(join(tmpdir(), "phub-vault-names-parity-"));
+    const path = join(dir, "services.json");
+    const manifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/work", "/vault/personal"],
+          health: "/h",
+          version: "0.1.0",
+        },
+      ],
+    };
+    writeFileSync(path, JSON.stringify(manifest));
+    try {
+      expect(listVaultNamesFromPath(path)).toEqual(listVaultNames(manifest));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});