@terreno/api 0.10.0 → 0.11.0

package/src/auth.test.ts

@@ -619,4 +619,151 @@ describe("generateTokens edge cases", () => {
     expect(decoded.exp).toBeGreaterThan(expectedExp - 10);
     expect(decoded.exp).toBeLessThan(expectedExp + 10);
   });
+
+  it("throws when TOKEN_SECRET is not set", async () => {
+    process.env.TOKEN_SECRET = "";
+    let caught: unknown;
+    try {
+      await generateTokens({_id: "user-123"});
+    } catch (error) {
+      caught = error;
+    }
+    expect(caught).toBeDefined();
+    expect((caught as Error).message).toBe("TOKEN_SECRET must be set in env.");
+  });
+
+  it("uses TOKEN_EXPIRES_IN from env when valid", async () => {
+    const jwtLib = await import("jsonwebtoken");
+    process.env.TOKEN_EXPIRES_IN = "2h";
+    const result = await generateTokens({_id: "user-123"});
+    const decoded = jwtLib.decode(result.token as string) as any;
+    const expectedExp = Math.floor(Date.now() / 1000) + 2 * 3600;
+    expect(decoded.exp).toBeGreaterThan(expectedExp - 10);
+    expect(decoded.exp).toBeLessThan(expectedExp + 10);
+  });
+
+  it("uses REFRESH_TOKEN_EXPIRES_IN from env when valid", async () => {
+    const jwtLib = await import("jsonwebtoken");
+    process.env.REFRESH_TOKEN_EXPIRES_IN = "1h";
+    const result = await generateTokens({_id: "user-123"});
+    const decoded = jwtLib.decode(result.refreshToken as string) as any;
+    const expectedExp = Math.floor(Date.now() / 1000) + 3600;
+    expect(decoded.exp).toBeGreaterThan(expectedExp - 10);
+    expect(decoded.exp).toBeLessThan(expectedExp + 10);
+  });
+
+  it("does not issue refresh token when REFRESH_TOKEN_SECRET is not set", async () => {
+    process.env.REFRESH_TOKEN_SECRET = "";
+    const result = await generateTokens({_id: "user-123"});
+    expect(result.token).toBeDefined();
+    expect(result.refreshToken).toBeUndefined();
+  });
+});
+
+describe("addAuthRoutes /refresh_token error paths", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await setupDb();
+    app = setupServer({
+      addRoutes: () => {},
+      skipListen: true,
+      userModel: UserModel as any,
+    });
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("returns 401 when no refreshToken in body", async () => {
+    const res = await agent.post("/auth/refresh_token").send({}).expect(401);
+    expect(res.body.message).toContain("No refresh token provided");
+  });
+
+  it("returns 401 when refresh token is invalid", async () => {
+    const res = await agent
+      .post("/auth/refresh_token")
+      .send({refreshToken: "not-a-valid-jwt"})
+      .expect(401);
+    expect(res.body.message).toBeDefined();
+  });
+
+  it("returns 401 when refresh token is signed with wrong secret", async () => {
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const bogusToken = jwtLib.sign({id: "abc"}, "different-secret");
+    const res = await agent
+      .post("/auth/refresh_token")
+      .send({refreshToken: bogusToken})
+      .expect(401);
+    expect(res.body.message).toBeDefined();
+  });
+
+  it("returns 401 when refresh token has no id", async () => {
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const tokenNoId = jwtLib.sign({foo: "bar"}, process.env.REFRESH_TOKEN_SECRET as string);
+    const res = await agent.post("/auth/refresh_token").send({refreshToken: tokenNoId}).expect(401);
+    expect(res.body.message).toBe("Invalid refresh token");
+  });
+
+  it("issues new tokens on valid refresh", async () => {
+    const [adminUser] = await setupDb();
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const validToken = jwtLib.sign(
+      {id: (adminUser as any)._id.toString()},
+      process.env.REFRESH_TOKEN_SECRET as string
+    );
+    const res = await agent
+      .post("/auth/refresh_token")
+      .send({refreshToken: validToken})
+      .expect(200);
+    expect(res.body.data.token).toBeDefined();
+    expect(res.body.data.refreshToken).toBeDefined();
+  });
+});
+
+describe("addMeRoutes edge cases", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await setupDb();
+    app = setupServer({
+      addRoutes: () => {},
+      skipListen: true,
+      userModel: UserModel as any,
+    });
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("GET /auth/me returns 401 without auth", async () => {
+    await agent.get("/auth/me").expect(401);
+  });
+
+  it("PATCH /auth/me returns 401 without auth", async () => {
+    await agent.patch("/auth/me").send({email: "x@x.com"}).expect(401);
+  });
+
+  it("GET /auth/me returns 404 when user is deleted after auth", async () => {
+    const [_admin, notAdmin] = await setupDb();
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const token = jwtLib.sign(
+      {id: (notAdmin as any)._id.toString()},
+      process.env.TOKEN_SECRET as string,
+      {issuer: process.env.TOKEN_ISSUER}
+    );
+    // Delete the user so findById returns null
+    await UserModel.deleteOne({_id: (notAdmin as any)._id});
+    const res = await agent.get("/auth/me").set("authorization", `Bearer ${token}`);
+    // Either 404 (user not found in /me handler) or 401 (auth middleware rejects)
+    expect([401, 404]).toContain(res.status);
+  });
 });

