@rebasepro/server-core 0.0.1-canary.09e5ec5

package/test/query-parser.test.ts

@@ -0,0 +1,263 @@
+import { mapOperator, parseQueryOptions } from "../src/api/rest/query-parser";
+
+// ─────────────────────────────────────────────────────────────
+// mapOperator
+// ─────────────────────────────────────────────────────────────
+describe("mapOperator", () => {
+    it("maps PostgREST operators to Rebase operators", () => {
+        expect(mapOperator("eq")).toBe("==");
+        expect(mapOperator("neq")).toBe("!=");
+        expect(mapOperator("gt")).toBe(">");
+        expect(mapOperator("gte")).toBe(">=");
+        expect(mapOperator("lt")).toBe("<");
+        expect(mapOperator("lte")).toBe("<=");
+        expect(mapOperator("in")).toBe("in");
+        expect(mapOperator("nin")).toBe("not-in");
+        expect(mapOperator("cs")).toBe("array-contains");
+        expect(mapOperator("csa")).toBe("array-contains-any");
+    });
+
+    it("returns null for unknown operators", () => {
+        expect(mapOperator("like")).toBeNull();
+        expect(mapOperator("between")).toBeNull();
+        expect(mapOperator("")).toBeNull();
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — Pagination
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — pagination", () => {
+    it("parses limit", () => {
+        const result = parseQueryOptions({ limit: "25" });
+        expect(result.limit).toBe(25);
+    });
+
+    it("parses offset", () => {
+        const result = parseQueryOptions({ offset: "50" });
+        expect(result.offset).toBe(50);
+    });
+
+    it("calculates offset from page number", () => {
+        const result = parseQueryOptions({ page: "3",
+limit: "10" });
+        expect(result.offset).toBe(20); // (3-1) * 10
+    });
+
+    it("uses default limit of 20 for page calculation when limit not set", () => {
+        const result = parseQueryOptions({ page: "2" });
+        expect(result.offset).toBe(20); // (2-1) * 20
+    });
+
+    it("handles no pagination params", () => {
+        const result = parseQueryOptions({});
+        expect(result.limit).toBeUndefined();
+        expect(result.offset).toBeUndefined();
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — PostgREST Filters
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — PostgREST filters", () => {
+    it("parses equality filter (implicit eq)", () => {
+        const result = parseQueryOptions({ status: "published" });
+        expect(result.where?.status).toEqual(["==", "published"]);
+    });
+
+    it("parses eq operator explicitly", () => {
+        const result = parseQueryOptions({ status: "eq.published" });
+        expect(result.where?.status).toEqual(["==", "published"]);
+    });
+
+    it("parses gt with number coercion", () => {
+        const result = parseQueryOptions({ age: "gt.18" });
+        expect(result.where?.age).toEqual([">", 18]);
+    });
+
+    it("parses gte operator", () => {
+        const result = parseQueryOptions({ price: "gte.9.99" });
+        expect(result.where?.price).toEqual([">=", 9.99]);
+    });
+
+    it("parses lt operator", () => {
+        const result = parseQueryOptions({ count: "lt.100" });
+        expect(result.where?.count).toEqual(["<", 100]);
+    });
+
+    it("parses lte operator", () => {
+        const result = parseQueryOptions({ rating: "lte.5" });
+        expect(result.where?.rating).toEqual(["<=", 5]);
+    });
+
+    it("parses neq operator", () => {
+        const result = parseQueryOptions({ status: "neq.draft" });
+        expect(result.where?.status).toEqual(["!=", "draft"]);
+    });
+
+    it("parses boolean true", () => {
+        const result = parseQueryOptions({ active: "true" });
+        expect(result.where?.active).toEqual(["==", true]);
+    });
+
+    it("parses boolean false", () => {
+        const result = parseQueryOptions({ active: "false" });
+        expect(result.where?.active).toEqual(["==", false]);
+    });
+
+    it("parses null", () => {
+        const result = parseQueryOptions({ deleted_at: "null" });
+        expect(result.where?.deleted_at).toEqual(["==", null]);
+    });
+
+    it("parses numeric strings as numbers", () => {
+        const result = parseQueryOptions({ quantity: "42" });
+        expect(result.where?.quantity).toEqual(["==", 42]);
+    });
+
+    it("parses in operator with array", () => {
+        const result = parseQueryOptions({ role: "in.(admin,editor,viewer)" });
+        expect(result.where?.role).toEqual(["in", ["admin", "editor", "viewer"]]);
+    });
+
+    it("parses in operator with numeric array", () => {
+        const result = parseQueryOptions({ priority: "in.(1,2,3)" });
+        expect(result.where?.priority).toEqual(["in", [1, 2, 3]]);
+    });
+
+    it("parses array-contains operator", () => {
