@powerhousedao/reactor-api 6.0.0-dev.15 → 6.0.0-dev.150

package/dist/src/utils/db.js.map

@@ -1 +1 @@
-{"version":3,"file":"db.js","sourceRoot":"","sources":["../../../src/utils/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,YAAY,MAAM,aAAa,CAAC;AACvC,OAAO,EAAkB,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AA8E7B,SAAS,IAAI,CAAC,gBAAwB;IACpC,IACE,gBAAgB,CAAC,UAAU,CAAC,eAAe,CAAC;QAC5C,gBAAgB,CAAC,UAAU,CAAC,aAAa,CAAC,EAC1C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,mBAAuC,SAAS;IAI1E,MAAM,IAAI,GAAG,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAE,YAAmC,CAAC;IAClE,MAAM,UAAU,GAAG,IAAI;QACrB,CAAC,CAAC,EAAE,gBAAgB,EAAE;QACtB,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;IAE7C,wDAAwD;IACxD,uCAAuC;IACvC,IAAI,gBAAgB,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC;QACxB,MAAM;QACN,UAAU;KACX,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC;QAChC,OAAO,EAAE,IAAI,iBAAiB,CAAC;YAC7B,IAAI,EAAE,YAAY;YAClB,gBAAgB,EAAE,IAAI,aAAa,EAAE;SACtC,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC;;;;;;;;;;;KAWG;IACH;+BAC6B;IAC7B;oCACkC;IAClC;iCAC+B;IAC/B;qCACmC;IACnC;qCACmC;IACnC;oCACkC;IAClC;mCACiC;IACjC;oCACkC;IAClC;;;;;;;;KAQG;IACH;kCACgC;IAChC;2CACyC;IACzC;sCACoC;IACpC;;;;;;;;;;KAUG;IACH;6DAC2D;IAC3D;4DAC0D;CAC3D,CAAC"}
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../../../src/utils/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,YAAY,MAAM,aAAa,CAAC;AACvC,OAAO,EAAkB,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAuF7B,SAAS,IAAI,CAAC,gBAAwB;IACpC,IACE,gBAAgB,CAAC,UAAU,CAAC,eAAe,CAAC;QAC5C,gBAAgB,CAAC,UAAU,CAAC,aAAa,CAAC,EAC1C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,mBAAuC,SAAS;IAI1E,MAAM,IAAI,GAAG,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAE,YAAmC,CAAC;IAClE,MAAM,UAAU,GAAG,IAAI;QACrB,CAAC,CAAC,EAAE,gBAAgB,EAAE;QACtB,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;IAE7C,wDAAwD;IACxD,uCAAuC;IACvC,IAAI,gBAAgB,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC;QACxB,MAAM;QACN,UAAU;KACX,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC;QAChC,OAAO,EAAE,IAAI,iBAAiB,CAAC;YAC7B,IAAI,EAAE,YAAY;YAClB,gBAAgB,EAAE,IAAI,aAAa,EAAE;SACtC,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC;;;;;;;;;;;KAWG;IACH;+BAC6B;IAC7B;oCACkC;IAClC;iCAC+B;IAC/B;qCACmC;IACnC;qCACmC;IACnC;oCACkC;IAClC;mCACiC;IACjC;oCACkC;IAClC;;;;;;;;KAQG;IACH;kCACgC;IAChC;2CACyC;IACzC;sCACoC;IACpC;;;;;;;;;;KAUG;IACH;6DAC2D;IAC3D;4DAC0D;CAC3D,CAAC"}

package/dist/test/auth-chain.test.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Integration tests for the full authentication chain:
+ *   AuthService → createAuthFetchMiddleware → downstream handler
+ *
+ * These tests wire together the real AuthService and the real auth middleware
+ * to verify the end-to-end authentication contract that was previously
+ * implemented as Express middleware mutating req.user/req.admins/req.auth_enabled.
+ *
+ * @renown/sdk is mocked to avoid real JWT verification and network calls.
