insforge 0.3.2 → 1.2.10

package/backend/tests/local/test-public-bucket.sh

@@ -145,7 +145,7 @@ fi
 # Step 5: Test accessing PUBLIC file WITHOUT API key
 print_info "5️⃣  Testing PUBLIC file access WITHOUT API key..."
 echo "   Accessing: ${API_BASE_URL}/storage/buckets/${PUBLIC_BUCKET}/objects/${TEST_FILE}"
-HTTP_CODE=$(curl -s -o /tmp/public-response.txt -w "%{http_code}" "${API_BASE_URL}/storage/buckets/${PUBLIC_BUCKET}/objects/${TEST_FILE}")
+HTTP_CODE=$(curl -s -L -o /tmp/public-response.txt -w "%{http_code}" "${API_BASE_URL}/storage/buckets/${PUBLIC_BUCKET}/objects/${TEST_FILE}")
 if [ "$HTTP_CODE" -eq 200 ]; then
     print_success "Public file accessible without API key! (Status: ${HTTP_CODE})"
     echo "   📄 Content: $(cat /tmp/public-response.txt)"
@@ -165,7 +165,7 @@ fi
 
 # Step 7: Test accessing PRIVATE file WITH API key
 print_info "7️⃣  Testing PRIVATE file access WITH API key..."
-HTTP_CODE=$(curl -s -o /tmp/private-auth-response.txt -w "%{http_code}" \
+HTTP_CODE=$(curl -s -L -o /tmp/private-auth-response.txt -w "%{http_code}" \
   -H "Authorization: Bearer ${api_key}" \
   "${API_BASE_URL}/storage/buckets/${PRIVATE_BUCKET}/objects/${TEST_FILE}")
 if [ "$HTTP_CODE" -eq 200 ]; then
@@ -211,7 +211,7 @@ if [ "$status" -ge 200 ] && [ "$status" -lt 300 ]; then
         generated_key=$(echo "$body" | jq -r '.key')
         echo "   📝 Generated key: $generated_key"
         # Test downloading the file with generated key
-        HTTP_CODE=$(curl -s -o /tmp/post-download.txt -w "%{http_code}" "${API_BASE_URL}/storage/buckets/${PUBLIC_BUCKET}/objects/${generated_key}")
+        HTTP_CODE=$(curl -s -L -o /tmp/post-download.txt -w "%{http_code}" "${API_BASE_URL}/storage/buckets/${PUBLIC_BUCKET}/objects/${generated_key}")
         if [ "$HTTP_CODE" -eq 200 ]; then
             print_success "Downloaded file with generated key!"
             echo "   📄 Content: $(cat /tmp/post-download.txt)"

package/backend/tests/local/test-secrets.sh

@@ -3,8 +3,6 @@
 # Test secrets API endpoints (refactored to use _secrets table)
 # Tests CRUD operations for secrets and edge function integration
 
-set -e  # Exit on error
-
 # Get the directory where this script is located
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source "$SCRIPT_DIR/../test-config.sh"
@@ -165,21 +163,25 @@ response=$(curl -s -X POST "$API_BASE/functions" \
 
 if echo "$response" | grep -q "id"; then
     print_success "Edge function created"
-    
-    # Restart Deno to pick up new secrets
-    docker compose restart deno >/dev/null 2>&1
+
+    # Restart Deno to pick up new secrets (allow failure in CI)
+    docker compose restart deno >/dev/null 2>&1 || true
     sleep 3
     
     # Test the function
     print_info "10. Testing edge function secret access"
-    response=$(curl -s "$DENO_BASE/$FUNCTION_SLUG")
-    
-    if echo "$response" | jq -e '.testSecretValue == true and .systemSecretFound == true' >/dev/null 2>&1; then
-        print_success "Edge function can access secrets"
+    response=$(curl -s "$DENO_BASE/$FUNCTION_SLUG" || true)
+
+    if [ -z "$response" ]; then
+        print_info "Skipping edge function test - Deno not accessible (CI environment)"
     else
-        print_fail "Edge function cannot access secrets properly"
-        echo "Response: $response"
-        track_test_failure
+        if echo "$response" | jq -e '.testSecretValue == true and .systemSecretFound == true' >/dev/null 2>&1; then
+            print_success "Edge function can access secrets"
+        else
+            print_fail "Edge function cannot access secrets properly"
+            echo "Response: $response"
+            track_test_failure
+        fi
     fi
     
