bunsane 0.1.4 → 0.2.0

package/tests/unit/gql/operationMiddleware.test.ts

@@ -0,0 +1,293 @@
+import { describe, it, expect } from "bun:test";
+import { GraphQLError } from "graphql";
+import {
+    Middleware,
+    composeOperationMiddleware,
+    type OperationMiddleware,
+} from "../../../gql/middleware";
+
+// --- Test helpers ---
+
+function createMockService() {
+    return {
+        getUser: async (args: any, context: any, _info: any) => {
+            return { id: args.id, name: "Test User", role: context.user?.role };
+        },
+        createUser: async (args: any, _context: any, _info: any) => {
+            return { id: "new-1", name: args.name };
+        },
+    };
+}
+
+const Authenticate: OperationMiddleware = async (args, ctx, info, next) => {
+    if (!ctx.user) {
+        throw new GraphQLError("Unauthenticated", {
+            extensions: { code: "UNAUTHENTICATED", http: { status: 401 } },
+        });
+    }
+    return next();
+};
+
+function Authorize(...permissions: string[]): OperationMiddleware {
+    return async (args, ctx, info, next) => {
+        const userPerms: string[] = ctx.user?.permissions ?? [];
+        if (!permissions.every((p) => userPerms.includes(p))) {
+            throw new GraphQLError("Forbidden", {
+                extensions: { code: "FORBIDDEN", http: { status: 403 } },
+            });
+        }
+        return next();
+    };
+}
+
+// --- Tests ---
+
+describe("composeOperationMiddleware", () => {
+    it("calls handler directly with empty middleware array", async () => {
+        const handler = async (args: any) => args.value;
+        const chain = composeOperationMiddleware([], handler, null);
+        const result = await chain({ value: 42 }, {}, {});
+        expect(result).toBe(42);
+    });
+
+    it("executes middleware in order", async () => {
+        const order: number[] = [];
+        const mw1: OperationMiddleware = async (a, c, i, next) => {
+            order.push(1);
+            const result = await next();
+            order.push(4);
+            return result;
+        };
+        const mw2: OperationMiddleware = async (a, c, i, next) => {
+            order.push(2);
+            const result = await next();
+            order.push(3);
+            return result;
+        };
+        const handler = async () => {
+            order.push(0);
+            return "done";
+        };
+        const chain = composeOperationMiddleware([mw1, mw2], handler, null);
+        await chain({}, {}, {});
+        expect(order).toEqual([1, 2, 0, 3, 4]);
+    });
+
+    it("short-circuits when middleware throws", async () => {
+        const handlerCalled = { value: false };
+        const mw: OperationMiddleware = async () => {
+            throw new GraphQLError("Blocked");
+        };
+        const handler = async () => {
+            handlerCalled.value = true;
+        };
+        const chain = composeOperationMiddleware([mw], handler, null);
+        expect(chain({}, {}, {})).rejects.toThrow("Blocked");
+        expect(handlerCalled.value).toBe(false);
+    });
+
+    it("middleware can transform the return value", async () => {
+        const transform: OperationMiddleware = async (a, c, i, next) => {
+            const result = await next();
+            return { ...result, extra: true };
+        };
+        const handler = async () => ({ name: "test" });
+        const chain = composeOperationMiddleware([transform], handler, null);
+        const result = await chain({}, {}, {});
+        expect(result).toEqual({ name: "test", extra: true });
+    });
+
+    it("preserves thisArg for the handler", async () => {
+        const service = {
+            prefix: "Hello",
+            greet: async function (args: any) {
+                return `${this.prefix} ${args.name}`;
+            },
+        };
+        const passthrough: OperationMiddleware = async (a, c, i, next) => next();
+        const chain = composeOperationMiddleware(
+            [passthrough],
+            service.greet,
+            service,
+        );
+        const result = await chain({ name: "World" }, {}, {});
+        expect(result).toBe("Hello World");
+    });
+});
+
+describe("@Middleware decorator", () => {
+    it("wraps a method with middleware chain", async () => {
+        const log: string[] = [];
+        const logger: OperationMiddleware = async (a, c, i, next) => {
+            log.push("before");
+            const result = await next();
+            log.push("after");
+            return result;
+        };
+
+        class TestService {
+            @Middleware([logger])
+            async getData(args: any, _ctx: any, _info: any) {
+                log.push("handler");
+                return { value: args.id };
+            }
+        }
+
+        const svc = new TestService();
+        const result = await svc.getData({ id: 1 }, {}, {});
+        expect(result).toEqual({ value: 1 });
+        expect(log).toEqual(["before", "handler", "after"]);
+    });
+
+    it("chains multiple middleware in order", async () => {
