npm - @sustaina/iam-middleware - Versions diffs - 1.0.3 → 1.1.0 - Mend

@sustaina/iam-middleware 1.0.3 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +97 -4
package/dist/auth/AuthMiddleware.d.ts +36 -5
package/dist/auth/AuthMiddleware.d.ts.map +1 -1
package/dist/auth/AuthMiddleware.js +187 -109
package/dist/auth/AuthMiddleware.js.map +1 -1
package/dist/auth/AuthMiddleware.test.d.ts +2 -0
package/dist/auth/AuthMiddleware.test.d.ts.map +1 -0
package/dist/auth/AuthMiddleware.test.js +712 -0
package/dist/auth/AuthMiddleware.test.js.map +1 -0
package/dist/auth/ImplementModeMiddleware.test.d.ts +2 -0
package/dist/auth/ImplementModeMiddleware.test.d.ts.map +1 -0
package/dist/auth/ImplementModeMiddleware.test.js +249 -0
package/dist/auth/ImplementModeMiddleware.test.js.map +1 -0
package/dist/types/AuthTypes.d.ts +14 -4
package/dist/types/AuthTypes.d.ts.map +1 -1
package/package.json +12 -7

package/dist/auth/AuthMiddleware.test.js ADDED Viewed

@@ -0,0 +1,712 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+// Mock dependencies
+jest.mock("jsonwebtoken");
+jest.mock("@opentelemetry/api", () => ({
+    trace: {
+        getTracer: () => ({
+            startSpan: () => ({
+                setAttributes: jest.fn(),
+                recordException: jest.fn(),
+                end: jest.fn(),
+            }),
+        }),
+    },
+}));
+jest.mock("pino", () => {
+    return jest.fn(() => ({
+        info: jest.fn(),
+        warn: jest.fn(),
+        error: jest.fn(),
+        debug: jest.fn(),
+    }));
+});
+// Mock Redis client - defined before jest.mock
+const mockRedisClient = {
+    get: jest.fn(),
+    multi: jest.fn(() => ({
+        exec: jest.fn(),
+    })),
+    isOpen: true,
+    connect: jest.fn(),
+};
+// Mock BaseMiddleware's Redis setup - use factory function to avoid hoisting issues
+jest.mock("../infrastructure/RedisClient", () => ({
+    RedisClient: {
+        getInstance: jest.fn().mockResolvedValue({
+            get: jest.fn(),
+            multi: jest.fn(() => ({
+                exec: jest.fn(),
+            })),
+            isOpen: true,
+            connect: jest.fn(),
+        }),
+    },
+}));
+// Import after mocks are set up
+const AuthMiddleware_1 = require("./AuthMiddleware");
+describe("AuthMiddleware", () => {
+    let authMiddleware;
+    const mockJwtSecret = "test-secret";
+    const mockToken = "valid.jwt.token";
+    // Valid user payload
+    const validUserPayload = {
+        id: "user-123",
+        name: "Test User",
+        email: "test@example.com",
+        tenantId: "tenant-456",
+        type: "user",
+        tenantLocale: "en-US",
+        passwordPolicy: "standard",
+        isDenyPasswordChange: false,
+        isPasswordSendEmail: true,
+        jti: "jti-token-123",
+    };
+    // Valid admin payload
+    const validAdminPayload = {
+        id: "admin-123",
+        name: "Test Admin",
+        email: "admin@example.com",
+        isPlatformAdmin: true,
+    };
+    // Mock request factory
+    const createMockRequest = (authHeader) => ({
+        headers: {
+            authorization: authHeader,
+        },
+        url: "/test-url",
+    });
+    // Mock reply factory
+    const createMockReply = () => {
+        const reply = {
+            status: jest.fn().mockReturnThis(),
+            send: jest.fn().mockReturnThis(),
+        };
+        return reply;
+    };
+    beforeEach(() => {
+        jest.clearAllMocks();
+        // Setup AuthMiddleware with mocked redis client
+        authMiddleware = new AuthMiddleware_1.AuthMiddleware({
+            jwtSecret: mockJwtSecret,
+            redisClient: mockRedisClient,
+        });
+        // Default mock implementations
+        jsonwebtoken_1.default.verify.mockReturnValue(validUserPayload);
+        mockRedisClient.get.mockResolvedValue(validUserPayload.jti);
+    });
+    describe("authenticate", () => {
+        it("should authenticate successfully with valid token", async () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(request.isAuthenticated).toBe(true);
+            expect(request.user).toEqual({
+                id: validUserPayload.id,
+                name: validUserPayload.name,
+                email: validUserPayload.email,
+                type: validUserPayload.type,
+            });
+            expect(request.payload).toEqual(validUserPayload);
+        });
+        it("should return 401 when no authorization header is provided", async () => {
+            const request = createMockRequest();
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Authorization token is required",
+            });
+        });
+        it("should return 401 when authorization header does not start with Bearer", async () => {
+            const request = createMockRequest("Basic sometoken");
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Authorization token is required",
+            });
+        });
+        it("should return 401 when JWT verification fails", async () => {
+            jsonwebtoken_1.default.verify.mockImplementation(() => {
+                throw new Error("Invalid token");
+            });
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Invalid or expired token",
+            });
+        });
+        it("should return 401 when payload is incomplete", async () => {
+            const incompletePayload = {
+                id: "user-123",
+                name: "Test User",
+                // missing other required fields
