npm - @ramonclaudio/create-vexpo - Versions diffs - 0.1.0 → 0.1.2 - Mend

@ramonclaudio/create-vexpo 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/dist/templates/default/__tests__/convex/_auth-harness.test.ts ADDED Viewed

@@ -0,0 +1,112 @@
+/// <reference types="vite/client" />
+/**
+ * Authenticated convexTest harness.
+ *
+ * Proves we can drive the authed Convex functions (authMutation/authQuery)
+ * end to end under convex-test by seeding a Better Auth session + user and
+ * setting a matching identity.
+ *
+ * How auth resolves (convex/auth.ts -> @convex-dev/better-auth):
+ *   safeGetAuthUser(ctx):
+ *     1. identity = ctx.auth.getUserIdentity()            (root ctx)
+ *     2. component.adapter.findOne(session) where
+ *          _id == identity.sessionId AND expiresAt > now  (betterAuth db)
+ *     3. component.adapter.findOne(user) where
+ *          _id == identity.subject                        (betterAuth db)
+ *   Both findOne calls resolve `_id` via ctx.db.get(value), so the values
+ *   MUST be the REAL component doc ids we seed. Then auth.ts looks up the app
+ *   `users` row by index "authId" == authUser._id.
+ *
+ * So three rows + one identity:
+ *   - betterAuth `user`    (real id -> identity.subject)
+ *   - betterAuth `session` (real id -> identity.sessionId, expiresAt future)
+ *   - app `users`          (authId == betterAuth user id)
+ */
+import { ConvexError } from "convex/values";
+import { describe, expect, test } from "vitest";
+import { api } from "@/convex/_generated/api";
+import { identityFor, initConvexTest, seedAuthedUser } from "./_harness";
+describe("authenticated convexTest harness", () => {
+  test("baseline: an unauthed public query still works", async () => {
+    const t = initConvexTest();
+    const providers = await t.query(api.auth.getEnabledProviders, {});
+    expect(providers).toMatchObject({ apple: expect.any(Boolean) });
+  });
+  test("getMe returns the seeded user when authenticated", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId, name, email } = await seedAuthedUser(t, {
+      name: "Grace Hopper",
+      email: "grace@example.com",
+    });
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const me = await asUser.query(api.users.getMe, {});
+    expect(me).not.toBeNull();
+    expect(me!._id).toBe(appUserId);
+    expect(me!.authUserId).toBe(authUserId);
+    expect(me!.name).toBe(name); // merged from better-auth user record
+    expect(me!.email).toBe(email);
+    expect(me!.emailVerified).toBe(true);
+  });
+  test("getMe returns null when unauthenticated", async () => {
+    const t = initConvexTest();
+    await seedAuthedUser(t); // data exists, but we call without identity
+    const me = await t.query(api.users.getMe, {});
+    expect(me).toBeNull();
+  });
+  test("updateProfile writes bio to the real app users row", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const returnedId = await asUser.mutation(api.users.updateProfile, {
+      bio: "Countess of computing.",
+    });
+    expect(returnedId).toBe(appUserId);
+    // Assert the REAL DB effect, read straight from the users table.
+    const row = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(row?.bio).toBe("Countess of computing.");
+    // And it surfaces through the authed read path too.
+    const me = await asUser.query(api.users.getMe, {});
+    expect(me!.bio).toBe("Countess of computing.");
+  });
+  test("authMutation throws ConvexError when unauthenticated", async () => {
+    const t = initConvexTest();
+    await expect(t.mutation(api.users.updateProfile, { bio: "nope" })).rejects.toThrowError(
+      ConvexError,
+    );
+  });
+  // The next two prove the harness genuinely traverses the Better Auth
+  // session lookup (expiresAt > now, _id == sessionId) rather than short
+  // circuiting on identity.subject alone.
+  test("expired session resolves to no user (getMe null)", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId } = await seedAuthedUser(t, {
+      expiresAt: Date.now() - 1000, // already expired
+    });
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    expect(await asUser.query(api.users.getMe, {})).toBeNull();
+  });
+  test("identity with a bogus sessionId resolves to no user", async () => {
+    const t = initConvexTest();
+    const { authUserId } = await seedAuthedUser(t);
+    // Real user/session exist, but the identity points at a session id that
+    // isn't in the table. safeGetAuthUser's session findOne returns null.
+    const asUser = t.withIdentity(identityFor(authUserId, "nonexistent_session_id"));
+    expect(await asUser.query(api.users.getMe, {})).toBeNull();
+  });
+});

