adapt-authoring-auth 1.0.6 → 1.1.0

package/.github/workflows/tests.yml

@@ -0,0 +1,15 @@
+name: Tests
+on: push
+jobs:
+  default:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@master
+      - uses: actions/setup-node@master
+        with:
+          node-version: 'lts/*'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm test

package/package.json

@@ -1,32 +1,30 @@
 {
   "name": "adapt-authoring-auth",
-  "version": "1.0.6",
+  "version": "1.1.0",
   "description": "Authentication + authorisation module for the Adapt authoring tool",
   "homepage": "https://github.com/adaptlearning/adapt-authoring-auth",
   "license": "GPL-3.0",
   "type": "module",
   "main": "index.js",
   "repository": "github:adapt-security/adapt-authoring-auth",
+  "scripts": {
+    "test": "node --test 'tests/**/*.spec.js'"
+  },
   "dependencies": {
-    "adapt-authoring-roles": "github:adapt-security/adapt-authoring-roles",
-    "adapt-authoring-users": "github:adapt-security/adapt-authoring-users",
+    "adapt-authoring-core": "^1.7.0",
     "express-session": "1.19.0",
     "jsonwebtoken": "9.0.3",
     "path-to-regexp": "^8.0.0"
   },
   "peerDependencies": {
-    "adapt-authoring-core": "^1.7.0",
-    "adapt-authoring-jsonschema": "^1.1.5",
-    "adapt-authoring-mongodb": "^1.1.2",
-    "adapt-authoring-roles": "^1.1.2",
-    "adapt-authoring-server": "^1.2.0",
-    "adapt-authoring-sessions": "^1.0.1",
-    "adapt-authoring-users": "^1.0.1"
+    "adapt-authoring-jsonschema": "^1.2.0",
+    "adapt-authoring-mongodb": "^1.1.3",
+    "adapt-authoring-roles": "^1.1.3",
+    "adapt-authoring-server": "^1.2.1",
+    "adapt-authoring-sessions": "^1.0.2",
+    "adapt-authoring-users": "^1.0.2"
   },
   "peerDependenciesMeta": {
-    "adapt-authoring-core": {
-      "optional": true
-    },
     "adapt-authoring-jsonschema": {
       "optional": true
     },