+ */
+export {};
+//# sourceMappingURL=auth-chain.test.d.ts.map

package/dist/test/auth-chain.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-chain.test.d.ts","sourceRoot":"","sources":["../../test/auth-chain.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/dist/test/auth-chain.test.js

@@ -0,0 +1,157 @@
+/**
+ * Integration tests for the full authentication chain:
+ *   AuthService → createAuthFetchMiddleware → downstream handler
+ *
+ * These tests wire together the real AuthService and the real auth middleware
+ * to verify the end-to-end authentication contract that was previously
+ * implemented as Express middleware mutating req.user/req.admins/req.auth_enabled.
+ *
+ * @renown/sdk is mocked to avoid real JWT verification and network calls.
+ */
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createAuthFetchMiddleware, getAuthContext, } from "../src/graphql/gateway/auth-middleware.js";
+import { AuthService } from "../src/services/auth.service.js";
+// ── mock @renown/sdk ───────────────────────────────────────────────────────────
+const mockVerifyAuthBearerToken = vi.fn();
+vi.mock("@renown/sdk", () => ({
+    verifyAuthBearerToken: (...args) => mockVerifyAuthBearerToken(...args),
+}));
+// ── fixtures ──────────────────────────────────────────────────────────────────
+const ADMINS = ["0xadmin"];
+function makeVerified(address = "0xuser", chainId = 1, networkId = "eip155") {
+    return {
+        verifiableCredential: {
+            credentialSubject: { address, chainId, networkId },
+        },
+        issuer: "did:ethr:0xapp",
+    };
+}
+function makeRequest(method = "POST", headers = {}) {
+    return new Request("http://localhost/graphql", { method, headers });
+}
+// ── tests ─────────────────────────────────────────────────────────────────────
+describe("Auth chain integration (AuthService → authFetchMiddleware → handler)", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    // ── auth enabled ─────────────────────────────────────────────────────────────
+    describe("when auth is enabled", () => {
+        const service = new AuthService({
+            enabled: true,
+            admins: ADMINS,
+            skipCredentialVerification: true,
+        });
+        function buildChain() {
+            const intercepted = [];
+            const next = vi.fn(async (req) => {
+                intercepted.push(req);
+                return new Response("handler ok", { status: 200 });
+            });
+            const handler = createAuthFetchMiddleware(service)(next);
+            return { handler, next, intercepted };
+        }
+        it("returns 401 without calling the handler when the token fails verification", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(false);
+            const { handler, next } = buildChain();
+            const res = await handler(makeRequest("POST", { authorization: "Bearer bad-token" }));
+            expect(res.status).toBe(401);
+            expect(next).not.toHaveBeenCalled();
+        });
+        it("returns 401 without calling the handler when verifyToken throws", async () => {
+            mockVerifyAuthBearerToken.mockRejectedValue(new Error("SDK error"));
+            const { handler, next } = buildChain();
+            const res = await handler(makeRequest("POST", { authorization: "Bearer broken" }));
+            expect(res.status).toBe(401);
+            expect(next).not.toHaveBeenCalled();
+        });
+        it("returns 401 without calling the handler when the verified credential is missing user fields", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue({
+                verifiableCredential: { credentialSubject: {} }, // no address/chainId/networkId
+                issuer: "did:ethr:0xapp",
+            });
+            const { handler, next } = buildChain();
+            const res = await handler(makeRequest("POST", { authorization: "Bearer incomplete" }));
+            expect(res.status).toBe(401);
+            expect(next).not.toHaveBeenCalled();
+        });
+        it("calls the handler and stores AuthContext with the authenticated user for a valid token", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(makeVerified("0xuser", 1, "eip155"));
+            const { handler, intercepted } = buildChain();
+            const req = makeRequest("POST", { authorization: "Bearer valid" });
+            const res = await handler(req);
+            expect(res.status).toBe(200);
+            expect(intercepted).toContain(req);
+            const ctx = getAuthContext(req);
+            expect(ctx?.user).toEqual({
+                address: "0xuser",
+                chainId: 1,
+                networkId: "eip155",
+            });
+            expect(ctx?.auth_enabled).toBe(true);
+            expect(ctx?.admins).toEqual(ADMINS);
+        });
+        it("passes OPTIONS requests through to the handler without token verification", async () => {
+            const { handler, intercepted } = buildChain();
+            const req = makeRequest("OPTIONS");
+            await handler(req);
+            expect(intercepted).toContain(req);
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+            const ctx = getAuthContext(req);
+            expect(ctx?.user).toBeUndefined();
+            expect(ctx?.auth_enabled).toBe(true);
+        });
+        it("passes GET requests through to the handler without token verification", async () => {
