@xenterprises/fastify-xauth-jwks 1.0.0

package/test/integration.test.js

@@ -0,0 +1,259 @@
+// test/integration.test.js
+import { test } from "node:test";
+import assert from "node:assert";
+import Fastify from "fastify";
+import xAuth from "../src/xAuth.js";
+
+test("Protected route requires authentication", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/admin/protected", async (request) => {
+      return { user: request.user };
+    });
+    const response = await fastify.inject({
+      method: "GET",
+      url: "/admin/protected",
+    });
+    assert.equal(response.statusCode, 401);
+    const body = JSON.parse(response.payload);
+    assert.equal(body.error, "Access token required");
+    assert.equal(body.path, "admin");
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Request with invalid token fails", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/admin/protected", async (request) => {
+      return { user: request.user };
+    });
+    const response = await fastify.inject({
+      method: "GET",
+      url: "/admin/protected",
+      headers: {
+        authorization: "Bearer invalid_token",
+      },
+    });
+    assert.equal(response.statusCode, 401);
+    const body = JSON.parse(response.payload);
+    assert.equal(body.error, "Invalid token");
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Excluded paths do not require authentication", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+          excludedPaths: ["/health", "/status"],
+        },
+      },
+    });
+    fastify.get("/admin/health", async () => {
+      return { status: "healthy" };
+    });
+    fastify.get("/admin/status", async () => {
+      return { status: "ok" };
+    });
+    const healthRes = await fastify.inject({
+      method: "GET",
+      url: "/admin/health",
+    });
+    assert.equal(healthRes.statusCode, 200);
+    const statusRes = await fastify.inject({
+      method: "GET",
+      url: "/admin/status",
+    });
+    assert.equal(statusRes.statusCode, 200);
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Different path patterns protect different routes", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/admin/.well-known/jwks.json",
+        },
+        portal: {
+          pathPattern: "/portal",
+          jwksUrl: "https://example.com/portal/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/admin/data", async () => {
+      return { data: "admin" };
+    });
+    fastify.get("/portal/data", async () => {
+      return { data: "portal" };
+    });
+    fastify.get("/public/data", async () => {
+      return { data: "public" };
+    });
+    const adminRes = await fastify.inject({
+      method: "GET",
+      url: "/admin/data",
+    });
+    assert.equal(adminRes.statusCode, 401);
+    const portalRes = await fastify.inject({
+      method: "GET",
+      url: "/portal/data",
+    });
+    assert.equal(portalRes.statusCode, 401);
+    const publicRes = await fastify.inject({
+      method: "GET",
+      url: "/public/data",
+    });
+    assert.equal(publicRes.statusCode, 200);
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Multiple excluded paths work correctly", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+          excludedPaths: ["/public", "/docs", "/health"],
+        },
+      },
+    });
+    fastify.get("/admin/public/info", async () => ({ message: "public" }));
+    fastify.get("/admin/docs/api", async () => ({ message: "docs" }));
+    fastify.get("/admin/health", async () => ({ message: "health" }));
+    fastify.get("/admin/dashboard", async () => ({ message: "dashboard" }));
+    const publicRes = await fastify.inject({ url: "/admin/public/info" });
+    assert.equal(publicRes.statusCode, 200);
+    const docsRes = await fastify.inject({ url: "/admin/docs/api" });
+    assert.equal(docsRes.statusCode, 200);
+    const healthRes = await fastify.inject({ url: "/admin/health" });
+    assert.equal(healthRes.statusCode, 200);
+    const dashboardRes = await fastify.inject({ url: "/admin/dashboard" });
