@stonecrop/casl-middleware 0.7.0

package/dist/tests/jwt.test.js

@@ -0,0 +1,371 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import jwt from 'jsonwebtoken';
+import { createJWTMiddleware, createJWT, createHTTPJWTMiddleware, refreshTokenUtils, } from '../src/middleware/jwt';
+describe('JWT Middleware', () => {
+    const TEST_SECRET = 'test-secret-key-for-testing';
+    const TEST_USER = {
+        id: 'user-123',
+        roles: ['user', 'editor'],
+    };
+    describe('createJWT', () => {
+        it('should create a valid JWT token', () => {
+            const token = createJWT(TEST_USER, {
+                secret: TEST_SECRET,
+                expiresIn: '1h',
+            });
+            expect(token).toBeDefined();
+            expect(token.split('.')).toHaveLength(3);
+            // Verify the token
+            const decoded = jwt.verify(token, TEST_SECRET);
+            expect(decoded.sub).toBe(TEST_USER.id);
+            expect(decoded.roles).toEqual(TEST_USER.roles);
+        });
+        it('should include additional claims', () => {
+            const token = createJWT(TEST_USER, {
+                secret: TEST_SECRET,
+                additionalClaims: {
+                    email: 'user@example.com',
+                    permissions: ['read:posts', 'write:posts'],
+                },
+            });
+            const decoded = jwt.verify(token, TEST_SECRET);
+            expect(decoded.email).toBe('user@example.com');
+            expect(decoded.permissions).toEqual(['read:posts', 'write:posts']);
+        });
+        it('should set issuer and audience', () => {
+            const token = createJWT(TEST_USER, {
+                secret: TEST_SECRET,
+                issuer: 'test-app',
+                audience: 'api.example.com',
+            });
+            const decoded = jwt.verify(token, TEST_SECRET, {
+                issuer: 'test-app',
+                audience: 'api.example.com',
+            });
+            expect(decoded.iss).toBe('test-app');
+            expect(decoded.aud).toBe('api.example.com');
+        });
+    });
+    describe('createJWTMiddleware', () => {
+        let mockContext;
+        let mockNext;
+        beforeEach(() => {
+            mockContext = {
+                req: {
+                    headers: {
+                        get: vi.fn(),
+                    },
+                },
+                user: undefined,
+            };
+            mockNext = vi.fn().mockResolvedValue('next-result');
+        });
+        it('should extract and verify valid JWT token', async () => {
+            const token = createJWT(TEST_USER, { secret: TEST_SECRET });
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user).toBeDefined();
+            expect(mockContext.user?.id).toBe(TEST_USER.id);
+            expect(mockContext.user?.roles).toEqual(TEST_USER.roles);
+            expect(mockNext).toHaveBeenCalled();
+        });
+        it('should handle token without Bearer prefix', async () => {
+            const token = createJWT(TEST_USER, { secret: TEST_SECRET });
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(token);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user?.id).toBe(TEST_USER.id);
+            expect(mockNext).toHaveBeenCalled();
+        });
+        it('should throw error for invalid token', async () => {
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue('Bearer invalid-token');
+            await expect(middleware(mockContext, mockNext)).rejects.toThrow('Invalid token');
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+        it('should throw error for expired token', async () => {
+            const token = jwt.sign({ sub: TEST_USER.id, roles: TEST_USER.roles }, TEST_SECRET, { expiresIn: '-1h' } // Already expired
+            );
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await expect(middleware(mockContext, mockNext)).rejects.toThrow('Token has expired');
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+        it('should handle optional mode when no token is present', async () => {
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+                optional: true,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(null);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user).toBeUndefined();
+            expect(mockNext).toHaveBeenCalled();
+        });
+        it('should handle optional mode with invalid token', async () => {
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+                optional: true,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue('Bearer invalid-token');
+            // Should not throw in optional mode
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user).toBeUndefined();
+            expect(mockNext).toHaveBeenCalled();
+        });
+        it('should skip when disabled', async () => {
+            const middleware = createJWTMiddleware({
+                enabled: false,
+                secret: TEST_SECRET,
+            });
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user).toBeUndefined();