+            const { handler, intercepted } = buildChain();
+            const req = makeRequest("GET");
+            await handler(req);
+            expect(intercepted).toContain(req);
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+        });
+        it("passes anonymous POST requests through to the handler (no Authorization header)", async () => {
+            const { handler, intercepted } = buildChain();
+            const req = makeRequest("POST"); // no auth header
+            await handler(req);
+            expect(intercepted).toContain(req);
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+            const ctx = getAuthContext(req);
+            expect(ctx?.user).toBeUndefined();
+            expect(ctx?.auth_enabled).toBe(true);
+        });
+        it("stores the admin list in the AuthContext so callers can perform admin checks", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(makeVerified());
+            const { handler } = buildChain();
+            const req = makeRequest("POST", { authorization: "Bearer valid" });
+            await handler(req);
+            const ctx = getAuthContext(req);
+            expect(ctx?.admins).toContain("0xadmin");
+            expect(ctx?.admins).not.toContain("0xother");
+        });
+        it("does not store AuthContext when authentication fails (no WeakMap leak)", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(false);
+            const { handler } = buildChain();
+            const req = makeRequest("POST", { authorization: "Bearer bad" });
+            await handler(req);
+            expect(getAuthContext(req)).toBeUndefined();
+        });
+    });
+    // ── auth disabled ─────────────────────────────────────────────────────────────
+    describe("when auth is disabled", () => {
+        const service = new AuthService({ enabled: false, admins: ADMINS });
+        it("always calls the handler and sets auth_enabled=false, regardless of token", async () => {
+            const intercepted = [];
+            const next = vi.fn(async (req) => {
+                intercepted.push(req);
+                return new Response("ok");
+            });
+            const handler = createAuthFetchMiddleware(service)(next);
+            const req = makeRequest("POST", { authorization: "Bearer anything" });
+            await handler(req);
+            expect(intercepted).toContain(req);
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+            const ctx = getAuthContext(req);
+            expect(ctx?.auth_enabled).toBe(false);
+            expect(ctx?.user).toBeUndefined();
+        });
+    });
+});
+//# sourceMappingURL=auth-chain.test.js.map

package/dist/test/auth-chain.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-chain.test.js","sourceRoot":"","sources":["../../test/auth-chain.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EACL,yBAAyB,EACzB,cAAc,GACf,MAAM,2CAA2C,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAE9D,kFAAkF;AAElF,MAAM,yBAAyB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAE1C,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;IAC5B,qBAAqB,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAC5C,yBAAyB,CAAC,GAAG,IAAI,CAAC;CACrC,CAAC,CAAC,CAAC;AAEJ,iFAAiF;AAEjF,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,CAAC;AAE3B,SAAS,YAAY,CAAC,OAAO,GAAG,QAAQ,EAAE,OAAO,GAAG,CAAC,EAAE,SAAS,GAAG,QAAQ;IACzE,OAAO;QACL,oBAAoB,EAAE;YACpB,iBAAiB,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE;SACnD;QACD,MAAM,EAAE,gBAAgB;KACzB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,MAAM,GAAG,MAAM,EACf,UAAkC,EAAE;IAEpC,OAAO,IAAI,OAAO,CAAC,0BAA0B,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,iFAAiF;AAEjF,QAAQ,CAAC,sEAAsE,EAAE,GAAG,EAAE;IACpF,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,gFAAgF;IAEhF,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,MAAM;YACd,0BAA0B,EAAE,IAAI;SACjC,CAAC,CAAC;QAEH,SAAS,UAAU;YACjB,MAAM,WAAW,GAAc,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,GAAY,EAAE,EAAE;gBACxC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtB,OAAO,IAAI,QAAQ,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACrD,CAAC,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC;YACzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACxC,CAAC;QAED,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;YACzF,yBAAyB,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;YAEvC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,kBAAkB,EAAE,CAAC,CAC3D,CAAC;YAEF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;YAC/E,yBAAyB,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;YACpE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;YAEvC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CACxD,CAAC;YAEF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6FAA6F,EAAE,KAAK,IAAI,EAAE;YAC3G,yBAAyB,CAAC,iBAAiB,CAAC;gBAC1C,oBAAoB,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,EAAE,+BAA+B;gBAChF,MAAM,EAAE,gBAAgB;aACzB,CAAC,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;YAEvC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,mBAAmB,EAAE,CAAC,CAC5D,CAAC;YAEF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wFAAwF,EAAE,KAAK,IAAI,EAAE;YACtG,yBAAyB,CAAC,iBAAiB,CACzC,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,QAAQ,CAAC,CACpC,CAAC;YACF,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE,CAAC;YAE9C,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC,CAAC;YACnE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAE/B,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC;gBACxB,OAAO,EAAE,QAAQ;gBACjB,OAAO,EAAE,CAAC;gBACV,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;YACzF,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE,CAAC;YAE9C,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACzD,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;YACrF,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE,CAAC;YAE9C,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iFAAiF,EAAE,KAAK,IAAI,EAAE;YAC/F,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE,CAAC;YAE9C,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB;YAClD,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACzD,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;YAC5F,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,EAAE,CAAC;YAEjC,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC,CAAC;YACnE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACzC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACtF,yBAAyB,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,EAAE,CAAC;YAEjC,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC;YACjE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,iFAAiF;IAEjF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAEpE,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;YACzF,MAAM,WAAW,GAAc,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,GAAY,EAAE,EAAE;gBACxC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtB,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC;YAEzD,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACtE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnB,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACzD,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/test/auth.service.test.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Unit tests for AuthService.authenticateRequest().
+ *
+ * verifyAuthBearerToken is mocked at the module level so tests run without
+ * real JWT verification or network calls. skipCredentialVerification=true is
+ * used on tests that only care about token verification, to avoid the Renown
+ * API fetch inside verifyCredentialExists().
+ */
+export {};
+//# sourceMappingURL=auth.service.test.d.ts.map

package/dist/test/auth.service.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.test.d.ts","sourceRoot":"","sources":["../../test/auth.service.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/test/auth.service.test.js

@@ -0,0 +1,141 @@
+/**
+ * Unit tests for AuthService.authenticateRequest().
+ *
+ * verifyAuthBearerToken is mocked at the module level so tests run without
+ * real JWT verification or network calls. skipCredentialVerification=true is
+ * used on tests that only care about token verification, to avoid the Renown
+ * API fetch inside verifyCredentialExists().
+ */
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { AuthService } from "../src/services/auth.service.js";
+// ─── mock @renown/sdk ─────────────────────────────────────────────────────────
+const mockVerifyAuthBearerToken = vi.fn();
+vi.mock("@renown/sdk", () => ({
+    verifyAuthBearerToken: (...args) => mockVerifyAuthBearerToken(...args),
+}));
+// ─── fixtures ─────────────────────────────────────────────────────────────────
+const ADMINS = ["0xadmin1", "0xadmin2"];
+/** A minimal verified-credential shape that AuthService.extractUserFromVerification() accepts. */
+function makeVerified(address = "0xuser", chainId = 1, networkId = "eip155") {
+    return {
+        verifiableCredential: {
+            credentialSubject: { address, chainId, networkId },
+        },
+        issuer: "did:ethr:0xapp",
+    };
+}
+function makeRequest(method = "POST", headers = {}) {
+    return new Request("http://localhost/graphql", { method, headers });
+}
+// ─── tests ────────────────────────────────────────────────────────────────────
+describe("AuthService.authenticateRequest()", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    // ── auth disabled ───────────────────────────────────────────────────────────
+    describe("when auth is disabled", () => {
+        it("returns an AuthContext with auth_enabled=false regardless of method or token", async () => {
+            const service = new AuthService({ enabled: false, admins: ADMINS });
+            const ctx = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer token" }));
+            expect(ctx).toEqual({ user: undefined, admins: [], auth_enabled: false });
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+        });
+    });
+    // ── passthrough methods ─────────────────────────────────────────────────────
+    describe("when auth is enabled", () => {
+        const service = new AuthService({
+            enabled: true,
+            admins: ADMINS,
+            skipCredentialVerification: true,
+        });
+        it("passes OPTIONS requests through without verification", async () => {
+            const result = await service.authenticateRequest(makeRequest("OPTIONS"));
+            expect(result).toEqual({
+                user: undefined,
+                admins: ADMINS,
+                auth_enabled: true,
+            });
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+        });
+        it("passes GET requests through without verification", async () => {
