npm - @useatlas/create - Versions diffs - 0.0.1 - Mend

@useatlas/create 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (515) hide show

package/templates/docker/src/lib/auth/__tests__/audit.test.ts ADDED Viewed

@@ -0,0 +1,418 @@
+import { describe, it, expect, beforeEach, afterEach } from "bun:test";
+import { withRequestContext } from "@atlas/api/lib/logger";
+import { _resetPool, type InternalPool } from "@atlas/api/lib/db/internal";
+import type { AtlasUser } from "../types";
+import { logQueryAudit } from "../audit";
+/**
+ * Audit tests use _resetPool() to inject a mock pg.Pool into the real
+ * internal.ts module. This avoids mock.module which is unreliable in
+ * bun's full test suite (module caching across files).
+ */
+// Capture pool.query calls for assertion
+let queryCalls: Array<{ sql: string; params?: unknown[] }> = [];
+let queryThrow: Error | null = null;
+const mockPool: InternalPool = {
+  query: async (sql: string, params?: unknown[]) => {
+    if (queryThrow) throw queryThrow;
+    queryCalls.push({ sql, params });
+    return { rows: [] };
+  },
+  end: async () => {},
+  on: () => {},
+};
+describe("logQueryAudit()", () => {
+  const origDbUrl = process.env.DATABASE_URL;
+  beforeEach(() => {
+    queryCalls = [];
+    queryThrow = null;
+  });
+  afterEach(() => {
+    // Restore original state
+    if (origDbUrl) {
+      process.env.DATABASE_URL = origDbUrl;
+    } else {
+      delete process.env.DATABASE_URL;
+    }
+    _resetPool(null);
+  });
+  /** Enable the internal DB path by setting env var + injecting mock pool */
+  function enableInternalDB() {
+    process.env.DATABASE_URL = "postgresql://test:test@localhost:5432/test";
+    _resetPool(mockPool);
+  }
+  it("inserts into audit_log with correct params when internal DB is available", () => {
+    enableInternalDB();
+    const user: AtlasUser = { id: "u1", label: "test@example.com", mode: "managed" };
+    withRequestContext({ requestId: "req-1", user }, () => {
+      logQueryAudit({
+        sql: "SELECT 1",
+        durationMs: 42,
+        rowCount: 1,
+        success: true,
+      });
+    });
+    expect(queryCalls).toHaveLength(1);
+    expect(queryCalls[0].sql).toContain("INSERT INTO audit_log");
+    expect(queryCalls[0].params).toEqual([
+      "u1",
+      "test@example.com",
+      "managed",
+      "SELECT 1",
+      42,
+      1,
+      true,
+      null,
+      null, // source_id
+      null, // source_type
+      null, // target_host
+    ]);
+  });
+  it("includes source fields in audit insert when provided", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: 1,
+      success: true,
+      sourceId: "warehouse",
+      sourceType: "postgres",
+      targetHost: "db.example.com",
+    });
+    expect(queryCalls).toHaveLength(1);
+    const params = queryCalls[0].params!;
+    expect(params[8]).toBe("warehouse");   // source_id
+    expect(params[9]).toBe("postgres");    // source_type
+    expect(params[10]).toBe("db.example.com"); // target_host
+  });
+  it("does not insert when internal DB is not available", () => {
+    delete process.env.DATABASE_URL;
+    _resetPool(null);
+    expect(() =>
+      logQueryAudit({
+        sql: "SELECT 1",
+        durationMs: 10,
+        rowCount: 1,
+        success: true,
+      }),
+    ).not.toThrow();
+    expect(queryCalls).toHaveLength(0);
+  });
+  it("does not throw when DB insert fails", () => {
+    enableInternalDB();
+    queryThrow = new Error("connection lost");
+    expect(() =>
+      logQueryAudit({
+        sql: "SELECT 1",
+        durationMs: 5,
+        rowCount: null,
+        success: false,
+        error: "timeout",
+      }),
+    ).not.toThrow();
+  });
+  it("preserves full SQL for DB insert when under 2000 chars", () => {
+    enableInternalDB();
+    const longSql = "SELECT " + "x".repeat(600); // 607 chars
+    logQueryAudit({ sql: longSql, durationMs: 10, rowCount: 5, success: true });
+    expect(queryCalls[0].params![3]).toBe(longSql);
+  });
+  it("truncates SQL to 2000 chars for DB when over limit", () => {
+    enableInternalDB();
+    const longSql = "SELECT " + "x".repeat(2500); // 2507 chars
+    logQueryAudit({ sql: longSql, durationMs: 10, rowCount: 5, success: true });
+    expect((queryCalls[0].params![3] as string).length).toBe(2000);
+  });
+  it("scrubs errors containing 'password' in DB insert", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "password authentication failed for user 'atlas'",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs errors containing 'secret' in DB insert", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "missing secret key",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs errors containing 'credential' in DB insert", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "invalid credential provided",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs errors containing 'connection_string' or 'connectionstring'", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "invalid connection_string format",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "bad connectionstring provided",