+            expect(mockNext).toHaveBeenCalled();
+            expect(mockContext.req.headers.get).not.toHaveBeenCalled();
+        });
+        it('should use custom user extractor', async () => {
+            const customUser = {
+                id: 'custom-id',
+                roles: ['custom-role'],
+                customField: 'custom-value',
+            };
+            const token = jwt.sign({ user_id: 'custom-id', user_roles: ['custom-role'], extra: 'custom-value' }, TEST_SECRET);
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+                extractUser: payload => ({
+                    id: payload.user_id,
+                    roles: payload.user_roles,
+                    customField: payload.extra,
+                }),
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user).toEqual(customUser);
+        });
+        it('should verify with specific algorithms', async () => {
+            const token = jwt.sign({ sub: TEST_USER.id, roles: TEST_USER.roles }, TEST_SECRET, { algorithm: 'HS256' });
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+                algorithms: ['HS256'],
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user?.id).toBe(TEST_USER.id);
+        });
+        it('should verify issuer and audience', async () => {
+            const token = jwt.sign({ sub: TEST_USER.id, roles: TEST_USER.roles }, TEST_SECRET, {
+                issuer: 'test-app',
+                audience: 'api.example.com',
+            });
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+                issuer: 'test-app',
+                audience: 'api.example.com',
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.user?.id).toBe(TEST_USER.id);
+        });
+        it('should store JWT payload in context', async () => {
+            const token = createJWT(TEST_USER, {
+                secret: TEST_SECRET,
+                additionalClaims: { extra: 'data' },
+            });
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            mockContext.req.headers.get = vi.fn().mockReturnValue(`Bearer ${token}`);
+            await middleware(mockContext, mockNext);
+            expect(mockContext.jwtPayload).toBeDefined();
+            expect(mockContext.jwtPayload.extra).toBe('data');
+        });
+    });
+    describe('createHTTPJWTMiddleware', () => {
+        it('should work with Express-style middleware', async () => {
+            const token = createJWT(TEST_USER, { secret: TEST_SECRET });
+            const middleware = createHTTPJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            const req = {
+                headers: {
+                    authorization: `Bearer ${token}`,
+                },
+                user: undefined,
+            };
+            const res = {
+                status: vi.fn().mockReturnThis(),
+                json: vi.fn(),
+            };
+            const next = vi.fn();
+            await middleware(req, res, next);
+            expect(req.user).toBeDefined();
+            expect(req.user?.id).toBe(TEST_USER.id);
+            expect(next).toHaveBeenCalled();
+            expect(res.status).not.toHaveBeenCalled();
+        });
+        it('should return 401 for invalid token', async () => {
+            const middleware = createHTTPJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            const req = {
+                headers: {
+                    authorization: 'Bearer invalid-token',
+                },
+            };
+            const res = {
+                status: vi.fn().mockReturnThis(),
+                json: vi.fn(),
+            };
+            const next = vi.fn();
+            await middleware(req, res, next);
+            expect(res.status).toHaveBeenCalledWith(401);
+            expect(res.json).toHaveBeenCalledWith({
+                error: 'Invalid token',
+                code: 'UNAUTHORIZED',
+            });
+            expect(next).not.toHaveBeenCalled();
+        });
+        it('should continue in optional mode without token', async () => {
+            const middleware = createHTTPJWTMiddleware({
+                secret: TEST_SECRET,
+                optional: true,
+            });
+            const req = {
+                headers: {},
+                user: undefined,
+            };
+            const res = {
+                status: vi.fn().mockReturnThis(),
+                json: vi.fn(),
+            };
+            const next = vi.fn();
+            await middleware(req, res, next);
+            expect(req.user).toBeUndefined();
+            expect(next).toHaveBeenCalled();
+            expect(res.status).not.toHaveBeenCalled();
+        });
+    });
+    describe('refreshTokenUtils', () => {
+        it('should create access and refresh token pair', () => {
+            const { accessToken, refreshToken } = refreshTokenUtils.createTokenPair(TEST_USER, {
+                accessSecret: TEST_SECRET,
+                refreshSecret: TEST_SECRET + '-refresh',
+            });
+            expect(accessToken).toBeDefined();
+            expect(refreshToken).toBeDefined();
