npm - @tellescope/sdk - Versions diffs - 1.252.0 → 1.252.2 - Mend

@tellescope/sdk 1.252.0 → 1.252.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.js ADDED Viewed

@@ -0,0 +1,237 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cascade_role_rename_cross_tenant_tests = void 0;
+require('source-map-support').install();
+var sdk_1 = require("../../../sdk");
+var testing_1 = require("@tellescope/testing");
+var setup_1 = require("../../setup");
+var constants_1 = require("@tellescope/constants");
+var host = process.env.API_URL || 'http://localhost:8080';
+// Separate tenant (different businessId), reusing the same hardcoded apiKey that
+// multi_tenant_tests relies on in tests.ts.
+var OTHER_TENANT_API_KEY = "ba745e25162bb95a795c5fa1af70df188d93c4d3aac9c48b34a5c8c9dd7b80f7";
+/**
+ * Tenant-boundary guard for cascade_role_rename (relates to security-audit finding F-0053,
+ * which was investigated and closed as a FALSE POSITIVE — see that file for the code trace).
+ *
+ * The `cascade_role_rename` side-effect handler
+ * ([event_handlers_v2/role_based_access_permissions.ts](packages/private/api/api/v1/event_handlers_v2/role_based_access_permissions.ts))
+ * runs when a `role_based_access_permissions` doc's `role` field changes. It finds every user
+ * with the old role name (via `DBUnrestricted.users`) and rewrites their `roles` array, then
+ * deauthenticates them. F-0053 hypothesized this query was globally cross-tenant. It is NOT:
+ * `DBUnrestricted` bypasses per-user/per-role RBAC but is STILL scoped to the acting session's
+ * `businessId` (see `modifyFilterForAccessConstraint` injecting `{ businessId }` at
+ * database.ts:1761-1763, reached via the `unrestricted: true` branch at database.ts:2137-2144).
+ *
+ * This test locks that boundary in place so a future refactor of `DBUnrestricted` semantics
+ * can't silently turn the cascade into a cross-tenant write:
+ *   1. Tenant A creates a role `ROLE_OLD` and assigns it to a Tenant A user (positive control).
+ *   2. Tenant B (separate businessId) has a user whose roles include the SAME `ROLE_OLD`.
+ *   3. Tenant A renames the role `ROLE_OLD` -> `ROLE_NEW`.
+ *   4. Assert the Tenant B user's roles are UNCHANGED (still `[ROLE_OLD]`)  <-- guards the tenant boundary.
+ *   5. Assert the Tenant A user's roles ARE renamed to `[ROLE_NEW]`         <-- same-tenant cascade works.
+ *
+ * Expected on current (correct) code: BOTH assertions pass. A regression that drops the
+ * `businessId` scoping would flip assertion #4 to red (Tenant B user becomes `[ROLE_NEW]`).
+ *
+ * A collision-proof unique role name (timestamped) is used so the test never touches real roles.
+ */
+var cascade_role_rename_cross_tenant_tests = function (_a) {
+    var sdk = _a.sdk;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var stamp, ROLE_OLD, ROLE_NEW, sdkOther, rbapId, controlUserId, victimUserId, tenantABusinessId, rbap, controlUser, victimUser, victimBefore, controlBefore, victimAfter, controlAfter, _b, _c, _d;
+        return __generator(this, function (_e) {
+            switch (_e.label) {
+                case 0:
+                    (0, testing_1.log_header)("F-0053: cascade role rename cross-tenant regression");
+                    stamp = Date.now();
+                    ROLE_OLD = "XTenantRename_".concat(stamp);
+                    ROLE_NEW = "".concat(ROLE_OLD, "_renamed");
+                    sdkOther = new sdk_1.Session({ host: host, apiKey: OTHER_TENANT_API_KEY });
+                    _e.label = 1;
+                case 1:
+                    _e.trys.push([1, , 13, 26]);
+                    tenantABusinessId = sdk.userInfo.businessId;
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.createOne({
+                            role: ROLE_OLD,
+                            permissions: __assign({}, constants_1.PROVIDER_PERMISSIONS),
+                        })];
+                case 2:
+                    rbap = _e.sent();
+                    rbapId = rbap.id;
+                    return [4 /*yield*/, sdk.api.users.createOne({
+                            email: "f0053-control-".concat(stamp, "@example.com"),
+                            notificationEmailsDisabled: true,
+                        })];
+                case 3:
+                    controlUser = _e.sent();
+                    controlUserId = controlUser.id;
+                    return [4 /*yield*/, sdk.api.users.updateOne(controlUserId, { roles: [ROLE_OLD] }, { replaceObjectFields: true })
+                        // 3. Tenant B: create a throwaway victim user holding the SAME ROLE_OLD.