package/dist/templates/default/__tests__/convex/_harness.ts ADDED Viewed

@@ -0,0 +1,132 @@
+/// <reference types="vite/client" />
+/**
+ * Shared convexTest harness for the authed Convex functions.
+ *
+ * Auth chain: authMutation -> requireAuthenticatedUser -> safeGetAuthUser, which
+ * reads the @convex-dev/better-auth component (a `session` by _id whose
+ * `expiresAt` is in the future, then a `user` by _id == identity.subject) and
+ * the mirrored app `users` row (by `authId`). So an authenticated call needs a
+ * component user + unexpired session (we capture their REAL ids), a `users` row
+ * keyed by that authId, and an identity whose `subject`/`sessionId` match.
+ *
+ * convex-test exposes `runInComponent` (to seed component tables) at runtime but
+ * not in its public types; `AuthedTest` narrows it back so callers stay typed.
+ */
+import { register as registerBetterAuth } from "@convex-dev/better-auth/test";
+import { register as registerRateLimiter } from "@convex-dev/rate-limiter/test";
+import { convexTest } from "convex-test";
+import type { Id } from "@/convex/_generated/dataModel";
+import schema from "@/convex/schema";
+const rootModules = import.meta.glob("../../convex/**/*.ts");
+type SeedCtx = { db: { insert: (table: string, doc: Record<string, unknown>) => Promise<string> } };
+// Derive the schema-typed TestConvex from a real convexTest(schema) call, so
+// `t.run` ctx.db is typed to the app schema. `ReturnType<typeof convexTest>`
+// alone falls back to the empty default schema.
+function baseConvexTest() {
+  return convexTest(schema, rootModules);
+}
+export type AuthedTest = ReturnType<typeof baseConvexTest> & {
+  runInComponent: <T>(component: string, fn: (ctx: SeedCtx) => Promise<T>) => Promise<T>;
+};
+/** convexTest with the components the authed functions cross (better-auth, rate-limiter). */
+export function initConvexTest(): AuthedTest {
+  const t = baseConvexTest();
+  registerBetterAuth(t);
+  registerRateLimiter(t);
+  return t as AuthedTest;
+}
+const SEVEN_DAYS = 7 * 24 * 60 * 60 * 1000;
+let seq = 0;
+export type SeededUser = {
+  authUserId: string;
+  sessionId: string;
+  appUserId: Id<"users">;
+  name: string;
+  email: string;
+};
+/**
+ * Seed a Better Auth user + unexpired session and the mirrored app `users` row.
+ * Pass `deletedAt` to tombstone the app row, `expiresAt` (in the past) to test
+ * an expired session, or `name`/`email` to assert specific identity fields.
+ */
+export async function seedAuthedUser(
+  t: AuthedTest,
+  overrides: { deletedAt?: number; name?: string; email?: string; expiresAt?: number } = {},
+): Promise<SeededUser> {
+  const now = Date.now();
+  const name = overrides.name ?? "Ada Lovelace";
+  const email = overrides.email ?? `user${++seq}@example.com`;
+  const { authUserId, sessionId } = await t.runInComponent("betterAuth", async (ctx) => {
+    const userId = await ctx.db.insert("user", {
+      name,
+      email,
+      emailVerified: true,
+      createdAt: now,
+      updatedAt: now,
+    });
+    const session = await ctx.db.insert("session", {
+      userId,
+      token: `tok_${userId}`,
+      expiresAt: overrides.expiresAt ?? now + SEVEN_DAYS,
+      createdAt: now,
+      updatedAt: now,
+    });
+    return { authUserId: userId, sessionId: session };
+  });
+  const appUserId = await t.run(async (ctx) =>
+    ctx.db.insert("users", {
+      authId: authUserId,
+      createdAt: now,
+      updatedAt: now,
+      deletedAt: overrides.deletedAt,
+    }),
+  );
+  return { authUserId, sessionId, appUserId, name, email };
+}
+/** Identity for `t.withIdentity(...)` matching a seeded user's component ids. */
+export function identityFor(authUserId: string, sessionId: string) {
+  return {
+    subject: authUserId,
+    sessionId,
+    issuer: "https://convex.test",
+    tokenIdentifier: `https://convex.test|${authUserId}`,
+  };
+}
+/** Account-deletion audit rows for one app user, oldest first. */
+export async function auditRowsFor(t: AuthedTest, userId: Id<"users">) {
+  return t.run(async (ctx) =>
+    ctx.db
+      .query("accountDeletionAudit")
+      .withIndex("by_user", (q) => q.eq("userId", userId))
+      .collect(),
+  );
+}
+/**
+ * Better Auth component `session` rows for one auth user. `runInComponent`
+ * exposes a real ctx but its public type only narrows `db.insert`, so cast to
+ * read; filtering in JS avoids depending on the component's index names.
+ */
+export async function componentSessionsFor(t: AuthedTest, authUserId: string) {
+  return t.runInComponent("betterAuth", async (ctx) => {
+    const db = ctx.db as unknown as {
+      query: (table: string) => { collect: () => Promise<Array<{ userId: string }>> };
+    };
+    const all = await db.query("session").collect();
+    return all.filter((s) => s.userId === authUserId);
+  });
+}

