npm - @saltcorn/server - Versions diffs - 1.6.0-beta.5 → 1.6.0-beta.7 - Mend

@saltcorn/server 1.6.0-beta.5 → 1.6.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (743) hide show

package/tests/api.test.js CHANGED Viewed

@@ -822,7 +822,10 @@ describe("API emit-event access control", () => {
         .set("Authorization", `jwt ${adminJwt}`)
         .send({ payload: {} })
         .expect(
-          respondJsonWith(403, (resp) => resp.error === "Event type not allowed")
+          respondJsonWith(
+            403,
+            (resp) => resp.error === "Event type not allowed"
+          )
         );
     }
   });
@@ -1150,4 +1153,130 @@ describe("API cross-table sub-select access control", () => {
     const rows2 = resp2.body.success || [];
     expect(rows1.length).toBe(rows2.length);
   });
+  it("should not allow probing restricted tables via _relation_path_ parameter", async () => {
+    const app = await getApp({ disableCsrf: true });
+    // The _relation_path_ query parameter accepts JSON that specifies a
+    // relation path through arbitrary tables. handleRelationPath() constructs
+    // an inSelectWithLevels subquery with NO authorization checks.
+    //
+    // Attack: query the public books table with a _relation_path_ that
+    // traverses the restricted patients table (min_role_read=40):
+    //   ?_relation_path_={"relation":".books.patients$name","srcId":"Kirk Douglas"}
+    // This generates:
+    //   WHERE id IN (SELECT id FROM patients WHERE name = 'Kirk Douglas')
+    // A public user can determine whether a patient with a given name exists
+    // by observing which books are returned.
+    const patients = Table.findOne({ name: "patients" });
+    expect(patients.min_role_read).toBe(40);
+    // srcId matching an existing patient name
+    const resp1 = await request(app)
+      .get("/api/books/")
+      .query({
+        _relation_path_: JSON.stringify({
+          relation: ".books.patients$name",
+          srcId: "Kirk Douglas",
+        }),
+      })
+      .expect(200);
+    // srcId with a non-existent patient name
+    const resp2 = await request(app)
+      .get("/api/books/")
+      .query({
+        _relation_path_: JSON.stringify({
+          relation: ".books.patients$name",
+          srcId: "ZZZNONEXISTENT",
+        }),
+      })
+      .expect(200);
+    // If the relation_path is allowed without authorization, resp1 returns
+    // book id=1 (because patient "Kirk Douglas" has id=1) while resp2
+    // returns nothing. The difference reveals that "Kirk Douglas" exists
+    // in the restricted patients table.
+    //
+    // Secure behavior: both queries return the same results (the subquery
+    // against the restricted table is blocked or ignored), OR the query
+    // is rejected.
+    const rows1 = resp1.body.success || [];
+    const rows2 = resp2.body.success || [];
+    expect(rows1.length).toBe(rows2.length);
+  });
+  it("should not allow probing restricted tables via dot-prefix relation path", async () => {
+    const app = await getApp({ disableCsrf: true });
+    // The dot-prefix syntax (e.g. ?.books.patients$name=value) is another
+    // way to invoke handleRelationPath, which has no authorization checks.
+    // This constructs the same inSelectWithLevels subquery.