package/tests/AbstractAuthModule.spec.js

@@ -0,0 +1,341 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import { Hook } from 'adapt-authoring-core'
+import AbstractAuthModule from '../lib/AbstractAuthModule.js'
+
+function createMockApp () {
+  const moduleLoadedHook = new Hook()
+  return {
+    logger: { log: () => {} },
+    dependencyloader: { moduleLoadedHook },
+    errors: {
+      FUNC_NOT_OVERRIDDEN: {
+        setData: (data) => new Error(`Function not overridden: ${data.name}`)
+      }
+    }
+  }
+}
+
+describe('AbstractAuthModule', () => {
+  describe('constructor', () => {
+    it('should be instantiable', () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      assert.ok(module instanceof AbstractAuthModule)
+    })
+  })
+
+  describe('#setValues()', () => {
+    it('should set default values', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      await module.setValues()
+      assert.equal(module.type, undefined)
+      assert.equal(module.routes, undefined)
+      assert.equal(module.userSchema, 'user')
+    })
+
+    it('should be callable multiple times without error', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      await module.setValues()
+      await module.setValues()
+      assert.equal(module.userSchema, 'user')
+    })
+  })
+
+  describe('#authenticate()', () => {
+    it('should throw FUNC_NOT_OVERRIDDEN error when not overridden', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+
+      try {
+        await module.authenticate({}, {}, {})
+        assert.fail('Should have thrown error')
+      } catch (e) {
+        assert.ok(e.message.includes('authenticate'))
+      }
+    })
+
+    it('should include the class name in the error', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+
+      try {
+        await module.authenticate({}, {}, {})
+        assert.fail('Should have thrown error')
+      } catch (e) {
+        assert.ok(e.message.includes('AbstractAuthModule'))
+      }
+    })
+  })
+
+  describe('#secureRoute()', () => {
+    it('should delegate to auth.secureRoute with prefixed path', () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const secured = []
+      module.auth = {
+        secureRoute: (route, method, scopes) => secured.push({ route, method, scopes })
+      }
+      module.router = { path: '/api/auth/local' }
+
+      module.secureRoute('/register', 'post', ['register:users'])
+      assert.equal(secured.length, 1)
+      assert.equal(secured[0].route, '/api/auth/local/register')
+      assert.equal(secured[0].method, 'post')
+      assert.deepEqual(secured[0].scopes, ['register:users'])
+    })
+  })
+
+  describe('#unsecureRoute()', () => {
+    it('should delegate to auth.unsecureRoute with prefixed path', () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const unsecured = []
+      module.auth = {
+        unsecureRoute: (route, method) => unsecured.push({ route, method })
+      }
+      module.router = { path: '/api/auth/local' }
+
+      module.unsecureRoute('/', 'post')
+      assert.equal(unsecured.length, 1)
+      assert.equal(unsecured[0].route, '/api/auth/local/')
+      assert.equal(unsecured[0].method, 'post')
+    })
+  })
+
+  describe('#register()', () => {
+    it('should delegate to authentication.registerUser', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const expectedResult = { _id: '123', email: 'test@test.com' }
+      module.type = 'local'
+      module.auth = {
+        authentication: {
+          registerUser: (type, data) => {
+            assert.equal(type, 'local')
+            return expectedResult
+          }
+        }
+      }
+
+      const result = await module.register({ email: 'test@test.com' })
+      assert.deepEqual(result, expectedResult)
+    })
+  })
+
+  describe('#setUserEnabled()', () => {
+    it('should call users.update with correct params', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      let updateArgs
+      module.users = {
+        update: (query, data) => { updateArgs = { query, data } }
+      }
+
+      await module.setUserEnabled({ _id: 'user123' }, true)
+      assert.deepEqual(updateArgs.query, { _id: 'user123' })
+      assert.deepEqual(updateArgs.data, { isEnabled: true })
+    })
+
+    it('should pass false to disable a user', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      let updateArgs
+      module.users = {
+        update: (query, data) => { updateArgs = { query, data } }
+      }
+
+      await module.setUserEnabled({ _id: 'user123' }, false)
+      assert.deepEqual(updateArgs.data, { isEnabled: false })
+    })
+  })
+
+  describe('#disavowUser()', () => {
+    it('should delegate to authentication.disavowUser', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const expectedResult = { ok: true }
+      module.auth = {
+        authentication: {
+          disavowUser: (query) => {
+            assert.deepEqual(query, { userId: '123' })
+            return expectedResult
+          }
+        }
+      }
+
+      const result = await module.disavowUser({ userId: '123' })
+      assert.deepEqual(result, expectedResult)
+    })
+  })
+
+  describe('#authenticateHandler()', () => {
+    it('should send error if user is not found', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const sentError = {}
+      module.users = { find: () => [] }
+      const req = { body: { email: 'noone@test.com' } }
+      const res = { sendError: (e) => { sentError.error = e } }
+
+      await module.authenticateHandler(req, res, () => {})
+      assert.equal(sentError.error, module.app.errors.INVALID_LOGIN_DETAILS)
+    })
+
