@stonecrop/casl-middleware 0.7.0

package/dist/tests/ability.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ability.test.d.ts.map

package/dist/tests/ability.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.test.d.ts","sourceRoot":"","sources":["../../tests/ability.test.ts"],"names":[],"mappings":""}

package/dist/tests/ability.test.js

@@ -0,0 +1,125 @@
+import { AbilityBuilder, PureAbility, subject } from '@casl/ability';
+import { describe, it, expect } from 'vitest';
+import { createAbility, detectSubjectType } from '../src/middleware/ability';
+const Ability = PureAbility;
+describe('Ability Creation', () => {
+    describe('createAbility', () => {
+        // Create a test builder with proper matchers - using the same detectSubjectType as production
+        const testBuilder = (user) => {
+            const { can, cannot, build } = new AbilityBuilder(Ability);
+            if (!user) {
+                can('read', 'Query');
+                can('read', 'PublicType');
+            }
+            else {
+                can('read', 'Query');
+                can('read', 'Mutation');
+                if (user.roles?.includes('admin')) {
+                    can('manage', 'all');
+                }
+                else {
+                    can('read', 'User', { id: user.id });
+                    can('update', 'User', { id: user.id });
+                    cannot('update', 'User', 'role');
+                    cannot('update', 'User', 'permissions');
+                }
+                if (user.roles?.includes('moderator')) {
+                    can('update', 'Post');
+                    can('delete', 'Comment');
+                }
+                if (user.roles?.includes('editor')) {
+                    can('create', 'Post');
+                    can('update', 'Post');
+                    can('delete', 'Post');
+                }
+            }
+            return build({
+                detectSubjectType,
+                fieldMatcher: fields => field => {
+                    if (!fields || !field)
+                        return false;
+                    return Array.isArray(fields) ? fields.includes(field) : fields === field;
+                },
+                conditionsMatcher: conditions => object => {
+                    if (!conditions || !object)
+                        return true;
+                    return Object.keys(conditions).every(key => object[key] === conditions[key]);
+                },
+            });
+        };
+        it('should create a basic ability for unauthenticated users', async () => {
+            const ability = await createAbility(undefined, testBuilder);
+            expect(ability).toBeDefined();
+            expect(ability.can('read', 'Query')).toBe(true);
+            expect(ability.can('read', 'PublicType')).toBe(true);
+            expect(ability.can('read', 'Mutation')).toBe(false);
+            expect(ability.can('manage', 'all')).toBe(false);
+        });
+        it('should create abilities for authenticated users without roles', async () => {
+            const user = { id: '123', roles: [] };
+            const ability = await createAbility(user, testBuilder);
+            expect(ability.can('read', 'Query')).toBe(true);
+            expect(ability.can('read', 'Mutation')).toBe(true);
+            expect(ability.can('read', subject('User', { id: '123' }))).toBe(true);
+            expect(ability.can('update', subject('User', { id: '123' }))).toBe(true);
+            expect(ability.can('update', subject('User', { id: '456' }))).toBe(false);
+            // Check field-level restrictions
+            expect(ability.can('update', 'User', 'role')).toBe(false);
+            expect(ability.can('update', 'User', 'permissions')).toBe(false);
+        });
+        it('should create admin abilities for users with admin role', async () => {
+            const user = { id: '123', roles: ['admin'] };
+            const ability = await createAbility(user, testBuilder);
+            expect(ability.can('manage', 'all')).toBe(true);
+            expect(ability.can('read', 'Query')).toBe(true);
+            expect(ability.can('update', subject('User', { id: '456' }))).toBe(true);
+            expect(ability.can('delete', 'User')).toBe(true);
+        });
+        it('should handle mixed roles correctly', async () => {
+            const user = { id: '123', roles: ['user', 'moderator'] };
+            const ability = await createAbility(user, testBuilder);
+            expect(ability.can('read', 'Query')).toBe(true);
+            expect(ability.can('read', 'Mutation')).toBe(true);
+            expect(ability.can('manage', 'all')).toBe(false);
+            expect(ability.can('read', subject('User', { id: '123' }))).toBe(true);
+            expect(ability.can('update', subject('User', { id: '123' }))).toBe(true);
+            // Check field restrictions
+            expect(ability.can('update', 'User', 'role')).toBe(false);
+            expect(ability.can('update', 'User', 'permissions')).toBe(false);
+            // Check moderator permissions
+            expect(ability.can('update', 'Post')).toBe(true);
+            expect(ability.can('delete', 'Comment')).toBe(true);
+        });
+    });
+    describe('Custom Ability Builder', () => {
+        it('should allow custom ability definitions', () => {
+            const customCreateAbility = (user) => {
+                const { can, build } = new AbilityBuilder(Ability);
+                if (user?.permissions?.includes('read:posts')) {
+                    can('read', 'Post');
+                }
+                if (user?.permissions?.includes('write:posts')) {
+                    can(['create', 'update'], 'Post', { authorId: user.id });
+                }
+                if (user?.permissions?.includes('delete:posts')) {
+                    can('delete', 'Post', { authorId: user.id });
+                }
+                return build({
+                    detectSubjectType,
+                    conditionsMatcher: conditions => object => {
+                        if (!conditions || !object)
+                            return true;
+                        return Object.keys(conditions).every(key => object[key] === conditions[key]);
+                    },
+                });
+            };
+            const user = { id: '123', permissions: ['read:posts', 'write:posts'] };
+            const ability = customCreateAbility(user);
+            expect(ability.can('read', 'Post')).toBe(true);
+            expect(ability.can('create', subject('Post', { authorId: '123' }))).toBe(true);
+            expect(ability.can('update', subject('Post', { authorId: '123' }))).toBe(true);
+            expect(ability.can('delete', subject('Post', { authorId: '123' }))).toBe(false);
+            expect(ability.can('update', subject('Post', { authorId: '456' }))).toBe(false);
+        });
+    });
+});