+        const order: string[] = [];
+        const first: OperationMiddleware = async (a, c, i, next) => {
+            order.push("first-in");
+            const r = await next();
+            order.push("first-out");
+            return r;
+        };
+        const second: OperationMiddleware = async (a, c, i, next) => {
+            order.push("second-in");
+            const r = await next();
+            order.push("second-out");
+            return r;
+        };
+
+        class TestService {
+            @Middleware([first, second])
+            async doWork(_args: any, _ctx: any, _info: any) {
+                order.push("resolver");
+                return true;
+            }
+        }
+
+        await new TestService().doWork({}, {}, {});
+        expect(order).toEqual([
+            "first-in",
+            "second-in",
+            "resolver",
+            "second-out",
+            "first-out",
+        ]);
+    });
+
+    it("preserves this context of the service", async () => {
+        class TestService {
+            private secret = "s3cret";
+
+            @Middleware([async (a, c, i, next) => next()])
+            async getSecret(_args: any, _ctx: any, _info: any) {
+                return this.secret;
+            }
+        }
+
+        const result = await new TestService().getSecret({}, {}, {});
+        expect(result).toBe("s3cret");
+    });
+});
+
+describe("Auth guard middleware", () => {
+    it("Authenticate allows requests with user in context", async () => {
+        const service = createMockService();
+
+        class UserService {
+            @Middleware([Authenticate])
+            async getUser(args: any, context: any, info: any) {
+                return service.getUser(args, context, info);
+            }
+        }
+
+        const svc = new UserService();
+        const result = await svc.getUser(
+            { id: "1" },
+            { user: { role: "admin" } },
+            {},
+        );
+        expect(result).toEqual({ id: "1", name: "Test User", role: "admin" });
+    });
+
+    it("Authenticate rejects requests without user", async () => {
+        class UserService {
+            @Middleware([Authenticate])
+            async getUser(args: any, ctx: any, info: any) {
+                return { id: args.id };
+            }
+        }
+
+        try {
+            await new UserService().getUser({ id: "1" }, {}, {});
+            expect.unreachable("Should have thrown");
+        } catch (err: any) {
+            expect(err).toBeInstanceOf(GraphQLError);
+            expect(err.extensions.code).toBe("UNAUTHENTICATED");
+            expect(err.extensions.http.status).toBe(401);
+        }
+    });
+
+    it("Authorize allows requests with correct permissions", async () => {
+        class UserService {
+            @Middleware([Authenticate, Authorize("users.read")])
+            async getUser(args: any, ctx: any, info: any) {
+                return { id: args.id };
+            }
+        }
+
+        const ctx = { user: { permissions: ["users.read", "users.write"] } };
+        const result = await new UserService().getUser({ id: "1" }, ctx, {});
+        expect(result).toEqual({ id: "1" });
+    });
+
+    it("Authorize rejects requests with missing permissions", async () => {
+        class UserService {
+            @Middleware([Authenticate, Authorize("users.delete")])
+            async deleteUser(args: any, ctx: any, info: any) {
+                return true;
+            }
+        }
+
+        const ctx = { user: { permissions: ["users.read"] } };
+        try {
+            await new UserService().deleteUser({ id: "1" }, ctx, {});
+            expect.unreachable("Should have thrown");
+        } catch (err: any) {
+            expect(err).toBeInstanceOf(GraphQLError);
+            expect(err.extensions.code).toBe("FORBIDDEN");
+            expect(err.extensions.http.status).toBe(403);
+        }
+    });
+
+    it("Authenticate runs before Authorize in the chain", async () => {
+        class UserService {
+            @Middleware([Authenticate, Authorize("admin")])
+            async adminOp(_args: any, _ctx: any, _info: any) {
+                return true;
+            }
+        }
+
+        // No user → should get UNAUTHENTICATED, not FORBIDDEN
+        try {
+            await new UserService().adminOp({}, {}, {});
+            expect.unreachable("Should have thrown");
+        } catch (err: any) {
+            expect(err.extensions.code).toBe("UNAUTHENTICATED");
+        }
+    });
+
+    it("resolver does not execute when middleware rejects", async () => {
+        let resolverCalled = false;
+
+        class UserService {
+            @Middleware([Authenticate])
+            async getUser(_args: any, _ctx: any, _info: any) {
+                resolverCalled = true;
+                return {};
+            }
+        }
+
+        try {
+            await new UserService().getUser({}, {}, {});
+        } catch {}
+        expect(resolverCalled).toBe(false);
+    });
+});