+    it('should call authenticate and set session token on success', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const user = { _id: '123', email: 'test@test.com' }
+      module.users = { find: () => [user] }
+      module.authenticate = async () => {}
+      module.log = () => {}
+
+      let statusCode
+      let jsonCalled = false
+      const req = {
+        body: { email: 'test@test.com', persistSession: false },
+        session: { cookie: { maxAge: 3600 }, token: null }
+      }
+      const res = {
+        status: (code) => { statusCode = code; return res },
+        json: () => { jsonCalled = true }
+      }
+
+      // Mock AuthToken.generate
+      const { default: AuthToken } = await import('../lib/AuthToken.js')
+      const originalGenerate = AuthToken.generate
+      AuthToken.generate = async () => 'mock-token'
+
+      try {
+        await module.authenticateHandler(req, res, () => {})
+        assert.equal(statusCode, 204)
+        assert.equal(jsonCalled, true)
+        assert.equal(req.session.cookie.maxAge, null)
+        assert.equal(req.session.token, 'mock-token')
+      } finally {
+        AuthToken.generate = originalGenerate
+      }
+    })
+
+    it('should send error if authenticate throws', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const user = { _id: '123', email: 'test@test.com' }
+      const authError = new Error('bad password')
+      module.users = { find: () => [user] }
+      module.authenticate = async () => { throw authError }
+      module.log = () => {}
+      module.app.lang = { translate: (_, e) => e.message }
+
+      let sentError
+      const req = { body: { email: 'test@test.com' } }
+      const res = { sendError: (e) => { sentError = e } }
+
+      await module.authenticateHandler(req, res, () => {})
+      assert.equal(sentError, authError)
+    })
+  })
+
+  describe('#enableHandler()', () => {
+    it('should enable a user when URL is /enable', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const user = { _id: 'u1' }
+      let enabledValue
+      module.users = { find: () => [user] }
+      module.setUserEnabled = async (u, enabled) => { enabledValue = enabled }
+      module.log = () => {}
+
+      let statusCode
+      const req = {
+        body: { _id: 'u1' },
+        url: '/enable',
+        auth: { user: { _id: { toString: () => 'admin1' } } }
+      }
+      const res = {
+        status: (code) => { statusCode = code; return res },
+        json: () => {}
+      }
+
+      await module.enableHandler(req, res, () => {})
+      assert.equal(enabledValue, true)
+      assert.equal(statusCode, 204)
+    })
+
+    it('should disable a user when URL is not /enable', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const user = { _id: 'u1' }
+      let enabledValue
+      module.users = { find: () => [user] }
+      module.setUserEnabled = async (u, enabled) => { enabledValue = enabled }
+      module.log = () => {}
+
+      const req = {
+        body: { _id: 'u1' },
+        url: '/disable',
+        auth: { user: { _id: { toString: () => 'admin1' } } }
+      }
+      const res = {
+        status: (code) => { return res },
+        json: () => {}
+      }
+
+      await module.enableHandler(req, res, () => {})
+      assert.equal(enabledValue, false)
+    })
+
+    it('should call next with error on failure', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const error = new Error('user not found')
+      module.users = { find: () => { throw error } }
+
+      let nextError
+      const req = { body: { _id: 'u1' }, url: '/enable' }
+      const res = {}
+
+      await module.enableHandler(req, res, (e) => { nextError = e })
+      assert.equal(nextError, error)
+    })
+  })
+
+  describe('#registerHandler()', () => {
+    it('should register user and return result', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const newUser = { _id: '456', email: 'new@test.com' }
+      module.registerHook = new Hook({ mutable: true })
+      module.register = async () => newUser
+      module.log = () => {}
+
+      let jsonResult
+      const req = {
+        body: { email: 'new@test.com' },
+        auth: { user: { _id: { toString: () => 'admin1' } } }
+      }
+      const res = { json: (data) => { jsonResult = data } }
+
+      await module.registerHandler(req, res, () => {})
+      assert.deepEqual(jsonResult, newUser)
+    })
+
+    it('should set apiData if not already set', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      module.registerHook = new Hook({ mutable: true })
+      module.register = async () => ({ _id: '1' })
+      module.log = () => {}
+
+      const req = {
+        body: { email: 'a@b.com' },
+        auth: { user: { _id: { toString: () => 'admin' } } }
+      }
+      const res = { json: () => {} }
+
+      await module.registerHandler(req, res, () => {})
+      assert.deepEqual(req.apiData, { modifying: true, data: req.body })
+    })
+
+    it('should call next with USER_REG_FAILED on error', async () => {
+      const module = new AbstractAuthModule(createMockApp(), { name: 'test-auth' })
+      const error = new Error('registration failed')
+      module.registerHook = new Hook({ mutable: true })
+      module.register = async () => { throw error }
+      module.app.errors.USER_REG_FAILED = { setData: (data) => ({ code: 'USER_REG_FAILED', ...data }) }
+
+      let nextArg
+      const req = {
+        body: { email: 'fail@test.com' },
+        translate: (e) => e.message
+      }
+      const res = {}
+
+      await module.registerHandler(req, res, (e) => { nextArg = e })
+      assert.equal(nextArg.code, 'USER_REG_FAILED')
+    })
+  })
+})