package/dist/templates/default/__tests__/convex/appAttest.test.ts ADDED Viewed

@@ -0,0 +1,172 @@
+import { createHash, generateKeyPairSync, sign as nodeSign, type KeyObject } from "node:crypto";
+import { encode as cborEncode } from "cbor-x";
+import { describe, expect, test } from "vitest";
+import { verifyAssertionBytes, verifyAttestationBytes } from "@/convex/appAttest";
+describe("verifyAttestationBytes", () => {
+  test("rejects non-Apple fmt", () => {
+    const bogus = cborEncode({ fmt: "fido-u2f", attStmt: {}, authData: Buffer.alloc(0) });
+    expect(() =>
+      verifyAttestationBytes({
+        keyId: "ignored",
+        attestation: bogus,
+        challenge: "c",
+        bundleId: "com.example",
+        teamId: "AAAAA12345",
+        environment: "development",
+      }),
+    ).toThrow(/unexpected fmt/);
+  });
+  test("rejects missing x5c", () => {
+    const bogus = cborEncode({ fmt: "apple-appattest", attStmt: {}, authData: Buffer.alloc(0) });
+    expect(() =>
+      verifyAttestationBytes({
+        keyId: "ignored",
+        attestation: bogus,
+        challenge: "c",
+        bundleId: "com.example",
+        teamId: "AAAAA12345",
+        environment: "development",
+      }),
+    ).toThrow(/missing x5c or authData/);
+  });
+  test("rejects single-cert chain", () => {
+    const bogus = cborEncode({
+      fmt: "apple-appattest",
+      attStmt: { x5c: [Buffer.alloc(8)] },
+      authData: Buffer.alloc(64),
+    });
+    expect(() =>
+      verifyAttestationBytes({
+        keyId: "ignored",
+        attestation: bogus,
+        challenge: "c",
+        bundleId: "com.example",
+        teamId: "AAAAA12345",
+        environment: "development",
+      }),
+    ).toThrow(/missing x5c or authData/);
+  });
+});
+describe("verifyAssertionBytes", () => {
+  test("rejects missing signature", () => {
+    const bogus = cborEncode({ authenticatorData: Buffer.alloc(37) });
+    expect(() =>
+      verifyAssertionBytes({
+        assertion: bogus,
+        payload: "p",
+        bundleId: "com.example",
+        teamId: "AAAAA12345",
+        publicKey: Buffer.alloc(0),
+        storedCounter: 0,
+      }),
+    ).toThrow(/missing signature/);
+  });
+  test("rejects missing authenticatorData", () => {
+    const bogus = cborEncode({ signature: Buffer.alloc(64) });
+    expect(() =>
+      verifyAssertionBytes({
+        assertion: bogus,
+        payload: "p",
+        bundleId: "com.example",
+        teamId: "AAAAA12345",
+        publicKey: Buffer.alloc(0),
+        storedCounter: 0,
+      }),
+    ).toThrow(/missing signature or authenticatorData/);
+  });
+});
+// The real verification core (ECDSA signature, counter monotonicity, rpIdHash)
+// was previously unreached: every test above only hit the CBOR early-guards. A
+// genuine signed round-trip exercises it, so a regression that inverts the
+// counter check or short-circuits the signature verify can't slip through.
+const sha256 = (b: Buffer) => createHash("sha256").update(b).digest();
+function makeAuthData(teamId: string, bundleId: string, counter: number): Buffer {
+  const rpIdHash = sha256(Buffer.from(`${teamId}.${bundleId}`, "utf8"));
+  const flags = Buffer.from([0x00]);
+  const counterBuf = Buffer.alloc(4);
+  counterBuf.writeUInt32BE(counter);
+  return Buffer.concat([rpIdHash, flags, counterBuf]); // 37 bytes, no credential block
+}
+// Mirror the device: sign over sha256(authData || sha256(payload)) with the
+// digest passed directly (algorithm null), matching the server's verify(null, …).
+function signAssertion(privateKey: KeyObject, authData: Buffer, payload: string): Buffer {
+  const hashedData = sha256(Buffer.concat([authData, sha256(Buffer.from(payload, "utf8"))]));
+  const signature = nodeSign(null, hashedData, privateKey);
+  return cborEncode({ signature, authenticatorData: authData });
+}
+describe("verifyAssertionBytes (signature + counter + rpIdHash)", () => {
+  const TEAM_ID = "AAAAA12345";
+  const BUNDLE_ID = "com.example.app";
+  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
+  const publicKeyDer = publicKey.export({ type: "spki", format: "der" }) as Buffer;
+  test("accepts a valid assertion and returns the new counter", () => {
+    const authData = makeAuthData(TEAM_ID, BUNDLE_ID, 5);
+    const assertion = signAssertion(privateKey, authData, "request-payload");
+    const counter = verifyAssertionBytes({
+      assertion,
+      payload: "request-payload",
+      bundleId: BUNDLE_ID,
+      teamId: TEAM_ID,
+      publicKey: publicKeyDer,
+      storedCounter: 0,
+    });
+    expect(counter).toBe(5);
+  });
+  test("rejects when the payload differs from what was signed", () => {
+    const authData = makeAuthData(TEAM_ID, BUNDLE_ID, 5);
+    const assertion = signAssertion(privateKey, authData, "original-payload");
+    expect(() =>
+      verifyAssertionBytes({
+        assertion,
+        payload: "tampered-payload",
+        bundleId: BUNDLE_ID,
+        teamId: TEAM_ID,
+        publicKey: publicKeyDer,
+        storedCounter: 0,
+      }),
+    ).toThrow(/signature failed verification/);
+  });
+  test("rejects a replayed counter (not strictly greater than stored)", () => {
+    const authData = makeAuthData(TEAM_ID, BUNDLE_ID, 3);
+    const assertion = signAssertion(privateKey, authData, "p");
+    expect(() =>
+      verifyAssertionBytes({
+        assertion,
+        payload: "p",
+        bundleId: BUNDLE_ID,
+        teamId: TEAM_ID,
+        publicKey: publicKeyDer,
+        storedCounter: 5,
+      }),
+    ).toThrow(/not strictly greater/);
+  });
+  test("rejects an rpIdHash that doesn't match TEAM_ID.BUNDLE_ID", () => {
+    const authData = makeAuthData("WRONG00000", "com.wrong.app", 5);
+    const assertion = signAssertion(privateKey, authData, "p");
+    expect(() =>
+      verifyAssertionBytes({
+        assertion,
+        payload: "p",
+        bundleId: BUNDLE_ID,
+        teamId: TEAM_ID,
+        publicKey: publicKeyDer,
+        storedCounter: 0,
+      }),
+    ).toThrow(/rpIdHash mismatch/);
+  });
+});

