npm - @trailmix-cms/cms - Versions diffs - 0.4.3 → 0.7.1 - Mend

@trailmix-cms/cms 0.4.3 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (266) hide show

package/dist/auth.guard.d.ts +5 -13
package/dist/auth.guard.d.ts.map +1 -1
package/dist/auth.guard.js +23 -91
package/dist/auth.guard.js.map +1 -1
package/dist/collections/account.collection.d.ts +5 -3
package/dist/collections/account.collection.d.ts.map +1 -1
package/dist/collections/account.collection.js +15 -8
package/dist/collections/account.collection.js.map +1 -1
package/dist/collections/api-key.collection.d.ts +54 -0
package/dist/collections/api-key.collection.d.ts.map +1 -0
package/dist/collections/api-key.collection.js +142 -0
package/dist/collections/api-key.collection.js.map +1 -0
package/dist/collections/index.d.ts +4 -2
package/dist/collections/index.d.ts.map +1 -1
package/dist/collections/index.js +9 -5
package/dist/collections/index.js.map +1 -1
package/dist/collections/organization.collection.d.ts +20 -0
package/dist/collections/organization.collection.d.ts.map +1 -0
package/dist/collections/{file.collection.js → organization.collection.js} +17 -17
package/dist/collections/organization.collection.js.map +1 -0
package/dist/collections/role.collection.d.ts +32 -0
package/dist/collections/role.collection.d.ts.map +1 -0
package/dist/collections/role.collection.js +90 -0
package/dist/collections/role.collection.js.map +1 -0
package/dist/collections/security-audit.collection.d.ts +30 -0
package/dist/collections/security-audit.collection.d.ts.map +1 -0
package/dist/collections/security-audit.collection.js +79 -0
package/dist/collections/security-audit.collection.js.map +1 -0
package/dist/constants/cms-collection-names.d.ts +4 -2
package/dist/constants/cms-collection-names.d.ts.map +1 -1
package/dist/constants/cms-collection-names.js +4 -2
package/dist/constants/cms-collection-names.js.map +1 -1
package/dist/constants/provider-symbols.d.ts +10 -12
package/dist/constants/provider-symbols.d.ts.map +1 -1
package/dist/constants/provider-symbols.js +10 -12
package/dist/constants/provider-symbols.js.map +1 -1
package/dist/controllers/account.controller.d.ts +11 -15
package/dist/controllers/account.controller.d.ts.map +1 -1
package/dist/controllers/account.controller.js +69 -13
package/dist/controllers/account.controller.js.map +1 -1
package/dist/controllers/api-keys.controller.d.ts +13 -0
package/dist/controllers/api-keys.controller.d.ts.map +1 -0
package/dist/controllers/api-keys.controller.js +125 -0
package/dist/controllers/api-keys.controller.js.map +1 -0
package/dist/controllers/audit.controller.d.ts.map +1 -1
package/dist/controllers/audit.controller.js +3 -3
package/dist/controllers/audit.controller.js.map +1 -1
package/dist/controllers/audits.controller.d.ts +10 -0
package/dist/controllers/audits.controller.d.ts.map +1 -0
package/dist/controllers/audits.controller.js +107 -0
package/dist/controllers/audits.controller.js.map +1 -0
package/dist/controllers/global-roles.controller.d.ts +16 -0
package/dist/controllers/global-roles.controller.d.ts.map +1 -0
package/dist/controllers/global-roles.controller.js +137 -0
package/dist/controllers/global-roles.controller.js.map +1 -0
package/dist/controllers/index.d.ts +6 -1
package/dist/controllers/index.d.ts.map +1 -1
package/dist/controllers/index.js +6 -1
package/dist/controllers/index.js.map +1 -1
package/dist/controllers/organization-roles.controller.d.ts +16 -0
package/dist/controllers/organization-roles.controller.d.ts.map +1 -0
package/dist/controllers/organization-roles.controller.js +145 -0
package/dist/controllers/organization-roles.controller.js.map +1 -0
package/dist/controllers/organizations.controller.d.ts +65 -0
package/dist/controllers/organizations.controller.d.ts.map +1 -0
package/dist/controllers/organizations.controller.js +140 -0
package/dist/controllers/organizations.controller.js.map +1 -0
package/dist/controllers/security-audits.controller.d.ts +11 -0
package/dist/controllers/security-audits.controller.d.ts.map +1 -0
package/dist/controllers/security-audits.controller.js +130 -0
package/dist/controllers/security-audits.controller.js.map +1 -0
package/dist/decorators/account.decorator.d.ts +1 -3
package/dist/decorators/account.decorator.d.ts.map +1 -1
package/dist/decorators/account.decorator.js +3 -10