+            const result = await service.authenticateRequest(makeRequest("GET"));
+            expect(result).toEqual({
+                user: undefined,
+                admins: ADMINS,
+                auth_enabled: true,
+            });
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+        });
+        it("passes POST requests with no Authorization header through (anonymous reads allowed)", async () => {
+            const result = await service.authenticateRequest(makeRequest("POST"));
+            expect(result).toEqual({
+                user: undefined,
+                admins: ADMINS,
+                auth_enabled: true,
+            });
+            expect(mockVerifyAuthBearerToken).not.toHaveBeenCalled();
+        });
+        // ── token verification ──────────────────────────────────────────────────
+        it("returns a 401 Response when token verification returns false", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(false);
+            const result = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer bad-token" }));
+            expect(result).toBeInstanceOf(Response);
+            expect(result.status).toBe(401);
+            const body = (await result.json());
+            expect(body.error).toBe("Verification failed");
+        });
+        it("returns a 401 Response when the verified credential has missing fields", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue({
+                verifiableCredential: { credentialSubject: {} }, // no address/chainId/networkId
+                issuer: "did:ethr:0xapp",
+            });
+            const result = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer incomplete-token" }));
+            expect(result).toBeInstanceOf(Response);
+            expect(result.status).toBe(401);
+            const body = (await result.json());
+            expect(body.error).toBe("Missing credentials");
+        });
+        it("returns a 401 Response when verifyToken throws", async () => {
+            mockVerifyAuthBearerToken.mockRejectedValue(new Error("SDK failure"));
+            const result = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer broken-token" }));
+            expect(result).toBeInstanceOf(Response);
+            expect(result.status).toBe(401);
+            const body = (await result.json());
+            expect(body.error).toBe("Authentication failed");
+        });
+        it("returns an AuthContext with the authenticated user when token is valid", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(makeVerified("0xuser", 1, "eip155"));
+            const result = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer valid-token" }));
+            expect(result).toEqual({
+                user: { address: "0xuser", chainId: 1, networkId: "eip155" },
+                admins: ADMINS,
+                auth_enabled: true,
+            });
+        });
+        it("extracts the Bearer token from the Authorization header", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(makeVerified());
+            await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer my-secret-token" }));
+            expect(mockVerifyAuthBearerToken).toHaveBeenCalledWith("my-secret-token");
+        });
+    });
+    // ── credential verification (Renown API) ────────────────────────────────────
+    describe("credential existence check", () => {
+        it("returns 401 when the credential no longer exists on the Renown API", async () => {
+            mockVerifyAuthBearerToken.mockResolvedValue(makeVerified("0xuser", 1));
+            // Mock global fetch to simulate Renown API returning a non-200 or bad body
+            const fetchSpy = vi
+                .spyOn(globalThis, "fetch")
+                .mockRejectedValue(new Error("network error"));
+            const service = new AuthService({
+                enabled: true,
+                admins: ADMINS,
+                skipCredentialVerification: false,
+            });
+            const result = await service.authenticateRequest(makeRequest("POST", { authorization: "Bearer token" }));
+            expect(result).toBeInstanceOf(Response);
+            expect(result.status).toBe(401);
+            fetchSpy.mockRestore();
+        });
+    });
+});
+//# sourceMappingURL=auth.service.test.js.map

package/dist/test/auth.service.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.test.js","sourceRoot":"","sources":["../../test/auth.service.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAE9D,iFAAiF;AAEjF,MAAM,yBAAyB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAE1C,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;IAC5B,qBAAqB,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAC5C,yBAAyB,CAAC,GAAG,IAAI,CAAC;CACrC,CAAC,CAAC,CAAC;AAEJ,iFAAiF;AAEjF,MAAM,MAAM,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;AAExC,kGAAkG;AAClG,SAAS,YAAY,CAAC,OAAO,GAAG,QAAQ,EAAE,OAAO,GAAG,CAAC,EAAE,SAAS,GAAG,QAAQ;IACzE,OAAO;QACL,oBAAoB,EAAE;YACpB,iBAAiB,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE;SACnD;QACD,MAAM,EAAE,gBAAgB;KACzB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,MAAM,GAAG,MAAM,EACf,UAAkC,EAAE;IAEpC,OAAO,IAAI,OAAO,CAAC,0BAA0B,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,iFAAiF;AAEjF,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;YAC5F,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YAEpE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC3C