@terreno/api 0.9.3 → 0.11.0

package/src/consentApp.test.ts

@@ -707,6 +707,168 @@ describe("ConsentApp", () => {
     });
   });
 
+  describe("POST /consent-forms/generate (aiConfig)", () => {
+    const aiConfig = {
+      generateContent: async ({
+        type,
+        description,
+        locale,
+      }: {
+        type: string;
+        description: string;
+        locale: string;
+      }) => `Generated ${type} content (${locale}) for: ${description}`,
+      translateContent: async ({
+        content,
+        fromLocale,
+        toLocale,
+      }: {
+        content: string;
+        fromLocale: string;
+        toLocale: string;
+      }) => `[${fromLocale}->${toLocale}] ${content}`,
+    };
+
+    it("generates consent form content for admins", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/generate")
+        .send({description: "Privacy policy for a health app", locale: "es", type: "privacy"})
+        .expect(200);
+
+      expect(res.body.data.content).toBe(
+        "Generated privacy content (es) for: Privacy policy for a health app"
+      );
+    });
+
+    it("defaults locale to en when not provided", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/generate")
+        .send({description: "Terms", type: "terms"})
+        .expect(200);
+
+      expect(res.body.data.content).toContain("(en)");
+    });
+
+    it("returns 403 for non-admin users", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiUser = await authAsUser(aiApp, "notAdmin");
+
+      await aiUser
+        .post("/consent-forms/generate")
+        .send({description: "Privacy", type: "privacy"})
+        .expect(403);
+    });
+
+    it("returns 400 when type is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin.post("/consent-forms/generate").send({description: "Privacy"}).expect(400);
+    });
+
+    it("returns 400 when description is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin.post("/consent-forms/generate").send({type: "privacy"}).expect(400);
+    });
+
+    it("returns 404 when aiConfig is not provided", async () => {
+      await adminAgent
+        .post("/consent-forms/generate")
+        .send({description: "Privacy", type: "privacy"})
+        .expect(404);
+    });
+  });
+
+  describe("POST /consent-forms/translate (aiConfig)", () => {
+    const aiConfig = {
+      generateContent: async ({
+        type,
+        description,
+        locale,
+      }: {
+        type: string;
+        description: string;
+        locale: string;
+      }) => `Generated ${type} content (${locale}) for: ${description}`,
+      translateContent: async ({
+        content,
+        fromLocale,
+        toLocale,
+      }: {
+        content: string;
+        fromLocale: string;
+        toLocale: string;
+      }) => `[${fromLocale}->${toLocale}] ${content}`,
+    };
+
+    it("translates consent form content for admins", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      const res = await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello world", fromLocale: "en", toLocale: "es"})
+        .expect(200);
+
+      expect(res.body.data.content).toBe("[en->es] Hello world");
+    });
+
+    it("returns 403 for non-admin users", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiUser = await authAsUser(aiApp, "notAdmin");
+
+      await aiUser
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en", toLocale: "es"})
+        .expect(403);
+    });
+
+    it("returns 400 when content is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({fromLocale: "en", toLocale: "es"})
+        .expect(400);
+    });
+
+    it("returns 400 when fromLocale is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello", toLocale: "es"})
+        .expect(400);
+    });
+
+    it("returns 400 when toLocale is missing", async () => {
+      const aiApp = buildApp({aiConfig});
+      const aiAdmin = await authAsUser(aiApp, "admin");
+
+      await aiAdmin
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en"})
+        .expect(400);
+    });
+
+    it("returns 404 when aiConfig is not provided", async () => {
+      await adminAgent
+        .post("/consent-forms/translate")
+        .send({content: "Hello", fromLocale: "en", toLocale: "es"})
+        .expect(404);
+    });
+  });
+
   describe("GET /consents/audit/:userId", () => {
     it("returns audit history for a user when auditTrail is enabled", async () => {
       const form = await ConsentForm.create({

package/src/expressServer.test.ts

@@ -310,21 +310,14 @@ describe("expressServer", () => {
       );
     });
 
-    // Note: The "hourly" and "minutely" aliases have a bug - they convert the
-    // schedule to a cron expression but then use the original schedule string.
-    // This test documents that current (buggy) behavior.
-    it("hourly alias fails due to bug in implementation", () => {
+    it("accepts hourly alias", () => {
       const callback = () => {};
-      expect(() => cronjob("test-hourly-alias", "hourly", callback)).toThrow(
-        "Failed to create cronjob"
-      );
+      expect(() => cronjob("test-hourly-alias", "hourly", callback)).not.toThrow();
     });
 