package/dist/decorators/account.decorator.js.map +1 -1
package/dist/decorators/audit-context.decorator.d.ts +6 -0
package/dist/decorators/audit-context.decorator.d.ts.map +1 -1
package/dist/decorators/audit-context.decorator.js +12 -3
package/dist/decorators/audit-context.decorator.js.map +1 -1
package/dist/decorators/auth.decorator.d.ts +5 -3
package/dist/decorators/auth.decorator.d.ts.map +1 -1
package/dist/decorators/auth.decorator.js +38 -3
package/dist/decorators/auth.decorator.js.map +1 -1
package/dist/decorators/index.d.ts +4 -0
package/dist/decorators/index.d.ts.map +1 -0
package/dist/decorators/index.js +20 -0
package/dist/decorators/index.js.map +1 -0
package/dist/dto/account.dto.d.ts +33 -0
package/dist/dto/account.dto.d.ts.map +1 -0
package/dist/dto/account.dto.js +14 -0
package/dist/dto/account.dto.js.map +1 -0
package/dist/dto/api-key.dto.d.ts +89 -0
package/dist/dto/api-key.dto.d.ts.map +1 -0
package/dist/dto/api-key.dto.js +27 -0
package/dist/dto/api-key.dto.js.map +1 -0
package/dist/dto/audit.dto.d.ts +11 -5
package/dist/dto/audit.dto.d.ts.map +1 -1
package/dist/dto/audit.dto.js +1 -1
package/dist/dto/audit.dto.js.map +1 -1
package/dist/dto/global-role.dto.d.ts +99 -0
package/dist/dto/global-role.dto.d.ts.map +1 -0
package/dist/dto/global-role.dto.js +26 -0
package/dist/dto/global-role.dto.js.map +1 -0
package/dist/dto/organization-role.dto.d.ts +107 -0
package/dist/dto/organization-role.dto.d.ts.map +1 -0
package/dist/dto/organization-role.dto.js +26 -0
package/dist/dto/organization-role.dto.js.map +1 -0
package/dist/dto/organization.dto.d.ts +57 -0
package/dist/dto/organization.dto.d.ts.map +1 -0
package/dist/dto/organization.dto.js +32 -0
package/dist/dto/organization.dto.js.map +1 -0
package/dist/dto/security-audit.dto.d.ts +95 -0
package/dist/dto/security-audit.dto.d.ts.map +1 -0
package/dist/dto/security-audit.dto.js +26 -0
package/dist/dto/security-audit.dto.js.map +1 -0
package/dist/index.d.ts +7 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -3
package/dist/index.js.map +1 -1
package/dist/managers/global-role.manager.d.ts +42 -0
package/dist/managers/global-role.manager.d.ts.map +1 -0
package/dist/managers/global-role.manager.js +117 -0
package/dist/managers/global-role.manager.js.map +1 -0
package/dist/managers/index.d.ts +4 -0
package/dist/managers/index.d.ts.map +1 -0
package/dist/managers/index.js +20 -0
package/dist/managers/index.js.map +1 -0
package/dist/managers/organization-role.manager.d.ts +47 -0
package/dist/managers/organization-role.manager.d.ts.map +1 -0
package/dist/managers/organization-role.manager.js +218 -0
package/dist/managers/organization-role.manager.js.map +1 -0
package/dist/managers/organization.manager.d.ts +39 -0
package/dist/managers/organization.manager.d.ts.map +1 -0
package/dist/managers/organization.manager.js +196 -0
package/dist/managers/organization.manager.js.map +1 -0
package/dist/module.d.ts +92 -0
package/dist/module.d.ts.map +1 -0
package/dist/module.js +137 -0
package/dist/module.js.map +1 -0
package/dist/pipes/api-key.pipe.d.ts +8 -0
package/dist/pipes/api-key.pipe.d.ts.map +1 -0
package/dist/pipes/api-key.pipe.js +28 -0
package/dist/pipes/api-key.pipe.js.map +1 -0
package/dist/pipes/organization.pipe.d.ts +8 -0
package/dist/pipes/organization.pipe.d.ts.map +1 -0
package/dist/pipes/organization.pipe.js +28 -0
package/dist/pipes/organization.pipe.js.map +1 -0
package/dist/pipes/role.pipe.d.ts +8 -0
package/dist/pipes/{file.pipe.d.ts.map → role.pipe.d.ts.map} +1 -1
package/dist/pipes/{file.pipe.js → role.pipe.js} +8 -8
package/dist/pipes/{file.pipe.js.map → role.pipe.js.map} +1 -1
package/dist/services/account.service.d.ts +0 -2
package/dist/services/account.service.d.ts.map +1 -1
package/dist/services/account.service.js +1 -37
package/dist/services/account.service.js.map +1 -1
package/dist/services/api-key.service.d.ts +42 -0
package/dist/services/api-key.service.d.ts.map +1 -0
package/dist/services/api-key.service.js +306 -0
package/dist/services/api-key.service.js.map +1 -0
package/dist/services/auth.service.d.ts +40 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +227 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/authorization.service.d.ts +44 -9
package/dist/services/authorization.service.d.ts.map +1 -1
package/dist/services/authorization.service.js +107 -41