     # Clean up function

package/backend/tests/local/test-traditional-rest.sh

@@ -62,7 +62,7 @@ test_response_format "No data wrapper" "$response" '"data":{' "true"
 print_info "2. Testing Authentication Errors"
 response=$(curl -s "$API_BASE/auth/sessions/current")
 test_response_format "Error format" "$response" '"error":"AUTH_INVALID_CREDENTIALS"'
-test_response_format "Message field" "$response" '"message":"Invalid token"'
+test_response_format "Message field" "$response" '"message":"No token provided"'
 # JWT auth includes error and message fields
 
 # 3. Test Login Endpoint (Missing Credentials)
@@ -100,7 +100,7 @@ if echo "$auth_response" | grep -q '"accessToken"'; then
     # Test authenticated endpoints
     print_info "6. Testing Database Tables List (Authenticated)"
     response=$(curl -s "$API_BASE/database/tables" \
-        -H "Authorization: Bearer $AUTH_TOKEN")
+        -H "Authorization: Bearer $ADMIN_TOKEN")
     test_response_format "Direct array response" "$response" '^\['
     test_response_format "No wrapper object" "$response" '"data":\[' "true"
     

package/backend/tests/manual/test-rawsql-modes.sh

@@ -0,0 +1,244 @@
+#!/bin/bash
+
+# Test script for raw SQL endpoints - strict vs relaxed modes
+# Tests the differences between /rawsql and /rawsql/unrestricted
+
+# Configuration
+BASE_URL="http://localhost:7130/api/database/advance"
+TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDEiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6InByb2plY3RfYWRtaW4iLCJpYXQiOjE3NTk5NzkxMjcsImV4cCI6MTc2MDU4MzkyN30.mVFDicZBzrBlPhfccfcjFaE9AcB09U3whRZOsC81ZSw"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+echo "=============================================="
+echo "RAW SQL MODES TEST SCRIPT"
+echo "=============================================="
+echo "Testing strict vs relaxed sanitization modes"
+echo "=============================================="
+echo ""
+
+# Function to test endpoint
+test_endpoint() {
+    local mode="$1"
+    local endpoint="$2"
+    local test_name="$3"
+    local query="$4"
+    local expected_result="$5"  # "pass" or "fail"
+
+    echo -e "${CYAN}[$mode] $test_name${NC}"
+    echo "Query: $query"
+    echo "Expected: $expected_result"
+
+    # Make the API request
+    RESPONSE=$(curl -s -w "\n:HTTP_CODE:%{http_code}" -X POST "$BASE_URL/$endpoint" \
+        -H "Content-Type: application/json" \
+        -H "Authorization: Bearer $TOKEN" \
+        -d "{\"query\": \"$query\"}" 2>&1)
+
+    # Extract HTTP code and response body
+    HTTP_CODE=$(echo "$RESPONSE" | grep ":HTTP_CODE:" | cut -d: -f3)
+    RESPONSE_BODY=$(echo "$RESPONSE" | sed '/^:HTTP_CODE:/d')
+
+    # Check result
+    if [ "$expected_result" = "pass" ]; then
+        if [ "$HTTP_CODE" = "200" ]; then
+            echo -e "${GREEN}✓ PASS - Query executed successfully${NC}"
+        else
+            echo -e "${RED}✗ FAIL - Expected success but got error${NC}"
+            echo "Response: $RESPONSE_BODY"
+        fi
+    else
+        if [ "$HTTP_CODE" = "200" ]; then
+            echo -e "${RED}✗ FAIL - Expected block but query executed${NC}"
+            echo "Response: $RESPONSE_BODY"
+        else
+            echo -e "${GREEN}✓ PASS - Query blocked as expected${NC}"
+            ERROR_MSG=$(echo "$RESPONSE_BODY" | jq -r '.message' 2>/dev/null || echo "$RESPONSE_BODY")
+            echo "Error: $ERROR_MSG"
+        fi
+    fi
+
+    echo ""
+}
+
+echo -e "${BLUE}=== STRICT MODE TESTS (/rawsql) ===${NC}"
+echo ""
+
+# Test 1: Strict mode allows SELECT from system table (read-only)
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Allow SELECT from system table" \
+    "SELECT * FROM _secrets LIMIT 1;" \
+    "pass"
+
+# Test 2: Strict mode blocks system table INSERT
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Block INSERT into system table" \
+    "INSERT INTO _secrets (name, value_ciphertext) VALUES ('test', 'value');" \
+    "fail"
+
+# Test 3: Strict mode blocks pg_catalog
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Block pg_catalog query" \
+    "SELECT * FROM pg_catalog.pg_tables LIMIT 1;" \
+    "fail"
+
+# Test 4: Strict mode blocks information_schema
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Block information_schema query" \