+                    ];
+                case 4:
+                    _e.sent();
+                    return [4 /*yield*/, sdkOther.api.users.createOne({
+                            email: "f0053-victim-".concat(stamp, "@example.com"),
+                            notificationEmailsDisabled: true,
+                        })];
+                case 5:
+                    victimUser = _e.sent();
+                    victimUserId = victimUser.id;
+                    return [4 /*yield*/, sdkOther.api.users.updateOne(victimUserId, { roles: [ROLE_OLD] }, { replaceObjectFields: true })
+                        // 4. Setup sanity: tenants are distinct and both users actually hold ROLE_OLD before the rename.
+                        //    (Distinguishes a setup failure from the security assertion below.)
+                    ];
+                case 6:
+                    _e.sent();
+                    // 4. Setup sanity: tenants are distinct and both users actually hold ROLE_OLD before the rename.
+                    //    (Distinguishes a setup failure from the security assertion below.)
+                    (0, testing_1.assert)(victimUser.businessId !== tenantABusinessId, "Victim user shares businessId with Tenant A (".concat(victimUser.businessId, ") \u2014 not a cross-tenant scenario"), 'F-0053 setup: tenants are distinct');
+                    return [4 /*yield*/, sdkOther.api.users.getOne(victimUserId)];
+                case 7:
+                    victimBefore = _e.sent();
+                    return [4 /*yield*/, sdk.api.users.getOne(controlUserId)];
+                case 8:
+                    controlBefore = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(victimBefore.roles) === JSON.stringify([ROLE_OLD])
+                        && JSON.stringify(controlBefore.roles) === JSON.stringify([ROLE_OLD]), "Setup failed: expected both users to hold [".concat(ROLE_OLD, "] (victim=").concat(JSON.stringify(victimBefore.roles), ", control=").concat(JSON.stringify(controlBefore.roles), ")"), 'F-0053 setup: both users hold ROLE_OLD');
+                    // 5. Tenant A renames the role. This triggers cascade_role_rename.
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.updateOne(rbapId, { role: ROLE_NEW })];
+                case 9:
+                    // 5. Tenant A renames the role. This triggers cascade_role_rename.
+                    _e.sent();
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)
+                        // 6. SECURITY ASSERTION — the Tenant B victim must be untouched by Tenant A's rename.
+                    ]; // let the side effect run
+                case 10:
+                    _e.sent(); // let the side effect run
+                    return [4 /*yield*/, sdkOther.api.users.getOne(victimUserId)];
+                case 11:
+                    victimAfter = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(victimAfter.roles) === JSON.stringify([ROLE_OLD]), "CROSS-TENANT LEAK: Tenant B victim roles changed to ".concat(JSON.stringify(victimAfter.roles), " ")
+                        + "after Tenant A renamed its role. Expected [".concat(ROLE_OLD, "]."), 'F-0053: Tenant B user roles unaffected by other-tenant role rename');
+                    return [4 /*yield*/, sdk.api.users.getOne(controlUserId)];
+                case 12:
+                    controlAfter = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(controlAfter.roles) === JSON.stringify([ROLE_NEW]), "Same-tenant cascade broken: Tenant A control roles are ".concat(JSON.stringify(controlAfter.roles), ", ")
+                        + "expected [".concat(ROLE_NEW, "]."), 'F-0053: Tenant A user roles renamed by same-tenant cascade');
+                    return [3 /*break*/, 26];
+                case 13:
+                    if (!victimUserId) return [3 /*break*/, 17];
+                    _e.label = 14;
+                case 14:
+                    _e.trys.push([14, 16, , 17]);
+                    return [4 /*yield*/, sdkOther.api.users.deleteOne(victimUserId)];
+                case 15:
+                    _e.sent();
+                    return [3 /*break*/, 17];
+                case 16:
+                    _b = _e.sent();
+                    return [3 /*break*/, 17];
+                case 17:
+                    if (!controlUserId) return [3 /*break*/, 21];
+                    _e.label = 18;
+                case 18:
+                    _e.trys.push([18, 20, , 21]);
+                    return [4 /*yield*/, sdk.api.users.deleteOne(controlUserId)];
+                case 19:
+                    _e.sent();
+                    return [3 /*break*/, 21];
+                case 20:
+                    _c = _e.sent();
+                    return [3 /*break*/, 21];
+                case 21:
+                    if (!rbapId) return [3 /*break*/, 25];
+                    _e.label = 22;
+                case 22:
+                    _e.trys.push([22, 24, , 25]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.deleteOne(rbapId)];
+                case 23:
+                    _e.sent();
+                    return [3 /*break*/, 25];
+                case 24:
+                    _d = _e.sent();
+                    return [3 /*break*/, 25];
+                case 25: return [7 /*endfinally*/];
+                case 26: return [2 /*return*/];
+            }
+        });
+    });
+};
+exports.cascade_role_rename_cross_tenant_tests = cascade_role_rename_cross_tenant_tests;
+// Allow running this test file independently
+if (require.main === module) {
+    console.log("\uD83C\uDF10 Using API URL: ".concat(host));
+    var sdk_2 = new sdk_1.Session({ host: host });
+    var sdkNonAdmin_1 = new sdk_1.Session({ host: host });
+    var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, setup_1.setup_tests)(sdk_2, sdkNonAdmin_1)];
+                case 1:
+                    _a.sent();
+                    return [4 /*yield*/, (0, exports.cascade_role_rename_cross_tenant_tests)({ sdk: sdk_2, sdkNonAdmin: sdkNonAdmin_1 })];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); };
+    runTests()
+        .then(function () {
+        console.log("✅ F-0053 cascade role rename cross-tenant test suite completed successfully");
+        process.exit(0);
+    })
+        .catch(function (error) {
+        console.error("❌ F-0053 cascade role rename cross-tenant test suite failed:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=F-0053-cascade-role-rename-cross-tenant.test.js.map

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0053-cascade-role-rename-cross-tenant.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,oCAAsC;AACtC,+CAI4B;AAC5B,qCAAyC;AACzC,mDAA4D;AAE5D,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AAEpE,iFAAiF;AACjF,4CAA4C;AAC5C,IAAM,oBAAoB,GAAG,kEAAkE,CAAA;AAE/F;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACI,IAAM,sCAAsC,GAAG,UAAO,EAAgD;QAA9C,GAAG,SAAA;;;;;;oBAChE,IAAA,oBAAU,EAAC,qDAAqD,CAAC,CAAA;oBAE3D,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;oBAClB,QAAQ,GAAG,wBAAiB,KAAK,CAAE,CAAA;oBACnC,QAAQ,GAAG,UAAG,QAAQ,aAAU,CAAA;oBAIhC,QAAQ,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAA;;;;oBAY5D,iBAAiB,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAA;oBAGpC,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC;4BACjE,IAAI,EAAE,QAAQ;4BACd,WAAW,eAAO,gCAAoB,CAAE;yBACzC,CAAC,EAAA;;oBAHI,IAAI,GAAG,SAGX;oBACF,MAAM,GAAG,IAAI,CAAC,EAAE,CAAA;oBAGI,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;4BAChD,KAAK,EAAE,wBAAiB,KAAK,iBAAc;4BAC3C,0BAA0B,EAAE,IAAI;yBAC1B,CAAC,EAAA;;oBAHH,WAAW,GAAG,SAGX;oBACT,aAAa,GAAG,WAAW,CAAC,EAAE,CAAA;oBAC9B,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC;wBAElG,yEAAyE;sBAFyB;;oBAAlG,SAAkG,CAAA;oBAG/E,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;4BACpD,KAAK,EAAE,uBAAgB,KAAK,iBAAc;4BAC1C,0BAA0B,EAAE,IAAI;yBAC1B,CAAC,EAAA;;oBAHH,UAAU,GAAG,SAGV;oBACT,YAAY,GAAG,UAAU,CAAC,EAAE,CAAA;oBAC5B,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC;wBAEtG,iGAAiG;wBACjG,wEAAwE;sBAH8B;;oBAAtG,SAAsG,CAAA;oBAEtG,iGAAiG;oBACjG,wEAAwE;oBACxE,IAAA,gBAAM,EACJ,UAAU,CAAC,UAAU,KAAK,iBAAiB,EAC3C,uDAAgD,UAAU,CAAC,UAAU,yCAAiC,EACtG,oCAAoC,CACrC,CAAA;oBACoB,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAA;;oBAA5D,YAAY,GAAG,SAA6C;oBAC5C,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,EAAA;;oBAAzD,aAAa,GAAG