+            // Verify access token
+            const accessPayload = jwt.verify(accessToken, TEST_SECRET);
+            expect(accessPayload.sub).toBe(TEST_USER.id);
+            expect(accessPayload.type).toBe('access');
+            // Verify refresh token
+            const refreshPayload = jwt.verify(refreshToken, TEST_SECRET + '-refresh');
+            expect(refreshPayload.sub).toBe(TEST_USER.id);
+            expect(refreshPayload.type).toBe('refresh');
+        });
+        it('should refresh access token with valid refresh token', async () => {
+            const refreshToken = jwt.sign({ sub: TEST_USER.id, type: 'refresh' }, TEST_SECRET + '-refresh', {
+                expiresIn: '7d',
+            });
+            const mockGetUserById = vi.fn().mockResolvedValue(TEST_USER);
+            const result = await refreshTokenUtils.refreshAccessToken(refreshToken, {
+                accessSecret: TEST_SECRET,
+                refreshSecret: TEST_SECRET + '-refresh',
+                getUserById: mockGetUserById,
+            });
+            expect(result.accessToken).toBeDefined();
+            expect(result.user).toEqual(TEST_USER);
+            expect(mockGetUserById).toHaveBeenCalledWith(TEST_USER.id);
+            // Verify new access token
+            const decoded = jwt.verify(result.accessToken, TEST_SECRET);
+            expect(decoded.sub).toBe(TEST_USER.id);
+            expect(decoded.type).toBe('access');
+        });
+        it('should reject invalid refresh token type', async () => {
+            // Use access token as refresh token (wrong type)
+            const wrongToken = jwt.sign({ sub: TEST_USER.id, type: 'access' }, TEST_SECRET + '-refresh');
+            const mockGetUserById = vi.fn();
+            await expect(refreshTokenUtils.refreshAccessToken(wrongToken, {
+                accessSecret: TEST_SECRET,
+                refreshSecret: TEST_SECRET + '-refresh',
+                getUserById: mockGetUserById,
+            })).rejects.toThrow('Invalid token type');
+            expect(mockGetUserById).not.toHaveBeenCalled();
+        });
+        it('should reject expired refresh token', async () => {
+            const expiredToken = jwt.sign({ sub: TEST_USER.id, type: 'refresh' }, TEST_SECRET + '-refresh', {
+                expiresIn: '-1h',
+            });
+            const mockGetUserById = vi.fn();
+            await expect(refreshTokenUtils.refreshAccessToken(expiredToken, {
+                accessSecret: TEST_SECRET,
+                refreshSecret: TEST_SECRET + '-refresh',
+                getUserById: mockGetUserById,
+            })).rejects.toThrow('Refresh token expired');
+        });
+        it('should reject if user not found', async () => {
+            const refreshToken = jwt.sign({ sub: 'non-existent', type: 'refresh' }, TEST_SECRET + '-refresh');
+            const mockGetUserById = vi.fn().mockResolvedValue(null);
+            await expect(refreshTokenUtils.refreshAccessToken(refreshToken, {
+                accessSecret: TEST_SECRET,
+                refreshSecret: TEST_SECRET + '-refresh',
+                getUserById: mockGetUserById,
+            })).rejects.toThrow('User not found');
+        });
+    });
+    describe('JWT with permissions', () => {
+        it('should handle JWT with embedded permissions', async () => {
+            const tokenWithPermissions = jwt.sign({
+                sub: TEST_USER.id,
+                roles: TEST_USER.roles,
+                permissions: [
+                    { action: 'create', subject: 'Post' },
+                    { action: 'update', subject: 'Post', conditions: { authorId: TEST_USER.id } },
+                ],
+            }, TEST_SECRET);
+            const middleware = createJWTMiddleware({
+                secret: TEST_SECRET,
+            });
+            const mockContext = {
+                req: {
+                    headers: {
+                        get: vi.fn().mockReturnValue(`Bearer ${tokenWithPermissions}`),
+                    },
+                },
+                user: undefined,
+            };
+            await middleware(mockContext, vi.fn());
+            expect(mockContext.user).toBeDefined();
+            expect(mockContext.user.permissions).toHaveLength(2);
+            expect(mockContext.user.permissions[0]).toEqual({
+                action: 'create',
+                subject: 'Post',
+            });
+        });
+    });
+});
+describe('JWT Configuration Validation', () => {
+    it('should throw error if neither secret nor publicKey is provided', () => {
+        expect(() => {
+            createJWTMiddleware({
+                enabled: true,
+                // No secret or publicKey
+            });
+        }).toThrow('JWT middleware requires either secret or publicKey');
+    });
+    it('should not throw when disabled without secret', () => {
+        expect(() => {
+            createJWTMiddleware({
+                enabled: false,
+                // No secret, but disabled
+            });
+        }).not.toThrow();
+    });
+});