+    assert.equal(dashboardRes.statusCode, 401);
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Nested protected routes work correctly", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/admin/users/profile", async () => ({
+      user: "profile",
+    }));
+    fastify.get("/admin/users/:id", async () => ({
+      user: "by_id",
+    }));
+    fastify.get("/admin/settings/theme", async () => ({
+      theme: "dark",
+    }));
+    const profileRes = await fastify.inject({ url: "/admin/users/profile" });
+    assert.equal(profileRes.statusCode, 401);
+    const userRes = await fastify.inject({ url: "/admin/users/123" });
+    assert.equal(userRes.statusCode, 401);
+    const themeRes = await fastify.inject({ url: "/admin/settings/theme" });
+    assert.equal(themeRes.statusCode, 401);
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Token extraction works with Bearer prefix", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        api: {
+          pathPattern: "/api",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/api/test", async (request) => {
+      return { received: !!request.user };
+    });
+    const response1 = await fastify.inject({
+      method: "GET",
+      url: "/api/test",
+      headers: {
+        authorization: "invalid_token",
+      },
+    });
+    assert.equal(response1.statusCode, 401);
+    const body1 = JSON.parse(response1.payload);
+    assert.equal(body1.error, "Access token required");
+    const response2 = await fastify.inject({
+      method: "GET",
+      url: "/api/test",
+      headers: {
+        authorization: "Bearer some_token",
+      },
+    });
+    assert.equal(response2.statusCode, 401);
+    const body2 = JSON.parse(response2.payload);
+    assert.equal(body2.error, "Invalid token");
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});
+
+test("Case sensitivity of path patterns", async () => {
+  const fastify = Fastify({ logger: false });
+  try {
+    await fastify.register(xAuth, {
+      paths: {
+        admin: {
+          pathPattern: "/Admin",
+          jwksUrl: "https://example.com/.well-known/jwks.json",
+        },
+      },
+    });
+    fastify.get("/Admin/data", async () => ({ data: "admin" }));
+    fastify.get("/admin/data", async () => ({ data: "public" }));
+    const adminRes = await fastify.inject({ url: "/Admin/data" });
+    assert.equal(adminRes.statusCode, 401);
+    const pubRes = await fastify.inject({ url: "/admin/data" });
+    assert.equal(pubRes.statusCode, 200);
+  } finally {
+    try { await fastify.close(); } catch {}
+  }
+});

package/test/utils.test.js

@@ -0,0 +1,195 @@
+// test/utils.test.js
+import { test } from "node:test";
+import assert from "node:assert";
+import {
+  extractToken,
+  hasRole,
+  hasPermission,
+  getUserId,
+  getAuthEndpoint,
+} from "../src/utils/index.js";
+
+test("extractToken - valid Bearer token", () => {
+  const request = {
+    headers: {
+      authorization: "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
+    },
+  };
+
+  const token = extractToken(request);
+  assert.equal(token, "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...");
+});
+
+test("extractToken - no authorization header", () => {
+  const request = { headers: {} };
+  const token = extractToken(request);
+  assert.equal(token, null);
+});
+
+test("extractToken - invalid format", () => {
+  const request = {
+    headers: {
+      authorization: "Basic dXNlcjpwYXNz",
+    },
+  };
+
+  const token = extractToken(request);
+  assert.equal(token, null);
+});
+
+test("hasRole - user has single role", () => {
+  const user = { roles: ["admin"] };
+
+  assert.ok(hasRole(user, "admin"));
+  assert.ok(!hasRole(user, "super_admin"));
+});
+
+test("hasRole - user has multiple roles", () => {
+  const user = { roles: ["admin", "manager", "editor"] };
+
+  assert.ok(hasRole(user, "admin"));
+  assert.ok(hasRole(user, "manager"));
+  assert.ok(!hasRole(user, "owner"));
+});
+
+test("hasRole - check against array of roles (any match)", () => {
