npm - payload-plugin-newsletter - Versions diffs - 0.3.0 → 0.3.2 - Mend

payload-plugin-newsletter 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/dist/src/__tests__/security/xss-prevention.test.js ADDED Viewed

@@ -0,0 +1,305 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { createPayloadRequestMock, seedCollection, clearCollections } from '../mocks/payload';
+import { mockNewsletterSettings } from '../fixtures/newsletter-settings';
+describe('XSS Prevention', ()=>{
+    let mockReq;
+    const config = {};
+    beforeEach(()=>{
+        clearCollections();
+        seedCollection('newsletter-settings', [
+            mockNewsletterSettings
+        ]);
+        const payloadMock = createPayloadRequestMock();
+        mockReq = {
+            payload: payloadMock.payload,
+            body: {}
+        };
+        vi.clearAllMocks();
+    });
+    describe('Input Sanitization', ()=>{
+        it('should sanitize subscriber name field', async ()=>{
+            const maliciousNames = [
+                '<script>alert("xss")</script>John',
+                'John<img src=x onerror=alert("xss")>',
+                'John<iframe src="javascript:alert(\'xss\')"></iframe>',
+                '<svg onload=alert("xss")>John</svg>',
+                'John<body onload=alert("xss")>'
+            ];
+            for (const maliciousName of maliciousNames){
+                const result = await mockReq.payload.create({
+                    collection: 'subscribers',
+                    data: {
+                        email: `test${Date.now()}@example.com`,
+                        name: maliciousName
+                    }
+                });
+                // Name should be sanitized (implementation dependent)
+                expect(result.name).not.toContain('<script>');
+                expect(result.name).not.toContain('alert(');
+                expect(result.name).not.toContain('onerror=');
+                expect(result.name).not.toContain('javascript:');
+            }
+        });
+        it('should not allow HTML in email addresses', async ()=>{
+            const maliciousEmails = [
+                'user<script>alert("xss")</script>@example.com',
+                'user@example.com<img src=x onerror=alert("xss")>',
+                '<user@example.com>'
+            ];
+            for (const maliciousEmail of maliciousEmails){
+                try {
+                    await mockReq.payload.create({
+                        collection: 'subscribers',
+                        data: {
+                            email: maliciousEmail,
+                            name: 'Test User'
+                        }
+                    });
+                } catch (error) {
+                    // Should fail validation
+                    expect(error.message).toContain('Invalid email');
+                }
+            }
+        });
+        it('should sanitize custom fields', async ()=>{
+            const result = await mockReq.payload.create({
+                collection: 'subscribers',
+                data: {
+                    email: 'test@example.com',
+                    name: 'Test User',
+                    customField: '<script>alert("xss")</script>Custom Value'
+                }
+            });
+            if (result.customField) {
+                expect(result.customField).not.toContain('<script>');
+                expect(result.customField).not.toContain('alert(');
+            }
+        });
+    });
+    describe('Template Injection Prevention', ()=>{
+        it('should prevent template injection in email subjects', async ()=>{
+            const maliciousSubjects = [
+                '{{process.env.JWT_SECRET}}',
+                '${process.env.JWT_SECRET}',
+                '<%= process.env.JWT_SECRET %>',
+                '#{process.env.JWT_SECRET}'
+            ];
+            for (const subject of maliciousSubjects){
+                const settings = await mockReq.payload.update({
+                    collection: 'newsletter-settings',
+                    id: 'settings-1',
+                    data: {
+                        emailTemplates: {
+                            welcome: {
+                                subject: subject
+                            }
+                        }
+                    }
+                });
+                // Subject should be treated as literal string, not evaluated
+                expect(settings.emailTemplates.welcome.subject).toBe(subject);
+            // When used, should not expose secrets
+            }
+        });
+        it('should escape user data in email templates', ()=>{
+            // Template rendering function (example)
+            const renderTemplate = (template, data)=>{
+                // Should escape HTML entities
+                const escaped = {};
+                for (const [key, value] of Object.entries(data)){
+                    if (typeof value === 'string') {
+                        escaped[key] = value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
+                    } else {
+                        escaped[key] = value;
+                    }
+                }
+                // Simple template replacement
+                return template.replace(/\{\{(\w+)\}\}/g, (match, key)=>escaped[key] || '');
+            };
+            const template = '<p>Hello {{name}}, welcome to {{newsletter}}!</p>';
+            const maliciousData = {
+                name: '<script>alert("xss")</script>',
+                newsletter: 'Test Newsletter<img src=x onerror=alert("xss")>'
+            };
