chadstart 1.0.0

package/test/access-policies.test.js

@@ -0,0 +1,96 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const jwt = require('jsonwebtoken');
+const bcrypt = require('bcryptjs');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const { JWT_SECRET } = require('../core/auth');
+
+function makeToken(payload) {
+  return jwt.sign(payload, JWT_SECRET, { expiresIn: '1h' });
+}
+
+function mockRes() {
+  const r = { _status: 200, _body: undefined };
+  r.status = (s) => { r._status = s; return r; };
+  r.json   = (b) => { r._body  = b; };
+  return r;
+}
+
+describe('access-policies – read condition: self', () => {
+  const selfReadCore = buildCore({
+    name: 'SelfRead',
+    entities: {
+      User: {
+        authenticable: true,
+        properties: ['name'],
+      },
+      Project: {
+        properties: ['title'],
+        belongsTo: ['User'],
+        policies: {
+          read: [{ access: 'restricted', allow: 'User', condition: 'self' }],
+        },
+      },
+    },
+  });
+
+  const entity = selfReadCore.entities.Project;
+  const policy = entity.policies.read[0];
+
+  it('read condition:self – sets req._selfFilter on valid token', () => {
+    const token = makeToken({ id: 'user-42', entity: 'User' });
+    const req = { headers: { authorization: `Bearer ${token}` }, params: {} };
+    const res = mockRes();
+    let nextCalled = false;
+
+    const allowed = Array.isArray(policy.allow) ? policy.allow : [policy.allow];
+    const mw = (req2, res2, next) => {
+      const header = req2.headers.authorization;
+      if (!header || !header.startsWith('Bearer ')) return res2.status(401).json({ error: 'Authorization required' });
+      try {
+        req2.user = jwt.verify(header.slice(7), JWT_SECRET);
+        if (!allowed.includes(req2.user.entity)) return res2.status(403).json({ error: 'Access denied' });
+        if (policy.condition === 'self') {
+          const userEntityObj = selfReadCore.entities[req2.user.entity];
+          if (userEntityObj) {
+            req2._selfFilter = { fk: `${userEntityObj.tableName}_id`, userId: req2.user.id };
+          }
+        }
+        next();
+      } catch (e) {
+        return res2.status(401).json({ error: 'Invalid or expired token' });
+      }
+    };
+
+    mw(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled, 'next should be called');
+    assert.ok(req._selfFilter, '_selfFilter should be set');
+    assert.strictEqual(req._selfFilter.fk, 'user_id');
+    assert.strictEqual(req._selfFilter.userId, 'user-42');
+  });
+
+  it('read condition:self – DB list is filtered to the owning user', () => {
+    const tmp = path.join(os.tmpdir(), `chadstart-selfread-${Date.now()}.db`);
+    dbModule.initDb(selfReadCore, tmp);
+
+    const user1 = dbModule.create('user', { name: 'Alice', email: 'alice@example.com', password: bcrypt.hashSync('pass1', 1) });
+    const user2 = dbModule.create('user', { name: 'Bob',   email: 'bob@example.com',   password: bcrypt.hashSync('pass2', 1) });
+    dbModule.create('project', { title: 'Alice Project 1', user_id: user1.id });
+    dbModule.create('project', { title: 'Alice Project 2', user_id: user1.id });
+    dbModule.create('project', { title: 'Bob Project',     user_id: user2.id });
+
+    const selfFilter = { fk: 'user_id', userId: user1.id };
+    const query = { [selfFilter.fk]: selfFilter.userId };
+    const result = dbModule.findAll('project', query, { perPage: 100 });
+
+    assert.strictEqual(result.total, 2, 'only Alice\'s projects returned');
+    assert.ok(result.data.every((r) => r.user_id === user1.id));
+
+    fs.unlinkSync(tmp);
+  });
+});

package/test/ai.test.js

@@ -0,0 +1,81 @@
+'use strict';
+
+const assert = require('assert');
+const { getAiProvider, isAiConfigured } = require('../server/express-server');
+
+// Save originals so we can restore after each test
+const ENV_KEYS = ['OPENAI_API_KEY', 'ANTHROPIC_API_KEY', 'GOOGLE_API_KEY', 'GEMINI_API_KEY', 'OPENROUTER_API_KEY'];
+function clearAiEnv() {
+  for (const k of ENV_KEYS) delete process.env[k];
+}
+
+describe('AI provider detection', () => {
+  beforeEach(clearAiEnv);