+        const result = parseQueryOptions({ tags: "cs.javascript" });
+        expect(result.where?.tags).toEqual(["array-contains", "javascript"]);
+    });
+
+    it("skips reserved query keys", () => {
+        const result = parseQueryOptions({
+            limit: "10",
+            offset: "0",
+            orderBy: "name:asc",
+            status: "eq.active"
+        });
+        // Only status should be in where
+        expect(result.where?.status).toEqual(["==", "active"]);
+        expect(result.where?.limit).toBeUndefined();
+        expect(result.where?.offset).toBeUndefined();
+        expect(result.where?.orderBy).toBeUndefined();
+    });
+
+    it("handles string values with dots that are not operators (fallback to eq)", () => {
+        const result = parseQueryOptions({ email: "user@example.com" });
+        // "user@example" is not a valid operator, so fallback to eq
+        expect(result.where?.email).toBeDefined();
+    });
+
+    it("removes empty where object", () => {
+        const result = parseQueryOptions({ limit: "10" });
+        expect(result.where).toBeUndefined();
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — Legacy JSON where
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — legacy JSON where", () => {
+    it("parses JSON where string", () => {
+        const result = parseQueryOptions({
+            where: JSON.stringify({ status: ["==", "published"] })
+        });
+        expect(result.where?.status).toEqual(["==", "published"]);
+    });
+
+    it("accepts object where directly", () => {
+        const result = parseQueryOptions({
+            where: { status: ["==", "draft"] }
+        });
+        expect(result.where?.status).toEqual(["==", "draft"]);
+    });
+
+    it("throws for malformed JSON where", () => {
+        expect(() => parseQueryOptions({ where: "not valid json{" })).toThrow("Invalid 'where' filter");
+    });
+
+    it("throws for array where", () => {
+        expect(() => parseQueryOptions({ where: JSON.stringify([1, 2]) })).toThrow("Filter must be a JSON object");
+    });
+
+    it("throws for null where", () => {
+        expect(() => parseQueryOptions({ where: JSON.stringify(null) })).toThrow("Filter must be a JSON object");
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — Sorting
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — sorting", () => {
+    it("parses JSON orderBy", () => {
+        const orderBy = JSON.stringify([{ field: "name",
+direction: "asc" }]);
+        const result = parseQueryOptions({ orderBy });
+        expect(result.orderBy).toEqual([{ field: "name",
+direction: "asc" }]);
+    });
+
+    it("parses simple field:direction format", () => {
+        const result = parseQueryOptions({ orderBy: "created_at:desc" });
+        expect(result.orderBy).toEqual([{ field: "created_at",
+direction: "desc" }]);
+    });
+
+    it("defaults direction to asc", () => {
+        const result = parseQueryOptions({ orderBy: "name" });
+        expect(result.orderBy).toEqual([{ field: "name",
+direction: "asc" }]);
+    });
+
+    it("handles no orderBy", () => {
+        const result = parseQueryOptions({});
+        expect(result.orderBy).toBeUndefined();
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — Relation includes
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — includes", () => {
+    it("parses wildcard include", () => {
+        const result = parseQueryOptions({ include: "*" });
+        expect(result.include).toEqual(["*"]);
+    });
+
+    it("parses comma-separated includes", () => {
+        const result = parseQueryOptions({ include: "author,tags,category" });
+        expect(result.include).toEqual(["author", "tags", "category"]);
+    });
+
+    it("trims whitespace in includes", () => {
+        const result = parseQueryOptions({ include: " author , tags " });
+        expect(result.include).toEqual(["author", "tags"]);
+    });
+
+    it("handles no include", () => {
+        const result = parseQueryOptions({});
+        expect(result.include).toBeUndefined();
+    });
+});
+
+// ─────────────────────────────────────────────────────────────
+// parseQueryOptions — Field selection
+// ─────────────────────────────────────────────────────────────
+describe("parseQueryOptions — fields", () => {
+    it("parses comma-separated fields", () => {
+        const result = parseQueryOptions({ fields: "id,name,email" });
+        expect(result.fields).toEqual(["id", "name", "email"]);
+    });
+
+    it("trims whitespace", () => {
+        const result = parseQueryOptions({ fields: " id , name " });
+        expect(result.fields).toEqual(["id", "name"]);
+    });
+
+    it("handles no fields", () => {
+        const result = parseQueryOptions({});
+        expect(result.fields).toBeUndefined();
+    });
+});