package/tests/unit/health/Health.test.ts

@@ -0,0 +1,129 @@
+import { describe, test, expect, beforeEach } from "bun:test";
+import {
+    deepHealthCheck,
+    readinessCheck,
+    type HealthDeps,
+} from "../../../core/health";
+
+let dbUp: boolean;
+let cacheUp: boolean;
+
+function makeDeps(): HealthDeps {
+    return {
+        pingDb: async () => {
+            if (!dbUp) throw new Error("connection refused");
+            return true;
+        },
+        pingCache: async () => cacheUp,
+    };
+}
+
+describe("deepHealthCheck", () => {
+    beforeEach(() => {
+        dbUp = true;
+        cacheUp = true;
+    });
+
+    test("returns ok when DB and cache are up", async () => {
+        const { result, httpStatus } = await deepHealthCheck(makeDeps());
+
+        expect(httpStatus).toBe(200);
+        expect(result.status).toBe("ok");
+        expect(result.checks.database.status).toBe("up");
+        expect(result.checks.cache.status).toBe("up");
+        expect(typeof result.checks.database.latency_ms).toBe("number");
+        expect(typeof result.checks.cache.latency_ms).toBe("number");
+        expect(typeof result.timestamp).toBe("string");
+        expect(typeof result.uptime).toBe("number");
+    });
+
+    test("returns degraded when DB is up but cache is down", async () => {
+        cacheUp = false;
+
+        const { result, httpStatus } = await deepHealthCheck(makeDeps());
+
+        expect(httpStatus).toBe(200);
+        expect(result.status).toBe("degraded");
+        expect(result.checks.database.status).toBe("up");
+        expect(result.checks.cache.status).toBe("down");
+    });
+
+    test("returns unavailable (503) when DB is down", async () => {
+        dbUp = false;
+
+        const { result, httpStatus } = await deepHealthCheck(makeDeps());
+
+        expect(httpStatus).toBe(503);
+        expect(result.status).toBe("unavailable");
+        expect(result.checks.database.status).toBe("down");
+    });
+
+    test("returns unavailable (503) when both DB and cache are down", async () => {
+        dbUp = false;
+        cacheUp = false;
+
+        const { result, httpStatus } = await deepHealthCheck(makeDeps());
+
+        expect(httpStatus).toBe(503);
+        expect(result.status).toBe("unavailable");
+        expect(result.checks.database.status).toBe("down");
+        expect(result.checks.cache.status).toBe("down");
+    });
+});
+
+describe("readinessCheck", () => {
+    beforeEach(() => {
+        dbUp = true;
+        cacheUp = true;
+    });
+
+    test("returns 503 when isReady is false", async () => {
+        const { result, httpStatus } = await readinessCheck(
+            false,
+            false,
+            makeDeps(),
+        );
+
+        expect(httpStatus).toBe(503);
+        expect(result.status).toBe("unavailable");
+        expect(result.checks.database.status).toBe("unknown");
+        expect(result.checks.cache.status).toBe("unknown");
+    });
+
+    test("returns 503 when isShuttingDown is true", async () => {
+        const { result, httpStatus } = await readinessCheck(
+            true,
+            true,
+            makeDeps(),
+        );
+
+        expect(httpStatus).toBe(503);
+        expect(result.status).toBe("unavailable");
+    });
+
+    test("delegates to deepHealthCheck when ready", async () => {
+        const { result, httpStatus } = await readinessCheck(
+            true,
+            false,
+            makeDeps(),
+        );
+
+        expect(httpStatus).toBe(200);
+        expect(result.status).toBe("ok");
+        expect(result.checks.database.status).toBe("up");
+        expect(result.checks.cache.status).toBe("up");
+    });
+
+    test("returns 503 when ready but DB is down", async () => {
+        dbUp = false;
+
+        const { result, httpStatus } = await readinessCheck(
+            true,
+            false,
+            makeDeps(),
+        );
+
+        expect(httpStatus).toBe(503);
+        expect(result.status).toBe("unavailable");
+    });
+});