,SAAyC;oBAC/D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC;2BAC5D,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EACvE,qDAA8C,QAAQ,uBAAa,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,uBAAa,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,MAAG,EACxJ,wCAAwC,CACzC,CAAA;oBAED,mEAAmE;oBACnE,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAA;;oBADjF,mEAAmE;oBACnE,SAAiF,CAAA;oBACjF,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,IAAI,CAAC;wBAE3B,sFAAsF;sBAF3D,CAAC,0BAA0B;;oBAAtD,SAA2B,CAAA,CAAC,0BAA0B;oBAGlC,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAA;;oBAA3D,WAAW,GAAG,SAA6C;oBACjE,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EAChE,8DAAuD,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,MAAG;0BACvF,qDAA8C,QAAQ,OAAI,EAC9D,oEAAoE,CACrE,CAAA;oBAGoB,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,EAAA;;oBAAxD,YAAY,GAAG,SAAyC;oBAC9D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EACjE,iEAA0D,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,OAAI;0BAC5F,oBAAa,QAAQ,OAAI,EAC7B,4DAA4D,CAC7D,CAAA;;;yBAGG,YAAY,EAAZ,yBAAY;;;;oBACR,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,EAAA;;oBAAhD,SAAgD,CAAA;;;;;;yBAEpD,aAAa,EAAb,yBAAa;;;;oBACT,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,EAAA;;oBAA5C,SAA4C,CAAA;;;;;;yBAEhD,MAAM,EAAN,yBAAM;;;;oBACF,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC,MAAM,CAAC,EAAA;;oBAA7D,SAA6D,CAAA;;;;;;;;;;CAGxE,CAAA;AA/FY,QAAA,sCAAsC,0CA+FlD;AAED,6CAA6C;AAC7C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,IAAA,mBAAW,EAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,IAAA,8CAAsC,EAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAAlE,SAAkE,CAAA;;;;SACnE,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAA;QAC1F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,8DAA8D,EAAE,KAAK,CAAC,CAAA;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { Session } from "../../../sdk";
+/**
+ * Self-role privilege-escalation guard (relates to security-audit finding F-0076, which was
+ * investigated and closed as a FALSE POSITIVE — see that file for the full code trace).
+ *
+ * F-0076 hypothesized that a non-admin staff user could `PATCH /v1/users/{their-own-id}` with
+ * `{ roles: ['Admin'] }` and self-promote to Admin, because the FIRST `users` relationship
+ * constraint ("Only admin users can set the admin role",
+ * [schema.ts:3446](packages/public/schema/src/schema.ts#L3446)) has a self-exception
+ * (`if (_id === session.id) return`).
+ *
+ * That analysis missed the SECOND constraint, "Only admin users can update user roles"
+ * ([schema.ts:3486](packages/public/schema/src/schema.ts#L3486)), which has NO self-exception.
+ * Relationship constraints are AND-evaluated — `validateRelationshipConstraints`
+ * ([routing.ts:1240-1252](packages/private/api/api/modules/routing.ts#L1240)) loops the whole
+ * array and throws 400 on the FIRST evaluator that returns a string. So a non-admin self-update
+ * that includes `roles` passes constraint #1 (self-exception) but is rejected by constraint #2.
+ * The self-promotion is blocked.
+ *
+ * This test locks that boundary in place so a future refactor of the role constraints can't
+ * silently reintroduce the escalation. A dedicated throwaway non-admin user is used as the
+ * "attacker" (we never mutate the shared sdkNonAdmin's roles):
+ *   1. Admin creates a throwaway user and assigns it a non-admin role (`['Provider']`).
+ *   2. Authenticate AS that user via a freshly-minted auth token.
+ *   3. As the attacker, attempt four self-role mutations — ['Admin'], ['Provider','Admin'],
+ *      an arbitrary role, and [] — and assert EACH is blocked.       <-- the security assertions
+ *   4. Confirm (as admin) the attacker's roles are still ['Provider'] — nothing slipped through.
+ *   5. Positive control: admin CAN update the throwaway user's roles. <-- guards against an
+ *      over-restrictive regression that would block legitimate admin role management.
+ *
+ * Expected on current (correct) code: all assertions pass. A regression that made the self-update
+ * path role-writable by non-admins would flip the step-3/step-4 assertions to red.