+    const patients = Table.findOne({ name: "patients" });
+    expect(patients.min_role_read).toBe(40);
+    const resp1 = await request(app)
+      .get("/api/books/")
+      .query({ ".books.patients$name": "Kirk Douglas" })
+      .expect(200);
+    const resp2 = await request(app)
+      .get("/api/books/")
+      .query({ ".books.patients$name": "ZZZNONEXISTENT" })
+      .expect(200);
+    const rows1 = resp1.body.success || [];
+    const rows2 = resp2.body.success || [];
+    expect(rows1.length).toBe(rows2.length);
+  });
+});
+describe("API CSRF protection", () => {
+  let adminToken, adminJwt;
+  beforeAll(async () => {
+    const admin = await User.findOne({ email: "admin@foo.com" });
+    adminToken = await admin.getNewAPIToken();
+    adminJwt = await getAdminJwt();
+  });
+  it("should reject POST with session cookie but no CSRF token", async () => {
+    const app = await getApp({ disableCsrf: false });
+    const loginCookie = await getAdminLoginCookie();
+    await request(app)
+      .post("/api/books/")
+      .set("Cookie", loginCookie)
+      .send({ author: "CSRF Test", pages: 1 })
+      .set("Content-Type", "application/json")
+      .expect(302);
+  });
+  it("should allow POST with bearer token and no CSRF token", async () => {
+    const app = await getApp({ disableCsrf: false });
+    await request(app)
+      .post("/api/books/")
+      .set("Authorization", "Bearer " + adminToken)
+      .send({ author: "Bearer No CSRF", pages: 2 })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(succeedJsonWith((resp) => resp && typeof resp === "number"));
+  });
+  it("should allow POST with valid JWT and no CSRF token", async () => {
+    const app = await getApp({ disableCsrf: false });
+    await request(app)
+      .post("/api/books/")
+      .set("Authorization", `jwt ${adminJwt}`)
+      .send({ author: "JWT No CSRF", pages: 3 })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(succeedJsonWith((resp) => resp && typeof resp === "number"));
+  });
+  it("should not bypass CSRF by appending a fake ?jwt= query parameter", async () => {
+    const app = await getApp({ disableCsrf: false });
+    await request(app)
+      .post("/api/books/?jwt=fakejwt")
+      .send({ author: "CSRF Bypass Attempt", pages: 4 })
+      .set("Content-Type", "application/json")
+      .expect(302);
+  });
 });

package/tests/files.test.js CHANGED Viewed

@@ -107,6 +107,13 @@ beforeAll(async () => {
     "console.log('I am a script');",
     1
   );
+  await createTestFile(
+    "/",
+    "malicious.svg",
+    "image/svg+xml",
+    `<svg xmlns="http://www.w3.org/2000/svg"><script>alert('XSS')</script><circle cx="50" cy="50" r="40"/></svg>`,
+    100
+  );
 });
 afterAll(db.close);
@@ -163,6 +170,16 @@ describe("files admin", () => {
         toSucceedWithImage({ lengthIs: (bs) => bs < 100000 && bs > 2000 })
       );
   });
+  it("sanitize SVG served via /files/resize (XSS bypass)", async () => {
+    const app = await getApp({ disableCsrf: true });
+    const res = await request(app).get("/files/resize/0/0/malicious.svg");
+    expect(res.status).toBe(200);
+    const body = res.text || Buffer.from(res.body).toString();
+    // The resize endpoint must also sanitize SVG files, just like /files/serve does.
+    // Without this, an attacker can bypass DOMPurify by requesting an SVG via
+    // /files/resize/0/0/path.svg (width=0 makes it serve the original file).
+    expect(body).not.toContain("<script>");
+  });
   it("serve resized file without height", async () => {
     const app = await getApp({ disableCsrf: true });
     await request(app)
@@ -538,4 +555,26 @@ describe("visible_entries test", () => {
     expect(body.files.length).toBe(0);
     expect(body.directories.length).toBe(0);
   });
+  it("should not crash on regex special characters in file_exts (CVE: regex injection)", async () => {
+    // The file_exts parameter is passed directly to new RegExp() without escaping.
+    // Regex metacharacters like ( [ cause SyntaxError → 500 Internal Server Error.
+    // This also enables ReDoS: patterns like (a+)+b cause exponential CPU usage.
+    // Confirmed: a file with 30 repeated chars + backtracking regex → 3.6s,
+    //            35 chars → 112s. The endpoint should escape regex metacharacters
+    //            or use literal string matching, not raw user input in new RegExp().