package/tests/AuthModule.spec.js

@@ -0,0 +1,193 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import { Hook } from 'adapt-authoring-core'
+import AuthModule from '../lib/AuthModule.js'
+
+function createMockApp () {
+  const moduleLoadedHook = new Hook()
+  return {
+    logger: { log: () => {} },
+    dependencyloader: { moduleLoadedHook },
+    config: { get: () => undefined }
+  }
+}
+
+describe('AuthModule', () => {
+  describe('constructor', () => {
+    it('should be instantiable', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      assert.ok(authModule instanceof AuthModule)
+    })
+  })
+
+  describe('#unsecureRoute()', () => {
+    it('should mark route as unsecured', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { post: {}, get: {}, put: {}, patch: {}, delete: {} }
+      authModule.log = () => {}
+
+      authModule.unsecureRoute('/api/test', 'post')
+      assert.equal(authModule.unsecuredRoutes.post['/api/test'], true)
+    })
+
+    it('should handle different HTTP methods', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { post: {}, get: {}, put: {}, patch: {}, delete: {} }
+      authModule.log = () => {}
+
+      authModule.unsecureRoute('/api/another', 'get')
+      assert.equal(authModule.unsecuredRoutes.get['/api/another'], true)
+      assert.equal(authModule.unsecuredRoutes.post['/api/another'], undefined)
+    })
+
+    it('should handle case-insensitive HTTP methods', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { post: {}, get: {}, put: {}, patch: {}, delete: {} }
+      authModule.log = () => {}
+
+      authModule.unsecureRoute('/api/case', 'POST')
+      assert.equal(authModule.unsecuredRoutes.post['/api/case'], true)
+    })
+
+    it('should allow multiple routes for same method', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { post: {}, get: {}, put: {}, patch: {}, delete: {} }
+      authModule.log = () => {}
+
+      authModule.unsecureRoute('/api/a', 'get')
+      authModule.unsecureRoute('/api/b', 'get')
+      assert.equal(authModule.unsecuredRoutes.get['/api/a'], true)
+      assert.equal(authModule.unsecuredRoutes.get['/api/b'], true)
+    })
+  })
+
+  describe('#secureRoute()', () => {
+    it('should delegate to permissions.secureRoute', () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      const secured = []
+      authModule.permissions = {
+        secureRoute: (route, method, scopes) => secured.push({ route, method, scopes })
+      }
+
+      authModule.secureRoute('/api/users', 'get', ['read:users'])
+      assert.equal(secured.length, 1)
+      assert.equal(secured[0].route, '/api/users')
+      assert.equal(secured[0].method, 'get')
+      assert.deepEqual(secured[0].scopes, ['read:users'])
+    })
+  })
+
+  describe('#initAuthData()', () => {
+    it('should call AuthUtils.initAuthData', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.isEnabled = false
+
+      const req = { get: () => undefined, headers: {} }
+      await authModule.initAuthData(req)
+      assert.deepEqual(req.auth, {})
+    })
+  })
+
+  describe('#rootMiddleware()', () => {
+    it('should call next after initAuthData resolves', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.isEnabled = false
+
+      let nextCalled = false
+      const req = { get: () => undefined, headers: {} }
+      const res = {}
+
+      await new Promise((resolve) => {
+        authModule.rootMiddleware(req, res, () => {
+          nextCalled = true
+          resolve()
+        })
+      })
+      assert.equal(nextCalled, true)
+    })
+
+    it('should call next even if initAuthData fails', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.isEnabled = true
+      // Force initAuthData to throw by making initAuthData fail
+      authModule.initAuthData = async () => { throw new Error('fail') }
+
+      let nextCalled = false
+      const req = {}
+      const res = {}
+
+      await new Promise((resolve) => {
+        authModule.rootMiddleware(req, res, () => {
+          nextCalled = true
+          resolve()
+        })
+      })
+      assert.equal(nextCalled, true)
+    })
+  })
+
+  describe('#apiMiddleware()', () => {
+    it('should call next for unsecured routes without auth', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { get: { '/api/auth/check': true }, post: {}, put: {}, patch: {}, delete: {} }
+      authModule.isEnabled = false
+
+      let nextCalled = false
+      const req = {
+        get: () => undefined,
+        headers: {},
+        method: 'GET',
+        baseUrl: '/api/auth',
+        route: { path: '/check/' },
+        originalUrl: '/api/auth/check'
+      }
+      const res = { sendError: () => {} }
+
+      await authModule.apiMiddleware(req, res, () => { nextCalled = true })
+      assert.equal(nextCalled, true)
+    })
+
+    it('should send error for secured routes when initAuthData fails', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { get: {}, post: {}, put: {}, patch: {}, delete: {} }
+      authModule.log = () => {}
+      const initError = { statusCode: 401, message: 'Unauthenticated' }
+      authModule.initAuthData = async () => { throw initError }
+
+      let sentError
+      const req = {
+        method: 'GET',
+        baseUrl: '/api',
+        route: { path: '/users/' },
+        originalUrl: '/api/users'
+      }
+      const res = { sendError: (e) => { sentError = e } }
+
+      await authModule.apiMiddleware(req, res, () => {})
+      assert.equal(sentError, initError)
+    })
+
+    it('should check permissions for secured routes', async () => {
+      const authModule = new AuthModule(createMockApp(), { name: 'test-auth' })
+      authModule.unsecuredRoutes = { get: {}, post: {}, put: {}, patch: {}, delete: {} }
+      authModule.isEnabled = false
+      let permissionsChecked = false
+      authModule.permissions = {
+        check: async () => { permissionsChecked = true }
+      }
+
+      const req = {
+        get: () => undefined,
+        headers: {},
+        method: 'GET',
+        baseUrl: '/api',
+        route: { path: '/secure/' },
+        originalUrl: '/api/secure'
+      }
+      const res = {}
+
+      await authModule.apiMiddleware(req, res, () => {})
+      assert.equal(permissionsChecked, true)
+    })
+  })
+})