+  after(clearAiEnv);
+
+  it('returns null when no AI keys are set', () => {
+    assert.strictEqual(getAiProvider(), null);
+  });
+
+  it('returns "openai" when OPENAI_API_KEY is set', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    assert.strictEqual(getAiProvider(), 'openai');
+  });
+
+  it('returns "anthropic" when ANTHROPIC_API_KEY is set', () => {
+    process.env.ANTHROPIC_API_KEY = 'sk-ant-test';
+    assert.strictEqual(getAiProvider(), 'anthropic');
+  });
+
+  it('returns "google" when GOOGLE_API_KEY is set', () => {
+    process.env.GOOGLE_API_KEY = 'gkey';
+    assert.strictEqual(getAiProvider(), 'google');
+  });
+
+  it('returns "google" when GEMINI_API_KEY is set', () => {
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    assert.strictEqual(getAiProvider(), 'google');
+  });
+
+  it('returns "openrouter" when OPENROUTER_API_KEY is set', () => {
+    process.env.OPENROUTER_API_KEY = 'sk-or-test';
+    assert.strictEqual(getAiProvider(), 'openrouter');
+  });
+
+  it('openai takes priority over anthropic when both are set', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.ANTHROPIC_API_KEY = 'sk-ant-test';
+    assert.strictEqual(getAiProvider(), 'openai');
+  });
+
+  it('anthropic takes priority over google when openai is absent', () => {
+    process.env.ANTHROPIC_API_KEY = 'sk-ant-test';
+    process.env.GOOGLE_API_KEY = 'gkey';
+    assert.strictEqual(getAiProvider(), 'anthropic');
+  });
+
+  it('google takes priority over openrouter when neither openai nor anthropic are set', () => {
+    process.env.GOOGLE_API_KEY = 'gkey';
+    process.env.OPENROUTER_API_KEY = 'sk-or-test';
+    assert.strictEqual(getAiProvider(), 'google');
+  });
+});
+
+describe('isAiConfigured', () => {
+  beforeEach(clearAiEnv);
+  after(clearAiEnv);
+
+  it('returns false when no keys are set', () => {
+    assert.strictEqual(isAiConfigured(), false);
+  });
+
+  it('returns true when OPENAI_API_KEY is set', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    assert.strictEqual(isAiConfigured(), true);
+  });
+
+  it('returns true when OPENROUTER_API_KEY is set', () => {
+    process.env.OPENROUTER_API_KEY = 'sk-or-test';
+    assert.strictEqual(isAiConfigured(), true);
+  });
+});

package/test/api-keys.test.js

@@ -0,0 +1,361 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+// Isolate the DB for each test run
+const TMP_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'cs-apikey-test-'));
+process.env.DB_PATH = path.join(TMP_DIR, 'test.db');
+
+const { buildApp } = require('../server/express-server');
+const http = require('http');
+
+// ── Helpers ─────────────────────────────────────────────────────────────────
+
+function req(options) {
+  return new Promise((resolve, reject) => {
+    const { method = 'GET', path: p, body, headers = {} } = options;
+    const data = body ? JSON.stringify(body) : undefined;
+    const opts = {
+      hostname: 'localhost', port: options.port, path: p, method,
+      headers: { 'Content-Type': 'application/json', ...headers,
+        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}) },
+    };
+    const r = http.request(opts, (res) => {
+      let buf = '';
+      res.on('data', (c) => { buf += c; });
+      res.on('end', () => {
+        let json;
+        try { json = JSON.parse(buf); } catch { json = buf; }
+        resolve({ status: res.statusCode, body: json });
+      });
+    });
+    r.on('error', reject);
+    if (data) r.write(data);
+    r.end();
+  });
+}
+
+// ── Test suite ───────────────────────────────────────────────────────────────
+
+describe('API Keys', function () {
+  let server, port, adminToken, adminId;
+
+  const YAML_PATH = path.resolve(__dirname, '../chadstart.yaml');
+
+  before(async function () {
+    this.timeout(10000);
+    const { app } = await buildApp(YAML_PATH, null);
+    server = http.createServer(app);
+    await new Promise((resolve) => server.listen(0, resolve));
+    port = server.address().port;
+
+    // Sign up an admin user
+    const su = await req({ port, method: 'POST', path: '/api/auth/admin/signup',