+    });
+    expect(queryCalls[1].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs case-insensitively (uppercase sensitive keywords)", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "AUTHENTICATION PASSWORD FAILED",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs MySQL 'Access denied for user' errors", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "Access denied for user 'root'@'localhost' (using password: YES)",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs MySQL ER_ACCESS_DENIED_ERROR", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "ER_ACCESS_DENIED_ERROR: Access denied",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs MySQL PROTOCOL_CONNECTION_LOST", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "PROTOCOL_CONNECTION_LOST: server closed the connection unexpectedly",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs ClickHouse UNKNOWN_USER error", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "UNKNOWN_USER: no user with such name: analyst",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs ClickHouse WRONG_PASSWORD error", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "WRONG_PASSWORD: password is incorrect for user default",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs ClickHouse IP_ADDRESS_NOT_ALLOWED error", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "IP_ADDRESS_NOT_ALLOWED: 10.0.0.5 is not allowed to connect",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("scrubs ClickHouse ALL_CONNECTION_TRIES_FAILED error", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "ALL_CONNECTION_TRIES_FAILED: could not connect to clickhouse-server:9000",
+    });
+    expect(queryCalls[0].params![7]).toBe("[scrubbed]");
+  });
+  it("does not scrub non-sensitive errors", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "column bad_col does not exist",
+    });
+    expect(queryCalls[0].params![7]).toBe("column bad_col does not exist");
+  });
+  it("pulls user identity from request context", () => {
+    enableInternalDB();
+    const user: AtlasUser = { id: "user-abc", label: "admin@co.com", mode: "simple-key" };
+    withRequestContext({ requestId: "req-42", user }, () => {
+      logQueryAudit({ sql: "SELECT 1", durationMs: 5, rowCount: 1, success: true });
+    });
+    expect(queryCalls[0].params![0]).toBe("user-abc");
+    expect(queryCalls[0].params![1]).toBe("admin@co.com");
+    expect(queryCalls[0].params![2]).toBe("simple-key");
+  });
+  it("uses auth_mode 'none' when no request context exists", () => {
+    enableInternalDB();
+    logQueryAudit({ sql: "SELECT 1", durationMs: 5, rowCount: 1, success: true });
+    expect(queryCalls[0].params![0]).toBeNull(); // user_id
+    expect(queryCalls[0].params![1]).toBeNull(); // user_label
+    expect(queryCalls[0].params![2]).toBe("none"); // auth_mode
+  });
+  it("records success=false and error for failed queries", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT bad_col FROM t",
+      durationMs: 3,
+      rowCount: null,
+      success: false,
+      error: "column bad_col does not exist",
+    });
+    expect(queryCalls[0].params![5]).toBeNull(); // row_count
+    expect(queryCalls[0].params![6]).toBe(false); // success
+    expect(queryCalls[0].params![7]).toBe("column bad_col does not exist");
+  });
+  it("records null error for successful queries", () => {
+    enableInternalDB();
+    logQueryAudit({ sql: "SELECT 1", durationMs: 5, rowCount: 10, success: true });
+    expect(queryCalls[0].params![5]).toBe(10); // row_count
+    expect(queryCalls[0].params![6]).toBe(true); // success
+    expect(queryCalls[0].params![7]).toBeNull(); // error
+  });
+  it("treats empty string error as no error (null in DB)", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: "",
+    });
+    expect(queryCalls[0].params![7]).toBeNull();
+  });
+  it("treats explicit undefined error as null in DB", () => {
+    enableInternalDB();
+    logQueryAudit({
+      sql: "SELECT 1",
+      durationMs: 10,
+      rowCount: null,
+      success: false,
+      error: undefined,
+    });
+    expect(queryCalls[0].params![7]).toBeNull();
+  });
+});

package/templates/docker/src/lib/auth/__tests__/byot-integration.test.ts ADDED Viewed

@@ -0,0 +1,222 @@
+/**
+ * BYOT integration test — validates JWT auth against a real JWKS HTTP server.
