@rangka/core 0.1.0 → 0.1.2

package/src/auth/__tests__/model-permissions.test.ts

@@ -1,205 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import {
-  createModelPermissionGuard,
-  isOwnerOnly,
-  modelHasCreatedBy,
-} from '../model-permissions.js';
-import { PermissionRegistry } from '../permission-registry.js';
-import { createTestServer } from '../../__tests__/helpers.js';
-import type { ResolvedModel } from '../../schema/types.js';
-import type { ResolvedPermissions } from '../types.js';
-
-const mockModel: ResolvedModel = {
-  qualifiedName: 'sales.customer',
-  app: 'sales',
-  module: 'sales',
-  name: 'customer',
-  auditLog: false,
-  traits: [],
-  fields: [],
-  indexes: [],
-};
-
-const mockModelWithTimestamped: ResolvedModel = {
-  qualifiedName: 'sales.order',
-  app: 'sales',
-  module: 'sales',
-  name: 'order',
-  auditLog: false,
-  traits: ['timestamped'],
-  fields: [
-    { name: 'id', config: { type: 'string' }, provenance: { source: 'base' } },
-    {
-      name: 'created_by',
-      config: { type: 'link', model: 'core.user' },
-      provenance: { source: 'trait', trait: 'timestamped' },
-    },
-    {
-      name: 'updated_by',
-      config: { type: 'link', model: 'core.user' },
-      provenance: { source: 'trait', trait: 'timestamped' },
-    },
-    {
-      name: 'created_at',
-      config: { type: 'datetime' },
-      provenance: { source: 'trait', trait: 'timestamped' },
-    },
-    {
-      name: 'updated_at',
-      config: { type: 'datetime' },
-      provenance: { source: 'trait', trait: 'timestamped' },
-    },
-  ] as ResolvedModel['fields'],
-  indexes: [],
-};
-
-function setupServer(permissions: any) {
-  const registry = new PermissionRegistry();
-  const server = createTestServer();
-
-  server.get('/test', {
-    preHandler: createModelPermissionGuard(mockModel, registry),
-    handler: async () => ({ ok: true }),
-  });
-
-  server.addHook('onRequest', async (request) => {
-    (request as any).authContext = { permissions };
-  });
-
-  return server;
-}
-
-describe('model permission hook', () => {
-  it('allows access when permission is granted', async () => {
-    const server = setupServer({
-      models: { 'sales.customer': { read: true } },
-      scopes: [],
-      version: 1,
-    });
-
-    const res = await server.inject({ method: 'GET', url: '/test' });
-    expect(res.statusCode).toBe(200);
-  });
-
-  it('returns 403 when permission is not granted', async () => {
-    const server = setupServer({
-      models: { 'sales.customer': { write: true } },
-      scopes: [],
-      version: 1,
-    });
-
-    const res = await server.inject({ method: 'GET', url: '/test' });
-    expect(res.statusCode).toBe(403);
-    expect(res.json().error.message).toContain('read');
-    expect(res.json().error.message).toContain('sales.customer');
-  });
-
-  it('returns 403 when no permissions resolved', async () => {
-    const server = setupServer(undefined);
-
-    const res = await server.inject({ method: 'GET', url: '/test' });
-    expect(res.statusCode).toBe(403);
-  });
-
-  it('checks create permission for POST', async () => {
-    const registry = new PermissionRegistry();
-    const server = createTestServer();
-
-    server.post('/test', {
-      preHandler: createModelPermissionGuard(mockModel, registry),
-      handler: async () => ({ ok: true }),
-    });
-
-    server.addHook('onRequest', async (request) => {
-      (request as any).authContext = {
-        permissions: {
-          models: { 'sales.customer': { read: true, write: true } },
-          scopes: [],
-          version: 1,
-        },
-      };
-    });
-
-    const res = await server.inject({ method: 'POST', url: '/test', payload: {} });
-    expect(res.statusCode).toBe(403);
-  });
-
-  it('allows multi-role union: if one role grants access', async () => {
-    const server = setupServer({
-      models: { 'sales.customer': { read: true, write: true, delete: true } },
-      scopes: [],
-      version: 1,
-    });
-
-    const res = await server.inject({ method: 'GET', url: '/test' });
-    expect(res.statusCode).toBe(200);
-  });
-