-    it("minutely alias fails due to bug in implementation", () => {
+    it("accepts minutely alias", () => {
       const callback = () => {};
-      expect(() => cronjob("test-minutely-alias", "minutely", callback)).toThrow(
-        "Failed to create cronjob"
-      );
+      expect(() => cronjob("test-minutely-alias", "minutely", callback)).not.toThrow();
     });
   });
 

package/src/expressServer.ts

@@ -340,15 +340,11 @@ export function cronjob(
   schedule: "hourly" | "minutely" | string,
   callback: () => void
 ) {
-  let _cronSchedule = schedule;
-  if (schedule === "hourly") {
-    _cronSchedule = "0 * * * *";
-  } else if (schedule === "minutely") {
-    _cronSchedule = "* * * * *";
-  }
-  logger.info(`Adding cronjob ${name}, running at: ${schedule}`);
+  const cronSchedule =
+    schedule === "hourly" ? "0 * * * *" : schedule === "minutely" ? "* * * * *" : schedule;
+  logger.info(`Adding cronjob ${name}, running at: ${cronSchedule}`);
   try {
-    new cron.CronJob(schedule, callback, null, true, "America/Chicago");
+    new cron.CronJob(cronSchedule, callback, null, true, "America/Chicago");
   } catch (error) {
     throw new Error(`Failed to create cronjob: ${error}`);
   }

package/src/githubAuth.test.ts

@@ -1,12 +1,13 @@
 import {afterEach, beforeEach, describe, expect, it, setSystemTime} from "bun:test";
 import type express from "express";
 import mongoose, {model, Schema} from "mongoose";
+import passport from "passport";
 import passportLocalMongoose from "passport-local-mongoose";
 import supertest from "supertest";
 import type TestAgent from "supertest/lib/agent";
 
 import {setupServer} from "./expressServer";
-import {type GitHubUserFields, githubUserPlugin} from "./githubAuth";
+import {type GitHubUserFields, githubUserPlugin, setupGitHubAuth} from "./githubAuth";
 import {logger} from "./logger";
 import {createdUpdatedPlugin, isDisabledPlugin} from "./plugins";
 