package/dist/templates/default/__tests__/convex/appAttestStore.test.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/// <reference types="vite/client" />
+/**
+ * convexTest coverage for `appAttestStore.consumeChallenge`, the App Attest
+ * replay guard. It returns true only the first time a known, unexpired nonce is
+ * seen, marking it consumed atomically so a captured nonce can't be replayed.
+ * Drop the `row.used` check and a replayed nonce verifies forever.
+ */
+import { describe, expect, test } from "vitest";
+import { internal } from "@/convex/_generated/api";
+import { initConvexTest } from "./_harness";
+describe("appAttestStore.consumeChallenge", () => {
+  test("single-use: first consume succeeds, second fails", async () => {
+    const t = initConvexTest();
+    const now = Date.now();
+    await t.mutation(internal.appAttestStore.createChallenge, {
+      nonce: "n1",
+      expiresAt: now + 60_000,
+    });
+    expect(await t.mutation(internal.appAttestStore.consumeChallenge, { nonce: "n1", now })).toBe(
+      true,
+    );
+    expect(await t.mutation(internal.appAttestStore.consumeChallenge, { nonce: "n1", now })).toBe(
+      false,
+    );
+  });
+  test("expired challenge is rejected", async () => {
+    const t = initConvexTest();
+    const now = Date.now();
+    await t.mutation(internal.appAttestStore.createChallenge, { nonce: "n2", expiresAt: now - 1 });
+    expect(await t.mutation(internal.appAttestStore.consumeChallenge, { nonce: "n2", now })).toBe(
+      false,
+    );
+  });
+  test("unknown nonce is rejected", async () => {
+    const t = initConvexTest();
+    expect(
+      await t.mutation(internal.appAttestStore.consumeChallenge, {
+        nonce: "never-issued",
+        now: Date.now(),
+      }),
+    ).toBe(false);
+  });
+});

package/dist/templates/default/__tests__/convex/pushTokens-remove.test.ts ADDED Viewed