+ *
+ * Separate from byot.test.ts because that file uses mock.module("jose", ...)
+ * which is sticky within its module graph. This file imports jose and byot.ts
+ * without any mocking.
+ */
+import { describe, it, expect, beforeAll, afterAll, beforeEach, afterEach } from "bun:test";
+import { generateKeyPair, exportJWK, SignJWT } from "jose";
+import { validateBYOT, resetJWKSCache } from "../byot";
+const TEST_ISSUER = "https://auth.integration-test.example.com";
+const TEST_AUDIENCE = "atlas-integration";
+let publicKey: CryptoKey;
+let privateKey: CryptoKey;
+let wrongPrivateKey: CryptoKey;
+let server: ReturnType<typeof Bun.serve>;
+let jwksUrl: string;
+// Env vars to restore after tests
+const origJwksUrl = process.env.ATLAS_AUTH_JWKS_URL;
+const origIssuer = process.env.ATLAS_AUTH_ISSUER;
+const origAudience = process.env.ATLAS_AUTH_AUDIENCE;
+beforeAll(async () => {
+  // Generate two RS256 key pairs — one for the JWKS server, one to simulate wrong-key signing
+  const primary = await generateKeyPair("RS256");
+  publicKey = primary.publicKey;
+  privateKey = primary.privateKey;
+  const wrong = await generateKeyPair("RS256");
+  wrongPrivateKey = wrong.privateKey;
+  const publicJwk = await exportJWK(publicKey);
+  publicJwk.kid = "integration-key-1";
+  publicJwk.alg = "RS256";
+  publicJwk.use = "sig";
+  const jwksPayload = JSON.stringify({ keys: [publicJwk] });
+  // Start an ephemeral HTTP server serving the JWKS endpoint
+  server = Bun.serve({
+    port: 0, // OS-assigned ephemeral port
+    fetch(req) {
+      const url = new URL(req.url);
+      if (url.pathname === "/.well-known/jwks.json") {
+        return new Response(jwksPayload, {
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+      return new Response("Not Found", { status: 404 });
+    },
+  });
+  jwksUrl = `http://localhost:${server.port}/.well-known/jwks.json`;
+});
+afterAll(() => {
+  if (server) server.stop(true);
+});
+beforeEach(() => {
+  process.env.ATLAS_AUTH_JWKS_URL = jwksUrl;
+  process.env.ATLAS_AUTH_ISSUER = TEST_ISSUER;
+  process.env.ATLAS_AUTH_AUDIENCE = TEST_AUDIENCE;
+  resetJWKSCache();
+});
+afterEach(() => {
+  if (origJwksUrl !== undefined) process.env.ATLAS_AUTH_JWKS_URL = origJwksUrl;
+  else delete process.env.ATLAS_AUTH_JWKS_URL;
+  if (origIssuer !== undefined) process.env.ATLAS_AUTH_ISSUER = origIssuer;
+  else delete process.env.ATLAS_AUTH_ISSUER;
+  if (origAudience !== undefined) process.env.ATLAS_AUTH_AUDIENCE = origAudience;
+  else delete process.env.ATLAS_AUTH_AUDIENCE;
+  resetJWKSCache();
+});
+/** Sign a JWT with the given key (defaults to the primary private key). */
+async function signJWT(
+  claims: Record<string, unknown> = {},
+  opts: { expiresIn?: string; issuer?: string; audience?: string; key?: CryptoKey } = {},
+): Promise<string> {
+  return new SignJWT(claims)
+    .setProtectedHeader({ alg: "RS256", kid: "integration-key-1" })
+    .setSubject((claims.sub as string) ?? "user_integ_1")
+    .setIssuedAt()
+    .setExpirationTime(opts.expiresIn ?? "1h")
+    .setIssuer(opts.issuer ?? TEST_ISSUER)
+    .setAudience(opts.audience ?? TEST_AUDIENCE)
+    .sign(opts.key ?? privateKey);
+}