package/test/rate-limiter.test.ts

@@ -0,0 +1,102 @@
+import { createRateLimiter } from "../src/auth/rate-limiter";
+import { Hono } from "hono";
+import { HonoEnv } from "../src/api/types";
+
+describe("Rate Limiter", () => {
+
+    function createTestApp(options: { windowMs?: number; limit?: number } = {}) {
+        const app = new Hono<HonoEnv>();
+        const limiter = createRateLimiter({
+            windowMs: options.windowMs ?? 60 * 1000, // 1 minute
+            limit: options.limit ?? 3,
+            keyGenerator: (c) => c.req.header("x-forwarded-for") || "test-ip"
+        });
+        app.use("/api/*", limiter);
+        app.get("/api/test", (c) => c.json({ ok: true }));
+        return app;
+    }
+
+    it("allows requests under the limit", async () => {
+        const app = createTestApp({ limit: 5 });
+
+        const res = await app.request("/api/test", {
+            headers: { "x-forwarded-for": "1.2.3.4" }
+        });
+
+        expect(res.status).toBe(200);
+        expect(res.headers.get("X-RateLimit-Limit")).toBe("5");
+        expect(res.headers.get("X-RateLimit-Remaining")).toBe("4");
+    });
+
+    it("returns 429 when limit is exceeded", async () => {
+        const app = createTestApp({ limit: 2 });
+
+        // First two should pass
+        await app.request("/api/test", { headers: { "x-forwarded-for": "10.0.0.1" } });
+        await app.request("/api/test", { headers: { "x-forwarded-for": "10.0.0.1" } });
+
+        // Third should be rate limited
+        const res = await app.request("/api/test", {
+            headers: { "x-forwarded-for": "10.0.0.1" }
+        });
+
+        expect(res.status).toBe(429);
+        const body = await res.json() as any;
+        expect(body.error.code).toBe("RATE_LIMITED");
+    });
+
+    it("includes Retry-After header when rate limited", async () => {
+        const app = createTestApp({ limit: 1 });
+
+        await app.request("/api/test", { headers: { "x-forwarded-for": "10.0.0.2" } });
+        const res = await app.request("/api/test", {
+            headers: { "x-forwarded-for": "10.0.0.2" }
+        });
+
+        expect(res.headers.get("Retry-After")).toBeDefined();
+        expect(res.headers.get("X-RateLimit-Remaining")).toBe("0");
+    });
+
+    it("tracks different IPs separately", async () => {
+        const app = createTestApp({ limit: 1 });
+
+        const res1 = await app.request("/api/test", {
+            headers: { "x-forwarded-for": "ip-a" }
+        });
+        const res2 = await app.request("/api/test", {
+            headers: { "x-forwarded-for": "ip-b" }
+        });
+
+        expect(res1.status).toBe(200);
+        expect(res2.status).toBe(200);
+    });
+
+    it("decrements remaining count with each request", async () => {
+        const app = createTestApp({ limit: 3 });
+        const ip = "counter-ip";
+
+        const r1 = await app.request("/api/test", { headers: { "x-forwarded-for": ip } });
+        expect(r1.headers.get("X-RateLimit-Remaining")).toBe("2");
+
+        const r2 = await app.request("/api/test", { headers: { "x-forwarded-for": ip } });
+        expect(r2.headers.get("X-RateLimit-Remaining")).toBe("1");
+
+        const r3 = await app.request("/api/test", { headers: { "x-forwarded-for": ip } });
+        expect(r3.headers.get("X-RateLimit-Remaining")).toBe("0");
+    });
+
+    it("uses custom message", async () => {
+        const app = new Hono<HonoEnv>();
+        const limiter = createRateLimiter({
+            limit: 0,
+            message: "Slow down!",
+            keyGenerator: () => "always-same"
+        });
+        app.use("/api/*", limiter);
+        app.get("/api/test", (c) => c.json({ ok: true }));
+
+        const res = await app.request("/api/test");
+        const body = await res.json() as any;
+        expect(body.error.message).toBe("Slow down!");
+    });
+});