package/dist/tests/helpers/test-utils.d.ts

@@ -0,0 +1,46 @@
+import { PureAbility } from '@casl/ability';
+import { GraphQLSchema } from 'graphql';
+import type { AppAbility } from '../../src/middleware/ability';
+import { Context, User } from '../../src/types';
+/**
+ * Create a mock GraphQL context for testing
+ */
+export declare const createMockContext: (user?: User, ability?: AppAbility) => Context;
+/**
+ * Create a simple test schema
+ */
+export declare const createTestSchema: () => GraphQLSchema;
+/**
+ * Create test users with different roles
+ */
+export declare const testUsers: {
+    public: undefined;
+    regular: {
+        id: string;
+        roles: string[];
+    };
+    moderator: {
+        id: string;
+        roles: string[];
+    };
+    editor: {
+        id: string;
+        roles: string[];
+    };
+    admin: {
+        id: string;
+        roles: string[];
+    };
+};
+/**
+ * Assertion helper for checking abilities
+ */
+export declare const expectAbility: (ability: PureAbility) => {
+    toAllow: (action: string, subject: string, conditions?: any) => void;
+    toDeny: (action: string, subject: string, conditions?: any) => void;
+};
+/**
+ * Mock GraphQL ResolveInfo for testing
+ */
+export declare const createMockResolveInfo: (overrides?: any) => any;
+//# sourceMappingURL=test-utils.d.ts.map

package/dist/tests/helpers/test-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-utils.d.ts","sourceRoot":"","sources":["../../../tests/helpers/test-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAE3C,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAE/C;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAAI,OAAO,IAAI,EAAE,UAAU,UAAU,KAAG,OAOrE,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAAO,aA4CnC,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;CAMrB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,GAAI,SAAS,WAAW;sBAC/B,MAAM,WAAW,MAAM,eAAe,GAAG;qBAG1C,MAAM,WAAW,MAAM,eAAe,GAAG;CAGzD,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,YAAW,GAAQ,KAAG,GAS1D,CAAA"}