+            const rendered = renderTemplate(template, maliciousData);
+            expect(rendered).not.toContain('<script>');
+            expect(rendered).not.toContain('<img src=x onerror=');
+            expect(rendered).toContain('&lt;script&gt;');
+            expect(rendered).toContain('&lt;img');
+        });
+    });
+    describe('Content Security Policy', ()=>{
+        it('should set appropriate CSP headers for admin UI', ()=>{
+            // Mock response headers
+            const headers = {};
+            // CSP middleware (example)
+            const setCSPHeaders = (res)=>{
+                res.setHeader('Content-Security-Policy', [
+                    "default-src 'self'",
+                    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+                    "style-src 'self' 'unsafe-inline'",
+                    "img-src 'self' data: https:",
+                    "font-src 'self'",
+                    "connect-src 'self'",
+                    "frame-ancestors 'none'",
+                    "base-uri 'self'",
+                    "form-action 'self'"
+                ].join('; '));
+            };
+            const mockRes = {
+                setHeader: (name, value)=>{
+                    headers[name] = value;
+                }
+            };
+            setCSPHeaders(mockRes);
+            expect(headers['Content-Security-Policy']).toContain("default-src 'self'");
+            expect(headers['Content-Security-Policy']).toContain("frame-ancestors 'none'");
+        });
+    });
+    describe('JSON Injection Prevention', ()=>{
+        it('should prevent JSON injection in API responses', async ()=>{
+            const maliciousData = {
+                email: 'test@example.com',
+                name: 'Test", "isAdmin": true, "name": "Hacked'
+            };
+            const result = await mockReq.payload.create({
+                collection: 'subscribers',
+                data: maliciousData
+            });
+            // The name should be stored as a string, not parsed as JSON
+            expect(result.name).toBe(maliciousData.name);
+            expect(result.isAdmin).toBeUndefined();
+        });
+        it('should properly escape JSON in responses', ()=>{
+            const escapeJSON = (data)=>{
+                return JSON.stringify(data).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
+            };
+            const data = {
+                name: 'Test\u2028User\u2029',
+                email: 'test@example.com'
+            };
+            const escaped = escapeJSON(data);
+            expect(escaped).not.toContain('\u2028');
+            expect(escaped).not.toContain('\u2029');
+        });
+    });
+    describe('URL Injection Prevention', ()=>{
+        it('should validate redirect URLs', ()=>{
+            const validateRedirectUrl = (url, allowedHosts)=>{
+                try {
+                    const parsed = new URL(url);
+                    return allowedHosts.includes(parsed.host);
+                } catch  {
+                    return false;
+                }
+            };
+            const allowedHosts = [
+                'example.com',
+                'app.example.com'
+            ];
+            // Valid URLs
+            expect(validateRedirectUrl('https://example.com/preferences', allowedHosts)).toBe(true);
+            expect(validateRedirectUrl('https://app.example.com/unsubscribe', allowedHosts)).toBe(true);
+            // Invalid URLs
+            expect(validateRedirectUrl('https://evil.com/phishing', allowedHosts)).toBe(false);
+            expect(validateRedirectUrl('javascript:alert("xss")', allowedHosts)).toBe(false);
+            expect(validateRedirectUrl('data:text/html,<script>alert("xss")</script>', allowedHosts)).toBe(false);
+        });
+        it('should sanitize magic link URLs', ()=>{
+            const generateMagicLink = (baseUrl, token)=>{
+                // Validate base URL
+                try {
+                    const url = new URL(baseUrl);
+                    if (![
+                        'http:',
+                        'https:'
+                    ].includes(url.protocol)) {
+                        throw new Error('Invalid protocol');
+                    }
+                    // Encode token to prevent injection
+                    url.searchParams.set('token', encodeURIComponent(token));
+                    return url.toString();
+                } catch  {
+                    throw new Error('Invalid base URL');
+                }
+            };
+            // Valid usage
+            const link = generateMagicLink('https://example.com/verify', 'abc123');
+            expect(link).toBe('https://example.com/verify?token=abc123');
+            // Token with special characters
+            const maliciousToken = '"><script>alert("xss")</script>';
+            const safeLink = generateMagicLink('https://example.com/verify', maliciousToken);
+            expect(safeLink).not.toContain('<script>');
+            // Verify the token is properly encoded (double-encoding is actually safer)
+            expect(safeLink).toContain('%253Cscript%253E');
+            expect(safeLink).toContain('%2522');
+            // Invalid base URLs
+            expect(()=>generateMagicLink('javascript:alert("xss")', 'token')).toThrow();
+            expect(()=>generateMagicLink('data:text/html,test', 'token')).toThrow();
+        });
+    });
+    describe('MongoDB Injection Prevention', ()=>{
+        it('should prevent NoSQL injection in queries', async ()=>{
+            // Malicious input attempting to bypass authentication