-  it('allows access through pre-handler when permission is own', async () => {
-    const server = setupServer({
-      models: { 'sales.customer': { read: 'own' } },
-      scopes: [],
-      version: 1,
-    });
-
-    const res = await server.inject({ method: 'GET', url: '/test' });
-    expect(res.statusCode).toBe(200);
-  });
-});
-
-describe('isOwnerOnly', () => {
-  const permsWithOwn: ResolvedPermissions = {
-    models: {
-      'sales.order': { read: 'own', write: 'own', delete: 'own', create: true },
-    },
-    pages: [],
-    version: 1,
-  };
-
-  const permsWithTrue: ResolvedPermissions = {
-    models: {
-      'sales.order': { read: true, write: true, delete: true, create: true },
-    },
-    pages: [],
-    version: 1,
-  };
-
-  it('returns true when permission is own', () => {
-    expect(isOwnerOnly(permsWithOwn, 'sales.order', 'read')).toBe(true);
-    expect(isOwnerOnly(permsWithOwn, 'sales.order', 'write')).toBe(true);
-    expect(isOwnerOnly(permsWithOwn, 'sales.order', 'delete')).toBe(true);
-  });
-
-  it('returns false when permission is true', () => {
-    expect(isOwnerOnly(permsWithTrue, 'sales.order', 'read')).toBe(false);
-    expect(isOwnerOnly(permsWithTrue, 'sales.order', 'write')).toBe(false);
-    expect(isOwnerOnly(permsWithTrue, 'sales.order', 'delete')).toBe(false);
-  });
-
-  it('returns false when permissions are undefined', () => {
-    expect(isOwnerOnly(undefined, 'sales.order', 'read')).toBe(false);
-  });
-
-  it('returns false when model has no permissions', () => {
-    expect(isOwnerOnly(permsWithOwn, 'sales.unknown', 'read')).toBe(false);
-  });
-
-  it('returns false when action is unset', () => {
-    const perms: ResolvedPermissions = {
-      models: { 'sales.order': { read: 'own' } },
-      pages: [],
-      version: 1,
-    };
-    expect(isOwnerOnly(perms, 'sales.order', 'write')).toBe(false);
-  });
-});
-
-describe('modelHasCreatedBy', () => {
-  it('returns true when model has created_by field', () => {
-    expect(modelHasCreatedBy(mockModelWithTimestamped)).toBe(true);
-  });
-
-  it('returns false when model lacks created_by field', () => {
-    expect(modelHasCreatedBy(mockModel)).toBe(false);
-  });
-});

package/src/auth/__tests__/password.test.ts

@@ -1,29 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { hashPassword, verifyPassword } from '../password.js';
-
-describe('password hashing', () => {
-  it('hashes and verifies a password correctly', () => {
-    const password = 'my-secure-password';
-    const hashed = hashPassword(password);
-
-    expect(hashed).toContain(':');
-    expect(verifyPassword(password, hashed)).toBe(true);
-  });
-
-  it('rejects an incorrect password', () => {
-    const hashed = hashPassword('correct-password');
-    expect(verifyPassword('wrong-password', hashed)).toBe(false);
-  });
-
-  it('produces different hashes for the same password (random salt)', () => {
-    const password = 'same-password';
-    const hash1 = hashPassword(password);
-    const hash2 = hashPassword(password);
-    expect(hash1).not.toBe(hash2);
-  });
-
-  it('returns false for malformed stored hash', () => {
-    expect(verifyPassword('anything', 'nocolon')).toBe(false);
-    expect(verifyPassword('anything', '')).toBe(false);
-  });
-});

package/src/auth/__tests__/permission-registry.test.ts

@@ -1,313 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import {
-  PermissionRegistry,
-  DuplicateRoleError,
-  RoleInheritanceCycleError,
-} from '../permission-registry.js';
-
-describe('PermissionRegistry', () => {
-  describe('registerRoles', () => {
-    it('registers roles and retrieves them', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          sales_user: {
-            label: 'Sales User',
-            models: { 'sales.customer': { read: true, write: true } },
-          },
-        },
-        'sales',
-      );
-
-      const role = registry.getRole('sales_user');
-      expect(role).toBeDefined();
-      expect(role!.app).toBe('sales');
-    });
-
-    it('throws DuplicateRoleError for duplicate role names', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles({ admin: { label: 'Admin', models: {} } }, 'app1');
