npm - @trailmix-cms/cms - Versions diffs - 0.4.4 → 0.7.2 - Mend

@trailmix-cms/cms 0.4.4 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/dist/auth.guard.d.ts +5 -13
package/dist/auth.guard.d.ts.map +1 -1
package/dist/auth.guard.js +24 -95
package/dist/auth.guard.js.map +1 -1
package/dist/collections/account.collection.d.ts +5 -3
package/dist/collections/account.collection.d.ts.map +1 -1
package/dist/collections/account.collection.js +15 -8
package/dist/collections/account.collection.js.map +1 -1
package/dist/collections/api-key.collection.d.ts +54 -0
package/dist/collections/api-key.collection.d.ts.map +1 -0
package/dist/collections/api-key.collection.js +142 -0
package/dist/collections/api-key.collection.js.map +1 -0
package/dist/collections/index.d.ts +4 -2
package/dist/collections/index.d.ts.map +1 -1
package/dist/collections/index.js +9 -5
package/dist/collections/index.js.map +1 -1
package/dist/collections/organization.collection.d.ts +20 -0
package/dist/collections/organization.collection.d.ts.map +1 -0
package/dist/collections/{file.collection.js → organization.collection.js} +17 -17
package/dist/collections/organization.collection.js.map +1 -0
package/dist/collections/role.collection.d.ts +32 -0
package/dist/collections/role.collection.d.ts.map +1 -0
package/dist/collections/role.collection.js +90 -0
package/dist/collections/role.collection.js.map +1 -0
package/dist/collections/security-audit.collection.d.ts +30 -0
package/dist/collections/security-audit.collection.d.ts.map +1 -0
package/dist/collections/security-audit.collection.js +79 -0
package/dist/collections/security-audit.collection.js.map +1 -0
package/dist/constants/cms-collection-names.d.ts +4 -2
package/dist/constants/cms-collection-names.d.ts.map +1 -1
package/dist/constants/cms-collection-names.js +4 -2
package/dist/constants/cms-collection-names.js.map +1 -1
package/dist/constants/provider-symbols.d.ts +10 -12
package/dist/constants/provider-symbols.d.ts.map +1 -1
package/dist/constants/provider-symbols.js +10 -12
package/dist/constants/provider-symbols.js.map +1 -1
package/dist/controllers/account.controller.d.ts +11 -15
package/dist/controllers/account.controller.d.ts.map +1 -1
package/dist/controllers/account.controller.js +69 -13
package/dist/controllers/account.controller.js.map +1 -1
package/dist/controllers/api-keys.controller.d.ts +13 -0
package/dist/controllers/api-keys.controller.d.ts.map +1 -0
package/dist/controllers/api-keys.controller.js +125 -0
package/dist/controllers/api-keys.controller.js.map +1 -0
package/dist/controllers/audit.controller.d.ts.map +1 -1
package/dist/controllers/audit.controller.js +3 -3
package/dist/controllers/audit.controller.js.map +1 -1
package/dist/controllers/audits.controller.d.ts +10 -0
package/dist/controllers/audits.controller.d.ts.map +1 -0
package/dist/controllers/audits.controller.js +107 -0
package/dist/controllers/audits.controller.js.map +1 -0
package/dist/controllers/global-roles.controller.d.ts +16 -0
package/dist/controllers/global-roles.controller.d.ts.map +1 -0
package/dist/controllers/global-roles.controller.js +137 -0
package/dist/controllers/global-roles.controller.js.map +1 -0
package/dist/controllers/index.d.ts +6 -1
package/dist/controllers/index.d.ts.map +1 -1
package/dist/controllers/index.js +6 -1
package/dist/controllers/index.js.map +1 -1
package/dist/controllers/organization-roles.controller.d.ts +16 -0
package/dist/controllers/organization-roles.controller.d.ts.map +1 -0
package/dist/controllers/organization-roles.controller.js +145 -0
package/dist/controllers/organization-roles.controller.js.map +1 -0
package/dist/controllers/organizations.controller.d.ts +65 -0
package/dist/controllers/organizations.controller.d.ts.map +1 -0
package/dist/controllers/organizations.controller.js +140 -0
package/dist/controllers/organizations.controller.js.map +1 -0
package/dist/controllers/security-audits.controller.d.ts +11 -0
package/dist/controllers/security-audits.controller.d.ts.map +1 -0
package/dist/controllers/security-audits.controller.js +130 -0