+            const maliciousInputs = [
+                {
+                    email: {
+                        $ne: null
+                    }
+                },
+                {
+                    email: {
+                        $regex: '.*'
+                    }
+                },
+                {
+                    email: {
+                        $where: 'this.isAdmin == true'
+                    }
+                }
+            ];
+            for (const input of maliciousInputs){
+                try {
+                    await mockReq.payload.find({
+                        collection: 'subscribers',
+                        where: input
+                    });
+                } catch (error) {
+                    // Should either sanitize or reject
+                    expect(error.message).toContain('Invalid');
+                }
+            }
+        });
+        it('should sanitize field names', async ()=>{
+            const maliciousFields = [
+                {
+                    '$where': 'malicious code'
+                },
+                {
+                    '__proto__': {
+                        isAdmin: true
+                    }
+                },
+                {
+                    'constructor.prototype.isAdmin': true
+                }
+            ];
+            for (const fields of maliciousFields){
+                try {
+                    await mockReq.payload.create({
+                        collection: 'subscribers',
+                        data: {
+                            email: 'test@example.com',
+                            ...fields
+                        }
+                    });
+                } catch (error) {
+                    // Should reject dangerous field names
+                    expect(error).toBeDefined();
+                }
+            }
+        });
+    });
+});
+//# sourceMappingURL=xss-prevention.test.js.map

package/dist/src/__tests__/security/xss-prevention.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/__tests__/security/xss-prevention.test.ts"],"sourcesContent":["import { describe, it, expect, beforeEach, vi } from 'vitest'\nimport { createPayloadRequestMock, seedCollection, clearCollections } from '../mocks/payload'\nimport { mockNewsletterSettings } from '../fixtures/newsletter-settings'\nimport type { NewsletterPluginConfig } from '../../types'\n\ndescribe('XSS Prevention', () => {\n let mockReq: any\n const config: NewsletterPluginConfig = {}\n\n beforeEach(() => {\n clearCollections()\n seedCollection('newsletter-settings', [mockNewsletterSettings])\n \n const payloadMock = createPayloadRequestMock()\n mockReq = {\n payload: payloadMock.payload,\n body: {},\n }\n \n vi.clearAllMocks()\n })\n\n describe('Input Sanitization', () => {\n it('should sanitize subscriber name field', async () => {\n const maliciousNames = [\n '<script>alert(\"xss\")</script>John',\n 'John<img src=x onerror=alert(\"xss\")>',\n 'John<iframe src=\"javascript:alert(\\'xss\\')\"></iframe>',\n '<svg onload=alert(\"xss\")>John</svg>',\n 'John<body onload=alert(\"xss\")>',\n ]\n\n for (const maliciousName of maliciousNames) {\n const result = await mockReq.payload.create({\n collection: 'subscribers',\n data: {\n email: `test${Date.now()}@example.com`,\n name: maliciousName,\n },\n })\n\n // Name should be sanitized (implementation dependent)\n expect(result.name).not.toContain('<script>')\n expect(result.name).not.toContain('alert(')\n expect(result.name).not.toContain('onerror=')\n expect(result.name).not.toContain('javascript:')\n }\n })\n\n it('should not allow HTML in email addresses', async () => {\n const maliciousEmails = [\n 'user<script>alert(\"xss\")</script>@example.com',\n 'user@example.com<img src=x onerror=alert(\"xss\")>',\n '<user@example.com>',\n ]\n\n for (const maliciousEmail of maliciousEmails) {\n try {\n await mockReq.payload.create({\n collection: 'subscribers',\n data: {\n email: maliciousEmail,\n name: 'Test User',\n },\n })\n } catch (error: any) {\n // Should fail validation\n expect(error.message).toContain('Invalid email')\n }\n }\n })\n\n it('should sanitize custom fields', async () => {\n const result = await mockReq.payload.create({\n collection: 'subscribers',\n data: {\n email: 'test@example.com',\n name: 'Test User',\n customField: '<script>alert(\"xss\")</script>Custom Value',\n },\n })\n\n if (result.customField) {\n expect(result.customField).not.toContain('<script>')\n expect(result.customField).not.toContain('alert(')\n }\n })\n })\n\n describe('Template Injection Prevention', () => {\n it('should prevent template injection in email subjects', async () => {\n const maliciousSubjects = [\n '{{process.env.JWT_SECRET}}',\n '${process.env.JWT_SECRET}',\n '<%= process.env.JWT_SECRET %>',\n '#{process.env.JWT_SECRET}',\n ]\n\n for (const subject of maliciousSubjects) {\n const settings = await mockReq.payload.update({\n collection: 'newsletter-settings',\n id: 'settings-1',\n data: {\n emailTemplates: {\n welcome: {\n subject: subject,\n },\n },\n },\n })\n\n // Subject should be treated as literal string, not evaluated\n expect(settings.emailTemplates.welcome.subject).toBe(subject)\n // When used, should not expose secrets\n }\n })\n\n it('should escape user data in email templates', () => {\n // Template rendering function (example)\n const renderTemplate = (template: string, data: any) => {\n // Should escape HTML entities\n const escaped: any = {}\n for (const [key, value] of Object.entries(data)) {\n if (typeof value === 'string') {\n escaped[key] = value\n .replace(/&/g, '&')\n .replace(/</g, '<')\n .replace(/>/g, '>')\n .replace(/\"/g, '"')\n .replace(/'/g, ''')\n } else {\n escaped[key] = value\n }\n }\n \n // Simple template replacement\n return template.replace(/\\{\\{(\\w+)\\}\\}/g, (match, key) => escaped[key] || '')\n }\n\n const template = '<p>Hello {{name}}, welcome to {{newsletter}}!