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC,CACvD,CAAC;YAEF,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;YAC1E,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,MAAM;YACd,0BAA0B,EAAE,IAAI;SACjC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;YAEzE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,MAAM;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;YACH,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;YAChE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;YAErE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,MAAM;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;YACH,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;YACnG,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;YAEtE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,MAAM;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;YACH,MAAM,CAAC,yBAAyB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,2EAA2E;QAE3E,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;YAC5E,yBAAyB,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAEnD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC9C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,kBAAkB,EAAE,CAAC,CAC3D,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAE,MAAmB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,CAAC,MAAO,MAAmB,CAAC,IAAI,EAAE,CAAsB,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACtF,yBAAyB,CAAC,iBAAiB,CAAC;gBAC1C,oBAAoB,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,EAAE,+BAA+B;gBAChF,MAAM,EAAE,gBAAgB;aACzB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC9C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,yBAAyB,EAAE,CAAC,CAClE,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAE,MAAmB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,CAAC,MAAO,MAAmB,CAAC,IAAI,EAAE,CAAsB,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,yBAAyB,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC;YAEtE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC9C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE,CAAC,CAC9D,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAE,MAAmB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,CAAC,MAAO,MAAmB,CAAC,IAAI,EAAE,CAAsB,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACtF,yBAAyB,CAAC,iBAAiB,CACzC,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,QAAQ,CAAC,CACpC,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC9C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,oBAAoB,EAAE,CAAC,CAC7D,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,IAAI,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE;gBAC5D,MAAM,EAAE,MAAM;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE,CAAC,CAAC;YAE5D,MAAM,OAAO,CAAC,mBAAmB,CAC/B,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,wBAAwB,EAAE,CAAC,CACjE,CAAC;YAEF,MAAM,CAAC,yBAAyB,CAAC,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;YAEvE,2EAA2E;YAC3E,MAAM,QAAQ,GAAG,EAAE;iBAChB,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC;iBAC1B,iBAAiB,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;YAEjD,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;gBAC9B,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,MAAM;gBACd,0BAA0B,EAAE,KAAK;aAClC,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAC9C,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC,CACvD,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAE,MAAmB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAE9C,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/test/authorization.service.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=authorization.service.test.d.ts.map

package/dist/test/authorization.service.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.service.test.d.ts","sourceRoot":"","sources":["../../test/authorization.service.test.ts"],"names":[],"mappings":""}

package/dist/test/authorization.service.test.js

@@ -0,0 +1,252 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { AuthorizationService } from "../src/services/authorization.service.js";
+describe("AuthorizationService", () => {
+    let service;
+    let mockPermissionService;
+    const getParentIds = vi.fn().mockResolvedValue([]);
+    beforeEach(() => {
+        vi.clearAllMocks();
+        mockPermissionService = {
+            isDocumentProtected: vi.fn().mockResolvedValue(false),
+            isProtectedWithAncestors: vi.fn().mockResolvedValue(false),
+            getDocumentOwner: vi.fn().mockResolvedValue(null),
+            canRead: vi.fn().mockResolvedValue(false),
+            canWrite: vi.fn().mockResolvedValue(false),
+            canReadDocument: vi.fn().mockResolvedValue(false),
+            canWriteDocument: vi.fn().mockResolvedValue(false),
+            canManageDocument: vi.fn().mockResolvedValue(false),
+            isOperationRestricted: vi.fn().mockResolvedValue(false),
+            canExecuteOperation: vi.fn().mockResolvedValue(false),
+        };
+        service = new AuthorizationService(mockPermissionService, { admins: ["0xadmin"], defaultProtection: false });
+    });
+    describe("isSupremeAdmin", () => {
+        it("should return true for admin address", () => {
+            expect(service.isSupremeAdmin("0xadmin")).toBe(true);
+        });
+        it("should return true case-insensitively", () => {
+            expect(service.isSupremeAdmin("0xADMIN")).toBe(true);
+        });
+        it("should return false for non-admin", () => {