+      body: { email: 'apikey@test.com', password: 'secret123', name: 'Test Admin' } });
+    assert.strictEqual(su.status, 201, 'signup should succeed');
+    adminToken = su.body.token;
+    adminId    = su.body.user.id;
+  });
+
+  after(function (done) {
+    server.close(done);
+  });
+
+  // ── Unit tests (auth module) ──────────────────────────────────────────
+
+  describe('auth module – API key functions', function () {
+    const {
+      initApiKeys, createApiKey, verifyApiKeyStr, listApiKeys, deleteApiKey,
+    } = require('../core/auth');
+
+    it('createApiKey returns a key string and record', function () {
+      const { key, record } = createApiKey('user-1', 'Admin', { name: 'TestKey', permissions: ['read'], entities: [] });
+      assert.ok(key.startsWith('cs_'), 'key should start with cs_');
+      assert.strictEqual(key.length, 3 + 64, 'key should be cs_ + 64 hex chars');
+      assert.strictEqual(record.name, 'TestKey');
+      assert.strictEqual(record.userId, 'user-1');
+      assert.strictEqual(record.userEntity, 'Admin');
+      assert.deepStrictEqual(record.permissions, ['read']);
+      assert.ok(!record.keyHash, 'keyHash should not be in returned record');
+    });
+
+    it('verifyApiKeyStr returns record for valid key', function () {
+      const { key } = createApiKey('user-2', 'Admin', { name: 'Verify' });
+      const record = verifyApiKeyStr(key);
+      assert.ok(record, 'should return a record');
+      assert.strictEqual(record.userId, 'user-2');
+    });
+
+    it('verifyApiKeyStr returns null for wrong key', function () {
+      assert.strictEqual(verifyApiKeyStr('cs_notavalidkey'), null);
+    });
+
+    it('verifyApiKeyStr returns null for non-cs_ prefixed string', function () {
+      assert.strictEqual(verifyApiKeyStr('eyJhbGciOiJIUzI1NiJ9.x.y'), null);
+    });
+
+    it('verifyApiKeyStr returns null for expired key', function () {
+      const pastDate = new Date(Date.now() - 1000).toISOString();
+      const { key } = createApiKey('user-3', 'Admin', { expiresAt: pastDate });
+      assert.strictEqual(verifyApiKeyStr(key), null, 'expired key should return null');
+    });
+
+    it('listApiKeys returns user keys', function () {
+      const { key } = createApiKey('user-list', 'Admin', { name: 'ListKey' });
+      const keys = listApiKeys('user-list', 'Admin');
+      assert.ok(keys.length >= 1);
+      assert.ok(keys.every((k) => !k.keyHash), 'keyHash should be stripped');
+    });
+
+    it('deleteApiKey removes the key', function () {
+      const { record } = createApiKey('user-del', 'Admin', { name: 'ToDelete' });
+      deleteApiKey(record.id);
+      const verifiedAfterDelete = listApiKeys('user-del', 'Admin').find((k) => k.id === record.id);
+      assert.ok(!verifiedAfterDelete, 'key should be deleted');
+    });
+  });
+
+  // ── resolveAuthHeader ─────────────────────────────────────────────────
+
+  describe('resolveAuthHeader', function () {
+    const { resolveAuthHeader, signToken, createApiKey } = require('../core/auth');
+
+    it('resolves JWT Bearer tokens', function () {
+      const token = signToken({ id: 'u1', entity: 'Admin' });
+      const { user, error } = resolveAuthHeader(`Bearer ${token}`);
+      assert.ok(user);
+      assert.strictEqual(user.id, 'u1');
+      assert.strictEqual(error, null);
+    });
+
+    it('returns error for no header', function () {
+      const { user, error } = resolveAuthHeader(undefined);
+      assert.ok(!user);
+      assert.strictEqual(error, 'no_header');
+    });
+
+    it('resolves API key Bearer tokens', function () {
+      const { key } = createApiKey('u-resolve', 'Admin', { permissions: ['read'], entities: ['posts'] });
+      const { user, apiKeyPermissions, error } = resolveAuthHeader(`Bearer ${key}`);
+      assert.ok(user);
+      assert.strictEqual(user.id, 'u-resolve');
+      assert.strictEqual(error, null);
+      assert.deepStrictEqual(apiKeyPermissions.operations, ['read']);
+      assert.deepStrictEqual(apiKeyPermissions.entities, ['posts']);
+    });
+
+    it('returns error for invalid token', function () {
+      const { user, error } = resolveAuthHeader('Bearer bad-token-here');