package/tests/unit/middleware/AccessLog.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect, mock } from 'bun:test';
+import { accessLog } from '../../../core/middleware/AccessLog';
+
+const ok = async () => new Response('ok');
+
+describe('accessLog middleware', () => {
+    test('passes through and returns the response', async () => {
+        const mw = accessLog();
+        const res = await mw(new Request('http://localhost/test'), ok);
+
+        expect(res.status).toBe(200);
+        expect(await res.text()).toBe('ok');
+    });
+
+    test('skips configured paths', async () => {
+        const mw = accessLog({ skip: ['/health'] });
+
+        // Should still work, just not log
+        const res = await mw(new Request('http://localhost/health'), ok);
+        expect(res.status).toBe(200);
+    });
+
+    test('propagates errors from handler', async () => {
+        const mw = accessLog();
+        const failing = async () => { throw new Error('boom'); };
+
+        expect(mw(new Request('http://localhost/'), failing)).rejects.toThrow('boom');
+    });
+
+    test('handles non-200 responses', async () => {
+        const mw = accessLog();
+        const notFound = async () => new Response('not found', { status: 404 });
+        const res = await mw(new Request('http://localhost/missing'), notFound);
+
+        expect(res.status).toBe(404);
+    });
+});

package/tests/unit/middleware/Middleware.test.ts

@@ -0,0 +1,98 @@
+import { describe, test, expect } from 'bun:test';
+import { composeMiddleware, type Middleware } from '../../../core/Middleware';
+
+describe('composeMiddleware', () => {
+    test('calls final handler when no middleware', async () => {
+        const handler = async (req: Request) => new Response('ok');
+        const composed = composeMiddleware([], handler);
+        const res = await composed(new Request('http://localhost/'));
+        expect(await res.text()).toBe('ok');
+    });
+
+    test('executes middleware in order (onion model)', async () => {
+        const order: string[] = [];
+
+        const mw1: Middleware = async (req, next) => {
+            order.push('mw1-before');
+            const res = await next();
+            order.push('mw1-after');
+            return res;
+        };
+
+        const mw2: Middleware = async (req, next) => {
+            order.push('mw2-before');
+            const res = await next();
+            order.push('mw2-after');
+            return res;
+        };
+
+        const handler = async (req: Request) => {
+            order.push('handler');
+            return new Response('ok');
+        };
+
+        const composed = composeMiddleware([mw1, mw2], handler);
+        await composed(new Request('http://localhost/'));
+
+        expect(order).toEqual([
+            'mw1-before',
+            'mw2-before',
+            'handler',
+            'mw2-after',
+            'mw1-after',
+        ]);
+    });
+
+    test('middleware can short-circuit (skip next)', async () => {
+        const mw: Middleware = async (req, next) => {
+            return new Response('blocked', { status: 403 });
+        };
+
+        const handler = async (req: Request) => new Response('ok');
+        const composed = composeMiddleware([mw], handler);
+        const res = await composed(new Request('http://localhost/'));
+        expect(res.status).toBe(403);
+        expect(await res.text()).toBe('blocked');
+    });
+
+    test('middleware can modify the response', async () => {
+        const mw: Middleware = async (req, next) => {
+            const res = await next();
+            const headers = new Headers(res.headers);
+            headers.set('X-Custom', 'test');
+            return new Response(res.body, {
+                status: res.status,
+                headers,
+            });
+        };
+
+        const handler = async (req: Request) => new Response('ok');
+        const composed = composeMiddleware([mw], handler);
+        const res = await composed(new Request('http://localhost/'));
+        expect(res.headers.get('X-Custom')).toBe('test');
+    });
+
+    test('errors propagate through middleware chain', async () => {
+        const mw: Middleware = async (req, next) => {
+            return next();
+        };
+
+        const handler = async (req: Request) => {
+            throw new Error('boom');
+        };
+
+        const composed = composeMiddleware([mw], handler);
+        expect(composed(new Request('http://localhost/'))).rejects.toThrow('boom');
+    });
+
+    test('rejects if next() called multiple times', async () => {
+        const mw: Middleware = async (req, next) => {
+            await next();
+            return next(); // second call should reject
+        };
+
+        const handler = async (req: Request) => new Response('ok');
+        const composed = composeMiddleware([mw], handler);
+        expect(composed(new Request('http://localhost/'))).rejects.toThrow('next() called multiple times');
+    });
+});