+            expect(service.isSupremeAdmin("0xuser")).toBe(false);
+        });
+        it("should return false for undefined", () => {
+            expect(service.isSupremeAdmin(undefined)).toBe(false);
+        });
+    });
+    describe("canRead", () => {
+        it("should allow supreme admin", async () => {
+            const result = await service.canRead("doc-1", "0xadmin");
+            expect(result).toBe(true);
+            expect(mockPermissionService.isDocumentProtected).not.toHaveBeenCalled();
+        });
+        it("should allow anonymous read on unprotected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canRead("doc-1", undefined);
+            expect(result).toBe(true);
+        });
+        it("should allow authenticated read on unprotected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canRead("doc-1", "0xuser");
+            expect(result).toBe(true);
+        });
+        it("should deny anonymous read on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            const result = await service.canRead("doc-1", undefined);
+            expect(result).toBe(false);
+        });
+        it("should allow owner read on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue("0xowner");
+            const result = await service.canRead("doc-1", "0xowner");
+            expect(result).toBe(true);
+        });
+        it("should check grants for protected document when user is not owner", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue("0xother");
+            vi.mocked(mockPermissionService.canReadDocument).mockResolvedValue(true);
+            const result = await service.canRead("doc-1", "0xuser");
+            expect(result).toBe(true);
+            expect(mockPermissionService.canReadDocument).toHaveBeenCalledWith("doc-1", "0xuser");
+        });
+        it("should deny read when no grant on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canReadDocument).mockResolvedValue(false);
+            const result = await service.canRead("doc-1", "0xuser");
+            expect(result).toBe(false);
+        });
+        it("should use hierarchy check when getParentIds is provided", async () => {
+            vi.mocked(mockPermissionService.isProtectedWithAncestors).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canRead).mockResolvedValue(true);
+            const result = await service.canRead("doc-1", "0xuser", getParentIds);
+            expect(result).toBe(true);
+            expect(mockPermissionService.isProtectedWithAncestors).toHaveBeenCalledWith("doc-1", getParentIds);
+            expect(mockPermissionService.canRead).toHaveBeenCalledWith("doc-1", "0xuser", getParentIds);
+        });
+    });
+    describe("canWrite", () => {
+        it("should allow supreme admin", async () => {
+            const result = await service.canWrite("doc-1", "0xadmin");
+            expect(result).toBe(true);
+        });
+        it("should allow anonymous write on unprotected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canWrite("doc-1", undefined);
+            expect(result).toBe(true);
+        });
+        it("should allow authenticated write on unprotected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canWrite("doc-1", "0xuser");
+            expect(result).toBe(true);
+        });
+        it("should deny anonymous write on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            const result = await service.canWrite("doc-1", undefined);
+            expect(result).toBe(false);
+        });
+        it("should deny authenticated write on protected document without grant", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canWriteDocument).mockResolvedValue(false);
+            const result = await service.canWrite("doc-1", "0xuser");
+            expect(result).toBe(false);
+        });
+        it("should allow owner write on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue("0xowner");
+            const result = await service.canWrite("doc-1", "0xowner");
+            expect(result).toBe(true);
+        });
+        it("should allow write with WRITE grant on protected document", async () => {
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canWriteDocument).mockResolvedValue(true);
+            const result = await service.canWrite("doc-1", "0xuser");
+            expect(result).toBe(true);
+        });
+    });
+    describe("canManage", () => {
+        it("should allow supreme admin", async () => {
+            const result = await service.canManage("doc-1", "0xadmin");
+            expect(result).toBe(true);
+        });
+        it("should deny unauthenticated", async () => {
+            const result = await service.canManage("doc-1", undefined);
+            expect(result).toBe(false);
+        });
+        it("should allow owner", async () => {
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue("0xowner");
+            const result = await service.canManage("doc-1", "0xowner");
+            expect(result).toBe(true);
+        });
+        it("should allow user with ADMIN grant", async () => {
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canManageDocument).mockResolvedValue(true);
+            const result = await service.canManage("doc-1", "0xuser");
+            expect(result).toBe(true);
+        });
+        it("should deny user without ADMIN grant", async () => {