package/src/consentApp.test.ts

@@ -707,6 +707,168 @@ describe("ConsentApp", () => {
     });
   });
 
+  describe("POST /consent-forms/generate (aiConfig)", () => {
+    const aiConfig = {
+      generateContent: async ({
+        type,
+        description,
+        locale,
+      }: {
+        type: string;
+        description: string;
+        locale: string;
+      }) => `Generated ${type} content (${locale}) for: ${description}`,
+      translateContent: async ({
+        content,
+        fromLocale,
+        toLocale,
+      }: {
+        content: string;
+        fromLocale: string;
+        toLocale: string;
+      }) => `[${fromLocale}->${toLocale}] ${content}`,
+    };
+
+    it("generates consent form content for admins", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/generate")
+        .send({description: "Privacy policy for a health app", locale: "es", type: "privacy"})
+        .expect(200);
+
+      expect(res.body.data.content).toBe(
+        "Generated privacy content (es) for: Privacy policy for a health app"
+      );
+    });
+
+    it("defaults locale to en when not provided", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/generate")
+        .send({description: "Terms", type: "terms"})
+        .expect(200);
+
+      expect(res.body.data.content).toContain("(en)");
+    });
+
+    it("returns 403 for non-admin users", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiUser = await authAsUser(aiApp, "notAdmin");
+
+      await aiUser
+        .post("/consent-forms/generate")
+        .send({description: "Privacy", type: "privacy"})
+        .expect(403);
+    });
+
+    it("returns 400 when type is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin.post("/consent-forms/generate").send({description: "Privacy"}).expect(400);
+    });
+
+    it("returns 400 when description is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin.post("/consent-forms/generate").send({type: "privacy"}).expect(400);
+    });
+
+    it("returns 404 when aiConfig is not provided", async () => {
+      await adminAgent
+        .post("/consent-forms/generate")
+        .send({description: "Privacy", type: "privacy"})
+        .expect(404);
+    });
+  });
+
+  describe("POST /consent-forms/translate (aiConfig)", () => {
+    const aiConfig = {
+      generateContent: async ({
+        type,
+        description,
+        locale,
+      }: {
+        type: string;
+        description: string;
+        locale: string;
+      }) => `Generated ${type} content (${locale}) for: ${description}`,
+      translateContent: async ({
+        content,
+        fromLocale,
+        toLocale,
+      }: {
+        content: string;
+        fromLocale: string;
+        toLocale: string;
+      }) => `[${fromLocale}->${toLocale}] ${content}`,
+    };
+
+    it("translates consent form content for admins", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello world", fromLocale: "en", toLocale: "es"})
+        .expect(200);
+
+      expect(res.body.data.content).toBe("[en->es] Hello world");
+    });
+
+    it("returns 403 for non-admin users", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiUser = await authAsUser(aiApp, "notAdmin");
+
+      await aiUser
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en", toLocale: "es"})
+        .expect(403);
+    });
+
+    it("returns 400 when content is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({fromLocale: "en", toLocale: "es"})
+        .expect(400);
+    });
+
+    it("returns 400 when fromLocale is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello", toLocale: "es"})
+        .expect(400);
+    });
+
+    it("returns 400 when toLocale is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en"})
+        .expect(400);
+    });
+
+    it("returns 404 when aiConfig is not provided", async () => {
+      await adminAgent
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en", toLocale: "es"})
+        .expect(404);
+    });
+  });
+
   describe("GET /consents/audit/:userId", () => {
     it("returns audit history for a user when auditTrail is enabled", async () => {
       const form = await ConsentForm.create({