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(incompletePayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Invalid token payload",
+            });
+        });
+        it("should return 401 when token is not in allowlist", async () => {
+            mockRedisClient.get.mockResolvedValue("different-jti");
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Token is not in allow list",
+            });
+        });
+        it("should return 401 when jti is missing in token", async () => {
+            const payloadWithoutJti = { ...validUserPayload };
+            delete payloadWithoutJti.jti;
+            jsonwebtoken_1.default.verify.mockReturnValue(payloadWithoutJti);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Token is not in allow list",
+            });
+        });
+        it("should return 500 when Redis check fails", async () => {
+            mockRedisClient.get.mockRejectedValue(new Error("Redis connection error"));
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(500);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Internal Server Error",
+                message: "Error while checking token validity",
+            });
+        });
+    });
+    describe("optionalAuthenticate", () => {
+        it("should authenticate successfully with valid token", async () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.optionalAuthenticate(request, reply);
+            expect(request.isAuthenticated).toBe(true);
+            expect(request.user).toEqual({
+                id: validUserPayload.id,
+                name: validUserPayload.name,
+                email: validUserPayload.email,
+                type: validUserPayload.type,
+            });
+        });
+        it("should not return error when no authorization header is provided", async () => {
+            const request = createMockRequest();
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticate(request, reply);
+            expect(result).toBeUndefined();
+            expect(request.isAuthenticated).toBeUndefined();
+        });
+        it("should not return error when JWT verification fails", async () => {
+            jsonwebtoken_1.default.verify.mockImplementation(() => {
+                throw new Error("Invalid token");
+            });
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticate(request, reply);
+            expect(result).toBeUndefined();
+        });
+        it("should not return error when payload is incomplete", async () => {
+            const incompletePayload = {
+                id: "user-123",
+                name: "Test User",
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(incompletePayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticate(request, reply);
+            expect(result).toBeUndefined();
+        });
+        it("should not return error when token is not in allowlist", async () => {
+            mockRedisClient.get.mockResolvedValue("different-jti");
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticate(request, reply);
+            expect(result).toBeUndefined();
+        });
+        it("should still return 500 on Redis error (server errors are not optional)", async () => {
+            mockRedisClient.get.mockRejectedValue(new Error("Redis connection error"));
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.optionalAuthenticate(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(500);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Internal Server Error",
+                message: "Error while checking token validity",
+            });
+        });
+    });
+    describe("authenticateAdmin", () => {
+        beforeEach(() => {
+            jsonwebtoken_1.default.verify.mockReturnValue(validAdminPayload);
+        });
+        it("should authenticate admin successfully with valid token", async () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(request.isAuthenticatedAdmin).toBe(true);
+            expect(request.admin).toEqual({
+                id: validAdminPayload.id,
+                name: validAdminPayload.name,
+                email: validAdminPayload.email,
+            });
+            expect(request.adminPayload).toEqual(validAdminPayload);
+        });
+        it("should return 401 when no authorization header is provided", async () => {
+            const request = createMockRequest();
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Authorization token is required",
+            });
+        });
+        it("should return 401 when authorization header does not start with Bearer", async () => {
+            const request = createMockRequest("Basic sometoken");
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Authorization token is required",
+            });
+        });
+        it("should return 401 when JWT verification fails", async () => {
+            jsonwebtoken_1.default.verify.mockImplementation(() => {
+                throw new Error("Invalid token");
+            });
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Invalid or expired token",
+            });
+        });
+        it("should return 401 when admin payload is incomplete", async () => {
+            const incompletePayload = {
+                id: "admin-123",
+                name: "Test Admin",
+                // missing email and isPlatformAdmin
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(incompletePayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Invalid token payload",
+            });
+        });
+        it("should return 401 when isPlatformAdmin is false", async () => {