package/tests/AuthToken.spec.js

@@ -0,0 +1,109 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import AuthToken from '../lib/AuthToken.js'
+
+describe('AuthToken', () => {
+  describe('#getSignature()', () => {
+    it('should extract signature from JWT token', () => {
+      const token = 'header.payload.signature'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, 'signature')
+    })
+
+    it('should return undefined for malformed token', () => {
+      const token = 'invalid'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, undefined)
+    })
+
+    it('should extract third part from token with more than three parts', () => {
+      const token = 'header.payload.signature.extra'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, 'signature')
+    })
+
+    it('should handle empty token parts', () => {
+      const token = '..'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, '')
+    })
+
+    it('should handle token with only two parts', () => {
+      const token = 'header.payload'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, undefined)
+    })
+
+    it('should handle realistic JWT signature', () => {
+      const token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123def456'
+      const signature = AuthToken.getSignature(token)
+      assert.equal(signature, 'abc123def456')
+    })
+  })
+
+  describe('#isSuper()', () => {
+    it('should return true for super user scope', () => {
+      const scopes = ['*:*']
+      assert.equal(AuthToken.isSuper(scopes), true)
+    })
+
+    it('should return false for empty scopes', () => {
+      const scopes = []
+      assert.equal(AuthToken.isSuper(scopes), false)
+    })
+
+    it('should return false for regular scopes', () => {
+      const scopes = ['read:users', 'write:content']
+      assert.equal(AuthToken.isSuper(scopes), false)
+    })
+
+    it('should return false when super scope is not the only scope', () => {
+      const scopes = ['*:*', 'read:users']
+      assert.equal(AuthToken.isSuper(scopes), false)
+    })
+
+    it('should return false for similar but not exact super scope', () => {
+      const scopes = ['*:']
+      assert.equal(AuthToken.isSuper(scopes), false)
+    })
+
+    it('should return false for partial wildcard scopes', () => {
+      assert.equal(AuthToken.isSuper(['*:users']), false)
+      assert.equal(AuthToken.isSuper(['read:*']), false)
+    })
+
+    it('should return false for single non-super scope', () => {
+      assert.equal(AuthToken.isSuper(['admin:all']), false)
+    })
+  })
+
+  describe('.generate()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof AuthToken.generate, 'function')
+    })
+  })
+
+  describe('.decode()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof AuthToken.decode, 'function')
+    })
+  })
+
+  describe('.find()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof AuthToken.find, 'function')
+    })
+  })
+
+  describe('.revoke()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof AuthToken.revoke, 'function')
+    })
+  })
+
+  describe('.initRequestData()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof AuthToken.initRequestData, 'function')
+    })
+  })
+})