+ */
+export declare const self_admin_role_assignment_tests: ({ sdk }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=F-0076-self-admin-role-assignment.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0076-self-admin-role-assignment.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0076-self-admin-role-assignment.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAUtC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,gCAAgC;SAA2B,OAAO;iBAAe,OAAO;mBAkGpG,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.js ADDED Viewed

@@ -0,0 +1,222 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.self_admin_role_assignment_tests = void 0;
+require('source-map-support').install();
+var sdk_1 = require("../../../sdk");
+var testing_1 = require("@tellescope/testing");
+var setup_1 = require("../../setup");
+var host = process.env.API_URL || 'http://localhost:8080';
+/**
+ * Self-role privilege-escalation guard (relates to security-audit finding F-0076, which was
+ * investigated and closed as a FALSE POSITIVE — see that file for the full code trace).
+ *
+ * F-0076 hypothesized that a non-admin staff user could `PATCH /v1/users/{their-own-id}` with
+ * `{ roles: ['Admin'] }` and self-promote to Admin, because the FIRST `users` relationship
+ * constraint ("Only admin users can set the admin role",
+ * [schema.ts:3446](packages/public/schema/src/schema.ts#L3446)) has a self-exception
+ * (`if (_id === session.id) return`).
+ *
+ * That analysis missed the SECOND constraint, "Only admin users can update user roles"
+ * ([schema.ts:3486](packages/public/schema/src/schema.ts#L3486)), which has NO self-exception.
+ * Relationship constraints are AND-evaluated — `validateRelationshipConstraints`
+ * ([routing.ts:1240-1252](packages/private/api/api/modules/routing.ts#L1240)) loops the whole
+ * array and throws 400 on the FIRST evaluator that returns a string. So a non-admin self-update
+ * that includes `roles` passes constraint #1 (self-exception) but is rejected by constraint #2.
+ * The self-promotion is blocked.
+ *
+ * This test locks that boundary in place so a future refactor of the role constraints can't
+ * silently reintroduce the escalation. A dedicated throwaway non-admin user is used as the
+ * "attacker" (we never mutate the shared sdkNonAdmin's roles):
+ *   1. Admin creates a throwaway user and assigns it a non-admin role (`['Provider']`).
+ *   2. Authenticate AS that user via a freshly-minted auth token.
+ *   3. As the attacker, attempt four self-role mutations — ['Admin'], ['Provider','Admin'],
+ *      an arbitrary role, and [] — and assert EACH is blocked.       <-- the security assertions
+ *   4. Confirm (as admin) the attacker's roles are still ['Provider'] — nothing slipped through.
+ *   5. Positive control: admin CAN update the throwaway user's roles. <-- guards against an
+ *      over-restrictive regression that would block legitimate admin role management.
+ *
+ * Expected on current (correct) code: all assertions pass. A regression that made the self-update
+ * path role-writable by non-admins would flip the step-3/step-4 assertions to red.
+ */
+var self_admin_role_assignment_tests = function (_a) {
+    var sdk = _a.sdk;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var stamp, NON_ADMIN_ROLE, expect_blocked, attackerId, attacker, attackerBefore, sdkAttacker_1, _b, attackerAfter, afterAdminUpdate, _c;
+        var _d;
+        var _e;
+        return __generator(this, function (_f) {
+            switch (_f.label) {
+                case 0:
+                    (0, testing_1.log_header)("F-0076: self-admin role assignment privilege-escalation regression");
+                    stamp = Date.now();
+                    NON_ADMIN_ROLE = 'Provider';
+                    expect_blocked = function (fn, description) { return __awaiter(void 0, void 0, void 0, function () {
+                        var e_1;
+                        return __generator(this, function (_a) {
+                            switch (_a.label) {
+                                case 0:
+                                    _a.trys.push([0, 2, , 3]);
+                                    return [4 /*yield*/, fn()];
+                                case 1:
+                                    _a.sent();
+                                    (0, testing_1.assert)(false, "".concat(description, " - SELF-ROLE ESCALATION SUCCEEDED (expected it to be blocked)"));
+                                    return [3 /*break*/, 3];
+                                case 2:
+                                    e_1 = _a.sent();
+                                    // CRUD relationship-constraint failures surface as 400 { message, info } via SDK parseError.