package/dist/services/authorization.service.js.map +1 -1
package/dist/services/feature.service.d.ts +23 -0
package/dist/services/feature.service.d.ts.map +1 -0
package/dist/services/feature.service.js +49 -0
package/dist/services/feature.service.js.map +1 -0
package/dist/services/global-role.service.d.ts +17 -0
package/dist/services/global-role.service.d.ts.map +1 -0
package/dist/services/global-role.service.js +99 -0
package/dist/services/global-role.service.js.map +1 -0
package/dist/services/index.d.ts +9 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +25 -0
package/dist/services/index.js.map +1 -0
package/dist/services/organization-role.service.d.ts +33 -0
package/dist/services/organization-role.service.d.ts.map +1 -0
package/dist/services/organization-role.service.js +102 -0
package/dist/services/organization-role.service.js.map +1 -0
package/dist/services/organization.service.d.ts +29 -0
package/dist/services/organization.service.d.ts.map +1 -0
package/dist/services/organization.service.js +95 -0
package/dist/services/organization.service.js.map +1 -0
package/dist/types/feature-config.d.ts +9 -0
package/dist/types/feature-config.d.ts.map +1 -0
package/dist/types/feature-config.js +3 -0
package/dist/types/feature-config.js.map +1 -0
package/dist/types/hooks/auth-guard-hook.d.ts.map +1 -0
package/dist/types/hooks/auth-guard-hook.js.map +1 -0
package/dist/types/hooks/index.d.ts +3 -0
package/dist/types/hooks/index.d.ts.map +1 -0
package/dist/types/hooks/index.js +19 -0
package/dist/types/hooks/index.js.map +1 -0
package/dist/types/hooks/organization-delete-hook.d.ts +20 -0
package/dist/types/hooks/organization-delete-hook.d.ts.map +1 -0
package/dist/types/hooks/organization-delete-hook.js +3 -0
package/dist/types/hooks/organization-delete-hook.js.map +1 -0
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +21 -0
package/dist/types/index.js.map +1 -0
package/dist/types/request-principal.d.ts +9 -0
package/dist/types/request-principal.d.ts.map +1 -0
package/dist/types/request-principal.js +3 -0
package/dist/types/request-principal.js.map +1 -0
package/dist/utils/provider-helpers.d.ts +6 -1
package/dist/utils/provider-helpers.d.ts.map +1 -1
package/dist/utils/provider-helpers.js +11 -1
package/dist/utils/provider-helpers.js.map +1 -1
package/package.json +59 -17
package/test/unit/collections/api-key.collection.spec.ts +416 -0
package/test/unit/managers/global-role.manager.spec.ts +269 -0
package/test/unit/managers/organization-role.manager.spec.ts +632 -0
package/test/unit/managers/organization.manager.spec.ts +395 -0
package/test/unit/module.spec.ts +596 -0
package/test/unit/services/account.service.spec.ts +90 -0
package/test/unit/services/api-key.service.spec.ts +1244 -0
package/test/unit/services/auth.service.spec.ts +790 -0
package/test/unit/services/authorization.service.spec.ts +636 -0
package/test/unit/services/feature.service.spec.ts +56 -0
package/test/unit/services/global-role.service.spec.ts +289 -0
package/test/unit/services/organization-role.service.spec.ts +300 -0
package/test/unit/services/organization.service.spec.ts +385 -0
package/test/utils/auth-guard.ts +114 -0
package/test/utils/base.ts +16 -0
package/test/utils/entities/account.ts +13 -0
package/test/utils/entities/api-key.ts +15 -0
package/test/utils/entities/audit.ts +18 -0
package/test/utils/entities/index.ts +6 -0
package/test/utils/entities/mapping.ts +20 -0
package/test/utils/entities/organization.ts +13 -0
package/test/utils/entities/role.ts +21 -0
package/test/utils/entities/security-audit.ts +16 -0
package/test/utils/index.ts +4 -0
package/test/utils/models/audit-context.ts +10 -0
package/test/utils/models/authorization.ts +7 -0
package/test/utils/models/global-role.ts +22 -0
package/test/utils/models/index.ts +5 -0
package/test/utils/models/organization-role.ts +23 -0
package/test/utils/models/publishable.ts +7 -0
package/tsconfig.build.json +36 -0
package/tsconfig.build.tsbuildinfo +1 -0
package/dist/auth-guard-hook.d.ts.map +0 -1
package/dist/auth-guard-hook.js.map +0 -1
package/dist/cms.module.d.ts +0 -8
package/dist/cms.module.d.ts.map +0 -1
package/dist/cms.module.js +0 -44
package/dist/cms.module.js.map +0 -1
package/dist/cms.providers.d.ts +0 -120
package/dist/cms.providers.d.ts.map +0 -1
package/dist/cms.providers.js +0 -126