</p>'\n const maliciousData = {\n name: '<script>alert(\"xss\")</script>',\n newsletter: 'Test Newsletter<img src=x onerror=alert(\"xss\")>',\n }\n\n const rendered = renderTemplate(template, maliciousData)\n \n expect(rendered).not.toContain('<script>')\n expect(rendered).not.toContain('<img src=x onerror=')\n expect(rendered).toContain('<script>')\n expect(rendered).toContain('<img')\n })\n })\n\n describe('Content Security Policy', () => {\n it('should set appropriate CSP headers for admin UI', () => {\n // Mock response headers\n const headers: Record<string, string> = {}\n \n // CSP middleware (example)\n const setCSPHeaders = (res: any) => {\n res.setHeader('Content-Security-Policy', [\n \"default-src 'self'\",\n \"script-src 'self' 'unsafe-inline' 'unsafe-eval'\", // Payload admin needs these\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"connect-src 'self'\",\n \"frame-ancestors 'none'\",\n \"base-uri 'self'\",\n \"form-action 'self'\",\n ].join('; '))\n }\n\n const mockRes = {\n setHeader: (name: string, value: string) => {\n headers[name] = value\n },\n }\n\n setCSPHeaders(mockRes)\n \n expect(headers['Content-Security-Policy']).toContain(\"default-src 'self'\")\n expect(headers['Content-Security-Policy']).toContain(\"frame-ancestors 'none'\")\n })\n })\n\n describe('JSON Injection Prevention', () => {\n it('should prevent JSON injection in API responses', async () => {\n const maliciousData = {\n email: 'test@example.com',\n name: 'Test\", \"isAdmin\": true, \"name\": \"Hacked',\n }\n\n const result = await mockReq.payload.create({\n collection: 'subscribers',\n data: maliciousData,\n })\n\n // The name should be stored as a string, not parsed as JSON\n expect(result.name).toBe(maliciousData.name)\n expect(result.isAdmin).toBeUndefined()\n })\n\n it('should properly escape JSON in responses', () => {\n const escapeJSON = (data: any): string => {\n return JSON.stringify(data)\n .replace(/\\u2028/g, '\\\\u2028')\n .replace(/\\u2029/g, '\\\\u2029')\n }\n\n const data = {\n name: 'Test\\u2028User\\u2029',\n email: 'test@example.com',\n }\n\n const escaped = escapeJSON(data)\n expect(escaped).not.toContain('\\u2028')\n expect(escaped).not.toContain('\\u2029')\n })\n })\n\n describe('URL Injection Prevention', () => {\n it('should validate redirect URLs', () => {\n const validateRedirectUrl = (url: string, allowedHosts: string[]): boolean => {\n try {\n const parsed = new URL(url)\n return allowedHosts.includes(parsed.host)\n } catch {\n return false\n }\n }\n\n const allowedHosts = ['example.com', 'app.example.com']\n \n // Valid URLs\n expect(validateRedirectUrl('https://example.com/preferences', allowedHosts)).toBe(true)\n expect(validateRedirectUrl('https://app.example.com/unsubscribe', allowedHosts)).toBe(true)\n \n // Invalid URLs\n expect(validateRedirectUrl('https://evil.com/phishing', allowedHosts)).toBe(false)\n expect(validateRedirectUrl('javascript:alert(\"xss\")', allowedHosts)).toBe(false)\n expect(validateRedirectUrl('data:text/html,<script>alert(\"xss\")</script>', allowedHosts)).toBe(false)\n })\n\n it('should sanitize magic link URLs', () => {\n const generateMagicLink = (baseUrl: string, token: string): string => {\n // Validate base URL\n try {\n const url = new URL(baseUrl)\n if (!['http:', 'https:'].includes(url.protocol)) {\n throw new Error('Invalid protocol')\n }\n \n // Encode token to prevent injection\n url.searchParams.set('token', encodeURIComponent(token))\n return url.toString()\n } catch {\n throw new Error('Invalid base URL')\n }\n }\n\n // Valid usage\n const link = generateMagicLink('https://example.com/verify', 'abc123')\n expect(link).toBe('https://example.com/verify?token=abc123')\n \n // Token with special characters\n const maliciousToken = '\"><script>alert(\"xss\")</script>'\n const safeLink = generateMagicLink('https://example.com/verify', maliciousToken)\n expect(safeLink).not.toContain('<script>')\n // Verify the token is properly encoded (double-encoding is actually safer)\n expect(safeLink).toContain('%253Cscript%253E')\n expect(safeLink).toContain('%2522')\n \n // Invalid base URLs\n expect(() => generateMagicLink('javascript:alert(\"xss\")', 'token')).toThrow()\n expect(() => generateMagicLink('data:text/html,test', 'token')).toThrow()\n })\n })\n\n describe('MongoDB Injection Prevention', () => {\n it('should prevent NoSQL injection in queries', async () => {\n // Malicious input attempting to bypass authentication\n const maliciousInputs = [\n { email: { $ne: null } }, // Trying to get all records\n { email: { $regex: '.