+                                    (0, testing_1.assert)((e_1 === null || e_1 === void 0 ? void 0 : e_1.code) === 400 || (e_1 === null || e_1 === void 0 ? void 0 : e_1.statusCode) === 400 || typeof (e_1 === null || e_1 === void 0 ? void 0 : e_1.message) === 'string', "".concat(description, " - expected a block error, got: ").concat(JSON.stringify(e_1)), description);
+                                    return [3 /*break*/, 3];
+                                case 3: return [2 /*return*/];
+                            }
+                        });
+                    }); };
+                    _f.label = 1;
+                case 1:
+                    _f.trys.push([1, , 15, 20]);
+                    return [4 /*yield*/, sdk.api.users.createOne({
+                            email: "f0076-attacker-".concat(stamp, "@example.com"),
+                            notificationEmailsDisabled: true,
+                            verifiedEmail: true,
+                        })];
+                case 2:
+                    attacker = _f.sent();
+                    attackerId = attacker.id;
+                    return [4 /*yield*/, sdk.api.users.updateOne(attackerId, { roles: [NON_ADMIN_ROLE] }, { replaceObjectFields: true })];
+                case 3:
+                    _f.sent();
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 2000)
+                        // Setup sanity: the attacker holds exactly the non-admin role and is NOT an admin.
+                    ]; // role change triggers a logout; let it propagate before minting a token
+                case 4:
+                    _f.sent(); // role change triggers a logout; let it propagate before minting a token
+                    return [4 /*yield*/, sdk.api.users.getOne(attackerId)];
+                case 5:
+                    attackerBefore = _f.sent();
+                    (0, testing_1.assert)(JSON.stringify(attackerBefore.roles) === JSON.stringify([NON_ADMIN_ROLE]), "Setup failed: expected attacker to hold [".concat(NON_ADMIN_ROLE, "], got ").concat(JSON.stringify(attackerBefore.roles)), 'F-0076 setup: attacker holds a non-admin role');
+                    _b = sdk_1.Session.bind;
+                    _d = {
+                        host: host
+                    };
+                    return [4 /*yield*/, sdk.api.users.generate_auth_token({ id: attackerId })];
+                case 6:
+                    sdkAttacker_1 = new (_b.apply(sdk_1.Session, [void 0, (_d.authToken = (_f.sent()).authToken,
+                            _d)]))();
+                    return [4 /*yield*/, sdkAttacker_1.refresh_session()]; // populate userInfo from the freshly-minted token
+                case 7:
+                    _f.sent(); // populate userInfo from the freshly-minted token
+                    (0, testing_1.assert)(sdkAttacker_1.userInfo.id === attackerId && !((_e = sdkAttacker_1.userInfo.roles) !== null && _e !== void 0 ? _e : []).includes('Admin'), "Setup failed: attacker session is not the expected non-admin user", 'F-0076 setup: authenticated as the non-admin attacker');
+                    // 3. SECURITY ASSERTIONS — every self-role mutation by the non-admin must be blocked.
+                    return [4 /*yield*/, expect_blocked(function () { return sdkAttacker_1.api.users.updateOne(attackerId, { roles: ['Admin'] }, { replaceObjectFields: true }); }, 'F-0076: non-admin self-update to [Admin] is blocked')];
+                case 8:
+                    // 3. SECURITY ASSERTIONS — every self-role mutation by the non-admin must be blocked.
+                    _f.sent();
+                    return [4 /*yield*/, expect_blocked(function () { return sdkAttacker_1.api.users.updateOne(attackerId, { roles: [NON_ADMIN_ROLE, 'Admin'] }, { replaceObjectFields: true }); }, 'F-0076: non-admin self-update to [Provider, Admin] is blocked')];
+                case 9:
+                    _f.sent();
+                    return [4 /*yield*/, expect_blocked(function () { return sdkAttacker_1.api.users.updateOne(attackerId, { roles: ["Arbitrary_".concat(stamp)] }, { replaceObjectFields: true }); }, 'F-0076: non-admin self-update to an arbitrary role is blocked')];
+                case 10:
+                    _f.sent();
+                    return [4 /*yield*/, expect_blocked(function () { return sdkAttacker_1.api.users.updateOne(attackerId, { roles: [] }, { replaceObjectFields: true }); }, 'F-0076: non-admin self-update to [] (would grant defaults) is blocked')
+                        // 4. STATE ASSERTION — nothing slipped through; roles are still the original non-admin role.
+                    ];
+                case 11:
+                    _f.sent();
+                    return [4 /*yield*/, sdk.api.users.getOne(attackerId)];
+                case 12:
+                    attackerAfter = _f.sent();
+                    (0, testing_1.assert)(JSON.stringify(attackerAfter.roles) === JSON.stringify([NON_ADMIN_ROLE]), "ESCALATION LEAK: attacker roles changed to ".concat(JSON.stringify(attackerAfter.roles), " ")
+                        + "after self-update attempts. Expected [".concat(NON_ADMIN_ROLE, "]."), 'F-0076: attacker roles unchanged after all self-escalation attempts');
+                    // 5. POSITIVE CONTROL — an Admin CAN update the user's roles (mechanism is not over-restricted).