package/dist/controllers/security-audits.controller.js.map +1 -0
package/dist/decorators/account.decorator.d.ts +1 -3
package/dist/decorators/account.decorator.d.ts.map +1 -1
package/dist/decorators/account.decorator.js +3 -10
package/dist/decorators/account.decorator.js.map +1 -1
package/dist/decorators/audit-context.decorator.d.ts +6 -0
package/dist/decorators/audit-context.decorator.d.ts.map +1 -1
package/dist/decorators/audit-context.decorator.js +12 -3
package/dist/decorators/audit-context.decorator.js.map +1 -1
package/dist/decorators/auth.decorator.d.ts +7 -6
package/dist/decorators/auth.decorator.d.ts.map +1 -1
package/dist/decorators/auth.decorator.js +38 -5
package/dist/decorators/auth.decorator.js.map +1 -1
package/dist/decorators/index.d.ts +4 -0
package/dist/decorators/index.d.ts.map +1 -0
package/dist/decorators/index.js +20 -0
package/dist/decorators/index.js.map +1 -0
package/dist/dto/account.dto.d.ts +33 -0
package/dist/dto/account.dto.d.ts.map +1 -0
package/dist/dto/account.dto.js +14 -0
package/dist/dto/account.dto.js.map +1 -0
package/dist/dto/api-key.dto.d.ts +89 -0
package/dist/dto/api-key.dto.d.ts.map +1 -0
package/dist/dto/api-key.dto.js +27 -0
package/dist/dto/api-key.dto.js.map +1 -0
package/dist/dto/audit.dto.d.ts +11 -5
package/dist/dto/audit.dto.d.ts.map +1 -1
package/dist/dto/audit.dto.js +1 -1
package/dist/dto/audit.dto.js.map +1 -1
package/dist/dto/global-role.dto.d.ts +99 -0
package/dist/dto/global-role.dto.d.ts.map +1 -0
package/dist/dto/global-role.dto.js +26 -0
package/dist/dto/global-role.dto.js.map +1 -0
package/dist/dto/organization-role.dto.d.ts +107 -0
package/dist/dto/organization-role.dto.d.ts.map +1 -0
package/dist/dto/organization-role.dto.js +26 -0
package/dist/dto/organization-role.dto.js.map +1 -0
package/dist/dto/organization.dto.d.ts +57 -0
package/dist/dto/organization.dto.d.ts.map +1 -0
package/dist/dto/organization.dto.js +32 -0
package/dist/dto/organization.dto.js.map +1 -0
package/dist/dto/security-audit.dto.d.ts +95 -0
package/dist/dto/security-audit.dto.d.ts.map +1 -0
package/dist/dto/security-audit.dto.js +26 -0
package/dist/dto/security-audit.dto.js.map +1 -0
package/dist/index.d.ts +7 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -3
package/dist/index.js.map +1 -1
package/dist/managers/global-role.manager.d.ts +42 -0
package/dist/managers/global-role.manager.d.ts.map +1 -0
package/dist/managers/global-role.manager.js +117 -0
package/dist/managers/global-role.manager.js.map +1 -0
package/dist/managers/index.d.ts +4 -0
package/dist/managers/index.d.ts.map +1 -0
package/dist/managers/index.js +20 -0
package/dist/managers/index.js.map +1 -0
package/dist/managers/organization-role.manager.d.ts +47 -0
package/dist/managers/organization-role.manager.d.ts.map +1 -0
package/dist/managers/organization-role.manager.js +218 -0
package/dist/managers/organization-role.manager.js.map +1 -0
package/dist/managers/organization.manager.d.ts +39 -0
package/dist/managers/organization.manager.d.ts.map +1 -0
package/dist/managers/organization.manager.js +196 -0
package/dist/managers/organization.manager.js.map +1 -0
package/dist/module.d.ts +92 -0
package/dist/module.d.ts.map +1 -0
package/dist/module.js +137 -0
package/dist/module.js.map +1 -0
package/dist/pipes/api-key.pipe.d.ts +8 -0
package/dist/pipes/api-key.pipe.d.ts.map +1 -0
package/dist/pipes/api-key.pipe.js +28 -0
package/dist/pipes/api-key.pipe.js.map +1 -0
package/dist/pipes/organization.pipe.d.ts +8 -0
package/dist/pipes/organization.pipe.d.ts.map +1 -0
package/dist/pipes/organization.pipe.js +28 -0
package/dist/pipes/organization.pipe.js.map +1 -0
package/dist/pipes/role.pipe.d.ts +8 -0
package/dist/pipes/{file.pipe.d.ts.map → role.pipe.d.ts.map} +1 -1
package/dist/pipes/{file.pipe.js → role.pipe.js} +8 -8
package/dist/pipes/{file.pipe.js.map → role.pipe.js.map} +1 -1
package/dist/services/account.service.d.ts +0 -2
package/dist/services/account.service.d.ts.map +1 -1
package/dist/services/account.service.js +1 -37
package/dist/services/account.service.js.map +1 -1