+  const user = { roles: ["manager"] };
+
+  assert.ok(hasRole(user, ["admin", "manager", "editor"]));
+  assert.ok(!hasRole(user, ["admin", "owner"]));
+});
+
+test("hasRole - user has no roles", () => {
+  const user = {};
+
+  assert.ok(!hasRole(user, "admin"));
+});
+
+test("hasRole - roles as string instead of array", () => {
+  const user = { roles: "admin" };
+
+  assert.ok(hasRole(user, "admin"));
+  assert.ok(!hasRole(user, "manager"));
+});
+
+test("hasPermission - user has single permission", () => {
+  const user = { permissions: ["users:read"] };
+
+  assert.ok(hasPermission(user, "users:read"));
+  assert.ok(!hasPermission(user, "users:write"));
+});
+
+test("hasPermission - user has multiple permissions", () => {
+  const user = { permissions: ["users:read", "users:write", "posts:read"] };
+
+  assert.ok(hasPermission(user, "users:read"));
+  assert.ok(hasPermission(user, "users:write"));
+  assert.ok(!hasPermission(user, "users:delete"));
+});
+
+test("hasPermission - check against array of permissions (any match)", () => {
+  const user = { permissions: ["posts:read"] };
+
+  assert.ok(hasPermission(user, ["users:read", "posts:read"]));
+  assert.ok(!hasPermission(user, ["users:read", "users:write"]));
+});
+
+test("hasPermission - user has no permissions", () => {
+  const user = {};
+
+  assert.ok(!hasPermission(user, "users:read"));
+});
+
+test("getUserId - from auth.userId", () => {
+  const request = {
+    auth: { userId: "user_123" },
+  };
+
+  const userId = getUserId(request);
+  assert.equal(userId, "user_123");
+});
+
+test("getUserId - from user.sub", () => {
+  const request = {
+    user: { sub: "user_456" },
+  };
+
+  const userId = getUserId(request);
+  assert.equal(userId, "user_456");
+});
+
+test("getUserId - prioritizes auth.userId over user.sub", () => {
+  const request = {
+    auth: { userId: "user_123" },
+    user: { sub: "user_456" },
+  };
+
+  const userId = getUserId(request);
+  assert.equal(userId, "user_123");
+});
+
+test("getUserId - returns null when not found", () => {
+  const request = {};
+
+  const userId = getUserId(request);
+  assert.equal(userId, null);
+});
+
+test("getAuthEndpoint - returns path name", () => {
+  const request = {
+    auth: { endpoint: "admin" },
+  };
+
+  const endpoint = getAuthEndpoint(request);
+  assert.equal(endpoint, "admin");
+});
+
+test("getAuthEndpoint - returns null when not found", () => {
+  const request = {};
+
+  const endpoint = getAuthEndpoint(request);
+  assert.equal(endpoint, null);
+});
+
+test("requireRole - creates preHandler function", async () => {
+  const { requireRole } = await import("../src/utils/index.js");
+
+  const handler = requireRole("admin");
+  assert.ok(typeof handler === "function");
+});
+
+test("requirePermission - creates preHandler function", async () => {
+  const { requirePermission } = await import("../src/utils/index.js");
+
+  const handler = requirePermission("users:write");
+  assert.ok(typeof handler === "function");
+});
+
+test("requireEndpoint - creates preHandler function", async () => {
+  const { requireEndpoint } = await import("../src/utils/index.js");
+
+  const handler = requireEndpoint("portal");
+  assert.ok(typeof handler === "function");
+});
+
+test("decodeToken - decodes JWT without verification", async () => {
+  const { decodeToken } = await import("../src/utils/index.js");
+
+  // Sample JWT (unsigned)
+  const token = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTY5MjEwMzAwMH0.";
+  const payload = decodeToken(token);
+
+  assert.equal(payload.sub, "user_123");
+  assert.equal(payload.name, "John Doe");
+});
+
+test("decodeHeader - decodes JWT header", async () => {
+  const { decodeHeader } = await import("../src/utils/index.js");
+
+  const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3Rfa2V5In0.eyJzdWIiOiJ1c2VyXzEyMyJ9.signature";
+  const header = decodeHeader(token);
+
+  assert.equal(header.alg, "HS256");
+  assert.equal(header.typ, "JWT");
+  assert.equal(header.kid, "test_key");
+});