package/dist/cms.providers.js.map +0 -1
package/dist/collections/file.collection.d.ts +0 -21
package/dist/collections/file.collection.d.ts.map +0 -1
package/dist/collections/file.collection.js.map +0 -1
package/dist/collections/text.collection.d.ts +0 -20
package/dist/collections/text.collection.d.ts.map +0 -1
package/dist/collections/text.collection.js +0 -56
package/dist/collections/text.collection.js.map +0 -1
package/dist/pipes/file.pipe.d.ts +0 -8
/package/dist/{auth-guard-hook.d.ts → types/hooks/auth-guard-hook.d.ts} +0 -0
/package/dist/{auth-guard-hook.js → types/hooks/auth-guard-hook.js} +0 -0

package/test/unit/collections/api-key.collection.spec.ts ADDED Viewed

@@ -0,0 +1,416 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { Logger } from '@nestjs/common';
+import { Collection, MongoServerError, ClientSession } from 'mongodb';
+import { faker } from '@faker-js/faker';
+import * as trailmixModels from '@trailmix-cms/models';
+import { DatabaseService, Collections } from '@trailmix-cms/db';
+import { Utils } from '@trailmix-cms/db';
+import * as TestUtils from '../../utils';
+import { ApiKeyCollection } from '@/collections';
+import { CMSCollectionName } from '@/constants';
+describe('ApiKeyCollection', () => {
+    let collection: ApiKeyCollection;
+    let mongoCollection: jest.Mocked<Collection<trailmixModels.ApiKey.Entity>>;
+    let databaseService: jest.Mocked<DatabaseService>;
+    let auditCollection: jest.Mocked<Collections.AuditCollection>;
+    beforeEach(async () => {
+        // Mock Logger methods to prevent console output during tests
+        jest.spyOn(Logger.prototype, 'log').mockImplementation();
+        jest.spyOn(Logger.prototype, 'error').mockImplementation();
+        jest.spyOn(Logger.prototype, 'warn').mockImplementation();
+        jest.spyOn(Logger.prototype, 'debug').mockImplementation();
+        jest.spyOn(Logger.prototype, 'verbose').mockImplementation();
+        const mockMongoCollection = {
+            createIndex: jest.fn().mockResolvedValue('api_key_1'),
+            insertOne: jest.fn(),
+        };
+        const mockSession = {} as ClientSession;
+        const mockDatabaseService = {
+            withTransaction: jest.fn((options, callback) => callback(mockSession)),
+        };
+        const mockAuditCollection = {
+            insertOne: jest.fn().mockResolvedValue(undefined),
+        };
+        const module: TestingModule = await Test.createTestingModule({
+            providers: [
+                ApiKeyCollection,
+                {
+                    provide: Utils.buildCollectionToken(CMSCollectionName.ApiKey),
+                    useValue: mockMongoCollection,
+                },
+                {
+                    provide: DatabaseService,
+                    useValue: mockDatabaseService,
+                },
+                {
+                    provide: Collections.AuditCollection,
+                    useValue: mockAuditCollection,
+                },
+            ],
+        }).compile();
+        collection = module.get<ApiKeyCollection>(ApiKeyCollection);
+        mongoCollection = module.get(Utils.buildCollectionToken(CMSCollectionName.ApiKey));
+        databaseService = module.get(DatabaseService);
+        auditCollection = module.get(Collections.AuditCollection);
+    });
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+    afterAll(() => {
+        // Restore Logger methods after all tests
+        jest.restoreAllMocks();
+    });
+    describe('onModuleInit', () => {
+        it('creates unique index on api_key field (ensuring API keys are unique)', async () => {
+            await collection.onModuleInit();
+            expect(mongoCollection.createIndex).toHaveBeenCalledWith(
+                { api_key: 1 },
+                { unique: true }
+            );
+            expect(Logger.prototype.verbose).toHaveBeenCalledWith(
+                `creating custom indexes for collection_${CMSCollectionName.ApiKey}`
+            );
+        });
+    });
+    describe('create', () => {
+        const accountEntity = TestUtils.Entities.createAccount();
+        const auditContext = TestUtils.Models.createAuditContext({
+            principal_id: accountEntity._id,
+            principal_type: trailmixModels.Principal.Account,