+      assert.ok(!user);
+      assert.strictEqual(error, 'invalid_token');
+    });
+  });
+
+  // ── HTTP API – user self-service ──────────────────────────────────────
+
+  describe('GET /api/auth/admin/api-keys', function () {
+    it('returns 401 without token', async function () {
+      const r = await req({ port, path: '/api/auth/admin/api-keys' });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('returns empty array initially', async function () {
+      const r = await req({ port, path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` } });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body));
+    });
+  });
+
+  describe('POST /api/auth/admin/api-keys', function () {
+    it('returns 401 without token', async function () {
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/api-keys', body: { name: 'X' } });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('creates a key and returns the plaintext key once', async function () {
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { name: 'My Key', permissions: ['read'], entities: [], expiresAt: null },
+      });
+      assert.strictEqual(r.status, 201);
+      assert.ok(r.body.key, 'should return the plaintext key');
+      assert.ok(r.body.key.startsWith('cs_'), 'key should start with cs_');
+      assert.ok(r.body.record, 'should return the record');
+      assert.ok(!r.body.record.keyHash, 'keyHash must not be exposed');
+      assert.strictEqual(r.body.record.name, 'My Key');
+    });
+  });
+
+  describe('DELETE /api/auth/admin/api-keys/:id', function () {
+    it('deletes own API key', async function () {
+      // Create
+      const create = await req({ port, method: 'POST', path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { name: 'ToDelete' },
+      });
+      assert.strictEqual(create.status, 201);
+      const keyId = create.body.record.id;
+
+      // Delete
+      const del = await req({ port, method: 'DELETE', path: `/api/auth/admin/api-keys/${keyId}`,
+        headers: { Authorization: `Bearer ${adminToken}` } });
+      assert.strictEqual(del.status, 200);
+      assert.ok(del.body.success);
+    });
+
+    it('returns 404 for non-existent key', async function () {
+      const r = await req({ port, method: 'DELETE', path: '/api/auth/admin/api-keys/nonexistent-id',
+        headers: { Authorization: `Bearer ${adminToken}` } });
+      assert.strictEqual(r.status, 404);
+    });
+  });
+
+  // ── HTTP API – using API key for authentication ───────────────────────
+
+  describe('API key authentication on entity routes', function () {
+    let apiKey;
+
+    before(async function () {
+      // Create an API key with read-only access to 'post' entity
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { name: 'ReadOnly', permissions: ['read'], entities: ['post'], expiresAt: null },
+      });
+      assert.strictEqual(r.status, 201);
+      apiKey = r.body.key;
+    });
+
+    it('can access public routes with API key', async function () {
+      // Post has public read policy
+      const r = await req({ port, path: '/api/collections/post',
+        headers: { Authorization: `Bearer ${apiKey}` } });
+      assert.strictEqual(r.status, 200);
+    });
+
+    it('rejects API key for entities not in entity access list', async function () {
+      // Create a key restricted to 'post' only
+      const createR = await req({ port, method: 'POST', path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { name: 'PostOnly', permissions: ['read', 'create', 'update', 'delete'], entities: ['post'] },
+      });
+      const restrictedKey = createR.body.key;
+      // Attempt to access 'comment' (not in entities list)
+      const r = await req({ port, path: '/api/collections/comment',
+        headers: { Authorization: `Bearer ${restrictedKey}` } });
+      assert.strictEqual(r.status, 403);
+    });
+  });
+
+  // ── Admin routes ──────────────────────────────────────────────────────
+
+  describe('GET /admin/api-keys', function () {
+    it('returns 401 without token', async function () {