-
-      expect(() => {
-        registry.registerRoles({ admin: { label: 'Admin', models: {} } }, 'app2');
-      }).toThrow(DuplicateRoleError);
-    });
-
-    it('getAllRoles returns all registered roles', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          role_a: { label: 'Role A', models: {} },
-          role_b: { label: 'Role B', models: {} },
-        },
-        'app1',
-      );
-
-      expect(registry.getAllRoles()).toHaveLength(2);
-    });
-  });
-
-  describe('inheritance resolution', () => {
-    it('resolves single-level inheritance', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          parent: { label: 'Parent', models: { 'a.b': { read: true } } },
-          child: { label: 'Child', extends: 'parent', models: { 'a.b': { write: true } } },
-        },
-        'app',
-      );
-
-      const chain = registry.getInheritanceChain('child');
-      expect(chain).toEqual(['parent']);
-    });
-
-    it('resolves multi-level inheritance', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          grandparent: { label: 'Grandparent', models: { 'a.b': { read: true } } },
-          parent: { label: 'Parent', extends: 'grandparent', models: {} },
-          child: { label: 'Child', extends: 'parent', models: {} },
-        },
-        'app',
-      );
-
-      const chain = registry.getInheritanceChain('child');
-      expect(chain).toEqual(['grandparent', 'parent']);
-    });
-
-    it('detects circular inheritance', () => {
-      const registry = new PermissionRegistry();
-      expect(() => {
-        registry.registerRoles(
-          {
-            a: { label: 'A', extends: 'b', models: {} },
-            b: { label: 'B', extends: 'a', models: {} },
-          },
-          'app',
-        );
-      }).toThrow(RoleInheritanceCycleError);
-    });
-
-    it('throws for inheritance from unknown role', () => {
-      const registry = new PermissionRegistry();
-      expect(() => {
-        registry.registerRoles(
-          {
-            child: { label: 'Child', extends: 'non_existent', models: {} },
-          },
-          'app',
-        );
-      }).toThrow(/unknown role/);
-    });
-  });
-
-  describe('resolvePermissionsForRoles', () => {
-    it('merges permissions additively across roles', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          role_a: { label: 'Role A', models: { 'sales.customer': { read: true, write: true } } },
-          role_b: { label: 'Role B', models: { 'sales.customer': { read: true, delete: true } } },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['role_a', 'role_b']);
-      expect(perms.models['sales.customer']).toEqual({
-        read: true,
-        write: true,
-        delete: true,
-      });
-    });
-
-    it('inherits permissions from parent roles', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          parent: {
-            label: 'Parent',
-            models: { 'sales.customer': { read: true, write: true, create: true } },
-          },
-          child: {
-            label: 'Child',
-            extends: 'parent',
-            models: { 'sales.customer': { delete: true } },
-          },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['child']);
-      expect(perms.models['sales.customer']).toEqual({
-        read: true,
-        write: true,
-        create: true,
-        delete: true,
-      });
-    });
-
-    it('merges field permissions additively (most permissive wins)', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          role_a: {
-            label: 'Role A',
-            models: {
-              'sales.invoice': {
-                read: true,
-                fieldPermissions: { cost_price: { read: false } },
-              },
-            },
-          },
-          role_b: {
-            label: 'Role B',
-            models: {
-              'sales.invoice': {
-                read: true,
-                fieldPermissions: { cost_price: { read: true, write: true } },
-              },
-            },
-          },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['role_a', 'role_b']);