+        });
+        it('creates API key successfully on first attempt (ensuring basic creation works)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            // Mock insertOne from AuditedCollection base class
+            jest.spyOn(collection, 'insertOne' as any).mockResolvedValueOnce(createdApiKey);
+            const result = await collection.create(params, auditContext);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(collection.insertOne).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    name: params.name,
+                    scope_type: params.scope_type,
+                    scope_id: params.scope_id,
+                    api_key: expect.stringMatching(/^[a-f0-9]{64}$/), // 32 bytes = 64 hex chars
+                }),
+                auditContext
+            );
+            expect(result).toEqual(createdApiKey);
+            expect(Logger.prototype.verbose).toHaveBeenCalledWith(
+                expect.stringContaining(`Successfully created APIKey with id ${createdApiKey._id} on attempt 1`)
+            );
+        });
+        it('creates API key with custom prefix (ensuring prefix is included in generated key)', async () => {
+            const prefix = 'test_prefix';
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+                api_key: `${prefix}_${faker.string.alphanumeric(64)}`,
+            });
+            jest.spyOn(collection, 'insertOne' as any).mockResolvedValueOnce(createdApiKey);
+            const result = await collection.create(params, auditContext, { prefix, maxRetries: 10, length: 32 });
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            // Verify that insertOne was called with a document containing the prefix
+            expect(collection.insertOne).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    name: params.name,
+                    scope_type: params.scope_type,
+                    scope_id: params.scope_id,
+                    api_key: expect.stringMatching(new RegExp(`^${prefix}_[a-f0-9]{64}$`)),
+                }),
+                auditContext
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('creates API key with custom length (ensuring custom length is respected)', async () => {
+            const customLength = 16;
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            jest.spyOn(collection, 'insertOne' as any).mockResolvedValueOnce(createdApiKey);
+            const result = await collection.create(params, auditContext, { maxRetries: 10, length: customLength });
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            // Verify that insertOne was called with a document containing the correct length API key
+            expect(collection.insertOne).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    name: params.name,
+                    scope_type: params.scope_type,
+                    scope_id: params.scope_id,
+                    api_key: expect.stringMatching(/^[a-f0-9]{32}$/), // 16 bytes = 32 hex chars
+                }),
+                auditContext
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('retries with new API key when duplicate key error occurs (ensuring retry logic handles duplicates within same transaction)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const duplicateError = new MongoServerError({ message: 'Duplicate key error' });
+            duplicateError.code = 11000;
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            // Mock insertOne from AuditedCollection base class to fail first time with duplicate, then succeed
+            // The retry happens within the same transaction callback
+            jest.spyOn(collection, 'insertOne' as any)
+                .mockImplementationOnce(() => Promise.reject(duplicateError))
+                .mockImplementationOnce(() => Promise.resolve(createdApiKey));
+            const result = await collection.create(params, auditContext, { maxRetries: 10, length: 32 });
+            // Should only call withTransaction once - retries happen inside the callback
+            expect(databaseService.withTransaction).toHaveBeenCalledTimes(1);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(Logger.prototype.warn).toHaveBeenCalledWith(
+                'Duplicate API key detected on attempt 1, retrying with new key...'