+      const r = await req({ port, path: '/admin/api-keys' });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('returns array with valid token', async function () {
+      const r = await req({ port, path: '/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` } });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body));
+      assert.ok(r.body.every((k) => !k.keyHash), 'keyHash must never be exposed');
+    });
+  });
+
+  describe('POST /admin/api-keys (admin creates for any user)', function () {
+    it('creates key for a specific user', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userId: adminId, userEntity: 'Admin', name: 'AdminCreated', permissions: [], entities: [] },
+      });
+      assert.strictEqual(r.status, 201);
+      assert.ok(r.body.key.startsWith('cs_'));
+      assert.strictEqual(r.body.record.userId, adminId);
+    });
+
+    it('returns 400 when userId is missing', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userEntity: 'Admin', name: 'NoUser' },
+      });
+      assert.strictEqual(r.status, 400);
+    });
+  });
+
+  describe('DELETE /admin/api-keys/:id', function () {
+    it('admin can delete any API key', async function () {
+      const create = await req({ port, method: 'POST', path: '/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userId: adminId, userEntity: 'Admin', name: 'AdminDel' },
+      });
+      const keyId = create.body.record.id;
+      const del = await req({ port, method: 'DELETE', path: `/admin/api-keys/${keyId}`,
+        headers: { Authorization: `Bearer ${adminToken}` } });
+      assert.strictEqual(del.status, 200);
+    });
+  });
+
+  // ── POST /admin/impersonate ───────────────────────────────────────────
+
+  describe('POST /admin/impersonate', function () {
+    it('returns 401 without token', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/impersonate',
+        body: { userId: adminId, userEntity: 'Admin' } });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('returns 400 when userId is missing', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/impersonate',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userEntity: 'Admin' } });
+      assert.strictEqual(r.status, 400);
+    });
+
+    it('returns impersonation token with impersonated flag', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/impersonate',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userId: adminId, userEntity: 'Admin' } });
+      assert.strictEqual(r.status, 200);
+      assert.ok(r.body.token, 'should return a token');
+      assert.ok(r.body.expiresAt, 'should return an expiry');
+      assert.strictEqual(r.body.userId, adminId);
+      // Verify the token decodes correctly
+      const { verifyToken } = require('../core/auth');
+      const payload = verifyToken(r.body.token);
+      assert.strictEqual(payload.id, adminId);
+      assert.strictEqual(payload.entity, 'Admin');
+      assert.strictEqual(payload.impersonated, true);
+    });
+
+    it('returns 404 for non-existent user', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/impersonate',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userId: 'non-existent-user', userEntity: 'Admin' } });
+      assert.strictEqual(r.status, 404);
+    });
+
+    it('returns 404 for unknown user collection', async function () {
+      const r = await req({ port, method: 'POST', path: '/admin/impersonate',
+        headers: { Authorization: `Bearer ${adminToken}` },
+        body: { userId: adminId, userEntity: 'NonExistent' } });
+      assert.strictEqual(r.status, 404);
+    });
+  });
+
+  // ── Admin schema returns userCollections ──────────────────────────────
+
+  describe('GET /admin/schema', function () {
+    it('returns userCollections field with authenticable entities', async function () {
+      const r = await req({ port, path: '/admin/schema' });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body.userCollections), 'userCollections should be an array');
+      assert.ok(r.body.userCollections.every((e) => e.authenticable), 'all userCollections should be authenticable');
+      assert.ok(Array.isArray(r.body.entities), 'entities should be an array');
+    });