@@ -221,3 +222,308 @@ describe("GitHub auth disabled", () => {
     await agent.delete("/auth/github/unlink").expect(404);
   });
 });
+
+interface GitHubProfileLike {
+  id?: string;
+  emails?: Array<{value: string}>;
+  username?: string;
+  displayName?: string;
+  [key: string]: unknown;
+}
+
+interface VerifyError {
+  status?: number;
+  message?: string;
+}
+
+type VerifiedUser = any;
+
+interface VerifyStrategy {
+  _verify: (
+    req: unknown,
+    accessToken: string,
+    refreshToken: string,
+    profile: GitHubProfileLike,
+    done: (err: VerifyError | null, user?: VerifiedUser) => void
+  ) => void;
+}
+
+interface PassportWithStrategies {
+  _strategies?: Record<string, VerifyStrategy | undefined>;
+}
+
+// Helper to extract the strategy verify callback and invoke it directly
+const invokeGitHubVerify = (
+  req: unknown,
+  accessToken: string,
+  refreshToken: string,
+  profile: GitHubProfileLike
+) => {
+  const strategy = (passport as unknown as PassportWithStrategies)._strategies?.github;
+  if (!strategy) {
+    throw new Error("github strategy not registered");
+  }
+  return new Promise<{err: VerifyError | null; user: VerifiedUser}>((resolve) => {
+    const done = (err: VerifyError | null, user?: VerifiedUser) => resolve({err, user});
+    strategy._verify(req, accessToken, refreshToken, profile, done);
+  });
+};
+
+describe("GitHub strategy verify callback", () => {
+  const testApp = {get: () => {}, use: () => {}} as any;
+
+  beforeEach(async () => {
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+  });
+
+  it("uses custom findOrCreateUser when provided", async () => {
+    const customUser = {_id: "custom-user-id", email: "custom@example.com"};
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+      findOrCreateUser: async () => customUser,
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {id: "123"});
+    expect(result.err).toBeNull();
+    expect(result.user).toEqual(customUser);
+  });
+
+  it("creates a new user when no existing GitHub or email user", async () => {
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const profile = {
+      emails: [{value: "new@example.com"}],
+      id: "gh-new-1",
+      photos: [{value: "http://avatar"}],
+      profileUrl: "http://profile",
+      username: "newghuser",
+    };
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", profile);
+    expect(result.err).toBeNull();
+    expect(result.user).toBeDefined();
+    expect(result.user.githubId).toBe("gh-new-1");
+    expect(result.user.githubUsername).toBe("newghuser");
+    expect(result.user.email).toBe("new@example.com");
+  });
+
+  it("logs in existing GitHub user", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "gh@example.com",
+      githubId: "gh-existing-1",
+      githubUsername: "ghuser",
+      name: "GH User",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      id: "gh-existing-1",
+      username: "ghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user._id.toString()).toBe((existingUser as any)._id.toString());
+  });
+
+  it("links GitHub to authenticated user when allowAccountLinking=true", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "link@example.com",
+      name: "Link User",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {
+      id: "gh-link-1",
+      photos: [{value: "http://avatar"}],
+      profileUrl: "http://profile",
+      username: "linkedghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user.githubId).toBe("gh-link-1");
+    expect(result.user.githubUsername).toBe("linkedghuser");
+  });
+
+  it("rejects linking when allowAccountLinking=false", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "nolink@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: false,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {id: "gh-nolink-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("rejects linking when GitHub account belongs to another user", async () => {
+    const userA = await GitHubTestUserModel.create({
+      email: "a@example.com",
+    } as any);
+    await GitHubTestUserModel.create({
+      email: "b@example.com",
+      githubId: "gh-other-1",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const req = {user: userA};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {id: "gh-other-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("links GitHub to existing email user when allowAccountLinking is not false", async () => {
+    await GitHubTestUserModel.create({
+      email: "emailuser@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      emails: [{value: "emailuser@example.com"}],
+      id: "gh-email-link-1",
+      username: "emailuserghuser",
+    });
+    expect(result.err).toBeNull();
+    expect(result.user.githubId).toBe("gh-email-link-1");
+    expect(result.user.email).toBe("emailuser@example.com");
+  });
+
+  it("rejects email-link when allowAccountLinking=false", async () => {
+    await GitHubTestUserModel.create({
+      email: "emailnolink@example.com",
+    } as any);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      allowAccountLinking: false,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {
+      emails: [{value: "emailnolink@example.com"}],
+      id: "gh-email-nolink-1",
+    });
+    expect(result.err).toBeDefined();
+    expect((result.err as any).status).toBe(400);
+  });
+
+  it("returns error when thrown during lookup", async () => {
+    // Set up strategy with findOrCreateUser that throws
+    setupGitHubAuth(testApp, GitHubTestUserModel as any, {
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+      findOrCreateUser: async () => {
+        throw new Error("boom");
+      },
+    });
+
+    const result = await invokeGitHubVerify({}, "access", "refresh", {id: "gh-err-1"});
+    expect(result.err).toBeDefined();
+    expect((result.err as Error).message).toBe("boom");
+  });
+});
+
+describe("addGitHubAuthRoutes link endpoints", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as any,
+    });
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("GET /auth/github/link requires JWT authentication", async () => {
+    const res = await agent.get("/auth/github/link").expect(401);
+    expect(res.body.message).toContain("Authentication required");
+  });
+
+  it("GET /auth/github with returnTo stores it in session", async () => {
+    const res = await agent.get("/auth/github?returnTo=https://example.com/cb").expect(302);
+    expect(res.headers.location).toContain("github.com");
+  });
+
+  it("DELETE /auth/github/unlink clears GitHub fields", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "unlinkme@example.com",
+      githubAvatarUrl: "http://avatar",
+      githubId: "77777",
+      githubProfileUrl: "http://profile",
+      githubUsername: "ghunlink",
+    } as any);
+    await (user as any).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "unlinkme@example.com", password: "password123"})
+      .expect(200);
+
+    await agent
+      .delete("/auth/github/unlink")
+      .set("authorization", `Bearer ${loginRes.body.data.token}`)
+      .expect(200);
+
+    const updatedUser = await GitHubTestUserModel.findOne({email: "unlinkme@example.com"});
+    expect((updatedUser as any).githubId).toBeUndefined();
+    expect((updatedUser as any).githubAvatarUrl).toBeUndefined();
+    expect((updatedUser as any).githubProfileUrl).toBeUndefined();
+  });
+});