+            );
+            expect(Logger.prototype.verbose).toHaveBeenCalledWith(
+                expect.stringContaining(`Successfully created APIKey with id ${createdApiKey._id} on attempt 2`)
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('retries multiple times when duplicate key errors occur (ensuring multiple retries work within same transaction)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const duplicateError = new MongoServerError({ message: 'Duplicate key error' });
+            duplicateError.code = 11000;
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            // Mock insertOne to fail twice with duplicate, then succeed
+            // All retries happen within the same transaction callback
+            jest.spyOn(collection, 'insertOne' as any)
+                .mockImplementationOnce(() => Promise.reject(duplicateError))
+                .mockImplementationOnce(() => Promise.reject(duplicateError))
+                .mockImplementationOnce(() => Promise.resolve(createdApiKey));
+            const result = await collection.create(params, auditContext, { maxRetries: 10, length: 32 });
+            // Should only call withTransaction once - all retries happen inside the callback
+            expect(databaseService.withTransaction).toHaveBeenCalledTimes(1);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(Logger.prototype.warn).toHaveBeenCalledTimes(2);
+            expect(Logger.prototype.warn).toHaveBeenNthCalledWith(1, 'Duplicate API key detected on attempt 1, retrying with new key...');
+            expect(Logger.prototype.warn).toHaveBeenNthCalledWith(2, 'Duplicate API key detected on attempt 2, retrying with new key...');
+            expect(Logger.prototype.verbose).toHaveBeenCalledWith(
+                expect.stringContaining(`Successfully created APIKey with id ${createdApiKey._id} on attempt 3`)
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('throws error when max retries exceeded due to duplicate keys (ensuring max retries limit is enforced within transaction)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const duplicateError = new MongoServerError({ message: 'Duplicate key error' });
+            duplicateError.code = 11000;
+            const maxRetries = 3;
+            // Mock insertOne to always fail with duplicate error
+            jest.spyOn(collection, 'insertOne' as any).mockImplementation(() => Promise.reject(duplicateError));
+            await expect(
+                collection.create(params, auditContext, { maxRetries, length: 32 })
+            ).rejects.toThrow(`Failed to create APIKey: generated ${maxRetries} duplicate API keys. This is extremely unlikely.`);
+            // Should only call withTransaction once - all retries happen inside the callback
+            expect(databaseService.withTransaction).toHaveBeenCalledTimes(1);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(Logger.prototype.warn).toHaveBeenCalledTimes(maxRetries);
+            expect(Logger.prototype.error).toHaveBeenCalledWith(
+                `Failed to create APIKey after ${maxRetries} attempts due to duplicate keys`
+            );
+        });
+        it('throws non-duplicate errors immediately without retrying (ensuring non-duplicate errors are not retried)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const otherError = new Error('Some other database error');
+            // Mock insertOne to throw non-duplicate error
+            jest.spyOn(collection, 'insertOne' as any).mockImplementationOnce(() => Promise.reject(otherError));
+            await expect(
+                collection.create(params, auditContext, { maxRetries: 10, length: 32 })
+            ).rejects.toThrow('Some other database error');
+            expect(databaseService.withTransaction).toHaveBeenCalledTimes(1);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(Logger.prototype.warn).not.toHaveBeenCalled();
+            expect(Logger.prototype.error).toHaveBeenCalledWith(`Failed to create APIKey: ${otherError}`);
+        });
+        it('throws non-duplicate MongoServerError immediately without retrying (ensuring only duplicate errors trigger retries)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const mongoError = new MongoServerError({ message: 'Some MongoDB error' });
+            mongoError.code = 11001; // Different error code, not a duplicate key error
+            // Mock insertOne to throw non-duplicate MongoServerError
+            jest.spyOn(collection, 'insertOne' as any).mockImplementationOnce(() => Promise.reject(mongoError));
+            await expect(
+                collection.create(params, auditContext, { maxRetries: 10, length: 32 })
+            ).rejects.toThrow(mongoError);
+            expect(databaseService.withTransaction).toHaveBeenCalledTimes(1);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(Logger.prototype.warn).not.toHaveBeenCalled();
+            expect(Logger.prototype.error).toHaveBeenCalledWith(`Failed to create APIKey: ${mongoError}`);
+        });
+        it('uses default options when not provided (ensuring default values are used)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            jest.spyOn(collection, 'insertOne' as any).mockResolvedValueOnce(createdApiKey);
+            const result = await collection.create(params, auditContext);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('passes session parameter to withTransaction when provided (ensuring session is correctly propagated)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            const createdApiKey = TestUtils.Entities.createApiKey({
+                ...params,
+            });
+            const providedSession = {} as ClientSession;
+            jest.spyOn(collection, 'insertOne' as any).mockResolvedValueOnce(createdApiKey);