package/dist/services/api-key.service.d.ts +42 -0
package/dist/services/api-key.service.d.ts.map +1 -0
package/dist/services/api-key.service.js +306 -0
package/dist/services/api-key.service.js.map +1 -0
package/dist/services/auth.service.d.ts +50 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +259 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/authorization.service.d.ts +44 -9
package/dist/services/authorization.service.d.ts.map +1 -1
package/dist/services/authorization.service.js +107 -41
package/dist/services/authorization.service.js.map +1 -1
package/dist/services/feature.service.d.ts +23 -0
package/dist/services/feature.service.d.ts.map +1 -0
package/dist/services/feature.service.js +49 -0
package/dist/services/feature.service.js.map +1 -0
package/dist/services/global-role.service.d.ts +17 -0
package/dist/services/global-role.service.d.ts.map +1 -0
package/dist/services/global-role.service.js +99 -0
package/dist/services/global-role.service.js.map +1 -0
package/dist/services/index.d.ts +9 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +25 -0
package/dist/services/index.js.map +1 -0
package/dist/services/organization-role.service.d.ts +33 -0
package/dist/services/organization-role.service.d.ts.map +1 -0
package/dist/services/organization-role.service.js +102 -0
package/dist/services/organization-role.service.js.map +1 -0
package/dist/services/organization.service.d.ts +29 -0
package/dist/services/organization.service.d.ts.map +1 -0
package/dist/services/organization.service.js +95 -0
package/dist/services/organization.service.js.map +1 -0
package/dist/types/feature-config.d.ts +9 -0
package/dist/types/feature-config.d.ts.map +1 -0
package/dist/types/feature-config.js +3 -0
package/dist/types/feature-config.js.map +1 -0
package/dist/types/hooks/auth-guard-hook.d.ts.map +1 -0
package/dist/types/hooks/auth-guard-hook.js.map +1 -0
package/dist/types/hooks/index.d.ts +3 -0
package/dist/types/hooks/index.d.ts.map +1 -0
package/dist/types/hooks/index.js +19 -0
package/dist/types/hooks/index.js.map +1 -0
package/dist/types/hooks/organization-delete-hook.d.ts +20 -0
package/dist/types/hooks/organization-delete-hook.d.ts.map +1 -0
package/dist/types/hooks/organization-delete-hook.js +3 -0
package/dist/types/hooks/organization-delete-hook.js.map +1 -0
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +21 -0
package/dist/types/index.js.map +1 -0
package/dist/types/request-principal.d.ts +9 -0
package/dist/types/request-principal.d.ts.map +1 -0
package/dist/types/request-principal.js +3 -0
package/dist/types/request-principal.js.map +1 -0
package/dist/utils/provider-helpers.d.ts +6 -1
package/dist/utils/provider-helpers.d.ts.map +1 -1
package/dist/utils/provider-helpers.js +11 -1
package/dist/utils/provider-helpers.js.map +1 -1
package/package.json +52 -17
package/test/unit/auth.guard.spec.ts +355 -0
package/test/unit/collections/api-key.collection.spec.ts +416 -0
package/test/unit/managers/global-role.manager.spec.ts +269 -0
package/test/unit/managers/organization-role.manager.spec.ts +632 -0
package/test/unit/managers/organization.manager.spec.ts +395 -0
package/test/unit/module.spec.ts +596 -0
package/test/unit/services/account.service.spec.ts +90 -0
package/test/unit/services/api-key.service.spec.ts +1244 -0
package/test/unit/services/auth.service.spec.ts +1036 -0
package/test/unit/services/authorization.service.spec.ts +636 -0
package/test/unit/services/feature.service.spec.ts +56 -0
package/test/unit/services/global-role.service.spec.ts +289 -0
package/test/unit/services/organization-role.service.spec.ts +300 -0
package/test/unit/services/organization.service.spec.ts +385 -0
package/test/utils/auth-guard.ts +114 -0
package/test/utils/base.ts +16 -0
package/test/utils/entities/account.ts +13 -0
package/test/utils/entities/api-key.ts +15 -0
package/test/utils/entities/audit.ts +18 -0
package/test/utils/entities/index.ts +6 -0
package/test/utils/entities/mapping.ts +20 -0
package/test/utils/entities/organization.ts +13 -0
package/test/utils/entities/role.ts +21 -0