package/dist/tests/middleware.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=middleware.test.d.ts.map

package/dist/tests/middleware.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.test.d.ts","sourceRoot":"","sources":["../../tests/middleware.test.ts"],"names":[],"mappings":""}

package/dist/tests/middleware.test.js

@@ -0,0 +1,184 @@
+import { PureAbility, AbilityBuilder } from '@casl/ability';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createCaslMiddleware } from '../src/middleware/graphql';
+const Ability = PureAbility;
+// Helper to create abilities with proper matchers
+const createTestAbility = (rules) => {
+    const { can, cannot, build } = new AbilityBuilder(Ability);
+    rules.forEach(rule => {
+        if (rule.inverted) {
+            if (rule.fields && rule.conditions) {
+                cannot(rule.action, rule.subject, rule.fields, rule.conditions);
+            }
+            else if (rule.fields) {
+                cannot(rule.action, rule.subject, rule.fields);
+            }
+            else if (rule.conditions) {
+                cannot(rule.action, rule.subject, rule.conditions);
+            }
+            else {
+                cannot(rule.action, rule.subject);
+            }
+        }
+        else {
+            if (rule.fields && rule.conditions) {
+                can(rule.action, rule.subject, rule.fields, rule.conditions);
+            }
+            else if (rule.fields) {
+                can(rule.action, rule.subject, rule.fields);
+            }
+            else if (rule.conditions) {
+                can(rule.action, rule.subject, rule.conditions);
+            }
+            else {
+                can(rule.action, rule.subject);
+            }
+        }
+    });
+    return build({
+        detectSubjectType: (object) => object?.type || object?.constructor?.name || 'Unknown',
+        fieldMatcher: fields => field => {
+            if (!fields || !field)
+                return false;
+            return Array.isArray(fields) ? fields.includes(field) : fields === field;
+        },
+        conditionsMatcher: conditions => object => {
+            if (!conditions || !object)
+                return true;
+            return Object.keys(conditions).every(key => object[key] === conditions[key]);
+        },
+    });
+};
+describe('CASL GraphQL Middleware', () => {
+    let mockResolve;
+    let mockContext;
+    let mockInfo;
+    beforeEach(() => {
+        mockResolve = vi.fn().mockResolvedValue({ data: 'test' });
+        mockContext = {
+            ability: createTestAbility([
+                { action: 'read', subject: 'Query' },
+                { action: 'read', subject: 'User' },
+                { action: 'update', subject: 'User', conditions: { id: '123' } },
+            ]),
+            user: { id: '123', roles: ['user'] },
+        };
+        mockInfo = {
+            fieldName: 'getUser',
+            parentType: { name: 'Query' },
+            path: { typename: 'Query', key: 'getUser' },
+            operation: {
+                operation: 'query',
+                loc: { source: { body: 'query { getUser { id } }' } },
+            },
+        };
+    });
+    describe('Basic Middleware Functionality', () => {
+        it('should pass through when ability allows the operation', async () => {
+            const middleware = createCaslMiddleware();
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+        });
+        it('should create ability when not in context', async () => {
+            const middleware = createCaslMiddleware();
+            const contextWithoutAbility = { user: { id: '123', roles: ['user'] } };
+            // The middleware creates an ability if none exists
+            const result = await middleware(mockResolve, {}, {}, contextWithoutAbility, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+            expect(contextWithoutAbility.ability).toBeDefined();
+        });
+        it('should deny access when ability does not allow operation', async () => {