+    const app = await getApp({ disableCsrf: true });
+    const adminCookie = await getAdminLoginCookie();
+    await getState().setConfig("min_role_edit_files", 1);
+    const resp = await request(app)
+      .get(
+        "/files/visible_entries?dir=_sc_test_subfolder_one&file_exts=" +
+          encodeURIComponent("([")
+      )
+      .set("Cookie", adminCookie);
+    // Should return 200 with valid JSON, not crash with 500
+    expect(resp.statusCode).toBe(200);
+    expect(resp.body).toBeDefined();
+    expect(resp.body.files).toBeDefined();
+  });
 });

package/tests/plugin_install.test.js CHANGED Viewed

@@ -9,6 +9,7 @@ const {
 } = require("@saltcorn/admin-models/models/tenant");
 const { resetToFixtures } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
+const { get_store_items } = require("../routes/plugins");
 beforeAll(async () => {
   if (!db.isSQLite) await db.query(`drop schema if exists test101 CASCADE `);
@@ -87,6 +88,64 @@ describe("Tenant cannot install unsafe plugins", () => {
         expect(dbPlugin).toBe(null);
       });
     });
+    it("cannot install git plugins on tenant when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const loadAndSaveNewPlugin = Plugin.loadAndSaveNewPlugin;
+        await install_pack(
+          plugin_pack({
+            name: "some-git-plugin",
+            source: "git",
+            location: "https://github.com/example/some-git-plugin",
+          }),
+          "Some git plugin",
+          loadAndSaveNewPlugin
+        );
+        const dbPlugin = await Plugin.findOne({ name: "some-git-plugin" });
+        expect(dbPlugin).toBe(null);
+      });
+    });
+    it("cannot install github plugins on tenant when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const loadAndSaveNewPlugin = Plugin.loadAndSaveNewPlugin;
+        await install_pack(
+          plugin_pack({
+            name: "some-github-plugin",
+            source: "github",
+            location: "example/some-github-plugin",
+          }),
+          "Some github plugin",
+          loadAndSaveNewPlugin
+        );
+        const dbPlugin = await Plugin.findOne({ name: "some-github-plugin" });
+        expect(dbPlugin).toBe(null);
+      });
+    });
+    it("loadPlugin skips git plugin on tenant when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const result = await Plugin.loadPlugin(
+          new Plugin({
+            name: "some-git-plugin",
+            source: "git",
+            location: "https://github.com/example/some-git-plugin",
+          })
+        );
+        expect(result).toBeUndefined();
+      });
+    });
+    it("loadPlugin skips github plugin on tenant when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const result = await Plugin.loadPlugin(
+          new Plugin({
+            name: "some-github-plugin",
+            source: "github",
+            location: "example/some-github-plugin",
+          })
+        );
+        expect(result).toBeUndefined();
+      });
+    });
     it("can install unsafe plugins on tenant when permitted", async () => {
       await getState().setConfig("tenants_unsafe_plugins", true);
       await db.runWithTenant("test101", async () => {
@@ -346,3 +405,64 @@ describe("Stable versioning upgrade", () => {
     expect(newPlugin.version).toBe("0.1.0");
   });
 });
+describe("Tenant git plugin store filtering", () => {
+  const mockReq = { flash: () => {}, __: (s) => s };
+  if (!db.isSQLite) {
+    it("git plugin is excluded from installed list when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const gitPlugin = new Plugin({
+          name: "test-git-plugin",
+          source: "git",
+          location: "https://github.com/example/test-git-plugin",
+        });
+        await gitPlugin.upsert();
+        const items = await get_store_items(mockReq);
+        const names = items.map((i) => i.name);
+        expect(names).not.toContain("test-git-plugin");
+        await db.deleteWhere("_sc_plugins", { name: "test-git-plugin" });
+      });
+    });
+    it("github plugin is excluded from installed list when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const githubPlugin = new Plugin({
+          name: "test-github-plugin",
+          source: "github",
+          location: "example/test-github-plugin",
+        });
+        await githubPlugin.upsert();
+        const items = await get_store_items(mockReq);