+function makeRequest(headers?: Record<string, string>): Request {
+  return new Request("http://localhost/api/chat", {
+    method: "POST",
+    headers: headers ?? {},
+  });
+}
+describe("BYOT integration (real JWKS server)", () => {
+  it("valid JWT authenticates successfully via real JWKS fetch", async () => {
+    const token = await signJWT({ sub: "user_integ_1", email: "alice@corp.com" });
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result).toMatchObject({
+      authenticated: true,
+      mode: "byot",
+      user: {
+        id: "user_integ_1",
+        mode: "byot",
+        label: "alice@corp.com",
+      },
+    });
+    // Verify claims populated from JWT payload
+    if (result.authenticated && result.user) {
+      expect(result.user.claims).toBeDefined();
+      expect(result.user.claims!.sub).toBe("user_integ_1");
+    }
+  });
+  it("expired JWT returns 401", async () => {
+    const token = await signJWT({ sub: "user_integ_1" }, { expiresIn: "-1h" });
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result.authenticated).toBe(false);
+    if (!result.authenticated) {
+      expect(result.status).toBe(401);
+      expect(result.error).toContain("Invalid or expired");
+    }
+  });
+  it("wrong issuer returns 401", async () => {
+    const token = await signJWT(
+      { sub: "user_integ_1" },
+      { issuer: "https://evil.example.com" },
+    );
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result.authenticated).toBe(false);
+    if (!result.authenticated) {
+      expect(result.status).toBe(401);
+    }
+  });
+  it("wrong audience returns 401", async () => {
+    const token = await signJWT(
+      { sub: "user_integ_1" },
+      { audience: "wrong-audience" },
+    );
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result.authenticated).toBe(false);
+    if (!result.authenticated) {
+      expect(result.status).toBe(401);
+    }
+  });
+  it("token signed with wrong key returns 401", async () => {
+    const token = await signJWT(
+      { sub: "user_integ_1" },
+      { key: wrongPrivateKey },
+    );
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result.authenticated).toBe(false);
+    if (!result.authenticated) {
+      expect(result.status).toBe(401);
+    }
+  });
+  it("empty ATLAS_AUTH_AUDIENCE skips audience check (accepts any audience)", async () => {
+    process.env.ATLAS_AUTH_AUDIENCE = "";
+    resetJWKSCache();
+    const token = await signJWT(
+      { sub: "user_integ_1" },
+      { audience: "any-audience-should-work" },
+    );
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result.authenticated).toBe(true);
+  });
+  it("JWT missing sub claim returns 401", async () => {
+    const token = await new SignJWT({ email: "nosub@example.com" })
+      .setProtectedHeader({ alg: "RS256", kid: "integration-key-1" })
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .setIssuer(TEST_ISSUER)
+      .setAudience(TEST_AUDIENCE)
+      .sign(privateKey);
+    const result = await validateBYOT(
+      makeRequest({ Authorization: `Bearer ${token}` }),
+    );
+    expect(result).toEqual({
+      authenticated: false,
+      mode: "byot",
+      status: 401,
+      error: "JWT missing sub claim",
+    });
+  });
+});