+            const middleware = createCaslMiddleware();
+            mockContext.ability = createTestAbility([{ action: 'read', subject: 'Post' }]);
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Access denied for read on Query');
+        });
+    });
+    describe('Subject Mapping', () => {
+        it('should map GraphQL types to custom subjects', async () => {
+            const middleware = createCaslMiddleware({
+                subjectMap: {
+                    Query: 'query_operations',
+                    User: 'app_user',
+                },
+            });
+            mockContext.ability = createTestAbility([{ action: 'read', subject: 'query_operations' }]);
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+        });
+        it('should use original type name when no mapping exists', async () => {
+            const middleware = createCaslMiddleware({
+                subjectMap: { User: 'app_user' },
+            });
+            // Should work with original 'Query' subject since it's not mapped
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+    describe('Action Mapping', () => {
+        it('should map GraphQL operations to custom actions', async () => {
+            const middleware = createCaslMiddleware({
+                actionMap: {
+                    query: 'view',
+                    mutation: 'modify',
+                    subscription: 'watch',
+                },
+            });
+            mockContext.ability = createTestAbility([{ action: 'view', subject: 'Query' }]);
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+    describe('Field-Level Permissions', () => {
+        it('should check field-level permissions when configured', async () => {
+            const middleware = createCaslMiddleware({
+                fieldPermissions: {
+                    'User.email': [{ action: 'read', subject: 'UserEmail' }],
+                    'User.password': [{ action: 'read', subject: 'UserPassword' }],
+                },
+            });
+            mockInfo.parentType = { name: 'User' };
+            mockInfo.fieldName = 'email';
+            mockInfo.path = { typename: 'User', key: 'email' };
+            mockContext.ability = createTestAbility([
+                { action: 'read', subject: 'User' },
+                { action: 'read', subject: 'UserEmail' },
+            ]);
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+        it('should deny access to fields without permission', async () => {
+            const middleware = createCaslMiddleware({
+                fieldPermissions: {
+                    'User.password': [{ action: 'read', subject: 'UserPassword' }],
+                },
+            });
+            mockInfo.parentType = { name: 'User' };
+            mockInfo.fieldName = 'password';
+            mockInfo.path = { typename: 'User', key: 'password' };
+            mockContext.ability = createTestAbility([{ action: 'read', subject: 'User' }]);
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Access denied for field User.password');
+        });
+    });
+    describe('Mutation Field Checking', () => {
+        it('should check field permissions for mutations with input', async () => {
+            const middleware = createCaslMiddleware();
+            mockInfo.parentType = { name: 'Mutation' };
+            mockInfo.operation.operation = 'mutation';
+            mockInfo.operation.loc = {
+                source: {
+                    body: 'mutation { updateUser(input: { name: "test", role: "admin" }) { id } }',
+                },
+            };
+            mockContext.ability = createTestAbility([
+                { action: 'update', subject: 'Mutation' },
+                { action: 'update', subject: 'User', fields: ['name'] },
+            ]);
+            const args = { input: { name: 'test', role: 'admin' } };
+            const result = await middleware(mockResolve, {}, args, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+});