+            const nonAdminPayload = {
+                ...validAdminPayload,
+                isPlatformAdmin: false,
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(nonAdminPayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.authenticateAdmin(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "Invalid token payload",
+            });
+        });
+    });
+    describe("optionalAuthenticateAdmin", () => {
+        beforeEach(() => {
+            jsonwebtoken_1.default.verify.mockReturnValue(validAdminPayload);
+        });
+        it("should authenticate admin successfully with valid token", async () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            await authMiddleware.optionalAuthenticateAdmin(request, reply);
+            expect(request.isAuthenticatedAdmin).toBe(true);
+            expect(request.admin).toEqual({
+                id: validAdminPayload.id,
+                name: validAdminPayload.name,
+                email: validAdminPayload.email,
+            });
+            expect(request.adminPayload).toEqual(validAdminPayload);
+        });
+        it("should not return error when no authorization header is provided", async () => {
+            const request = createMockRequest();
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticateAdmin(request, reply);
+            expect(result).toBeUndefined();
+            expect(request.isAuthenticatedAdmin).toBeUndefined();
+        });
+        it("should not return error when JWT verification fails", async () => {
+            jsonwebtoken_1.default.verify.mockImplementation(() => {
+                throw new Error("Invalid token");
+            });
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticateAdmin(request, reply);
+            expect(result).toBeUndefined();
+            expect(request.isAuthenticatedAdmin).toBeUndefined();
+        });
+        it("should not return error when admin payload is incomplete", async () => {
+            const incompletePayload = {
+                id: "admin-123",
+                name: "Test Admin",
+                // missing email and isPlatformAdmin
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(incompletePayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticateAdmin(request, reply);
+            expect(result).toBeUndefined();
+            expect(request.isAuthenticatedAdmin).toBeUndefined();
+        });
+        it("should not return error when isPlatformAdmin is false", async () => {
+            const nonAdminPayload = {
+                ...validAdminPayload,
+                isPlatformAdmin: false,
+            };
+            jsonwebtoken_1.default.verify.mockReturnValue(nonAdminPayload);
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const result = await authMiddleware.optionalAuthenticateAdmin(request, reply);
+            expect(result).toBeUndefined();
+            expect(request.isAuthenticatedAdmin).toBeUndefined();
+        });
+    });
+    describe("permissionGuard", () => {
+        beforeEach(() => {
+            jsonwebtoken_1.default.verify.mockReturnValue(validUserPayload);
+            mockRedisClient.get.mockResolvedValue(validUserPayload.jti);
+        });
+        const createAuthenticatedRequest = () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            request.user = {
+                id: validUserPayload.id,
+                name: validUserPayload.name,
+                email: validUserPayload.email,
+                type: validUserPayload.type,
+            };
+            request.payload = validUserPayload;
+            return request;
+        };
+        it("should return 401 when user is not authenticated", async () => {
+            const request = createMockRequest(`Bearer ${mockToken}`);
+            const reply = createMockReply();
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(401);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Authentication Error",
+                message: "User not authenticated",
+            });
+        });
+        it("should pass when user is administrator", async () => {
+            const request = createAuthenticatedRequest();
+            request.payload = { ...validUserPayload, type: "administrator" };
+            const reply = createMockReply();
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalled();
+        });
+        it("should pass when user has canRead permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canRead: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canRead permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canRead: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot read",
+            });
+        });
+        it("should pass when user has canCreate permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canCreate: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canCreate", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canCreate permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canCreate: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canCreate", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot create",
+            });
+        });
+        it("should pass when user has canEdit permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canEdit: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canEdit", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canEdit permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canEdit: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canEdit", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot edit",