package/src/githubAuth.test.ts

@@ -1,12 +1,13 @@
 import {afterEach, beforeEach, describe, expect, it, setSystemTime} from "bun:test";
 import type express from "express";
 import mongoose, {model, Schema} from "mongoose";
+import passport from "passport";
 import passportLocalMongoose from "passport-local-mongoose";
 import supertest from "supertest";
 import type TestAgent from "supertest/lib/agent";
 
 import {setupServer} from "./expressServer";
-import {type GitHubUserFields, githubUserPlugin} from "./githubAuth";
+import {type GitHubUserFields, githubUserPlugin, setupGitHubAuth} from "./githubAuth";
 import {logger} from "./logger";
 import {createdUpdatedPlugin, isDisabledPlugin} from "./plugins";
 
@@ -221,3 +222,308 @@ describe("GitHub auth disabled", () => {
     await agent.delete("/auth/github/unlink").expect(404);
   });
 });
+
+interface GitHubProfileLike {
+  id?: string;
+  emails?: Array<{value: string}>;
+  username?: string;
+  displayName?: string;
+  [key: string]: unknown;
+}
+
+interface VerifyError {
+  status?: number;
+  message?: string;
+}
+
+type VerifiedUser = any;
+
+interface VerifyStrategy {
+  _verify: (
+    req: unknown,
+    accessToken: string,
+    refreshToken: string,
+    profile: GitHubProfileLike,
+    done: (err: VerifyError | null, user?: VerifiedUser) => void
+  ) => void;
+}
+
+interface PassportWithStrategies {
+  _strategies?: Record<string, VerifyStrategy | undefined>;
+}
+
+// Helper to extract the strategy verify callback and invoke it directly
+const invokeGitHubVerify = (
+  req: unknown,
+  accessToken: string,
+  refreshToken: string,
+  profile: GitHubProfileLike
+) => {
+  const strategy = (passport as unknown as PassportWithStrategies)._strategies?.github;
+  if (!strategy) {
+    throw new Error("github strategy not registered");
+  }
+  return new Promise<{err: VerifyError | null; user: VerifiedUser}>((resolve) => {
+    const done = (err: VerifyError | null, user?: VerifiedUser) => resolve({err, user});
+    strategy._verify(req, accessToken, refreshToken, profile, done);
+  });
+};
+
+describe("GitHub strategy verify callback", () => {
+  const testApp = {get: () => {}, use: () => {}} as any;
+
+  beforeEach(async () => {
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+  });
+
+  it("uses custom findOrCreateUser when provided", async () => {
+    const customUser = {_id: "custom-user-id", email: "custom@example.com"};
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+      findOrCreateUser: async () => customUser,
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {id: "123"});
+    expect(result.err).toBeNull();
+    expect(result.user).toEqual(customUser);
+  });
+
+  it("creates a new user when no existing GitHub or email user", async () => {
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const profile = {
+      emails: [{value: "new@example.com"}],
+      id: "gh-new-1",
+      photos: [{value: "http://avatar"}],
+      profileUrl: "http://profile",
+      username: "newghuser",
+    };
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", profile);
+    expect(result.err).toBeNull();
+    expect(result.user).toBeDefined();
+    expect(result.user.githubId).toBe("gh-new-1");
+    expect(result.user.githubUsername).toBe("newghuser");
+    expect(result.user.email).toBe("new@example.com");
+  });
+
+  it("logs in existing GitHub user", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "gh@example.com",
+      githubId: "gh-existing-1",
+      githubUsername: "ghuser",
+      name: "GH User",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      id: "gh-existing-1",
+      username: "ghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user._id.toString()).toBe((existingUser as any)._id.toString());
+  });
+
+  it("links GitHub to authenticated user when allowAccountLinking=true", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "link@example.com",