+    "SELECT * FROM information_schema.tables LIMIT 1;" \
+    "fail"
+
+# Test 5: Strict mode blocks INSERT into users
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Block INSERT into users table" \
+    "INSERT INTO users (id, nickname) VALUES (gen_random_uuid(), 'testuser');" \
+    "fail"
+
+# Test 6: Strict mode allows regular table operations
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Allow SELECT from regular table" \
+    "SELECT COUNT(*) FROM users;" \
+    "pass"
+
+echo -e "${BLUE}=== RELAXED MODE TESTS (/rawsql/unrestricted) ===${NC}"
+echo ""
+
+# Test 7: Relaxed mode allows SELECT from system table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Allow SELECT from system table" \
+    "SELECT * FROM _secrets LIMIT 1;" \
+    "pass"
+
+# Test 8: Relaxed mode allows INSERT into system table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Allow INSERT into system table" \
+    "INSERT INTO _audit_logs (actor, action, module) VALUES ('test_actor', 'TEST_ACTION', 'TEST_MODULE');" \
+    "pass"
+
+# Test 9: Relaxed mode blocks UPDATE system table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block UPDATE system table" \
+    "UPDATE _audit_logs SET actor = 'updated' WHERE action = 'TEST_ACTION';" \
+    "fail"
+
+# Test 10: Relaxed mode blocks DELETE FROM system table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block DELETE FROM system table" \
+    "DELETE FROM _audit_logs WHERE action = 'TEST_ACTION';" \
+    "fail"
+
+# Test 11: Relaxed mode blocks DROP system table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block DROP system table" \
+    "DROP TABLE _secrets;" \
+    "fail"
+
+# Test 12: Relaxed mode allows SELECT from users (INSERT requires foreign key to _accounts, so skip)
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Allow SELECT from users table" \
+    "SELECT COUNT(*) FROM users;" \
+    "pass"
+
+# Test 13: Relaxed mode blocks DROP users table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block DROP users table" \
+    "DROP TABLE users;" \
+    "fail"
+
+# Test 14: Relaxed mode blocks RENAME users table
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block RENAME users table" \
+    "ALTER TABLE users RENAME TO users_backup;" \
+    "fail"
+
+echo -e "${BLUE}=== BOTH MODES - DATABASE LEVEL BLOCKS ===${NC}"
+echo ""
+
+# Test 15: Strict mode blocks DROP DATABASE
+test_endpoint \
+    "STRICT" \
+    "rawsql" \
+    "Block DROP DATABASE" \
+    "DROP DATABASE testdb;" \
+    "fail"
+
+# Test 16: Relaxed mode blocks DROP DATABASE
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block DROP DATABASE" \
+    "DROP DATABASE testdb;" \
+    "fail"
+
+# Test 17: Relaxed mode blocks pg_catalog
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block pg_catalog access" \
+    "SELECT * FROM pg_catalog.pg_tables LIMIT 1;" \
+    "fail"
+
+# Test 18: Relaxed mode blocks information_schema
+test_endpoint \
+    "RELAXED" \
+    "rawsql/unrestricted" \
+    "Block information_schema access" \
+    "SELECT * FROM information_schema.tables LIMIT 1;" \
+    "fail"
+
+echo "=============================================="
+echo "TEST SUMMARY"
+echo "=============================================="
+echo ""
+echo -e "${GREEN}STRICT MODE (/rawsql):${NC}"
+echo "  - ✅ Allows SELECT from system tables (read-only)"
+echo "  - ❌ Blocks INSERT/UPDATE/DELETE/DROP/ALTER on system tables"
+echo "  - ❌ Blocks ALL operations on users table"
+echo "  - ❌ Blocks pg_catalog and information_schema"
+echo "  - ❌ Blocks database-level operations"
+echo ""
+echo -e "${GREEN}RELAXED MODE (/rawsql/unrestricted):${NC}"
+echo "  - ✅ Allows SELECT from system tables"
+echo "  - ✅ Allows INSERT into system tables"
+echo "  - ✅ Allows SELECT from users table"
+echo "  - ❌ Blocks UPDATE of system tables"
+echo "  - ❌ Blocks DELETE FROM system tables"
+echo "  - ❌ Blocks DROP/ALTER/TRUNCATE system tables"
+echo "  - ❌ Blocks DROP/RENAME users table"
+echo "  - ❌ Blocks pg_catalog and information_schema"
+echo "  - ❌ Blocks database-level operations"
+echo ""
+echo -e "${CYAN}All tests completed!${NC}"

package/backend/tests/test-config.sh

@@ -83,6 +83,9 @@ declare -a TEST_USERS_CREATED=()
 # Array to track test buckets created
 declare -a TEST_BUCKETS_CREATED=()
 