+            const result = await collection.create(params, auditContext, { maxRetries: 10, length: 32 }, providedSession);
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: providedSession },
+                expect.any(Function)
+            );
+            expect(result).toEqual(createdApiKey);
+        });
+        it('throws unexpected error when maxRetries is 0 (ensuring fallback error path is covered)', async () => {
+            const params: Omit<trailmixModels.ApiKey.Entity, '_id' | 'created_at' | 'updated_at' | 'api_key'> = {
+                name: faker.word.noun(),
+                scope_type: trailmixModels.ApiKeyScope.Account,
+                scope_id: accountEntity._id,
+            };
+            // When maxRetries is 0, the while loop won't execute, and we'll hit the fallback error
+            await expect(
+                collection.create(params, auditContext, { maxRetries: 0, length: 32 })
+            ).rejects.toThrow('Unexpected error in create method');
+            expect(databaseService.withTransaction).toHaveBeenCalledWith(
+                { session: undefined },
+                expect.any(Function)
+            );
+        });
+    });
+});

package/test/unit/managers/global-role.manager.spec.ts ADDED Viewed

@@ -0,0 +1,269 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { BadRequestException, ForbiddenException, NotFoundException, Logger } from '@nestjs/common';
+import { ObjectId } from 'mongodb';
+import * as trailmixModels from '@trailmix-cms/models';
+import * as TestUtils from '../../utils';
+import { GlobalRoleManager } from '@/managers';
+import { GlobalRoleService, AuthorizationService } from '@/services';
+import { SecurityAuditCollection } from '@/collections';
+import { RequestPrincipal } from '@/types';
+import { createAuditContextForPrincipal } from '@/decorators/audit-context.decorator';
+describe('GlobalRoleManager', () => {
+    let manager: GlobalRoleManager;
+    let globalRoleService: jest.Mocked<GlobalRoleService>;
+    let authorizationService: jest.Mocked<AuthorizationService>;
+    let securityAuditCollection: jest.Mocked<SecurityAuditCollection>;
+    const accountEntity = TestUtils.Entities.createAccount();
+    const accountPrincipal: RequestPrincipal = {
+        principal_type: trailmixModels.Principal.Account,
+        entity: accountEntity,
+    };
+    const auditContext = createAuditContextForPrincipal(accountPrincipal);
+    beforeEach(async () => {
+        // Mock Logger methods to prevent console output during tests
+        jest.spyOn(Logger.prototype, 'log').mockImplementation();
+        jest.spyOn(Logger.prototype, 'error').mockImplementation();
+        jest.spyOn(Logger.prototype, 'warn').mockImplementation();
+        jest.spyOn(Logger.prototype, 'debug').mockImplementation();
+        jest.spyOn(Logger.prototype, 'verbose').mockImplementation();
+        const mockGlobalRoleService = {
+            insertOne: jest.fn(),
+            find: jest.fn(),
+            findOne: jest.fn(),
+            deleteOne: jest.fn(),
+        };
+        const mockAuthorizationService = {
+            isGlobalAdmin: jest.fn(),
+        };
+        const mockSecurityAuditCollection = {
+            insertOne: jest.fn().mockResolvedValue(undefined),
+        };
+        const module: TestingModule = await Test.createTestingModule({
+            providers: [
+                GlobalRoleManager,
+                {
+                    provide: GlobalRoleService,
+                    useValue: mockGlobalRoleService,
+                },
+                {
+                    provide: AuthorizationService,
+                    useValue: mockAuthorizationService,
+                },
+                {
+                    provide: SecurityAuditCollection,
+                    useValue: mockSecurityAuditCollection,
+                },
+            ],
+        }).compile();
+        manager = module.get<GlobalRoleManager>(GlobalRoleManager);
+        globalRoleService = module.get(GlobalRoleService);
+        authorizationService = module.get(AuthorizationService);
+        securityAuditCollection = module.get(SecurityAuditCollection);
+    });
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+    afterAll(() => {
+        jest.restoreAllMocks();
+    });
+    describe('insertOne', () => {
+        const params = {
+            principal_id: new ObjectId(),
+            principal_type: trailmixModels.Principal.Account,
+            role: trailmixModels.RoleValue.Admin,
+        };
+        it('successfully creates a global role when user is global admin and role does not exist (ensuring global role creation works)', async () => {
+            const globalRole = TestUtils.Models.createGlobalRoleModel(params);
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(null);
+            globalRoleService.insertOne.mockResolvedValue(globalRole);
+            const result = await manager.insertOne(params, accountPrincipal, auditContext);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalledWith(
+                accountEntity._id,
+                accountPrincipal.principal_type,
+            );
+            expect(globalRoleService.findOne).toHaveBeenCalledWith(params);
+            expect(globalRoleService.insertOne).toHaveBeenCalledWith(params, auditContext);
+            expect(result).toEqual(globalRole);
+            expect(securityAuditCollection.insertOne).not.toHaveBeenCalled();
+        });
+        it('throws ForbiddenException when user is not global admin (ensuring only global admins can create global roles)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(false);
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(ForbiddenException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).not.toHaveBeenCalled();