package/tests/AuthUtils.spec.js

@@ -0,0 +1,102 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import AuthUtils from '../lib/AuthUtils.js'
+
+describe('AuthUtils', () => {
+  describe('#createEmptyStore()', () => {
+    it('should return an object with empty arrays for HTTP methods', () => {
+      const store = AuthUtils.createEmptyStore()
+      assert.equal(typeof store, 'object')
+      assert.ok(Array.isArray(store.post))
+      assert.ok(Array.isArray(store.get))
+      assert.ok(Array.isArray(store.put))
+      assert.ok(Array.isArray(store.patch))
+      assert.ok(Array.isArray(store.delete))
+      assert.equal(store.post.length, 0)
+      assert.equal(store.get.length, 0)
+      assert.equal(store.put.length, 0)
+      assert.equal(store.patch.length, 0)
+      assert.equal(store.delete.length, 0)
+    })
+
+    it('should return exactly five HTTP method keys', () => {
+      const store = AuthUtils.createEmptyStore()
+      assert.equal(Object.keys(store).length, 5)
+    })
+
+    it('should return a new object each time', () => {
+      const store1 = AuthUtils.createEmptyStore()
+      const store2 = AuthUtils.createEmptyStore()
+      assert.notEqual(store1, store2)
+      assert.notEqual(store1.post, store2.post)
+    })
+  })
+
+  describe('#initAuthData()', () => {
+    it('should initialize req.auth as empty object when no auth header', async () => {
+      const req = {
+        get: () => undefined,
+        headers: {}
+      }
+      await AuthUtils.initAuthData(req)
+      assert.deepEqual(req.auth, {})
+    })
+
+    it('should parse Authorization header with Bearer token', async () => {
+      const req = {
+        get: (header) => header === 'Authorization' ? 'Bearer abc123' : undefined,
+        headers: {}
+      }
+      await AuthUtils.initAuthData(req)
+      assert.equal(typeof req.auth, 'object')
+      assert.equal(typeof req.auth.header, 'object')
+      assert.equal(req.auth.header.type, 'Bearer')
+      assert.equal(req.auth.header.value, 'abc123')
+    })
+
+    it('should parse Authorization header from headers object', async () => {
+      const req = {
+        get: () => undefined,
+        headers: { Authorization: 'Basic xyz789' }
+      }
+      await AuthUtils.initAuthData(req)
+      assert.equal(typeof req.auth, 'object')
+      assert.equal(typeof req.auth.header, 'object')
+      assert.equal(req.auth.header.type, 'Basic')
+      assert.equal(req.auth.header.value, 'xyz789')
+    })
+
+    it('should handle auth headers with only type', async () => {
+      const req = {
+        get: (header) => header === 'Authorization' ? 'Bearer' : undefined,
+        headers: {}
+      }
+      await AuthUtils.initAuthData(req)
+      assert.equal(typeof req.auth, 'object')
+      assert.equal(typeof req.auth.header, 'object')
+      assert.equal(req.auth.header.type, 'Bearer')
+      assert.equal(req.auth.header.value, undefined)
+    })
+
+    it('should prefer req.get() over req.headers', async () => {
+      const req = {
+        get: (header) => header === 'Authorization' ? 'Bearer fromGet' : undefined,
+        headers: { Authorization: 'Basic fromHeaders' }
+      }
+      await AuthUtils.initAuthData(req)
+      assert.equal(req.auth.header.type, 'Bearer')
+      assert.equal(req.auth.header.value, 'fromGet')
+    })
+
+    it('should overwrite any existing req.auth', async () => {
+      const req = {
+        get: () => undefined,
+        headers: {},
+        auth: { stale: true }
+      }
+      await AuthUtils.initAuthData(req)
+      assert.deepEqual(req.auth, {})
+      assert.equal(req.auth.stale, undefined)
+    })
+  })
+})