+  });
+});

package/test/auth.test.js

@@ -0,0 +1,122 @@
+'use strict';
+
+const assert = require('assert');
+const { signToken, verifyToken, omitPassword, requireAuth, optionalAuth } = require('../core/auth');
+
+function mockReq(headers = {}) {
+  return { headers, user: undefined };
+}
+
+function mockRes() {
+  const r = { _status: 200, _body: undefined };
+  r.status = (s) => { r._status = s; return r; };
+  r.json   = (b) => { r._body  = b; };
+  return r;
+}
+
+describe('auth', () => {
+  it('signToken/verifyToken round-trip', () => {
+    const t = signToken({ id: 1, entity: 'Admin' });
+    const d = verifyToken(t);
+    assert.strictEqual(d.id, 1);
+    assert.strictEqual(d.entity, 'Admin');
+  });
+
+  it('verifyToken throws on invalid', () => assert.throws(() => verifyToken('bad'), /malformed|invalid/i));
+  it('omitPassword removes password', () => assert.ok(!('password' in omitPassword({ id: 1, password: 'x', email: 'a@b.com' }))));
+});
+
+describe('auth – middleware', () => {
+  it('requireAuth: 401 when no Authorization header', () => {
+    const mw  = requireAuth();
+    const req = mockReq();
+    const res = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.strictEqual(res._status, 401);
+    assert.ok(!nextCalled);
+  });
+
+  it('requireAuth: 401 when header lacks Bearer prefix', () => {
+    const mw  = requireAuth();
+    const req = mockReq({ authorization: 'Basic abc123' });
+    const res = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.strictEqual(res._status, 401);
+    assert.ok(!nextCalled);
+  });
+
+  it('requireAuth: 401 for invalid token', () => {
+    const mw  = requireAuth();
+    const req = mockReq({ authorization: 'Bearer not-a-valid-jwt' });
+    const res = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.strictEqual(res._status, 401);
+    assert.ok(!nextCalled);
+  });
+
+  it('requireAuth: 403 when entity does not match', () => {
+    const token = signToken({ id: 'u1', entity: 'Admin' });
+    const mw    = requireAuth('User');
+    const req   = mockReq({ authorization: `Bearer ${token}` });
+    const res   = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.strictEqual(res._status, 403);
+    assert.ok(!nextCalled);
+  });
+
+  it('requireAuth: sets req.user and calls next for valid token (with entity filter)', () => {
+    const token = signToken({ id: 'u2', entity: 'Admin' });
+    const mw    = requireAuth('Admin');
+    const req   = mockReq({ authorization: `Bearer ${token}` });
+    const res   = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled);
+    assert.strictEqual(req.user.id, 'u2');
+    assert.strictEqual(req.user.entity, 'Admin');
+  });
+
+  it('requireAuth: sets req.user and calls next without entity filter', () => {
+    const token = signToken({ id: 'u3', entity: 'Member' });
+    const mw    = requireAuth();
+    const req   = mockReq({ authorization: `Bearer ${token}` });
+    const res   = mockRes();
+    let nextCalled = false;
+    mw(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled);
+    assert.strictEqual(req.user.entity, 'Member');
+  });
+
+  it('optionalAuth: calls next without user when no header', () => {
+    const req = mockReq();
+    const res = mockRes();
+    let nextCalled = false;
+    optionalAuth(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled);
+    assert.ok(!req.user);
+  });
+
+  it('optionalAuth: calls next without user when token is invalid', () => {
+    const req = mockReq({ authorization: 'Bearer bad-token' });
+    const res = mockRes();
+    let nextCalled = false;
+    optionalAuth(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled);
+    assert.ok(!req.user);
+  });
+
+  it('optionalAuth: sets req.user when token is valid', () => {
+    const token = signToken({ id: 'u4', entity: 'Guest' });
+    const req   = mockReq({ authorization: `Bearer ${token}` });
+    const res   = mockRes();
+    let nextCalled = false;
+    optionalAuth(req, res, () => { nextCalled = true; });
+    assert.ok(nextCalled);
+    assert.strictEqual(req.user.id, 'u4');
+    assert.strictEqual(req.user.entity, 'Guest');
+  });
+});