package/src/logger.test.ts

@@ -0,0 +1,149 @@
+import {afterEach, beforeEach, describe, expect, it} from "bun:test";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import winston from "winston";
+
+import {logger, setupLogging} from "./logger";
+
+describe("logger", () => {
+  const OLD_ENV = process.env;
+
+  beforeEach(() => {
+    process.env = {...OLD_ENV};
+  });
+
+  afterEach(() => {
+    process.env = OLD_ENV;
+  });
+
+  it("logger.info writes a log entry", () => {
+    expect(() => logger.info("test info message")).not.toThrow();
+  });
+
+  it("logger.warn writes a log entry", () => {
+    expect(() => logger.warn("test warn message")).not.toThrow();
+  });
+
+  it("logger.error writes a log entry", () => {
+    expect(() => logger.error("test error message")).not.toThrow();
+  });
+
+  it("logger.debug writes a log entry", () => {
+    expect(() => logger.debug("test debug message")).not.toThrow();
+  });
+
+  it("logger.catch handles Error instance", () => {
+    expect(() => logger.catch(new Error("caught error"))).not.toThrow();
+  });
+
+  it("logger.catch handles non-Error value", () => {
+    expect(() => logger.catch("string error")).not.toThrow();
+  });
+
+  it("logger.catch with Sentry logging enabled and Error", () => {
+    process.env.USE_SENTRY_LOGGING = "true";
+    expect(() => logger.catch(new Error("captured"))).not.toThrow();
+  });
+});
+
+describe("setupLogging", () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "logger-test-"));
+  });
+
+  afterEach(() => {
+    try {
+      fs.rmSync(tempDir, {force: true, recursive: true});
+    } catch {}
+    // Restore a default logger config
+    setupLogging({disableFileLogging: true});
+  });
+
+  it("disables console logging when disableConsoleLogging is true", () => {
+    expect(() =>
+      setupLogging({
+        disableConsoleLogging: true,
+        disableFileLogging: true,
+      })
+    ).not.toThrow();
+  });
+
+  it("disables console colors when disableConsoleColors is true", () => {
+    expect(() =>
+      setupLogging({
+        disableConsoleColors: true,
+        disableFileLogging: true,
+      })
+    ).not.toThrow();
+  });
+
+  it("adds timestamps when showConsoleTimestamps is true", () => {
+    expect(() =>
+      setupLogging({
+        disableFileLogging: true,
+        showConsoleTimestamps: true,
+      })
+    ).not.toThrow();
+  });
+
+  it("respects logLevel option", () => {
+    expect(() =>
+      setupLogging({
+        disableFileLogging: true,
+        level: "info",
+      })
+    ).not.toThrow();
+  });
+
+  it("creates log directory if it does not exist", () => {
+    const nonExistentDir = path.join(tempDir, "nested", "logs");
+    setupLogging({
+      disableConsoleLogging: true,
+      logDirectory: nonExistentDir,
+    });
+    expect(fs.existsSync(nonExistentDir)).toBe(true);
+  });
+
+  it("uses existing log directory if it exists", () => {
+    const existingDir = path.join(tempDir, "existing");
+    fs.mkdirSync(existingDir);
+    expect(() =>
+      setupLogging({
+        disableConsoleLogging: true,
+        logDirectory: existingDir,
+      })
+    ).not.toThrow();
+  });
+
+  it("adds custom transports when provided", () => {
+    const customTransport = new winston.transports.Console({level: "error"});
+    expect(() =>
+      setupLogging({
+        disableConsoleLogging: true,
+        disableFileLogging: true,
+        transports: [customTransport],
+      })
+    ).not.toThrow();
+  });
+
+  it("uses file logging at info level when level is info (no debug file)", () => {
+    setupLogging({
+      disableConsoleLogging: true,
+      level: "info",
+      logDirectory: tempDir,
+    });
+    // No assertion needed - just verifying branch coverage with level=info
+    expect(true).toBe(true);
+  });
+
+  it("uses file logging at debug level by default (with debug file)", () => {
+    setupLogging({
+      disableConsoleLogging: true,
+      logDirectory: tempDir,
+    });
+    expect(true).toBe(true);
+  });
+});