*' } }, // Regex injection\n { email: { $where: 'this.isAdmin == true' } }, // JavaScript injection\n ]\n\n for (const input of maliciousInputs) {\n try {\n await mockReq.payload.find({\n collection: 'subscribers',\n where: input as any,\n })\n } catch (error: any) {\n // Should either sanitize or reject\n expect(error.message).toContain('Invalid')\n }\n }\n })\n\n it('should sanitize field names', async () => {\n const maliciousFields = [\n { '$where': 'malicious code' },\n { '__proto__': { isAdmin: true } },\n { 'constructor.prototype.isAdmin': true },\n ]\n\n for (const fields of maliciousFields) {\n try {\n await mockReq.payload.create({\n collection: 'subscribers',\n data: {\n email: 'test@example.com',\n ...fields,\n },\n })\n } catch (error: any) {\n // Should reject dangerous field names\n expect(error).toBeDefined()\n }\n }\n })\n })\n})"],"names":["describe","it","expect","beforeEach","vi","createPayloadRequestMock","seedCollection","clearCollections","mockNewsletterSettings","mockReq","config","payloadMock","payload","body","clearAllMocks","maliciousNames","maliciousName","result","create","collection","data","email","Date","now","name","not","toContain","maliciousEmails","maliciousEmail","error","message","customField","maliciousSubjects","subject","settings","update","id","emailTemplates","welcome","toBe","renderTemplate","template","escaped","key","value","Object","entries","replace","match","maliciousData","newsletter","rendered","headers","setCSPHeaders","res","setHeader","join","mockRes","isAdmin","toBeUndefined","escapeJSON","JSON","stringify","validateRedirectUrl","url","allowedHosts","parsed","URL","includes","host","generateMagicLink","baseUrl","token","protocol","Error","searchParams","set","encodeURIComponent","toString","link","maliciousToken","safeLink","toThrow","maliciousInputs","$ne","$regex","$where","input","find","where","maliciousFields","fields","toBeDefined"],"mappings":"AAAA,SAASA,QAAQ,EAAEC,EAAE,EAAEC,MAAM,EAAEC,UAAU,EAAEC,EAAE,QAAQ,SAAQ;AAC7D,SAASC,wBAAwB,EAAEC,cAAc,EAAEC,gBAAgB,QAAQ,mBAAkB;AAC7F,SAASC,sBAAsB,QAAQ,kCAAiC;AAGxER,SAAS,kBAAkB;IACzB,IAAIS;IACJ,MAAMC,SAAiC,CAAC;IAExCP,WAAW;QACTI;QACAD,eAAe,uBAAuB;YAACE;SAAuB;QAE9D,MAAMG,cAAcN;QACpBI,UAAU;YACRG,SAASD,YAAYC,OAAO;YAC5BC,MAAM,CAAC;QACT;QAEAT,GAAGU,aAAa;IAClB;IAEAd,SAAS,sBAAsB;QAC7BC,GAAG,yCAAyC;YAC1C,MAAMc,iBAAiB;gBACrB;gBACA;gBACA;gBACA;gBACA;aACD;YAED,KAAK,MAAMC,iBAAiBD,eAAgB;gBAC1C,MAAME,SAAS,MAAMR,QAAQG,OAAO,CAACM,MAAM,CAAC;oBAC1CC,YAAY;oBACZC,MAAM;wBACJC,OAAO,CAAC,IAAI,EAAEC,KAAKC,GAAG,GAAG,YAAY,CAAC;wBACtCC,MAAMR;oBACR;gBACF;gBAEA,sDAAsD;gBACtDd,OAAOe,OAAOO,IAAI,EAAEC,GAAG,CAACC,SAAS,CAAC;gBAClCxB,OAAOe,OAAOO,IAAI,EAAEC,GAAG,CAACC,SAAS,CAAC;gBAClCxB,OAAOe,OAAOO,IAAI,EAAEC,GAAG,CAACC,SAAS,CAAC;gBAClCxB,OAAOe,OAAOO,IAAI,EAAEC,GAAG,CAACC,SAAS,CAAC;YACpC;QACF;QAEAzB,GAAG,4CAA4C;YAC7C,MAAM0B,kBAAkB;gBACtB;gBACA;gBACA;aACD;YAED,KAAK,MAAMC,kBAAkBD,gBAAiB;gBAC5C,IAAI;oBACF,MAAMlB,QAAQG,OAAO,CAACM,MAAM,CAAC;wBAC3BC,YAAY;wBACZC,MAAM;4BACJC,OAAOO;4BACPJ,MAAM;wBACR;oBACF;gBACF,EAAE,OAAOK,OAAY;oBACnB,yBAAyB;oBACzB3B,OAAO2B,MAAMC,OAAO,EAAEJ,SAAS,CAAC;gBAClC;YACF;QACF;QAEAzB,GAAG,iCAAiC;YAClC,MAAMgB,SAAS,MAAMR,QAAQG,OAAO,CAACM,MAAM,CAAC;gBAC1CC,YAAY;gBACZC,MAAM;oBACJC,OAAO;oBACPG,MAAM;oBACNO,aAAa;gBACf;YACF;YAEA,IAAId,OAAOc,WAAW,EAAE;gBACtB7B,OAAOe,OAAOc,WAAW,EAAEN,GAAG,CAACC,SAAS,CAAC;gBACzCxB,OAAOe,OAAOc,WAAW,EAAEN,GAAG,CAACC,SAAS,CAAC;YAC3C;QACF;IACF;IAEA1B,SAAS,iCAAiC;QACxCC,GAAG,uDAAuD;YACxD,MAAM+B,oBAAoB;gBACxB;gBACA;gBACA;gBACA;aACD;YAED,KAAK,MAAMC,WAAWD,kBAAmB;gBACvC,MAAME,WAAW,MAAMzB,QAAQG,OAAO,CAACuB,MAAM,CAAC;oBAC5ChB,YAAY;oBACZiB,IAAI;oBACJhB,MAAM;wBACJiB,gBAAgB;4BACdC,SAAS;gCACPL,SAASA;4BACX;wBACF;oBACF;gBACF;gBAEA,6DAA6D;gBAC7D/B,OAAOgC,SAASG,cAAc,CAACC,OAAO,CAACL,OAAO,EAAEM,IAAI,CAACN;YACrD,uCAAuC;YACzC;QACF;QAEAhC,GAAG,8CAA8C;YAC/C,wCAAwC;YACxC,MAAMuC,iBAAiB,CAACC,UAAkBrB;gBACxC,8BAA8B;gBAC9B,MAAMsB,UAAe,CAAC;gBACtB,KAAK,MAAM,CAACC,KAAKC,MAAM,IAAIC,OAAOC,OAAO,CAAC1B,MAAO;oBAC/C,IAAI,OAAOwB,UAAU,UAAU;wBAC7BF,OAAO,CAACC,IAAI,GAAGC,MACZG,OAAO,CAAC,MAAM,SACdA,OAAO,CAAC,MAAM,QACdA,OAAO,CAAC,MAAM,QACdA,OAAO,CAAC,MAAM,UACdA,OAAO,CAAC,MAAM;oBACnB,OAAO;wBACLL,OAAO,CAACC,IAAI,GAAGC;oBACjB;gBACF;gBAEA,8BAA8B;gBAC9B,OAAOH,SAASM,OAAO,CAAC,kBAAkB,CAACC,OAAOL,MAAQD,OAAO,CAACC,IAAI,IAAI;YAC5E;YAEA,MAAMF,WAAW;YACjB,MAAMQ,gBAAgB;gBACpBzB,MAAM;gBACN0B,YAAY;YACd;YAEA,MAAMC,WAAWX,eAAeC,UAAUQ;YAE1C/C,OAAOiD,UAAU1B,GAAG,CAACC,SAAS,CAAC;YAC/BxB,OAAOiD,UAAU1B,GAAG,CAACC,SAAS,CAAC;YAC/BxB,OAAOiD,UAAUzB,SAAS,CAAC;YAC3BxB,OAAOiD,UAAUzB,SAAS,CAAC;QAC7B;IACF;IAEA1B,SAAS,2BAA2B;QAClCC,GAAG,mDAAmD;YACpD,wBAAwB;YACxB,MAAMmD,UAAkC,CAAC;YAEzC,2BAA2B;YAC3B,MAAMC,gBAAgB,CAACC;gBACrBA,IAAIC,SAAS,CAAC,2BAA2B;oBACvC;oBACA;oBACA;oBACA;oBACA;oBACA;oBACA;oBACA;oBACA;iBACD,CAACC,IAAI,CAAC;YACT;YAEA,MAAMC,UAAU;gBACdF,WAAW,CAAC/B,MAAcoB;oBACxBQ,OAAO,CAAC5B,KAAK,GAAGoB;gBAClB;YACF;YAEAS,cAAcI;YAEdvD,OAAOkD,OAAO,CAAC,0BAA0B,EAAE1B,SAAS,CAAC;YACrDxB,OAAOkD,OAAO,CAAC,0BAA0B,EAAE1B,SAAS,CAAC;QACvD;IACF;IAEA1B,SAAS,6BAA6B;QACpCC,GAAG,kDAAkD;YACnD,MAAMgD,gBAAgB;gBACpB5B,OAAO;gBACPG,MAAM;YACR;YAEA,MAAMP,SAAS,MAAMR,QAAQG,OAAO,CAACM,MAAM,CAAC;gBAC1CC,YAAY;gBACZC,MAAM6B;YACR;YAEA,4DAA4D;YAC5D/C,OAAOe,OAAOO,IAAI,EAAEe,IAAI,CAACU,cAAczB,IAAI;YAC3CtB,OAAOe,OAAOyC,OAAO,EAAEC,aAAa;QACtC;QAEA1D,GAAG,4CAA4C;YAC7C,MAAM2D,aAAa,CAACxC;gBAClB,OAAOyC,KAAKC,SAAS,CAAC1C,MACnB2B,OAAO,CAAC,WAAW,WACnBA,OAAO,CAAC,WAAW;YACxB;YAEA,MAAM3B,OAAO;gBACXI,MAAM;gBACNH,OAAO;YACT;YAEA,MAAMqB,UAAUkB,WAAWxC;YAC3BlB,OAAOwC,SAASjB,GAAG,CAACC,SAAS,CAAC;YAC9BxB,OAAOwC,SAASjB,GAAG,CAACC,SAAS,CAAC;QAChC;IACF;IAEA1B,SAAS,4BAA4B;QACnCC,GAAG,iCAAiC;YAClC,MAAM8D,sBAAsB,CAACC,KAAaC;gBACxC,IAAI;oBACF,MAAMC,SAAS,IAAIC,IAAIH;oBACvB,OAAOC,aAAaG,QAAQ,CAACF,OAAOG,IAAI;gBAC1C,EAAE,OAAM;oBACN,OAAO;gBACT;YACF;YAEA,MAAMJ,eAAe;gBAAC;gBAAe;aAAkB;YAEvD,aAAa;YACb/D,OAAO6D,oBAAoB,mCAAmCE,eAAe1B,IAAI,CAAC;YAClFrC,OAAO6D,oBAAoB,uCAAuCE,eAAe1B,IAAI,CAAC;YAEtF,eAAe;YACfrC,OAAO6D,oBAAoB,6BAA6BE,eAAe1B,IAAI,CAAC;YAC5ErC,OAAO6D,oBAAoB,2BAA2BE,eAAe1B,IAAI,CAAC;YAC1ErC,OAAO6D,oBAAoB,gDAAgDE,eAAe1B,IAAI,CAAC;QACjG;QAEAtC,GAAG,mCAAmC;YACpC,MAAMqE,oBAAoB,CAACC,SAAiBC;gBAC1C,oBAAoB;gBACpB,IAAI;oBACF,MAAMR,MAAM,IAAIG,IAAII;oBACpB,IAAI,CAAC;wBAAC;wBAAS;qBAAS,CAACH,QAAQ,CAACJ,IAAIS,QAAQ,GAAG;wBAC/C,MAAM,IAAIC,MAAM;oBAClB;oBAEA,oCAAoC;oBACpCV,IAAIW,YAAY,CAACC,GAAG,CAAC,SAASC,mBAAmBL;oBACjD,OAAOR,IAAIc,QAAQ;gBACrB,EAAE,OAAM;oBACN,MAAM,IAAIJ,MAAM;gBAClB;YACF;YAEA,cAAc;YACd,MAAMK,OAAOT,kBAAkB,8BAA8B;YAC7DpE,OAAO6E,MAAMxC,IAAI,CAAC;YAElB,gCAAgC;YAChC,MAAMyC,iBAAiB;YACvB,MAAMC,WAAWX,kBAAkB,8BAA8BU;YACjE9E,OAAO+E,UAAUxD,GAAG,CAACC,SAAS,CAAC;YAC/B,2EAA2E;YAC3ExB,OAAO+E,UAAUvD,SAAS,CAAC;YAC3BxB,OAAO+E,UAAUvD,SAAS,CAAC;YAE3B,oBAAoB;YACpBxB,OAAO,IAAMoE,kBAAkB,2BAA2B,UAAUY,OAAO;YAC3EhF,OAAO,IAAMoE,kBAAkB,uBAAuB,UAAUY,OAAO;QACzE;IACF;IAEAlF,SAAS,gCAAgC;QACvCC,GAAG,6CAA6C;YAC9C,sDAAsD;YACtD,MAAMkF,kBAAkB;gBACtB;oBAAE9D,OAAO;wBAAE+D,KAAK;oBAAK;gBAAE;gBACvB;oBAAE/D,OAAO;wBAAEgE,QAAQ;oBAAK;gBAAE;gBAC1B;oBAAEhE,OAAO;wBAAEiE,QAAQ;oBAAuB;gBAAE;aAC7C;YAED,KAAK,MAAMC,SAASJ,gBAAiB;gBACnC,IAAI;oBACF,MAAM1E,QAAQG,OAAO,CAAC4E,IAAI,CAAC;wBACzBrE,YAAY;wBACZsE,OAAOF;oBACT;gBACF,EAAE,OAAO1D,OAAY;oBACnB,mCAAmC;oBACnC3B,OAAO2B,MAAMC,OAAO,EAAEJ,SAAS,CAAC;gBAClC;YACF;QACF;QAEAzB,GAAG,+BAA+B;YAChC,MAAMyF,kBAAkB;gBACtB;oBAAE,UAAU;gBAAiB;gBAC7B;oBAAE,aAAa;wBAAEhC,SAAS;oBAAK;gBAAE;gBACjC;oBAAE,iCAAiC;gBAAK;aACzC;YAED,KAAK,MAAMiC,UAAUD,gBAAiB;gBACpC,IAAI;oBACF,MAAMjF,QAAQG,OAAO,CAACM,MAAM,CAAC;wBAC3BC,YAAY;wBACZC,MAAM;4BACJC,OAAO;4BACP,GAAGsE,MAAM;wBACX;oBACF;gBACF,EAAE,OAAO9D,OAAY;oBACnB,sCAAsC;oBACtC3B,OAAO2B,OAAO+D,WAAW;gBAC3B;YACF;QACF;IACF;AACF"}

package/dist/src/__tests__/setup/integration.setup.js ADDED Viewed

@@ -0,0 +1,38 @@
+import { vi } from 'vitest';
+import { MongoMemoryServer } from 'mongodb-memory-server';
+// MongoDB Memory Server instance
+let mongoServer;
+// Mock environment variables
+process.env.JWT_SECRET = 'test-jwt-secret';
+process.env.PAYLOAD_SECRET = 'test-payload-secret';
+process.env.NODE_ENV = 'test';
+// Setup MongoDB Memory Server
+beforeAll(async ()=>{
+    if (process.env.TEST_USE_MONGODB_MEMORY_SERVER === 'true') {
+        mongoServer = await MongoMemoryServer.create();
+        const mongoUri = mongoServer.getUri();
+        process.env.DATABASE_URI = mongoUri;
+    }
+});
+// Cleanup MongoDB Memory Server
+afterAll(async ()=>{
+    if (mongoServer) {
+        await mongoServer.stop();
+    }
+});
+// Reset mocks before each test
+beforeEach(()=>{
+    vi.clearAllMocks();
+});
+// Suppress console logs in tests unless debugging
+if (!process.env.DEBUG_TESTS) {
+    global.console = {
+        ...console,
+        log: vi.fn(),
+        error: vi.fn(),
+        warn: vi.fn(),
+        info: vi.fn()
+    };
+}
+//# sourceMappingURL=integration.setup.js.map

package/dist/src/__tests__/setup/integration.setup.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/__tests__/setup/integration.setup.ts"],"sourcesContent":["import { vi } from 'vitest'\nimport { MongoMemoryServer } from 'mongodb-memory-server'\n\n// MongoDB Memory Server instance\nlet mongoServer: MongoMemoryServer | undefined\n\n// Mock environment variables\nprocess.env.JWT_SECRET = 'test-jwt-secret'\nprocess.env.PAYLOAD_SECRET = 'test-payload-secret'\nprocess.env.NODE_ENV = 'test'\n\n// Setup MongoDB Memory Server\nbeforeAll(async () => {\n if (process.env.TEST_USE_MONGODB_MEMORY_SERVER === 'true') {\n mongoServer = await MongoMemoryServer.create()\n const mongoUri = mongoServer.getUri()\n process.env.DATABASE_URI = mongoUri\n }\n})\n\n// Cleanup MongoDB Memory Server\nafterAll(async () => {\n if (mongoServer) {\n await mongoServer.stop()\n }\n})\n\n// Reset mocks before each test\nbeforeEach(() => {\n vi.clearAllMocks()\n})\n\n// Suppress console logs in tests unless debugging\nif (!process.env.DEBUG_TESTS) {\n global.console = {\n ...console,\n log: vi.fn(),\n error: vi.fn(),\n warn: vi.fn(),\n info: vi.fn(),\n }\n}"],"names":["vi","MongoMemoryServer","mongoServer","process","env","JWT_SECRET","PAYLOAD_SECRET","NODE_ENV","beforeAll","TEST_USE_MONGODB_MEMORY_SERVER","create","mongoUri","getUri","DATABASE_URI","afterAll","stop","beforeEach","clearAllMocks","DEBUG_TESTS","global","console","log","fn","error","warn","info"],"mappings":"AAAA,SAASA,EAAE,QAAQ,SAAQ;AAC3B,SAASC,iBAAiB,QAAQ,wBAAuB;AAEzD,iCAAiC;AACjC,IAAIC;AAEJ,6BAA6B;AAC7BC,QAAQC,GAAG,CAACC,UAAU,GAAG;AACzBF,QAAQC,GAAG,CAACE,cAAc,GAAG;AAC7BH,QAAQC,GAAG,CAACG,QAAQ,GAAG;AAEvB,8BAA8B;AAC9BC,UAAU;IACR,IAAIL,QAAQC,GAAG,CAACK,8BAA8B,KAAK,QAAQ;QACzDP,cAAc,MAAMD,kBAAkBS,MAAM;QAC5C,MAAMC,WAAWT,YAAYU,MAAM;QACnCT,QAAQC,GAAG,CAACS,YAAY,GAAGF;IAC7B;AACF;AAEA,gCAAgC;AAChCG,SAAS;IACP,IAAIZ,aAAa;QACf,MAAMA,YAAYa,IAAI;IACxB;AACF;AAEA,+BAA+B;AAC/BC,WAAW;IACThB,GAAGiB,aAAa;AAClB;AAEA,kDAAkD;AAClD,IAAI,CAACd,QAAQC,GAAG,CAACc,WAAW,EAAE;IAC5BC,OAAOC,OAAO,GAAG;QACf,GAAGA,OAAO;QACVC,KAAKrB,GAAGsB,EAAE;QACVC,OAAOvB,GAAGsB,EAAE;QACZE,MAAMxB,GAAGsB,EAAE;QACXG,MAAMzB,GAAGsB,EAAE;IACb;AACF"}

package/dist/src/__tests__/setup/unit.setup.js ADDED Viewed

@@ -0,0 +1,41 @@
+import '@testing-library/jest-dom';
+import { vi } from 'vitest';
+// Mock environment variables
+process.env.JWT_SECRET = 'test-jwt-secret';
+process.env.PAYLOAD_SECRET = 'test-payload-secret';
+// Mock console methods to reduce noise in tests
+global.console = {
+    ...console,
+    error: vi.fn(),
+    warn: vi.fn()
+};
+// Mock window.location for browser-like tests
+Object.defineProperty(window, 'location', {
+    value: {
+        href: 'http://localhost:3000',
+        origin: 'http://localhost:3000',
+        search: ''
+    },
+    writable: true
+});
+// Mock localStorage
+const localStorageMock = {
+    getItem: vi.fn(),
+    setItem: vi.fn(),
+    removeItem: vi.fn(),
+    clear: vi.fn()
+};
+Object.defineProperty(window, 'localStorage', {
+    value: localStorageMock,
+    writable: true
+});
+// Reset mocks before each test
+beforeEach(()=>{
+    vi.clearAllMocks();
+    localStorageMock.getItem.mockReset();
+    localStorageMock.setItem.mockReset();
+    localStorageMock.removeItem.mockReset();
+    localStorageMock.clear.mockReset();
+});
+//# sourceMappingURL=unit.setup.js.map