package/tests/unit/middleware/RequestId.test.ts

@@ -0,0 +1,54 @@
+import { describe, test, expect } from 'bun:test';
+import { requestId, getRequestId, requestStore } from '../../../core/middleware/RequestId';
+
+const ok = async () => new Response('ok');
+
+describe('requestId middleware', () => {
+    test('generates a UUID and sets X-Request-Id header', async () => {
+        const mw = requestId();
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        const id = res.headers.get('X-Request-Id');
+        expect(id).toBeTruthy();
+        // UUID format check
+        expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
+    });
+
+    test('respects incoming X-Request-Id header', async () => {
+        const mw = requestId();
+        const req = new Request('http://localhost/', {
+            headers: { 'X-Request-Id': 'custom-id-123' },
+        });
+        const res = await mw(req, ok);
+
+        expect(res.headers.get('X-Request-Id')).toBe('custom-id-123');
+    });
+
+    test('getRequestId() returns current request ID within middleware', async () => {
+        const mw = requestId();
+        let capturedId: string | undefined;
+
+        const handler = async () => {
+            capturedId = getRequestId();
+            return new Response('ok');
+        };
+
+        const res = await mw(new Request('http://localhost/'), handler);
+        const headerId = res.headers.get('X-Request-Id')!;
+
+        expect(capturedId).toBe(headerId);
+    });
+
+    test('getRequestId() returns undefined outside request context', () => {
+        expect(getRequestId()).toBeUndefined();
+    });
+
+    test('preserves original response body and status', async () => {
+        const handler = async () => new Response('hello', { status: 201 });
+        const mw = requestId();
+        const res = await mw(new Request('http://localhost/'), handler);
+
+        expect(res.status).toBe(201);
+        expect(await res.text()).toBe('hello');
+    });
+});

package/tests/unit/middleware/SecurityHeaders.test.ts

@@ -0,0 +1,66 @@
+import { describe, test, expect } from 'bun:test';
+import { securityHeaders } from '../../../core/middleware/SecurityHeaders';
+
+const ok = async () => new Response('ok');
+
+describe('securityHeaders middleware', () => {
+    test('adds default security headers', async () => {
+        const mw = securityHeaders();
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('X-Frame-Options')).toBe('DENY');
+        expect(res.headers.get('X-Content-Type-Options')).toBe('nosniff');
+        expect(res.headers.get('Referrer-Policy')).toBe('strict-origin-when-cross-origin');
+    });
+
+    test('sets HSTS in production', async () => {
+        const mw = securityHeaders({ hsts: true });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('Strict-Transport-Security')).toBe('max-age=31536000; includeSubDomains');
+    });
+
+    test('custom hstsMaxAge', async () => {
+        const mw = securityHeaders({ hsts: true, hstsMaxAge: 86400 });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('Strict-Transport-Security')).toBe('max-age=86400; includeSubDomains');
+    });
+
+    test('frameOptions SAMEORIGIN', async () => {
+        const mw = securityHeaders({ frameOptions: 'SAMEORIGIN' });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('X-Frame-Options')).toBe('SAMEORIGIN');
+    });
+
+    test('frameOptions disabled', async () => {
+        const mw = securityHeaders({ frameOptions: false });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('X-Frame-Options')).toBeNull();
+    });
+
+    test('noSniff disabled', async () => {
+        const mw = securityHeaders({ noSniff: false });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('X-Content-Type-Options')).toBeNull();
+    });
+
+    test('referrerPolicy disabled', async () => {
+        const mw = securityHeaders({ referrerPolicy: false });
+        const res = await mw(new Request('http://localhost/'), ok);
+
+        expect(res.headers.get('Referrer-Policy')).toBeNull();
+    });
+
+    test('preserves original response body and status', async () => {
+        const handler = async () => new Response('hello', { status: 201 });
+        const mw = securityHeaders();
+        const res = await mw(new Request('http://localhost/'), handler);
+
+        expect(res.status).toBe(201);
+        expect(await res.text()).toBe('hello');
+    });
+});