+        const names = items.map((i) => i.name);
+        expect(names).not.toContain("test-github-plugin");
+        await db.deleteWhere("_sc_plugins", { name: "test-github-plugin" });
+      });
+    });
+    it("git plugin does not appear as installed in set=all when tenants_install_git is false", async () => {
+      await db.runWithTenant("test101", async () => {
+        const gitPlugin = new Plugin({
+          name: "test-git-plugin",
+          source: "git",
+          location: "https://github.com/example/test-git-plugin",
+        });
+        await gitPlugin.upsert();
+        const items = await get_store_items(mockReq);
+        const match = items.find((i) => i.name === "test-git-plugin");
+        expect(match).toBeUndefined();
+        await db.deleteWhere("_sc_plugins", { name: "test-git-plugin" });
+      });
+    });
+  } else {
+    it("does not support tenants on SQLite", async () => {
+      expect(db.isSQLite).toBe(true);
+    });
+  }
+});

package/tests/sync.test.js CHANGED Viewed

@@ -101,7 +101,7 @@ describe("load remote insert/updates", () => {
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
             books: {
-              maxLoadedId: 0,
+              lastModifiedAt: 0,
             },
           },
         });
@@ -111,15 +111,16 @@ describe("load remote insert/updates", () => {
       for (const row of data.books.rows) {
         const fromDb = await books.getRows({ id: row._sync_info_tbl_ref_ });
         expect(fromDb.length).toBe(1);
-        expect(row._sync_info_tbl_last_modified_).toBe(loadUntil.valueOf());
-        expect(row._sync_info_tbl_deleted_).toBe(null);
+        expect(typeof row._sync_info_tbl_last_modified_).toBe("number");
+        expect(row._sync_info_tbl_deleted_).toBe(false);
       }
     });
-    it("with syncFrom, without sync_infos", async () => {
+    it("with syncFrom, no changes in window", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       const loadUntil = new Date();
+      // syncFrom == loadUntil → empty time window → no rows
       const resp = await request(app)
         .post("/sync/load_changes")
         .set("Cookie", loginCookie)
@@ -127,8 +128,8 @@ describe("load remote insert/updates", () => {
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
             books: {
-              maxLoadedId: 0,
-              syncFrom: 1000,
+              lastModifiedAt: 0,
+              syncFrom: loadUntil.valueOf(),
             },
           },
         });
@@ -154,7 +155,7 @@ describe("load remote insert/updates", () => {
             loadUntil: (await db.time()).valueOf(),
             syncInfos: {
               books: {
-                maxLoadedId: 0,
+                lastModifiedAt: 0,
                 syncFrom: dbTime.valueOf(),
               },
             },
@@ -169,7 +170,7 @@ describe("load remote insert/updates", () => {
           _sync_info_tbl_deleted_,
           ...rest
         } = data.books.rows[0];
-        expect(_sync_info_tbl_ref_).toBe(2);
+        expect(Number(_sync_info_tbl_ref_)).toBe(2);
         expect(_sync_info_tbl_last_modified_).toBe(last_modified.valueOf());
         expect(_sync_info_tbl_deleted_).toBe(false);
         expect(rest.author).toBe("Leo Tolstoy");
@@ -183,7 +184,7 @@ describe("load remote insert/updates", () => {
             loadUntil: (await db.time()).valueOf(),
             syncInfos: {
               books: {
-                maxLoadedId: 0,
+                lastModifiedAt: 0,
                 syncFrom: dbTime.valueOf(),
               },
             },
@@ -198,13 +199,13 @@ describe("load remote insert/updates", () => {
             _sync_info_tbl_deleted_,
             ...rest
           } = row;
-          expect(_sync_info_tbl_ref_).toBe(rest.id);
+          expect(Number(_sync_info_tbl_ref_)).toBe(rest.id);
           const { last_modified } = await books.latestSyncInfo(rest.id);
           expect(_sync_info_tbl_last_modified_).toBe(last_modified.valueOf());
           expect(_sync_info_tbl_deleted_).toBe(false);
         }
-        expect(data.books.rows[0].author).toBe("Herman Melville");
-        expect(data.books.rows[1].author).toBe("Leo Tolstoy");
+        expect(data.books.rows[0].author).toBe("Leo Tolstoy");
+        expect(data.books.rows[1].author).toBe("Herman Melville");
       }
     });
@@ -246,7 +247,7 @@ describe("load remote insert/updates", () => {
           loadUntil: (await db.time()).valueOf(),