package/test/utils/entities/security-audit.ts +16 -0
package/test/utils/index.ts +4 -0
package/test/utils/models/audit-context.ts +10 -0
package/test/utils/models/authorization.ts +7 -0
package/test/utils/models/global-role.ts +22 -0
package/test/utils/models/index.ts +5 -0
package/test/utils/models/organization-role.ts +23 -0
package/test/utils/models/publishable.ts +7 -0
package/tsconfig.build.json +36 -0
package/tsconfig.build.tsbuildinfo +1 -0
package/dist/auth-guard-hook.d.ts.map +0 -1
package/dist/auth-guard-hook.js.map +0 -1
package/dist/cms.module.d.ts +0 -8
package/dist/cms.module.d.ts.map +0 -1
package/dist/cms.module.js +0 -44
package/dist/cms.module.js.map +0 -1
package/dist/cms.providers.d.ts +0 -120
package/dist/cms.providers.d.ts.map +0 -1
package/dist/cms.providers.js +0 -126
package/dist/cms.providers.js.map +0 -1
package/dist/collections/file.collection.d.ts +0 -21
package/dist/collections/file.collection.d.ts.map +0 -1
package/dist/collections/file.collection.js.map +0 -1
package/dist/collections/text.collection.d.ts +0 -20
package/dist/collections/text.collection.d.ts.map +0 -1
package/dist/collections/text.collection.js +0 -56
package/dist/collections/text.collection.js.map +0 -1
package/dist/pipes/file.pipe.d.ts +0 -8
/package/dist/{auth-guard-hook.d.ts → types/hooks/auth-guard-hook.d.ts} +0 -0
/package/dist/{auth-guard-hook.js → types/hooks/auth-guard-hook.js} +0 -0

package/test/unit/auth.guard.spec.ts ADDED Viewed

@@ -0,0 +1,355 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { Reflector } from '@nestjs/core';
+import { UnauthorizedException, ForbiddenException, InternalServerErrorException, ExecutionContext } from '@nestjs/common';
+import { FastifyRequest } from 'fastify';
+import * as trailmixModels from '@trailmix-cms/models';
+import { AuthGuard } from '@/auth.guard';
+import { AuthService, AuthResult } from '@/services/auth.service';
+import { AUTH_OPTIONS_KEY, AuthOptions } from '@/decorators/auth.decorator';
+import { type RequestPrincipal } from '@/types';
+import * as TestUtils from '../utils';
+describe('AuthGuard', () => {
+    let guard: AuthGuard;
+    let reflector: jest.Mocked<Reflector>;
+    let authService: jest.Mocked<AuthService>;
+    const createMockContext = (request: Partial<FastifyRequest> = {}): ExecutionContext => {
+        return {
+            switchToHttp: () => ({
+                getRequest: () => request as FastifyRequest,
+            }),
+            getHandler: jest.fn(),
+            getClass: jest.fn(),
+        } as any as ExecutionContext;
+    };
+    beforeEach(async () => {
+        const mockReflector = {
+            getAllAndOverride: jest.fn(),
+        };
+        const mockAuthService = {
+            getPrincipal: jest.fn(),
+            validateAuth: jest.fn(),
+        };
+        const module: TestingModule = await Test.createTestingModule({
+            providers: [
+                AuthGuard,
+                {
+                    provide: Reflector,
+                    useValue: mockReflector,
+                },
+                {
+                    provide: AuthService,
+                    useValue: mockAuthService,
+                },
+            ],
+        }).compile();
+        guard = module.get<AuthGuard>(AuthGuard);
+        reflector = module.get(Reflector);
+        authService = module.get(AuthService);
+    });
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+    describe('canActivate', () => {
+        it('returns true and sets principal when authentication is valid (ensuring successful authentication flow)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [trailmixModels.Principal.Account],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            const result = await guard.canActivate(context);
+            expect(result).toBe(true);
+            expect(reflector.getAllAndOverride).toHaveBeenCalledWith(AUTH_OPTIONS_KEY, [
+                context.getHandler(),
+                context.getClass(),
+            ]);
+            expect(authService.getPrincipal).toHaveBeenCalledWith(context);