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canManageDocument).mockResolvedValue(false);
+            const result = await service.canManage("doc-1", "0xuser");
+            expect(result).toBe(false);
+        });
+    });
+    describe("canExecuteOperation", () => {
+        it("should allow supreme admin", async () => {
+            const result = await service.canExecuteOperation("doc-1", "SET_NAME", "0xadmin");
+            expect(result).toBe(true);
+        });
+        it("should fall through to write check for unrestricted operations", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(false);
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canExecuteOperation("doc-1", "SET_NAME", "0xuser");
+            expect(result).toBe(true); // unprotected + authenticated = write allowed
+        });
+        it("should check operation grant for restricted operations", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(true);
+            const result = await service.canExecuteOperation("doc-1", "SPECIAL_OP", "0xuser");
+            expect(result).toBe(true);
+            expect(mockPermissionService.canExecuteOperation).toHaveBeenCalledWith("doc-1", "SPECIAL_OP", "0xuser");
+        });
+        it("should deny when restricted and no operation grant", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(false);
+            const result = await service.canExecuteOperation("doc-1", "SPECIAL_OP", "0xuser");
+            expect(result).toBe(false);
+        });
+    });
+    describe("canMutate", () => {
+        it("should allow supreme admin", async () => {
+            const result = await service.canMutate("doc-1", "SET_NAME", "0xadmin");
+            expect(result).toBe(true);
+        });
+        it("should allow write for unrestricted operations", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(false);
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canMutate("doc-1", "SET_NAME", "0xuser");
+            expect(result).toBe(true);
+        });
+        it("should allow READ-only user with operation grant for restricted ops", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(true);
+            // Even if user only has READ permission, the operation grant should suffice
+            const result = await service.canMutate("doc-1", "SPECIAL_OP", "0xreadonly");
+            expect(result).toBe(true);
+        });
+        it("should deny when restricted and no operation grant", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(false);
+            const result = await service.canMutate("doc-1", "SPECIAL_OP", "0xuser");
+            expect(result).toBe(false);
+        });
+        it("should allow anonymous for unrestricted operations on unprotected doc", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(false);
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(false);
+            const result = await service.canMutate("doc-1", "SET_NAME", undefined);
+            expect(result).toBe(true);
+        });
+        it("should deny anonymous for unrestricted operations on protected doc", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(false);
+            vi.mocked(mockPermissionService.isDocumentProtected).mockResolvedValue(true);
+            const result = await service.canMutate("doc-1", "SET_NAME", undefined);
+            expect(result).toBe(false);
+        });
+    });
+    describe("Address normalization", () => {
+        it("should normalize address in canExecuteOperation for restricted ops", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(true);
+            await service.canExecuteOperation("doc-1", "SPECIAL_OP", "0xMixedCase");
+            expect(mockPermissionService.canExecuteOperation).toHaveBeenCalledWith("doc-1", "SPECIAL_OP", "0xmixedcase");
+        });
+        it("should normalize address in canMutate for restricted ops", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(true);
+            await service.canMutate("doc-1", "SPECIAL_OP", "0xMixedCase");
+            expect(mockPermissionService.canExecuteOperation).toHaveBeenCalledWith("doc-1", "SPECIAL_OP", "0xmixedcase");
+        });
+        it("should handle undefined address in canExecuteOperation", async () => {
+            vi.mocked(mockPermissionService.isOperationRestricted).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.canExecuteOperation).mockResolvedValue(false);
+            const result = await service.canExecuteOperation("doc-1", "SPECIAL_OP", undefined);
+            expect(result).toBe(false);
+            expect(mockPermissionService.canExecuteOperation).toHaveBeenCalledWith("doc-1", "SPECIAL_OP", undefined);
+        });
+    });
+    describe("Protection inheritance", () => {
+        it("should treat document as protected when parent is protected", async () => {
+            // Document itself is not protected, but parent is
+            vi.mocked(mockPermissionService.isProtectedWithAncestors).mockResolvedValue(true);
+            vi.mocked(mockPermissionService.getDocumentOwner).mockResolvedValue(null);
+            vi.mocked(mockPermissionService.canRead).mockResolvedValue(false);
+            const result = await service.canRead("doc-1", "0xuser", getParentIds);
+            expect(result).toBe(false);
+            expect(mockPermissionService.isProtectedWithAncestors).toHaveBeenCalledWith("doc-1", getParentIds);
+        });
+    });
+});
+//# sourceMappingURL=authorization.service.test.js.map