           syncInfos: {
             "Table with capitals": {
-              maxLoadedId: 0,
+              lastModifiedAt: 0,
               syncFrom: dbTime.valueOf(),
             },
           },
@@ -265,7 +266,7 @@ describe("load remote insert/updates", () => {
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
             patients: {
-              maxLoadedId: 0,
+              lastModifiedAt: 0,
               syncFrom: 1000,
             },
           },
@@ -304,7 +305,7 @@ describe("load remote insert/updates", () => {
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
             patients: {
-              maxLoadedId: 0,
+              lastModifiedAt: 0,
             },
           },
         });
@@ -334,7 +335,7 @@ describe("load remote insert/updates", () => {
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
             patients: {
-              maxLoadedId: 0,
+              lastModifiedAt: 0,
               syncFrom: 1000,
             },
           },
@@ -913,9 +914,9 @@ describe("SQL injection protection", () => {
       await initSyncInfo(["books"]);
     });
-    // --- /sync/load_changes : maxLoadedId ---
+    // --- /sync/load_changes : lastModifiedAt ---
-    it("rejects SQL injection in maxLoadedId (OR 1=1)", async () => {
+    it("rejects SQL injection in lastModifiedAt (OR 1=1)", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       await request(app)
@@ -923,14 +924,17 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: "0 OR 1=1--" } },
+          syncInfos: { books: { lastModifiedAt: "0 OR 1=1--" } },
         })
         .expect(
-          respondJsonWith(400, (resp) => resp.error === "Invalid maxLoadedId")
+          respondJsonWith(
+            400,
+            (resp) => resp.error === "Invalid lastModifiedAt"
+          )
         );
     });
-    it("rejects SQL injection in maxLoadedId (UNION SELECT)", async () => {
+    it("rejects SQL injection in lastModifiedAt (UNION SELECT)", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       await request(app)
@@ -939,15 +943,18 @@ describe("SQL injection protection", () => {
         .send({
           loadUntil: new Date().valueOf(),
           syncInfos: {
-            books: { maxLoadedId: "0 UNION SELECT * FROM users--" },
+            books: { lastModifiedAt: "0 UNION SELECT * FROM users--" },
           },
         })
         .expect(
-          respondJsonWith(400, (resp) => resp.error === "Invalid maxLoadedId")
+          respondJsonWith(
+            400,
+            (resp) => resp.error === "Invalid lastModifiedAt"
+          )
         );
     });
-    it("rejects SQL injection in maxLoadedId (stacked query)", async () => {
+    it("rejects SQL injection in lastModifiedAt (stacked query)", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       await request(app)
@@ -956,15 +963,18 @@ describe("SQL injection protection", () => {
         .send({
           loadUntil: new Date().valueOf(),
           syncInfos: {
-            books: { maxLoadedId: "0; DROP TABLE books; --" },
+            books: { lastModifiedAt: "0; DROP TABLE books; --" },
           },
         })
         .expect(
-          respondJsonWith(400, (resp) => resp.error === "Invalid maxLoadedId")
+          respondJsonWith(
+            400,
+            (resp) => resp.error === "Invalid lastModifiedAt"
+          )
         );
     });
-    it("rejects non-numeric string for maxLoadedId", async () => {
+    it("rejects non-numeric string for lastModifiedAt", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       await request(app)
@@ -972,14 +982,17 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: "abc" } },
+          syncInfos: { books: { lastModifiedAt: "abc" } },
         })
         .expect(
-          respondJsonWith(400, (resp) => resp.error === "Invalid maxLoadedId")
+          respondJsonWith(
+            400,
+            (resp) => resp.error === "Invalid lastModifiedAt"
+          )
         );
     });
-    it("rejects float maxLoadedId", async () => {
+    it("rejects float lastModifiedAt", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       await request(app)
@@ -987,10 +1000,13 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: 1.5 } },
+          syncInfos: { books: { lastModifiedAt: 1.5 } },
         })
         .expect(
-          respondJsonWith(400, (resp) => resp.error === "Invalid maxLoadedId")