+            expect(authService.validateAuth).toHaveBeenCalledWith(
+                principal,
+                {
+                    allowAnonymous: false,
+                    requiredPrincipalTypes: [trailmixModels.Principal.Account],
+                    requiredGlobalRoles: [],
+                    requiredApiKeyScopes: [],
+                },
+                '/test/endpoint'
+            );
+            expect(request.principal).toEqual(principal);
+        });
+        it('uses default auth options when metadata is undefined (ensuring default behavior when no metadata)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            // When metadata is undefined, destructuring will fail, so return empty object instead
+            reflector.getAllAndOverride.mockReturnValue({} as AuthOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            const result = await guard.canActivate(context);
+            expect(result).toBe(true);
+            expect(authService.validateAuth).toHaveBeenCalledWith(
+                principal,
+                {
+                    allowAnonymous: undefined,
+                    requiredPrincipalTypes: undefined,
+                    requiredGlobalRoles: undefined,
+                    requiredApiKeyScopes: undefined,
+                },
+                '/test/endpoint'
+            );
+            expect(request.principal).toEqual(principal);
+        });
+        it('throws UnauthorizedException when auth result is Unauthorized (ensuring unauthorized requests are rejected)', async () => {
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(null);
+            authService.validateAuth.mockResolvedValue(AuthResult.Unauthorized);
+            await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
+            await expect(guard.canActivate(context)).rejects.toThrow('Unauthorized request');
+            expect(authService.validateAuth).toHaveBeenCalled();
+            expect(request.principal).toBeUndefined();
+        });
+        it('throws ForbiddenException when auth result is Forbidden (ensuring forbidden requests are rejected)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [trailmixModels.RoleValue.Admin],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.Forbidden);
+            await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
+            await expect(guard.canActivate(context)).rejects.toThrow('You are not authorized to access this resource');
+            expect(authService.validateAuth).toHaveBeenCalled();
+            expect(request.principal).toBeUndefined();
+        });
+        it('throws InternalServerErrorException when auth result is unexpected (ensuring unexpected results throw error)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue('unexpected-result' as AuthResult);
+            await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+            await expect(guard.canActivate(context)).rejects.toThrow('Failed to validate authentication');
+            expect(authService.validateAuth).toHaveBeenCalled();
+            expect(request.principal).toBeUndefined();
+        });
+        it('passes correct auth options to validateAuth (ensuring all options are passed correctly)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/api/users' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: true,
+                requiredPrincipalTypes: [trailmixModels.Principal.Account, trailmixModels.Principal.ApiKey],
+                requiredGlobalRoles: [trailmixModels.RoleValue.User, trailmixModels.RoleValue.Admin],
+                requiredApiKeyScopes: [trailmixModels.ApiKeyScope.Account, trailmixModels.ApiKeyScope.Organization],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            await guard.canActivate(context);
+            expect(authService.validateAuth).toHaveBeenCalledWith(
+                principal,
+                {
+                    allowAnonymous: true,
+                    requiredPrincipalTypes: [trailmixModels.Principal.Account, trailmixModels.Principal.ApiKey],