package/tests/Authentication.spec.js

@@ -0,0 +1,159 @@
+import { describe, it, before, after } from 'node:test'
+import assert from 'node:assert/strict'
+import { App, Hook } from 'adapt-authoring-core'
+import Authentication from '../lib/Authentication.js'
+import AbstractAuthModule from '../lib/AbstractAuthModule.js'
+
+function createMockApp () {
+  const moduleLoadedHook = new Hook()
+  return {
+    logger: { log: () => {} },
+    dependencyloader: { moduleLoadedHook },
+    errors: {
+      DUPL_AUTH_PLUGIN_REG: {
+        setData: (data) => Object.assign(new Error(`Duplicate plugin: ${data.name}`), { code: 'DUPL_AUTH_PLUGIN_REG' })
+      },
+      AUTH_PLUGIN_INVALID_CLASS: {
+        setData: (data) => Object.assign(new Error(`Invalid class: ${data.name}`), { code: 'AUTH_PLUGIN_INVALID_CLASS' })
+      },
+      NOT_FOUND: {
+        setData: (data) => Object.assign(new Error(`Not found: ${data.id}`), { code: 'NOT_FOUND' })
+      },
+      INVALID_PARAMS: {
+        setData: (data) => Object.assign(new Error(`Invalid params: ${data.params}`), { code: 'INVALID_PARAMS' })
+      }
+    }
+  }
+}
+
+function mockAppInstance (mockApp) {
+  Object.defineProperty(App, 'instance', {
+    get: () => mockApp,
+    configurable: true
+  })
+}
+
+function restoreAppInstance () {
+  // Delete the overridden property to restore the original getter from the prototype
+  delete App.instance
+}
+
+describe('Authentication', () => {
+  let mockApp
+
+  before(() => {
+    mockApp = createMockApp()
+    mockAppInstance(mockApp)
+  })
+
+  after(() => {
+    restoreAppInstance()
+  })
+
+  describe('constructor', () => {
+    it('should initialize plugins object', () => {
+      const authentication = new Authentication()
+      assert.equal(typeof authentication.plugins, 'object')
+      assert.equal(Object.keys(authentication.plugins).length, 0)
+    })
+  })
+
+  describe('#registerPlugin()', () => {
+    it('should register a valid auth plugin', () => {
+      const authentication = new Authentication()
+      const plugin = new AbstractAuthModule(mockApp, { name: 'test-plugin' })
+      authentication.registerPlugin('local', plugin)
+      assert.equal(authentication.plugins.local, plugin)
+    })
+
+    it('should throw DUPL_AUTH_PLUGIN_REG for duplicate type', () => {
+      const authentication = new Authentication()
+      const plugin = new AbstractAuthModule(mockApp, { name: 'test-plugin' })
+      authentication.registerPlugin('local', plugin)
+
+      assert.throws(() => {
+        authentication.registerPlugin('local', plugin)
+      }, (err) => {
+        assert.equal(err.code, 'DUPL_AUTH_PLUGIN_REG')
+        return true
+      })
+    })
+
+    it('should throw AUTH_PLUGIN_INVALID_CLASS for non-AbstractAuthModule instance', () => {
+      const authentication = new Authentication()
+
+      assert.throws(() => {
+        authentication.registerPlugin('invalid', { type: 'invalid' })
+      }, (err) => {
+        assert.equal(err.code, 'AUTH_PLUGIN_INVALID_CLASS')
+        return true
+      })
+    })
+
+    it('should allow registering multiple different types', () => {
+      const authentication = new Authentication()
+      const plugin1 = new AbstractAuthModule(mockApp, { name: 'plugin1' })
+      const plugin2 = new AbstractAuthModule(mockApp, { name: 'plugin2' })
+      authentication.registerPlugin('local', plugin1)
+      authentication.registerPlugin('oauth', plugin2)
+      assert.equal(authentication.plugins.local, plugin1)
+      assert.equal(authentication.plugins.oauth, plugin2)
+      assert.equal(Object.keys(authentication.plugins).length, 2)
+    })
+  })
+
+  describe('#registerUser()', () => {
+    it('should throw NOT_FOUND if auth plugin is not registered', async () => {
+      const authentication = new Authentication()
+
+      await assert.rejects(
+        () => authentication.registerUser('nonexistent', { email: 'test@test.com' }),
+        (err) => {
+          assert.equal(err.code, 'NOT_FOUND')
+          return true
+        }
+      )
+    })
+
+    it('should call users.insert with correct data when plugin exists', async () => {
+      const authentication = new Authentication()
+      const insertedData = {}
+      mockApp.waitForModule = async () => ({
+        insert: (data, opts) => {
+          insertedData.data = data
+          insertedData.opts = opts
+          return data
+        }
+      })
+
+      const plugin = new AbstractAuthModule(mockApp, { name: 'test-plugin' })
+      plugin.userSchema = 'localuser'
+      authentication.plugins.local = plugin
+
+      await authentication.registerUser('local', { email: 'user@test.com' })
+      assert.equal(insertedData.data.email, 'user@test.com')
+      assert.equal(insertedData.data.authType, 'local')
+      assert.equal(insertedData.opts.schemaName, 'localuser')
+    })
+  })
+
+  describe('#disavowUser()', () => {
+    it('should throw INVALID_PARAMS if userId is missing', async () => {
+      const authentication = new Authentication()
+
+      await assert.rejects(
+        () => authentication.disavowUser({}),
+        (err) => {
+          assert.equal(err.code, 'INVALID_PARAMS')
+          return true
+        }
+      )
+    })
+  })
+
+  describe('static #init()', () => {
+    it('should be a static method', () => {
+      assert.equal(typeof Authentication.init, 'function')
+    })
+  })
+})