+          respondJsonWith(
+            400,
+            (resp) => resp.error === "Invalid lastModifiedAt"
+          )
         );
     });
@@ -1004,7 +1020,7 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: 0, syncFrom: "not-a-date" } },
+          syncInfos: { books: { lastModifiedAt: 0, syncFrom: "not-a-date" } },
         })
         .expect(
           respondJsonWith(400, (resp) => resp.error === "Invalid syncFrom")
@@ -1020,7 +1036,7 @@ describe("SQL injection protection", () => {
         .send({
           loadUntil: new Date().valueOf(),
           syncInfos: {
-            books: { maxLoadedId: 0, syncFrom: "0); SELECT pg_sleep(5)--" },
+            books: { lastModifiedAt: 0, syncFrom: "0); SELECT pg_sleep(5)--" },
           },
         })
         .expect(
@@ -1038,7 +1054,7 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: "not-a-date",
-          syncInfos: { books: { maxLoadedId: 0 } },
+          syncInfos: { books: { lastModifiedAt: 0 } },
         })
         .expect(
           respondJsonWith(400, (resp) => resp.error === "Invalid syncUntil")
@@ -1113,7 +1129,7 @@ describe("SQL injection protection", () => {
     // --- regression: valid requests still succeed ---
-    it("valid maxLoadedId integer still works", async () => {
+    it("valid lastModifiedAt value still works", async () => {
       const app = await getApp({ disableCsrf: true });
       const loginCookie = await getAdminLoginCookie();
       const resp = await request(app)
@@ -1121,7 +1137,7 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: 0 } },
+          syncInfos: { books: { lastModifiedAt: 0 } },
         });
       expect(resp.status).toBe(200);
       expect(resp._body.books).toBeDefined();
@@ -1135,7 +1151,7 @@ describe("SQL injection protection", () => {
         .set("Cookie", loginCookie)
         .send({
           loadUntil: new Date().valueOf(),
-          syncInfos: { books: { maxLoadedId: 0, syncFrom: 1000 } },
+          syncInfos: { books: { lastModifiedAt: 0, syncFrom: 1000 } },
         });
       expect(resp.status).toBe(200);
     });
@@ -1322,7 +1338,7 @@ describe("deletes authorization with ownership_formula", () => {
       expect(resp.status).toBe(200);
       const deletes = resp._body.deletes?.sync_owned || [];
       expect(deletes.length).toBe(1);
-      expect(deletes[0].ref).toBe(itemId);
+      expect(Number(deletes[0].ref)).toBe(itemId);
     });
     it("direct formula: non-owner does not see deleted rows", async () => {
@@ -1373,7 +1389,7 @@ describe("deletes authorization with ownership_formula", () => {
       expect(resp.status).toBe(200);
       const deletes = resp._body.deletes?.sync_child || [];
       expect(deletes.length).toBe(1);
-      expect(deletes[0].ref).toBe(childId);
+      expect(Number(deletes[0].ref)).toBe(childId);
     });
     it("join formula: non-owner does not see deleted child rows", async () => {
@@ -1613,7 +1629,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_owned: { maxLoadedId: 0 },
+            lc_owned: { lastModifiedAt: 0 },
           },
         });
       expect(resp.status).toBe(200);
@@ -1635,7 +1651,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_owned: { maxLoadedId: 0 },
+            lc_owned: { lastModifiedAt: 0 },
           },
         });
       expect(resp.status).toBe(200);
@@ -1661,7 +1677,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_child: { maxLoadedId: 0 },
+            lc_child: { lastModifiedAt: 0 },
           },
         });
       expect(resp.status).toBe(200);
@@ -1687,7 +1703,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_child: { maxLoadedId: 0 },
+            lc_child: { lastModifiedAt: 0 },
           },
         });
       expect(resp.status).toBe(200);
@@ -1712,7 +1728,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_owned: { maxLoadedId: 0, syncFrom: syncFrom.valueOf() },
+            lc_owned: { lastModifiedAt: 0, syncFrom: syncFrom.valueOf() },
           },
         });
       expect(resp.status).toBe(200);
@@ -1737,7 +1753,7 @@ describe("load_changes authorization with ownership_formula", () => {
         .send({
           loadUntil: loadUntil.valueOf(),
           syncInfos: {
-            lc_owned: { maxLoadedId: 0, syncFrom: syncFrom.valueOf() },
+            lc_owned: { lastModifiedAt: 0, syncFrom: syncFrom.valueOf() },
           },
         });
       expect(resp.status).toBe(200);