package/test/safe-compare.test.ts

@@ -0,0 +1,66 @@
+/**
+ * Tests for the safeCompare function used in auth middleware.
+ *
+ * Since safeCompare is not exported, we test it indirectly through
+ * the createAuthMiddleware behavior with service keys. However, for
+ * unit-level verification we replicate the logic here.
+ */
+import { timingSafeEqual } from "crypto";
+
+// Replicate the safeCompare implementation to test in isolation
+function safeCompare(a: string, b: string): boolean {
+    const maxLen = Math.max(a.length, b.length);
+    const bufA = Buffer.alloc(maxLen);
+    const bufB = Buffer.alloc(maxLen);
+    bufA.write(a);
+    bufB.write(b);
+    try {
+        const isEqual = timingSafeEqual(bufA, bufB);
+        return isEqual && a.length === b.length;
+    } catch {
+        return false;
+    }
+}
+
+describe("safeCompare", () => {
+    it("should return true for identical strings", () => {
+        expect(safeCompare("my-secret-key-12345678901234567890", "my-secret-key-12345678901234567890")).toBe(true);
+    });
+
+    it("should return false for different strings of same length", () => {
+        expect(safeCompare("aaaa", "bbbb")).toBe(false);
+    });
+
+    it("should return false for different length strings", () => {
+        expect(safeCompare("short", "a-much-longer-string")).toBe(false);
+    });
+
+    it("should return false when one string is a prefix of the other", () => {
+        // This is the critical case: "abc" vs "abc\0\0\0" would match
+        // without the length check, since Buffer.alloc zero-fills
+        expect(safeCompare("abc", "abc\0\0\0")).toBe(false);
+    });
+
+    it("should return false for empty string vs non-empty", () => {
+        expect(safeCompare("", "something")).toBe(false);
+    });
+
+    it("should return true for two empty strings", () => {
+        expect(safeCompare("", "")).toBe(true);
+    });
+
+    it("should handle unicode strings", () => {
+        expect(safeCompare("café", "café")).toBe(true);
+        expect(safeCompare("café", "cafe")).toBe(false);
+    });
+
+    it("should not leak length information via early return", () => {
+        // Both comparisons should take similar time (constant-time)
+        // We can't easily assert timing, but we verify they both
+        // go through the same code path
+        const result1 = safeCompare("a", "bb");
+        const result2 = safeCompare("aa", "bb");
+        expect(result1).toBe(false);
+        expect(result2).toBe(false);
+    });
+});

package/test/singleton.test.ts

@@ -0,0 +1,59 @@
+import { rebase, _initRebase, _setRebaseMock, _resetRebaseMock } from "../src/singleton";
+import type { RebaseClient } from "@rebasepro/types";
+
+describe("rebase singleton", () => {
+    afterEach(() => {
+        // Reset after each test to avoid interference
+        process.env.NODE_ENV = "test";
+        _resetRebaseMock();
+    });
+
+    it("should throw when accessing properties before initialization", () => {
+        expect(() => rebase.data).toThrowError(/server not initialized yet/);
+    });
+
+    it("should allow property access after initialization", () => {
+        const mockData = { find: jest.fn() };
+        _setRebaseMock({ data: mockData } as Partial<RebaseClient>);
+
+        expect(rebase.data).toBe(mockData);
+    });
+
+    it("should throw on property assignment (set trap)", () => {
+        _setRebaseMock({ data: {} } as Partial<RebaseClient>);
+
+        expect(() => {
+            (rebase as Record<string, unknown>).data = "overwritten";
+        }).toThrowError(/Cannot set rebase\.data directly/);
+    });
+
+    it("should reset properly with _resetRebaseMock", () => {
+        _setRebaseMock({ data: {} } as Partial<RebaseClient>);
+        expect(() => rebase.data).not.toThrow();
+
+        _resetRebaseMock();
+        expect(() => rebase.data).toThrowError(/server not initialized yet/);
+    });
+
+    it("should throw if _setRebaseMock is called outside test env", () => {
+        const originalEnv = process.env.NODE_ENV;
+        process.env.NODE_ENV = "production";
+
+        expect(() => _setRebaseMock({} as Partial<RebaseClient>)).toThrowError(
+            /can only be called in a test environment/
+        );
+
+        process.env.NODE_ENV = originalEnv;
+    });
+
+    it("should throw if _resetRebaseMock is called outside test env", () => {
+        const originalEnv = process.env.NODE_ENV;
+        process.env.NODE_ENV = "production";
+
+        expect(() => _resetRebaseMock()).toThrowError(
+            /can only be called in a test environment/
+        );
+
+        process.env.NODE_ENV = originalEnv;
+    });
+});