package/dist/tests/postgraphile-plugin.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=postgraphile-plugin.test.d.ts.map

package/dist/tests/postgraphile-plugin.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgraphile-plugin.test.d.ts","sourceRoot":"","sources":["../../tests/postgraphile-plugin.test.ts"],"names":[],"mappings":""}

package/dist/tests/postgraphile-plugin.test.js

@@ -0,0 +1,56 @@
+import { describe, it, expect } from 'vitest';
+import { pglCaslPlugin } from '../src';
+import { createConfigBasedAbilityBuilder } from '../src/middleware/ability';
+describe('PostGraphile CASL Plugins', () => {
+    describe('pglCaslPlugin (extendSchema)', () => {
+        it('should be a valid extendSchema plugin object', () => {
+            expect(pglCaslPlugin).toBeDefined();
+            expect(pglCaslPlugin).toBeInstanceOf(Object); // It's an object, not a function
+            expect(pglCaslPlugin).toHaveProperty('name');
+            expect(pglCaslPlugin).toHaveProperty('version');
+        });
+        it('should have schema extension properties', () => {
+            // The plugin object has specific properties
+            expect(pglCaslPlugin).toHaveProperty('name');
+            expect(pglCaslPlugin.name).toMatch(/^ExtendSchemaPlugin_/);
+            // Check for schema extension function
+            expect(pglCaslPlugin).toHaveProperty('schema');
+            expect(typeof pglCaslPlugin.schema).toBe('object');
+            // Check for hooks if they exist
+            if (pglCaslPlugin.schema?.hooks) {
+                expect(pglCaslPlugin.schema.hooks).toHaveProperty('build');
+            }
+        });
+        it('should define schema extensions when executed', () => {
+            // Since extendSchema creates a plugin object, we need to test differently
+            // The actual schema extension happens when PostGraphile processes the plugin
+            // We can verify the plugin has the expected structure
+            expect(pglCaslPlugin).toHaveProperty('name');
+            expect(pglCaslPlugin).toHaveProperty('version');
+            // The schema extension function is wrapped inside the plugin
+            // and will be executed by PostGraphile
+        });
+    });
+    describe('Ability Integration', () => {
+        it('should create abilities with custom builder', async () => {
+            const customBuilder = createConfigBasedAbilityBuilder({
+                defaultRules: [{ action: 'read', subject: 'Query' }],
+                roles: {
+                    editor: [
+                        { action: 'create', subject: 'Post' },
+                        { action: 'update', subject: 'Post' },
+                    ],
+                },
+            });
+            // Test that the ability builder works
+            const ability = await customBuilder({ id: '123', roles: ['editor'] });
+            expect(ability.can('create', 'Post')).toBe(true);
+            expect(ability.can('update', 'Post')).toBe(true);
+        });
+        it('should work with PostGraphile plugin system', () => {
+            // Test that our plugin has the correct shape for PostGraphile
+            expect(pglCaslPlugin).toHaveProperty('name');
+            expect(pglCaslPlugin).toHaveProperty('version');
+        });
+    });
+});

package/dist/tests/setup.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=setup.d.ts.map

package/dist/tests/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../tests/setup.ts"],"names":[],"mappings":""}

package/dist/tests/setup.js

@@ -0,0 +1,11 @@
+import { beforeAll, afterEach, afterAll } from 'vitest';
+// Setup test environment
+beforeAll(() => {
+    // Add any global setup here
+});
+afterEach(() => {
+    // Clean up after each test
+});
+afterAll(() => {
+    // Clean up after all tests
+});

package/dist/tests/user-roles.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=user-roles.test.d.ts.map

package/dist/tests/user-roles.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-roles.test.d.ts","sourceRoot":"","sources":["../../tests/user-roles.test.ts"],"names":[],"mappings":""}