+                    requiredGlobalRoles: [trailmixModels.RoleValue.User, trailmixModels.RoleValue.Admin],
+                    requiredApiKeyScopes: [trailmixModels.ApiKeyScope.Account, trailmixModels.ApiKeyScope.Organization],
+                },
+                '/api/users'
+            );
+        });
+        it('handles API key principal correctly (ensuring API key principals work)', async () => {
+            const apiKeyEntity = TestUtils.Entities.createApiKey();
+            const principal: RequestPrincipal = {
+                entity: apiKeyEntity,
+                principal_type: trailmixModels.Principal.ApiKey,
+            };
+            const request = { url: '/api/data' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [trailmixModels.Principal.ApiKey],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [trailmixModels.ApiKeyScope.Account],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            const result = await guard.canActivate(context);
+            expect(result).toBe(true);
+            expect(request.principal).toEqual(principal);
+        });
+        it('handles null principal when allowAnonymous is true (ensuring anonymous access works)', async () => {
+            const request = { url: '/public/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: true,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(null);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            const result = await guard.canActivate(context);
+            expect(result).toBe(true);
+            expect(authService.validateAuth).toHaveBeenCalledWith(
+                null,
+                {
+                    allowAnonymous: true,
+                    requiredPrincipalTypes: [],
+                    requiredGlobalRoles: [],
+                    requiredApiKeyScopes: [],
+                },
+                '/public/endpoint'
+            );
+            // Principal is set to null when principal is null (non-null assertion still allows null)
+            expect(request.principal).toBeNull();
+        });
+        it('extracts request URL correctly (ensuring URL is passed to validateAuth)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const requestUrl = '/api/v1/organizations/123/members';
+            const request = { url: requestUrl } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.IsValid);
+            await guard.canActivate(context);
+            expect(authService.validateAuth).toHaveBeenCalledWith(
+                principal,
+                expect.objectContaining({
+                    allowAnonymous: false,
+                    requiredPrincipalTypes: [],
+                    requiredGlobalRoles: [],
+                    requiredApiKeyScopes: [],
+                }),
+                requestUrl
+            );
+        });
+        it('does not set principal when authentication fails (ensuring principal is not set on failure)', async () => {
+            const accountEntity = TestUtils.Entities.createAccount();
+            const principal: RequestPrincipal = {
+                entity: accountEntity,
+                principal_type: trailmixModels.Principal.Account,
+            };
+            const request = { url: '/test/endpoint' } as FastifyRequest;
+            const context = createMockContext(request);
+            const authOptions: AuthOptions = {
+                allowAnonymous: false,
+                requiredPrincipalTypes: [],
+                requiredGlobalRoles: [trailmixModels.RoleValue.Admin],
+                requiredApiKeyScopes: [],
+            };
+            reflector.getAllAndOverride.mockReturnValue(authOptions);
+            authService.getPrincipal.mockResolvedValue(principal);
+            authService.validateAuth.mockResolvedValue(AuthResult.Forbidden);
+            try {
+                await guard.canActivate(context);
+            } catch (error) {
+                // Expected to throw
+            }
+            expect(request.principal).toBeUndefined();
+        });
+    });
+});