package/dist/tests/helpers/test-utils.js

@@ -0,0 +1,92 @@
+import { PureAbility } from '@casl/ability';
+import { makeExecutableSchema } from '@graphql-tools/schema';
+/**
+ * Create a mock GraphQL context for testing
+ */
+export const createMockContext = (user, ability) => {
+    const defaultAbility = new PureAbility([{ action: 'read', subject: 'Query' }]);
+    return {
+        user: user || undefined,
+        ability: ability || defaultAbility,
+    };
+};
+/**
+ * Create a simple test schema
+ */
+export const createTestSchema = () => {
+    const typeDefs = `
+		type User {
+			id: ID!
+			name: String!
+			email: String
+			role: String
+		}
+
+		type Post {
+			id: ID!
+			title: String!
+			content: String!
+			authorId: String!
+		}
+
+		type Query {
+			me: User
+			user(id: ID!): User
+			posts: [Post!]!
+		}
+
+		type Mutation {
+			updateUser(id: ID!, name: String): User
+			createPost(title: String!, content: String!): Post
+		}
+	`;
+    const resolvers = {
+        Query: {
+            me: () => ({ id: '123', name: 'Test User', email: 'test@example.com', role: 'user' }),
+            user: (_, { id }) => ({ id, name: `User ${id}`, email: `user${id}@example.com`, role: 'user' }),
+            posts: () => [
+                { id: '1', title: 'Post 1', content: 'Content 1', authorId: '123' },
+                { id: '2', title: 'Post 2', content: 'Content 2', authorId: '456' },
+            ],
+        },
+        Mutation: {
+            updateUser: (_, { id, name }) => ({ id, name: name || 'Updated', email: 'updated@example.com' }),
+            createPost: (_, { title, content }) => ({ id: '3', title, content, authorId: '123' }),
+        },
+    };
+    return makeExecutableSchema({ typeDefs, resolvers });
+};
+/**
+ * Create test users with different roles
+ */
+export const testUsers = {
+    public: undefined,
+    regular: { id: '123', roles: ['user'] },
+    moderator: { id: '456', roles: ['user', 'moderator'] },
+    editor: { id: '789', roles: ['user', 'editor'] },
+    admin: { id: '999', roles: ['admin'] },
+};
+/**
+ * Assertion helper for checking abilities
+ */
+export const expectAbility = (ability) => ({
+    toAllow: (action, subject, conditions) => {
+        expect(ability.can(action, subject, conditions)).toBe(true);
+    },
+    toDeny: (action, subject, conditions) => {
+        expect(ability.can(action, subject, conditions)).toBe(false);
+    },
+});
+/**
+ * Mock GraphQL ResolveInfo for testing
+ */
+export const createMockResolveInfo = (overrides = {}) => ({
+    fieldName: 'testField',
+    parentType: { name: 'Query' },
+    path: { typename: 'Query', key: 'testField' },
+    operation: {
+        operation: 'query',
+        loc: { source: { body: 'query { testField }' } },
+    },
+    ...overrides,
+});

package/dist/tests/introspection.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=introspection.test.d.ts.map

package/dist/tests/introspection.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspection.test.d.ts","sourceRoot":"","sources":["../../tests/introspection.test.ts"],"names":[],"mappings":""}