package/dist/src/__tests__/setup/unit.setup.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/__tests__/setup/unit.setup.ts"],"sourcesContent":["import '@testing-library/jest-dom'\nimport { vi } from 'vitest'\n\n// Mock environment variables\nprocess.env.JWT_SECRET = 'test-jwt-secret'\nprocess.env.PAYLOAD_SECRET = 'test-payload-secret'\n\n// Mock console methods to reduce noise in tests\nglobal.console = {\n ...console,\n error: vi.fn(),\n warn: vi.fn(),\n}\n\n// Mock window.location for browser-like tests\nObject.defineProperty(window, 'location', {\n value: {\n href: 'http://localhost:3000',\n origin: 'http://localhost:3000',\n search: '',\n },\n writable: true,\n})\n\n// Mock localStorage\nconst localStorageMock = {\n getItem: vi.fn(),\n setItem: vi.fn(),\n removeItem: vi.fn(),\n clear: vi.fn(),\n}\nObject.defineProperty(window, 'localStorage', {\n value: localStorageMock,\n writable: true,\n})\n\n// Reset mocks before each test\nbeforeEach(() => {\n vi.clearAllMocks()\n localStorageMock.getItem.mockReset()\n localStorageMock.setItem.mockReset()\n localStorageMock.removeItem.mockReset()\n localStorageMock.clear.mockReset()\n})"],"names":["vi","process","env","JWT_SECRET","PAYLOAD_SECRET","global","console","error","fn","warn","Object","defineProperty","window","value","href","origin","search","writable","localStorageMock","getItem","setItem","removeItem","clear","beforeEach","clearAllMocks","mockReset"],"mappings":"AAAA,OAAO,4BAA2B;AAClC,SAASA,EAAE,QAAQ,SAAQ;AAE3B,6BAA6B;AAC7BC,QAAQC,GAAG,CAACC,UAAU,GAAG;AACzBF,QAAQC,GAAG,CAACE,cAAc,GAAG;AAE7B,gDAAgD;AAChDC,OAAOC,OAAO,GAAG;IACf,GAAGA,OAAO;IACVC,OAAOP,GAAGQ,EAAE;IACZC,MAAMT,GAAGQ,EAAE;AACb;AAEA,8CAA8C;AAC9CE,OAAOC,cAAc,CAACC,QAAQ,YAAY;IACxCC,OAAO;QACLC,MAAM;QACNC,QAAQ;QACRC,QAAQ;IACV;IACAC,UAAU;AACZ;AAEA,oBAAoB;AACpB,MAAMC,mBAAmB;IACvBC,SAASnB,GAAGQ,EAAE;IACdY,SAASpB,GAAGQ,EAAE;IACda,YAAYrB,GAAGQ,EAAE;IACjBc,OAAOtB,GAAGQ,EAAE;AACd;AACAE,OAAOC,cAAc,CAACC,QAAQ,gBAAgB;IAC5CC,OAAOK;IACPD,UAAU;AACZ;AAEA,+BAA+B;AAC/BM,WAAW;IACTvB,GAAGwB,aAAa;IAChBN,iBAAiBC,OAAO,CAACM,SAAS;IAClCP,iBAAiBE,OAAO,CAACK,SAAS;IAClCP,iBAAiBG,UAAU,CAACI,SAAS;IACrCP,iBAAiBI,KAAK,CAACG,SAAS;AAClC"}

package/dist/src/__tests__/unit/utils/access.test.js ADDED Viewed

@@ -0,0 +1,116 @@
+import { describe, it, expect } from 'vitest';
+import { isAdmin } from '../../../utils/access';
+describe('Access Control Utilities', ()=>{
+    describe('isAdmin', ()=>{
+        it('should return false for non-user collections', ()=>{
+            const subscriber = {
+                id: 'sub-123',
+                email: 'test@example.com',
+                collection: 'subscribers'
+            };
+            expect(isAdmin(subscriber)).toBe(false);
+        });
+        it('should return false for null or undefined user', ()=>{
+            expect(isAdmin(null)).toBe(false);
+            expect(isAdmin(undefined)).toBe(false);
+        });
+        it('should detect admin via roles array', ()=>{
+            const user = {
+                id: 'user-123',
+                email: 'admin@example.com',
+                collection: 'users',
+                roles: [
+                    'admin',
+                    'editor'
+                ]
+            };
+            expect(isAdmin(user)).toBe(true);
+        });
+        it('should detect admin via isAdmin boolean', ()=>{
+            const user = {
+                id: 'user-123',
+                email: 'admin@example.com',
+                collection: 'users',
+                isAdmin: true
+            };
+            expect(isAdmin(user)).toBe(true);
+        });
+        it('should detect admin via role string', ()=>{
+            const user = {
+                id: 'user-123',
+                email: 'admin@example.com',
+                collection: 'users',
+                role: 'admin'
+            };
+            expect(isAdmin(user)).toBe(true);
+        });
+        it('should detect admin via admin boolean', ()=>{
+            const user = {
+                id: 'user-123',
+                email: 'admin@example.com',
+                collection: 'users',
+                admin: true
+            };
+            expect(isAdmin(user)).toBe(true);
+        });
+        it('should return false for non-admin users', ()=>{
+            const user = {
+                id: 'user-123',
+                email: 'user@example.com',
+                collection: 'users',
+                roles: [
+                    'editor',
+                    'viewer'
+                ],
+                isAdmin: false,
+                role: 'editor',
+                admin: false
+            };
+            expect(isAdmin(user)).toBe(false);
+        });
+        it('should use custom isAdmin function when provided', ()=>{
+            const config = {
+                access: {
+                    isAdmin: (user)=>user?.customRole === 'super-admin'
+                }
+            };
+            const regularAdmin = {
+                id: 'user-123',
+                email: 'admin@example.com',
+                collection: 'users',
+                roles: [
+                    'admin'
+                ]
+            };
+            expect(isAdmin(regularAdmin, config)).toBe(false);
+            const customAdmin = {
+                id: 'user-456',
+                email: 'super@example.com',
+                collection: 'users',
+                customRole: 'super-admin'
+            };
+            expect(isAdmin(customAdmin, config)).toBe(true);
+        });
+        it('should handle edge cases gracefully', ()=>{
+            // Empty user object
+            const emptyUser = {