+            expect(globalRoleService.insertOne).not.toHaveBeenCalled();
+            expect(securityAuditCollection.insertOne).toHaveBeenCalledWith({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                message: 'Insufficient permissions to create global role',
+                source: GlobalRoleManager.name,
+            });
+        });
+        it('throws BadRequestException when role already exists (ensuring role uniqueness is enforced)', async () => {
+            const existingRole = TestUtils.Models.createGlobalRoleModel(params);
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(existingRole);
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(BadRequestException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).toHaveBeenCalledWith(params);
+            expect(globalRoleService.insertOne).not.toHaveBeenCalled();
+        });
+    });
+    describe('find', () => {
+        const query = {
+            principal_id: new ObjectId(),
+        };
+        it('successfully finds global roles when user is global admin (ensuring global role retrieval works)', async () => {
+            const globalRoles = [
+                TestUtils.Models.createGlobalRoleModel(),
+                TestUtils.Models.createGlobalRoleModel(),
+            ];
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.find.mockResolvedValue(globalRoles);
+            const result = await manager.find(query, accountPrincipal);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalledWith(
+                accountEntity._id,
+                accountPrincipal.principal_type,
+            );
+            expect(globalRoleService.find).toHaveBeenCalledWith(query);
+            expect(result).toEqual(globalRoles);
+        });
+        it('throws ForbiddenException when user is not global admin (ensuring only global admins can find global roles)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(false);
+            await expect(
+                manager.find(query, accountPrincipal)
+            ).rejects.toThrow(ForbiddenException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.find).not.toHaveBeenCalled();
+            expect(securityAuditCollection.insertOne).toHaveBeenCalledWith({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                message: 'Insufficient permissions to find global roles',
+                source: GlobalRoleManager.name,
+            });
+        });
+    });
+    describe('get', () => {
+        const roleId = new ObjectId();
+        it('successfully gets a global role when user is global admin and role exists (ensuring global role retrieval works)', async () => {
+            const globalRole = TestUtils.Models.createGlobalRoleModel({ _id: roleId });
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(globalRole);
+            const result = await manager.get(roleId, accountPrincipal);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalledWith(
+                accountEntity._id,
+                accountPrincipal.principal_type,
+            );
+            expect(globalRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(result).toEqual(globalRole);
+        });
+        it('throws NotFoundException when role does not exist (ensuring role existence is validated)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(null);
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(NotFoundException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+        });
+        it('throws ForbiddenException when user is not global admin (ensuring only global admins can get global roles)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(false);
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(ForbiddenException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).not.toHaveBeenCalled();
+        });
+    });
+    describe('deleteOne', () => {
+        const roleId = new ObjectId();
+        it('successfully deletes a global role when user is global admin and role exists (ensuring global role deletion works)', async () => {
+            const globalRole = TestUtils.Models.createGlobalRoleModel({ _id: roleId });
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(globalRole);
+            globalRoleService.deleteOne.mockResolvedValue(undefined);
+            await manager.deleteOne(roleId, accountPrincipal, auditContext);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalledWith(
+                accountEntity._id,
+                accountPrincipal.principal_type,
+            );
+            expect(globalRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(globalRoleService.deleteOne).toHaveBeenCalledWith(roleId, auditContext);
+        });
+        it('throws NotFoundException when role does not exist (ensuring role existence is validated)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            globalRoleService.findOne.mockResolvedValue(null);
+            await expect(
+                manager.deleteOne(roleId, accountPrincipal, auditContext)
+            ).rejects.toThrow(NotFoundException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(globalRoleService.deleteOne).not.toHaveBeenCalled();
+        });
+        it('throws ForbiddenException when user is not global admin (ensuring only global admins can delete global roles)', async () => {
+            authorizationService.isGlobalAdmin.mockResolvedValue(false);
+            await expect(
+                manager.deleteOne(roleId, accountPrincipal, auditContext)
+            ).rejects.toThrow(ForbiddenException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(globalRoleService.findOne).not.toHaveBeenCalled();
+            expect(globalRoleService.deleteOne).not.toHaveBeenCalled();
+        });
+    });
+});