package/tests/Permissions.spec.js

@@ -0,0 +1,154 @@
+import { describe, it, before, after } from 'node:test'
+import assert from 'node:assert/strict'
+import { App } from 'adapt-authoring-core'
+import Permissions from '../lib/Permissions.js'
+
+function mockAppInstance (mockApp) {
+  Object.defineProperty(App, 'instance', {
+    get: () => mockApp,
+    configurable: true
+  })
+}
+
+function restoreAppInstance () {
+  delete App.instance
+}
+
+describe('Permissions', () => {
+  let permissions
+
+  before(async () => {
+    mockAppInstance({
+      onReady: () => Promise.resolve({
+        waitForModule: async () => [
+          { getConfig: () => false }, // auth with logMissingPermissions=false
+          { api: { flattenRouters: () => [] } } // server
+        ]
+      })
+    })
+    permissions = await Permissions.init()
+  })
+
+  after(() => {
+    restoreAppInstance()
+  })
+
+  describe('#secureRoute()', () => {
+    it('should secure a route with scopes', () => {
+      permissions.secureRoute('/api/users/:id', 'get', ['read:users'])
+      const scopes = permissions.getScopesForRoute('get', '/api/users/123')
+      assert.deepEqual(scopes, ['read:users'])
+    })
+
+    it('should handle multiple scopes', () => {
+      permissions.secureRoute('/api/content/:id', 'post', ['write:content', 'create:content'])
+      const scopes = permissions.getScopesForRoute('post', '/api/content/456')
+      assert.deepEqual(scopes, ['write:content', 'create:content'])
+    })
+
+    it('should match routes with path parameters', () => {
+      permissions.secureRoute('/api/resources/:resourceId/items/:itemId', 'put', ['write:resources'])
+      const scopes = permissions.getScopesForRoute('put', '/api/resources/abc/items/xyz')
+      assert.deepEqual(scopes, ['write:resources'])
+    })
+
+    it('should normalize HTTP method to lowercase', () => {
+      permissions.secureRoute('/api/admin', 'DELETE', ['delete:admin'])
+      const scopes = permissions.getScopesForRoute('delete', '/api/admin')
+      assert.deepEqual(scopes, ['delete:admin'])
+    })
+
+    it('should store routes as regexp/scopes pairs', () => {
+      const initialLength = permissions.routes.patch.length
+      permissions.secureRoute('/api/items/:id', 'patch', ['update:items'])
+      assert.equal(permissions.routes.patch.length, initialLength + 1)
+      const entry = permissions.routes.patch[permissions.routes.patch.length - 1]
+      assert.ok(Array.isArray(entry))
+      assert.equal(entry.length, 2)
+      assert.ok(entry[0] instanceof RegExp)
+      assert.deepEqual(entry[1], ['update:items'])
+    })
+  })
+
+  describe('#getScopesForRoute()', () => {
+    it('should return undefined for unsecured route', () => {
+      const scopes = permissions.getScopesForRoute('get', '/api/nonexistent')
+      assert.equal(scopes, undefined)
+    })
+
+    it('should be case-sensitive for HTTP methods', () => {
+      permissions.secureRoute('/api/test', 'delete', ['delete:test'])
+      const scopes = permissions.getScopesForRoute('delete', '/api/test')
+      assert.deepEqual(scopes, ['delete:test'])
+    })
+
+    it('should not match wrong HTTP method', () => {
+      permissions.secureRoute('/api/different', 'patch', ['patch:different'])
+      const scopes = permissions.getScopesForRoute('get', '/api/different')
+      assert.equal(scopes, undefined)
+    })
+
+    it('should handle exact path matches', () => {
+      permissions.secureRoute('/api/exact/path', 'get', ['read:exact'])
+      const scopes = permissions.getScopesForRoute('get', '/api/exact/path')
+      assert.deepEqual(scopes, ['read:exact'])
+    })
+
+    it('should not match partial path', () => {
+      permissions.secureRoute('/api/full', 'get', ['read:full'])
+      const scopes = permissions.getScopesForRoute('get', '/api/full/extra')
+      assert.equal(scopes, undefined)
+    })
+  })
+
+  describe('#check()', () => {
+    it('should allow super users regardless of scopes', async () => {
+      permissions.secureRoute('/api/restricted', 'get', ['admin:all'])
+
+      const req = {
+        baseUrl: '/api',
+        path: '/restricted',
+        method: 'get',
+        auth: { isSuper: true, scopes: ['*:*'] }
+      }
+
+      await assert.doesNotReject(() => permissions.check(req))
+    })
+
+    it('should allow users with matching scopes', async () => {
+      permissions.secureRoute('/api/data', 'get', ['read:data'])
+
+      const req = {
+        baseUrl: '/api',
+        path: '/data',
+        method: 'get',
+        auth: { isSuper: false, scopes: ['read:data', 'write:data'] }
+      }
+
+      await assert.doesNotReject(() => permissions.check(req))
+    })
+
+    it('should strip trailing slash from path', async () => {
+      permissions.secureRoute('/api/trailing', 'get', ['read:trailing'])
+
+      const req = {
+        baseUrl: '/api',
+        path: '/trailing/',
+        method: 'get',
+        auth: { isSuper: false, scopes: ['read:trailing'] }
+      }
+
+      await assert.doesNotReject(() => permissions.check(req))
+    })
+  })
+
+  describe('constructor', () => {
+    it('should initialize routes as empty store', () => {
+      assert.ok(Array.isArray(permissions.routes.get))
+      assert.ok(Array.isArray(permissions.routes.post))
+      assert.ok(Array.isArray(permissions.routes.put))
+      assert.ok(Array.isArray(permissions.routes.patch))
+      assert.ok(Array.isArray(permissions.routes.delete))
+    })
+  })
+})