package/dist/tests/introspection.test.js

@@ -0,0 +1,368 @@
+// casl-middleware/tests/introspection.test.ts
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { AbilityBuilder, PureAbility } from '@casl/ability';
+import { createIntrospectionMiddleware, createIntrospectionAbilityRules, createPostgraphileIntrospectionPlugin, createSecureGraphQLMiddleware, } from '../src/middleware/introspection';
+const Ability = PureAbility;
+describe('Introspection Middleware', () => {
+    let mockResolve;
+    let mockContext;
+    let mockInfo;
+    beforeEach(() => {
+        mockResolve = vi.fn().mockResolvedValue({
+            types: [
+                { name: 'User', fields: [{ name: 'id' }, { name: 'email' }] },
+                { name: 'AdminData', fields: [{ name: 'secret' }] },
+                { name: 'Post', fields: [{ name: 'title' }, { name: 'content' }] },
+            ],
+        });
+        mockContext = {
+            user: { id: 'user-123', roles: ['user'] },
+            ability: undefined,
+        };
+        mockInfo = {
+            fieldName: '__schema',
+            parentType: { name: 'Query' },
+        };
+    });
+    describe('Basic Introspection Control', () => {
+        it('should allow introspection when enabled', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toBeDefined();
+        });
+        it('should block introspection when disabled', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: false,
+            });
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection is disabled');
+            expect(mockResolve).not.toHaveBeenCalled();
+        });
+        it('should pass through non-introspection queries', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: false, // Even when disabled
+            });
+            mockInfo.fieldName = 'getUser'; // Not an introspection query
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toBeDefined();
+        });
+        it('should detect __type introspection queries', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: false,
+            });
+            mockInfo.fieldName = '__type';
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection is disabled');
+        });
+        it('should detect nested introspection queries', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: false,
+            });
+            mockInfo.fieldName = 'fields';
+            mockInfo.parentType = { name: '__Type' };
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection is disabled');
+        });
+    });
+    describe('Authentication Requirements', () => {
+        it('should require authentication by default', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowAnonymous: false,
+            });
+            mockContext.user = undefined; // No user
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Authentication required for introspection');
+        });
+        it('should allow anonymous introspection when configured', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowAnonymous: true,
+            });
+            mockContext.user = undefined; // No user
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toBeDefined();
+        });
+    });
+    describe('Role-Based Access Control', () => {
+        it('should allow introspection for allowed roles', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowedRoles: ['admin', 'developer'],
+            });
+            mockContext.user = { id: 'user-123', roles: ['developer'] };
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+        it('should deny introspection for non-allowed roles', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowedRoles: ['admin', 'developer'],
+            });
+            mockContext.user = { id: 'user-123', roles: ['user'] };
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Insufficient permissions for introspection');
+        });
+        it('should handle users with multiple roles', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowedRoles: ['admin', 'developer'],
+            });
+            mockContext.user = { id: 'user-123', roles: ['user', 'developer'] };
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+        it('should handle empty allowed roles array', async () => {
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                allowedRoles: [],
+            });
+            // Empty allowed roles means no role-based restriction
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+    describe('CASL Integration', () => {
+        it('should check CASL permissions when ability exists', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', '__Schema');
+            const ability = build();
+            mockContext.ability = ability;
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+        it('should deny when CASL permission is not granted', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', 'User'); // Can read User, but not __Schema
+            const ability = build();
+            mockContext.ability = ability;
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+            });
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Permission denied for schema introspection');
+        });
+    });
+    describe('Custom Check Function', () => {
+        it('should use custom check function when provided', async () => {
+            const customCheck = vi.fn().mockResolvedValue(true);
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                customCheck,
+            });
+            await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(customCheck).toHaveBeenCalledWith(mockContext);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+        it('should deny when custom check returns false', async () => {
+            const customCheck = vi.fn().mockResolvedValue(false);
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                customCheck,
+            });
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection not allowed');
+            expect(customCheck).toHaveBeenCalledWith(mockContext);
+            expect(mockResolve).not.toHaveBeenCalled();
+        });
+        it('should handle async custom check functions', async () => {
+            const customCheck = vi.fn().mockImplementation(async (context) => {
+                await new Promise(resolve => setTimeout(resolve, 10));
+                return context.user?.roles?.includes('admin');
+            });
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                customCheck,
+            });
+            mockContext.user = { id: 'user-123', roles: ['admin'] };
+            await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(customCheck).toHaveBeenCalledWith(mockContext);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+    describe('Type Filtering', () => {
+        it('should filter types based on permissions', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', '__Schema');
+            can('read', 'User');
+            can('read', 'Post');
+            // Cannot read AdminData
+            const ability = build();
+            mockContext.ability = ability;
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                typePermissions: {
+                    AdminData: { action: 'read', subject: 'AdminData' },
+                },
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            // Should filter out AdminData
+            expect(result.types).toHaveLength(2);
+            expect(result.types.map((t) => t.name)).toEqual(['User', 'Post']);
+            expect(result.types.map((t) => t.name)).not.toContain('AdminData');