@@ -0,0 +1,106 @@
+/// <reference types="vite/client" />
+/**
+ * Real convexTest coverage for the authed `pushTokens.remove` mutation.
+ *
+ * `remove` (convex/pushTokens.ts) is an authMutation that:
+ *   1. rate-limits on "userAction" (needs the rateLimiter component),
+ *   2. finds the row by the "by_token" index,
+ *   3. deletes it ONLY when it exists AND row.userId === ctx.user._id,
+ *   4. returns null.
+ *
+ * Auth is seeded the same way as _auth-harness.test.ts: a Better Auth
+ * component user + unexpired session whose real ids back the identity, plus
+ * the mirrored app `users` row keyed by authId. pushTokens.userId is the app
+ * users _id, so we seed rows pointing at it.
+ */
+import { ConvexError } from "convex/values";
+import { describe, expect, test } from "vitest";
+import { api } from "@/convex/_generated/api";
+import type { Id } from "@/convex/_generated/dataModel";
+import { type AuthedTest, identityFor, initConvexTest, seedAuthedUser } from "./_harness";
+/** Insert a pushTokens row owned by `userId` and return its id. */
+async function seedPushToken(t: AuthedTest, userId: Id<"users">, token: string) {
+  const now = Date.now();
+  return t.run(async (ctx) =>
+    ctx.db.insert("pushTokens", {
+      userId,
+      token,
+      deviceType: "ios" as const,
+      createdAt: now,
+      updatedAt: now,
+      lastSeenAt: now,
+    }),
+  );
+}
+describe("pushTokens.remove (authMutation)", () => {
+  test("deletes the caller's own token and returns null", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    const tokenId = await seedPushToken(t, appUserId, "ExponentPushToken[own-device]");
+    // Sanity: the row exists before we call remove.
+    expect(await t.run((ctx) => ctx.db.get(tokenId))).not.toBeNull();
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const result = await asUser.mutation(api.pushTokens.remove, {
+      token: "ExponentPushToken[own-device]",
+    });
+    expect(result).toBeNull();
+    // Real DB effect: the row is gone.
+    expect(await t.run((ctx) => ctx.db.get(tokenId))).toBeNull();
+  });
+  test("does NOT delete a token owned by another user", async () => {
+    const t = initConvexTest();
+    const caller = await seedAuthedUser(t);
+    const other = await seedAuthedUser(t);
+    // A token that belongs to `other`, but `caller` knows the string and asks
+    // to remove it. The userId guard must leave it untouched.
+    const sharedToken = "ExponentPushToken[other-device]";
+    const otherTokenId = await seedPushToken(t, other.appUserId, sharedToken);
+    const asCaller = t.withIdentity(identityFor(caller.authUserId, caller.sessionId));
+    const result = await asCaller.mutation(api.pushTokens.remove, { token: sharedToken });
+    expect(result).toBeNull(); // no error, just a no-op
+    // The other user's row survives.
+    const surviving = await t.run((ctx) => ctx.db.get(otherTokenId));
+    expect(surviving).not.toBeNull();
+    expect(surviving?.userId).toBe(other.appUserId);
+  });
+  test("removing a non-existent token is a no-op returning null", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    // Seed an unrelated token to prove remove() doesn't nuke the table.
+    const keepId = await seedPushToken(t, appUserId, "ExponentPushToken[keep]");
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const result = await asUser.mutation(api.pushTokens.remove, {
+      token: "ExponentPushToken[never-registered]",
+    });
+    expect(result).toBeNull();
+    expect(await t.run((ctx) => ctx.db.get(keepId))).not.toBeNull();
+  });
+  test("throws ConvexError when called unauthenticated", async () => {
+    const t = initConvexTest();
+    const { appUserId } = await seedAuthedUser(t);
+    const tokenId = await seedPushToken(t, appUserId, "ExponentPushToken[guarded]");
+    // No identity -> requireAuthenticatedUser throws before any delete.
+    await expect(
+      t.mutation(api.pushTokens.remove, { token: "ExponentPushToken[guarded]" }),
+    ).rejects.toThrowError(ConvexError);
+    // And nothing was deleted.
+    expect(await t.run((ctx) => ctx.db.get(tokenId))).not.toBeNull();
+  });
+});