+      name: "Link User",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {
+      id: "gh-link-1",
+      photos: [{value: "http://avatar"}],
+      profileUrl: "http://profile",
+      username: "linkedghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user.githubId).toBe("gh-link-1");
+    expect(result.user.githubUsername).toBe("linkedghuser");
+  });
+
+  it("rejects linking when allowAccountLinking=false", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "nolink@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: false,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {id: "gh-nolink-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("rejects linking when GitHub account belongs to another user", async () => {
+    const userA = await GitHubTestUserModel.create({
+      email: "a@example.com",
+    } as any);
+    await GitHubTestUserModel.create({
+      email: "b@example.com",
+      githubId: "gh-other-1",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: userA};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {id: "gh-other-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("links GitHub to existing email user when allowAccountLinking is not false", async () => {
+    await GitHubTestUserModel.create({
+      email: "emailuser@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      emails: [{value: "emailuser@example.com"}],
+      id: "gh-email-link-1",
+      username: "emailuserghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user.githubId).toBe("gh-email-link-1");
+    expect(result.user.email).toBe("emailuser@example.com");
+  });
+
+  it("rejects email-link when allowAccountLinking=false", async () => {
+    await GitHubTestUserModel.create({
+      email: "emailnolink@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: false,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      emails: [{value: "emailnolink@example.com"}],
+      id: "gh-email-nolink-1",
+    });
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("returns error when thrown during lookup", async () => {
+    // Set up strategy with findOrCreateUser that throws
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+      findOrCreateUser: async () => {
+        throw new Error("boom");
+      },
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {id: "gh-err-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as Error).message).toBe("boom");
+  });
+});
+
+describe("addGitHubAuthRoutes link endpoints", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as any,
+    });
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("GET /auth/github/link requires JWT authentication", async () => {
+    const res = await agent.get("/auth/github/link").expect(401);
+    expect(res.body.message).toContain("Authentication required");
+  });
+
+  it("GET /auth/github with returnTo stores it in session", async () => {
+    const res = await agent.get("/auth/github?returnTo=https://example.com/cb").expect(302);
+    expect(res.headers.location).toContain("github.com");
+  });
+
+  it("DELETE /auth/github/unlink clears GitHub fields", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "unlinkme@example.com",
+      githubAvatarUrl: "http://avatar",
+      githubId: "77777",
+      githubProfileUrl: "http://profile",
+      githubUsername: "ghunlink",
+    } as any);
+    await (user as any).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "unlinkme@example.com", password: "password123"})
+      .expect(200);
+
+    await agent
+      .delete("/auth/github/unlink")
+      .set("authorization", `Bearer ${loginRes.body.data.token}`)
+      .expect(200);
+
+    const updatedUser = await GitHubTestUserModel.findOne({email: "unlinkme@example.com"});
+    expect((updatedUser as any).githubId).toBeUndefined();
+    expect((updatedUser as any).githubAvatarUrl).toBeUndefined();
+    expect((updatedUser as any).githubProfileUrl).toBeUndefined();
+  });
+});