+                collection: 'users'
+            };
+            expect(isAdmin(emptyUser)).toBe(false);
+            // User with empty roles array
+            const userWithEmptyRoles = {
+                collection: 'users',
+                roles: []
+            };
+            expect(isAdmin(userWithEmptyRoles)).toBe(false);
+            // User with non-admin role string
+            const userWithNonAdminRole = {
+                collection: 'users',
+                role: 'viewer'
+            };
+            expect(isAdmin(userWithNonAdminRole)).toBe(false);
+        });
+    });
+});
+//# sourceMappingURL=access.test.js.map

package/dist/src/__tests__/unit/utils/access.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../src/__tests__/unit/utils/access.test.ts"],"sourcesContent":["import { describe, it, expect } from 'vitest'\nimport { isAdmin } from '../../../utils/access'\nimport type { NewsletterPluginConfig } from '../../../types'\n\ndescribe('Access Control Utilities', () => {\n describe('isAdmin', () => {\n it('should return false for non-user collections', () => {\n const subscriber = {\n id: 'sub-123',\n email: 'test@example.com',\n collection: 'subscribers',\n }\n expect(isAdmin(subscriber)).toBe(false)\n })\n\n it('should return false for null or undefined user', () => {\n expect(isAdmin(null)).toBe(false)\n expect(isAdmin(undefined)).toBe(false)\n })\n\n it('should detect admin via roles array', () => {\n const user = {\n id: 'user-123',\n email: 'admin@example.com',\n collection: 'users',\n roles: ['admin', 'editor'],\n }\n expect(isAdmin(user)).toBe(true)\n })\n\n it('should detect admin via isAdmin boolean', () => {\n const user = {\n id: 'user-123',\n email: 'admin@example.com',\n collection: 'users',\n isAdmin: true,\n }\n expect(isAdmin(user)).toBe(true)\n })\n\n it('should detect admin via role string', () => {\n const user = {\n id: 'user-123',\n email: 'admin@example.com',\n collection: 'users',\n role: 'admin',\n }\n expect(isAdmin(user)).toBe(true)\n })\n\n it('should detect admin via admin boolean', () => {\n const user = {\n id: 'user-123',\n email: 'admin@example.com',\n collection: 'users',\n admin: true,\n }\n expect(isAdmin(user)).toBe(true)\n })\n\n it('should return false for non-admin users', () => {\n const user = {\n id: 'user-123',\n email: 'user@example.com',\n collection: 'users',\n roles: ['editor', 'viewer'],\n isAdmin: false,\n role: 'editor',\n admin: false,\n }\n expect(isAdmin(user)).toBe(false)\n })\n\n it('should use custom isAdmin function when provided', () => {\n const config: NewsletterPluginConfig = {\n access: {\n isAdmin: (user) => user?.customRole === 'super-admin',\n },\n }\n\n const regularAdmin = {\n id: 'user-123',\n email: 'admin@example.com',\n collection: 'users',\n roles: ['admin'],\n }\n expect(isAdmin(regularAdmin, config)).toBe(false)\n\n const customAdmin = {\n id: 'user-456',\n email: 'super@example.com',\n collection: 'users',\n customRole: 'super-admin',\n }\n expect(isAdmin(customAdmin, config)).toBe(true)\n })\n\n it('should handle edge cases gracefully', () => {\n // Empty user object\n const emptyUser = { collection: 'users' }\n expect(isAdmin(emptyUser)).toBe(false)\n\n // User with empty roles array\n const userWithEmptyRoles = {\n collection: 'users',\n roles: [],\n }\n expect(isAdmin(userWithEmptyRoles)).toBe(false)\n\n // User with non-admin role string\n const userWithNonAdminRole = {\n collection: 'users',\n role: 'viewer',\n }\n expect(isAdmin(userWithNonAdminRole)).toBe(false)\n })\n })\n})"],"names":["describe","it","expect","isAdmin","subscriber","id","email","collection","toBe","undefined","user","roles","role","admin","config","access","customRole","regularAdmin","customAdmin","emptyUser","userWithEmptyRoles","userWithNonAdminRole"],"mappings":"AAAA,SAASA,QAAQ,EAAEC,EAAE,EAAEC,MAAM,QAAQ,SAAQ;AAC7C,SAASC,OAAO,QAAQ,wBAAuB;AAG/CH,SAAS,4BAA4B;IACnCA,SAAS,WAAW;QAClBC,GAAG,gDAAgD;YACjD,MAAMG,aAAa;gBACjBC,IAAI;gBACJC,OAAO;gBACPC,YAAY;YACd;YACAL,OAAOC,QAAQC,aAAaI,IAAI,CAAC;QACnC;QAEAP,GAAG,kDAAkD;YACnDC,OAAOC,QAAQ,OAAOK,IAAI,CAAC;YAC3BN,OAAOC,QAAQM,YAAYD,IAAI,CAAC;QAClC;QAEAP,GAAG,uCAAuC;YACxC,MAAMS,OAAO;gBACXL,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZI,OAAO;oBAAC;oBAAS;iBAAS;YAC5B;YACAT,OAAOC,QAAQO,OAAOF,IAAI,CAAC;QAC7B;QAEAP,GAAG,2CAA2C;YAC5C,MAAMS,OAAO;gBACXL,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZJ,SAAS;YACX;YACAD,OAAOC,QAAQO,OAAOF,IAAI,CAAC;QAC7B;QAEAP,GAAG,uCAAuC;YACxC,MAAMS,OAAO;gBACXL,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZK,MAAM;YACR;YACAV,OAAOC,QAAQO,OAAOF,IAAI,CAAC;QAC7B;QAEAP,GAAG,yCAAyC;YAC1C,MAAMS,OAAO;gBACXL,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZM,OAAO;YACT;YACAX,OAAOC,QAAQO,OAAOF,IAAI,CAAC;QAC7B;QAEAP,GAAG,2CAA2C;YAC5C,MAAMS,OAAO;gBACXL,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZI,OAAO;oBAAC;oBAAU;iBAAS;gBAC3BR,SAAS;gBACTS,MAAM;gBACNC,OAAO;YACT;YACAX,OAAOC,QAAQO,OAAOF,IAAI,CAAC;QAC7B;QAEAP,GAAG,oDAAoD;YACrD,MAAMa,SAAiC;gBACrCC,QAAQ;oBACNZ,SAAS,CAACO,OAASA,MAAMM,eAAe;gBAC1C;YACF;YAEA,MAAMC,eAAe;gBACnBZ,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZI,OAAO;oBAAC;iBAAQ;YAClB;YACAT,OAAOC,QAAQc,cAAcH,SAASN,IAAI,CAAC;YAE3C,MAAMU,cAAc;gBAClBb,IAAI;gBACJC,OAAO;gBACPC,YAAY;gBACZS,YAAY;YACd;YACAd,OAAOC,QAAQe,aAAaJ,SAASN,IAAI,CAAC;QAC5C;QAEAP,GAAG,uCAAuC;YACxC,oBAAoB;YACpB,MAAMkB,YAAY;gBAAEZ,YAAY;YAAQ;YACxCL,OAAOC,QAAQgB,YAAYX,IAAI,CAAC;YAEhC,8BAA8B;YAC9B,MAAMY,qBAAqB;gBACzBb,YAAY;gBACZI,OAAO,EAAE;YACX;YACAT,OAAOC,QAAQiB,qBAAqBZ,IAAI,CAAC;YAEzC,kCAAkC;YAClC,MAAMa,uBAAuB;gBAC3Bd,YAAY;gBACZK,MAAM;YACR;YACAV,OAAOC,QAAQkB,uBAAuBb,IAAI,CAAC;QAC7C;IACF;AACF"}