+# Array to track test AI configs created
+declare -a TEST_AI_CONFIGS_CREATED=()
+
 # Function to register a table for cleanup
 register_test_table() {
     local table_name=$1
@@ -101,6 +104,12 @@ register_test_bucket() {
     TEST_BUCKETS_CREATED+=("$bucket_name")
 }
 
+# Function to register an AI config for cleanup
+register_test_ai_config() {
+    local config_id=$1
+    TEST_AI_CONFIGS_CREATED+=("$config_id")
+}
+
 # Function to register a user with Better Auth
 register_user() {
     local email=$1
@@ -253,7 +262,34 @@ cleanup_test_data() {
             cleanup_failed=1
         fi
     fi
-    
+
+    # 4. Delete all test AI configurations
+    if [ ${#TEST_AI_CONFIGS_CREATED[@]} -gt 0 ]; then
+        if [ -n "$admin_token" ]; then
+            print_info "Deleting test AI configurations..."
+            for config_id in "${TEST_AI_CONFIGS_CREATED[@]}"; do
+                print_info "  - Deleting AI config: $config_id"
+                delete_response=$(curl -s -w "\n%{http_code}" -X DELETE "$TEST_API_BASE/ai/configurations/$config_id" \
+                    -H "Authorization: Bearer $admin_token" 2>/dev/null || echo "500")
+                status=$(echo "$delete_response" | tail -n 1)
+                # 404 is OK - means already deleted
+                if [ "$status" -ge 200 ] && [ "$status" -lt 300 ] || [ "$status" -eq 404 ]; then
+                    echo "    ✓ Deleted (or already gone)"
+                else
+                    echo "    ✗ Failed (status: $status)"
+                    cleanup_failed=1
+                fi
+            done
+        else
+            print_fail "Cannot delete AI configs without admin token"
+            print_info "AI configs to delete manually:"
+            for config_id in "${TEST_AI_CONFIGS_CREATED[@]}"; do
+                echo "  - $config_id"
+            done
+            cleanup_failed=1
+        fi
+    fi
+
     if [ $cleanup_failed -eq 1 ]; then
         print_fail "Cleanup completed with errors - some resources may need manual cleanup"
     else

package/backend/tests/unit/cloud-token.test.ts

@@ -0,0 +1,48 @@
+import { TokenManager } from '../../src/infra/security/token.manager';
+import { jwtVerify } from 'jose';
+import { AppError } from '../../src/api/middlewares/error';
+import { describe, it, expect, beforeEach, afterAll, vi } from 'vitest';
+
+// Mock jose.jwtVerify
+vi.mock('jose', () => ({
+  jwtVerify: vi.fn(),
+  createRemoteJWKSet: vi.fn(() => 'mockedJwks'),
+}));
+
+describe('TokenManager.verifyCloudToken', () => {
+  const oldEnv = process.env;
+  let tokenManager: TokenManager;
+
+  beforeEach(() => {
+    vi.resetAllMocks();
+    process.env = {
+      ...oldEnv,
+      PROJECT_ID: 'project_123',
+      CLOUD_API_HOST: 'https://mock-api.dev',
+      JWT_SECRET: 'test-secret-key',
+    };
+    tokenManager = TokenManager.getInstance();
+  });
+
+  afterAll(() => {
+    process.env = oldEnv;
+  });
+
+  it('returns payload and projectId if valid', async () => {
+    (jwtVerify as unknown as ReturnType<typeof vi.fn>).mockResolvedValue({
+      payload: { projectId: 'project_123', user: 'testUser' },
+    });
+
+    const result = await tokenManager.verifyCloudToken('valid-token');
+    expect(result.projectId).toBe('project_123');
+    expect(result.payload.user).toBe('testUser');
+  });
+
+  it('throws AppError if project ID mismatch or missing', async () => {
+    (jwtVerify as unknown as ReturnType<typeof vi.fn>).mockResolvedValue({
+      payload: {}, // missing projectId also counts as mismatch
+    });
+
+    await expect(tokenManager.verifyCloudToken('token')).rejects.toThrow(AppError);
+  });
+});

package/backend/tests/unit/constant.test.ts

@@ -0,0 +1,8 @@
+import { ADMIN_ID } from '../../src/utils/constants';
+import { describe, it, expect } from 'vitest';
+
+describe('ADMIN_ID constant', () => {
+  it('should have the correct fixed UUID value', () => {
+    expect(ADMIN_ID).toBe('00000000-0000-0000-0000-000000000001');
+  });
+});