+                    return [4 /*yield*/, sdk.api.users.updateOne(attackerId, { roles: [NON_ADMIN_ROLE] }, { replaceObjectFields: true })];
+                case 13:
+                    // 5. POSITIVE CONTROL — an Admin CAN update the user's roles (mechanism is not over-restricted).
+                    _f.sent();
+                    return [4 /*yield*/, sdk.api.users.getOne(attackerId)];
+                case 14:
+                    afterAdminUpdate = _f.sent();
+                    (0, testing_1.assert)(JSON.stringify(afterAdminUpdate.roles) === JSON.stringify([NON_ADMIN_ROLE]), "Admin role update failed: roles are ".concat(JSON.stringify(afterAdminUpdate.roles), ", expected [").concat(NON_ADMIN_ROLE, "]"), 'F-0076: admin can manage user roles (positive control)');
+                    return [3 /*break*/, 20];
+                case 15:
+                    if (!attackerId) return [3 /*break*/, 19];
+                    _f.label = 16;
+                case 16:
+                    _f.trys.push([16, 18, , 19]);
+                    return [4 /*yield*/, sdk.api.users.deleteOne(attackerId)];
+                case 17:
+                    _f.sent();
+                    return [3 /*break*/, 19];
+                case 18:
+                    _c = _f.sent();
+                    return [3 /*break*/, 19];
+                case 19: return [7 /*endfinally*/];
+                case 20: return [2 /*return*/];
+            }
+        });
+    });
+};
+exports.self_admin_role_assignment_tests = self_admin_role_assignment_tests;
+// Allow running this test file independently
+if (require.main === module) {
+    console.log("\uD83C\uDF10 Using API URL: ".concat(host));
+    var sdk_2 = new sdk_1.Session({ host: host });
+    var sdkNonAdmin_1 = new sdk_1.Session({ host: host });
+    var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, setup_1.setup_tests)(sdk_2, sdkNonAdmin_1)];
+                case 1:
+                    _a.sent();
+                    return [4 /*yield*/, (0, exports.self_admin_role_assignment_tests)({ sdk: sdk_2, sdkNonAdmin: sdkNonAdmin_1 })];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); };
+    runTests()
+        .then(function () {
+        console.log("✅ F-0076 self-admin role assignment test suite completed successfully");
+        process.exit(0);
+    })
+        .catch(function (error) {
+        console.error("❌ F-0076 self-admin role assignment test suite failed:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=F-0076-self-admin-role-assignment.test.js.map

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0076-self-admin-role-assignment.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0076-self-admin-role-assignment.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,oCAAsC;AACtC,+CAI4B;AAC5B,qCAAyC;AAEzC,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AAEpE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACI,IAAM,gCAAgC,GAAG,UAAO,EAAgD;QAA9C,GAAG,SAAA;;;;;;;;oBAC1D,IAAA,oBAAU,EAAC,oEAAoE,CAAC,CAAA;oBAE1E,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;oBAClB,cAAc,GAAG,UAAU,CAAA;oBAG3B,cAAc,GAAG,UAAO,EAAsB,EAAE,WAAmB;;;;;;oCAErE,qBAAM,EAAE,EAAE,EAAA;;oCAAV,SAAU,CAAA;oCACV,IAAA,gBAAM,EAAC,KAAK,EAAE,UAAG,WAAW,kEAA+D,CAAC,CAAA;;;;oCAE5F,6FAA6F;oCAC7F,IAAA,gBAAM,EACJ,CAAA,GAAC,aAAD,GAAC,uBAAD,GAAC,CAAE,IAAI,MAAK,GAAG,IAAI,CAAA,GAAC,aAAD,GAAC,uBAAD,GAAC,CAAE,UAAU,MAAK,GAAG,IAAI,OAAO,CAAA,GAAC,aAAD,GAAC,uBAAD,GAAC,CAAE,OAAO,CAAA,KAAK,QAAQ,EAC1E,UAAG,WAAW,6CAAmC,IAAI,CAAC,SAAS,CAAC,GAAC,CAAC,CAAE,EACpE,WAAW,CACZ,CAAA;;;;;yBAEJ,CAAA;;;;oBASkB,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;4BAC7C,KAAK,EAAE,yBAAkB,KAAK,iBAAc;4BAC5C,0BAA0B,EAAE,IAAI;4BAChC,aAAa,EAAE,IAAI;yBACb,CAAC,EAAA;;oBAJH,QAAQ,GAAG,SAIR;oBACT,UAAU,GAAG,QAAQ,CAAC,EAAE,CAAA;oBACxB,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAAA;;oBAArG,SAAqG,CAAA;oBACrG,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,IAAI,CAAC;wBAE3B,mFAAmF;sBAFxD,CAAC,yEAAyE;;oBAArG,SAA2B,CAAA,CAAC,yEAAyE;oBAG9E,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAA;;oBAAvD,cAAc,GAAG,SAAsC;oBAC7D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,CAAC,EACzE,mDAA4C,cAAc,oBAAU,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,KAAK,CAAC,CAAE,EAC1G,+CAA+C,CAChD,CAAA;yBAGuB,aAAO;;wBAC7B,IAAI,MAAA;;oBACQ,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,EAAA;;oBAFnE,gBAAc,cAAI,aAAO,YAE7B,YAAS,GAAE,CAAC,SAA2D,CAAC,CAAC,SAAS;oCAClF;oBACF,qBAAM,aAAW,CAAC,eAAe,EAAE,EAAA,CAAC,kDAAkD;;oBAAtF,SAAmC,CAAA,CAAC,kDAAkD;oBACtF,IAAA,gBAAM,EACJ,aAAW,CAAC,QAAQ,CAAC,EAAE,KAAK,UAAU,IAAI,CAAC,CAAC,MAAA,aAAW,CAAC,QAAQ,CAAC,KAAK,mCAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAC/F,mEAAmE,EACnE,uDAAuD,CACxD,CAAA;oBAED,sFAAsF;oBACtF,qBAAM,cAAc,CAClB,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAW,EAAE,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAAjG,CAAiG,EACvG,qDAAqD,CACtD,EAAA;;oBAJD,sFAAsF;oBACtF,SAGC,CAAA;oBACD,qBAAM,cAAc,CAClB,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAW,EAAE,EAAE,KAAK,EAAE,CAAC,cAAc,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAAjH,CAAiH,EACvH,+DAA+D,CAChE,EAAA;;oBAHD,SAGC,CAAA;oBACD,qBAAM,cAAc,CAClB,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAW,EAAE,EAAE,KAAK,EAAE,CAAC,oBAAa,KAAK,CAAE,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAA9G,CAA8G,EACpH,+DAA+D,CAChE,EAAA;;oBAHD,SAGC,CAAA;oBACD,qBAAM,cAAc,CAClB,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAW,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAA1F,CAA0F,EAChG,uEAAuE,CACxE;wBAED,6FAA6F;sBAF5F;;oBAHD,SAGC,CAAA;oBAGqB,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAA;;oBAAtD,aAAa,GAAG,SAAsC;oBAC5D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,CAAC,EACxE,qDAA8C,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,MAAG;0BAChF,gDAAyC,cAAc,OAAI,EAC/D,qEAAqE,CACtE,CAAA;oBAED,iGAAiG;oBACjG,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAAA;;oBADrG,iGAAiG;oBACjG,SAAqG,CAAA;oBAC5E,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAA;;oBAAzD,gBAAgB,GAAG,SAAsC;oBAC/D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,CAAC,EAC3E,8CAAuC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,KAAK,CAAC,yBAAe,cAAc,MAAG,EAC7G,wDAAwD,CACzD,CAAA;;;yBAGG,UAAU,EAAV,yBAAU;;;;oBACN,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,EAAA;;oBAAzC,SAAyC,CAAA;;;;;;;;;;CAGpD,CAAA;AAlGY,QAAA,gCAAgC,oCAkG5C;AAED,6CAA6C;AAC7C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,IAAA,mBAAW,EAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,IAAA,wCAAgC,EAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAA5D,SAA4D,CAAA;;;;SAC7D,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAA;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,wDAAwD,EAAE,KAAK,CAAC,CAAA;QAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}

package/lib/cjs/tests/api_tests/user_portal_settings.test.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { Session } from "../../sdk";
+export declare const user_portal_settings_tests: ({ sdk, sdkNonAdmin }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=user_portal_settings.test.d.ts.map

package/lib/cjs/tests/api_tests/user_portal_settings.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"user_portal_settings.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/api_tests/user_portal_settings.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAkB,MAAM,WAAW,CAAA;AAanD,eAAO,MAAM,0BAA0B;SAAuC,OAAO;iBAAe,OAAO;mBAmL1G,CAAA"}