+        });
+        it('should keep types without permission requirements', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', '__Schema');
+            const ability = build();
+            mockContext.ability = ability;
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                typePermissions: {
+                    AdminData: { action: 'read', subject: 'AdminData' },
+                },
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            // Should keep User and Post (no permission requirements)
+            // Should filter out AdminData
+            expect(result.types.map((t) => t.name)).toContain('User');
+            expect(result.types.map((t) => t.name)).toContain('Post');
+            expect(result.types.map((t) => t.name)).not.toContain('AdminData');
+        });
+    });
+    describe('Field Filtering', () => {
+        it('should filter fields based on permissions', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', '__Schema');
+            can('read', 'UserPublicFields');
+            // Cannot read User.email
+            const ability = build();
+            mockContext.ability = ability;
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                fieldPermissions: {
+                    'User.email': { action: 'read', subject: 'UserEmail' },
+                },
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            const userType = result.types.find((t) => t.name === 'User');
+            expect(userType.fields).toHaveLength(1);
+            expect(userType.fields[0].name).toBe('id');
+        });
+        it('should handle __type field filtering', async () => {
+            const { can, build } = new AbilityBuilder(Ability);
+            can('read', '__Schema');
+            const ability = build();
+            mockContext.ability = ability;
+            mockInfo.fieldName = '__type';
+            // Mock __type result
+            mockResolve.mockResolvedValue({
+                name: 'User',
+                fields: [{ name: 'id' }, { name: 'email' }, { name: 'password' }],
+            });
+            const middleware = createIntrospectionMiddleware({
+                enabled: true,
+                fieldPermissions: {
+                    'User.password': { action: 'read', subject: 'UserPassword' },
+                },
+            });
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            // Should filter out password field
+            expect(result.fields).toHaveLength(2);
+            expect(result.fields.map((f) => f.name)).toEqual(['id', 'email']);
+        });
+    });
+    describe('createIntrospectionAbilityRules', () => {
+        it('should return empty rules for anonymous users', () => {
+            const rules = createIntrospectionAbilityRules();
+            expect(rules).toEqual([]);
+        });
+        it('should return admin rules for admin users', () => {
+            const rules = createIntrospectionAbilityRules({ roles: ['admin'] });
+            expect(rules).toEqual([
+                { action: 'read', subject: '__Schema' },
+                { action: 'read', subject: '__Type' },
+            ]);
+        });
+        it('should return developer rules for developer users', () => {
+            const rules = createIntrospectionAbilityRules({ roles: ['developer'] });
+            expect(rules).toEqual([
+                { action: 'read', subject: '__Schema' },
+                { action: 'read', subject: '__Type' },
+            ]);
+        });
+        it('should return limited rules for regular users', () => {
+            const rules = createIntrospectionAbilityRules({ roles: ['user'] });
+            expect(rules).toEqual([{ action: 'read', subject: '__Schema' }]);
+        });
+        it('should handle users with multiple roles (admin takes precedence)', () => {
+            const rules = createIntrospectionAbilityRules({ roles: ['user', 'admin'] });
+            // Admin rules should be returned (early return)
+            expect(rules).toEqual([
+                { action: 'read', subject: '__Schema' },
+                { action: 'read', subject: '__Type' },
+            ]);
+        });
+    });
+    describe('Postgraphile Plugin', () => {
+        it('should create a valid plugin object', () => {
+            const plugin = createPostgraphileIntrospectionPlugin({
+                enabled: true,
+            });
+            expect(plugin).toBeDefined();
+            expect(plugin.name).toBe('IntrospectionControlPlugin');
+            expect(plugin.version).toBe('1.0.0');
+            expect(plugin.grafast).toBeDefined();
+        });
+        it('should warn when introspection is disabled', () => {
+            const consoleSpy = vi.spyOn(console, 'warn').mockImplementation(() => { });
+            const plugin = createPostgraphileIntrospectionPlugin({
+                enabled: false,
+            });
+            // Simulate the hook being called
+            const schema = {};
+            plugin.grafast.hooks.GraphQLSchema(schema);
+            expect(consoleSpy).toHaveBeenCalledWith('Introspection control in Postgraphile requires custom implementation');
+            consoleSpy.mockRestore();
+        });
+    });
+    describe('createSecureGraphQLMiddleware', () => {
+        it('should combine middlewares', () => {
+            const middleware = createSecureGraphQLMiddleware({
+                introspection: {
+                    enabled: true,
+                    allowedRoles: ['admin'],
+                },
+            });
+            expect(middleware).toBeInstanceOf(Function);
+        });
+        it('should apply introspection middleware when configured', async () => {
+            const mockResolve = vi.fn().mockResolvedValue({ data: 'test' });
+            const middleware = createSecureGraphQLMiddleware({
+                introspection: {
+                    enabled: false,
+                },
+            });
+            mockInfo.fieldName = '__schema';
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection is disabled');
+        });
+        it('should pass through when no introspection config', async () => {
+            const mockResolve = vi.fn().mockResolvedValue({ data: 'test' });
+            const middleware = createSecureGraphQLMiddleware({});
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+        });
+    });
+    describe('Environment-based Defaults', () => {
+        it('should default to enabled in development', () => {
+            const originalEnv = process.env.NODE_ENV;
+            process.env.NODE_ENV = 'development';
+            const middleware = createIntrospectionMiddleware({});
+            // Should not throw
+            expect(async () => {
+                await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            }).not.toThrow();
+            process.env.NODE_ENV = originalEnv;
+        });
+        it('should default to disabled in production', async () => {
+            const originalEnv = process.env.NODE_ENV;
+            process.env.NODE_ENV = 'production';
+            const middleware = createIntrospectionMiddleware({});
+            // Should throw in production
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Introspection is disabled');
+            process.env.NODE_ENV = originalEnv;
+        });
+    });
+});

package/dist/tests/jwt.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=jwt.test.d.ts.map

package/dist/tests/jwt.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.test.d.ts","sourceRoot":"","sources":["../../tests/jwt.test.ts"],"names":[],"mappings":""}