+            });
+        });
+        it("should pass when user has canDelete permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canDelete: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canDelete", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canDelete permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canDelete: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canDelete", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot delete",
+            });
+        });
+        it("should pass when user has canNotify permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canNotify: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canNotify", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canNotify permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canNotify: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canNotify", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot notify",
+            });
+        });
+        it("should pass when user has canCreateDraft permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canCreateDraft: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canCreateDraft", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should return 403 when user does not have canCreateDraft permission", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canCreateDraft: false }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canCreateDraft", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionDenied",
+                message: "Permission denied: cannot create draft",
+            });
+        });
+        it("should return 403 when permission not found in Redis", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(null);
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(403);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "PermissionNotFound",
+                message: "Permission not found for subprogram test-program",
+            });
+        });
+        it("should return 500 when Redis error occurs", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.reject(new Error("Redis error"));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test-program" });
+            await guard(request, reply);
+            expect(reply.status).toHaveBeenCalledWith(500);
+            expect(reply.send).toHaveBeenCalledWith({
+                error: "Internal Server Error",
+                message: "Redis error while checking permissions",
+            });
+        });
+        it("should handle array of permission checks", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                if (key.startsWith("auth:permission:")) {
+                    return Promise.resolve(JSON.stringify({ canRead: true, canCreate: true }));
+                }
+                return Promise.resolve(validUserPayload.jti);
+            });
+            const guard = authMiddleware.permissionGuard([
+                { access: "canRead", subProgram: "program1" },
+                { access: "canCreate", subProgram: "program2" },
+            ]);
+            await guard(request, reply);
+            expect(reply.status).not.toHaveBeenCalledWith(403);
+        });
+        it("should strip spaces from subProgram name in cache key", async () => {
+            const request = createAuthenticatedRequest();
+            const reply = createMockReply();
+            mockRedisClient.get.mockImplementation((key) => {
+                // Verify the key has spaces removed
+                if (key === `auth:permission:testprogram:${validUserPayload.id}`) {
+                    return Promise.resolve(JSON.stringify({ canRead: true }));
+                }
+                if (key.startsWith("auth:session:")) {
+                    return Promise.resolve(validUserPayload.jti);
+                }
+                return Promise.resolve(null);
+            });
+            const guard = authMiddleware.permissionGuard({ access: "canRead", subProgram: "test program" });
+            await guard(request, reply);
+            expect(mockRedisClient.get).toHaveBeenCalledWith(`auth:permission:testprogram:${validUserPayload.id}`);
+        });
+    });
+    describe("constructor", () => {
+        it("should use provided jwtSecret", () => {
+            const customSecret = "custom-secret";
+            const middleware = new AuthMiddleware_1.AuthMiddleware({
+                jwtSecret: customSecret,
+                redisClient: mockRedisClient,
+            });
+            expect(middleware).toBeDefined();
+        });
+        it("should use environment variable for jwtSecret when not provided", () => {
+            const originalEnv = process.env.IAM_JWT_SECRET;
+            process.env.IAM_JWT_SECRET = "env-secret";
+            const middleware = new AuthMiddleware_1.AuthMiddleware({
+                redisClient: mockRedisClient,
+            });
+            expect(middleware).toBeDefined();
+            process.env.IAM_JWT_SECRET = originalEnv;
+        });
+        it("should use default secret when neither option nor env is provided", () => {
+            const originalEnv = process.env.IAM_JWT_SECRET;
+            delete process.env.IAM_JWT_SECRET;
+            const middleware = new AuthMiddleware_1.AuthMiddleware({
+                redisClient: mockRedisClient,
+            });
+            expect(middleware).toBeDefined();
+            process.env.IAM_JWT_SECRET = originalEnv;
+        });
+    });
+});
+//# sourceMappingURL=AuthMiddleware.test.js.map