-      expect(perms.models['sales.invoice'].fieldPermissions!.cost_price).toEqual({
-        read: true,
-        write: true,
-      });
-    });
-
-    it('resolves pages from a single role', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          admin: { label: 'Admin', models: {}, pages: ['admin.dashboard', 'admin.settings'] },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['admin']);
-      expect(perms.pages.sort()).toEqual(['admin.dashboard', 'admin.settings']);
-    });
-
-    it('merges pages from multiple roles with deduplication', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          admin: { label: 'Admin', models: {}, pages: ['admin.dashboard', 'shared.reports'] },
-          sales: { label: 'Sales', models: {}, pages: ['sales.dashboard', 'shared.reports'] },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['admin', 'sales']);
-      expect(perms.pages.sort()).toEqual(['admin.dashboard', 'sales.dashboard', 'shared.reports']);
-    });
-
-    it('inherits pages from parent roles', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          sales_rep: { label: 'Sales Rep', models: {}, pages: ['sales.dashboard'] },
-          sales_mgr: {
-            label: 'Sales Mgr',
-            extends: 'sales_rep',
-            models: {},
-            pages: ['sales.reports'],
-          },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['sales_mgr']);
-      expect(perms.pages.sort()).toEqual(['sales.dashboard', 'sales.reports']);
-    });
-
-    it('returns empty pages when no role defines pages', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          basic: { label: 'Basic', models: { 'a.b': { read: true } } },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['basic']);
-      expect(perms.pages).toEqual([]);
-    });
-
-    it('true permission is never downgraded by own', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          admin: { label: 'Admin', models: { 'sales.order': { write: true, delete: true } } },
-          restricted: {
-            label: 'Restricted',
-            models: { 'sales.order': { write: 'own', delete: 'own' } },
-          },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['admin', 'restricted']);
-      expect(perms.models['sales.order'].write).toBe(true);
-      expect(perms.models['sales.order'].delete).toBe(true);
-    });
-
-    it('own is upgraded to true when a more permissive role is applied', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          restricted: {
-            label: 'Restricted',
-            models: { 'sales.order': { write: 'own', delete: 'own' } },
-          },
-          admin: { label: 'Admin', models: { 'sales.order': { write: true, delete: true } } },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['restricted', 'admin']);
-      expect(perms.models['sales.order'].write).toBe(true);
-      expect(perms.models['sales.order'].delete).toBe(true);
-    });
-
-    it('own remains own when no higher grant exists', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          sales_rep: {
-            label: 'Sales Rep',
-            models: { 'sales.order': { read: true, write: 'own', delete: 'own', create: true } },
-          },
-        },
-        'app',
-      );
-
-      const perms = registry.resolvePermissionsForRoles(['sales_rep']);
-      expect(perms.models['sales.order'].write).toBe('own');
-      expect(perms.models['sales.order'].delete).toBe('own');
-      expect(perms.models['sales.order'].read).toBe(true);
-      expect(perms.models['sales.order'].create).toBe(true);
-    });
-
-    it('inherited role with true overrides child own', () => {
-      const registry = new PermissionRegistry();
-      registry.registerRoles(
-        {
-          base: { label: 'Base', models: { 'sales.order': { write: true } } },
-          child: { label: 'Child', extends: 'base', models: { 'sales.order': { write: 'own' } } },
-        },
-        'app',
-      );
-
-      // Parent grants true first, child's 'own' should not downgrade
-      const perms = registry.resolvePermissionsForRoles(['child']);
-      expect(perms.models['sales.order'].write).toBe(true);
-    });
-  });
-});