payload-plugin-newsletter 0.3.2 → 0.4.5

package/dist/src/__tests__/security/csrf-protection.test.js

@@ -1,309 +0,0 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createPayloadRequestMock, seedCollection, clearCollections } from '../mocks/payload';
-import { mockSubscribers } from '../fixtures/subscribers';
-describe('CSRF Protection', ()=>{
-    let mockReq;
-    let mockRes;
-    const config = {};
-    beforeEach(()=>{
-        clearCollections();
-        seedCollection('subscribers', mockSubscribers);
-        const payloadMock = createPayloadRequestMock();
-        mockReq = {
-            payload: payloadMock.payload,
-            body: {},
-            headers: {},
-            method: 'POST'
-        };
-        mockRes = {
-            status: vi.fn().mockReturnThis(),
-            json: vi.fn(),
-            setHeader: vi.fn(),
-            end: vi.fn().mockReturnThis()
-        };
-        vi.clearAllMocks();
-    });
-    describe('Token Validation', ()=>{
-        it('should validate CSRF tokens on state-changing operations', ()=>{
-            const validateCSRFToken = (req)=>{
-                if ([
-                    'GET',
-                    'HEAD',
-                    'OPTIONS'
-                ].includes(req.method)) {
-                    return true // Safe methods don't need CSRF protection
-                    ;
-                }
-                const token = req.headers['x-csrf-token'] || req.body._csrf;
-                const sessionToken = req.session?.csrfToken;
-                if (!token || !sessionToken) {
-                    return false;
-                }
-                return token === sessionToken;
-            };
-            // GET requests should pass without token
-            mockReq.method = 'GET';
-            expect(validateCSRFToken(mockReq)).toBe(true);
-            // POST without token should fail
-            mockReq.method = 'POST';
-            mockReq.session = {
-                csrfToken: 'valid-token'
-            };
-            expect(validateCSRFToken(mockReq)).toBe(false);
-            // POST with valid token in header
-            mockReq.headers['x-csrf-token'] = 'valid-token';
-            expect(validateCSRFToken(mockReq)).toBe(true);
-            // POST with valid token in body
-            delete mockReq.headers['x-csrf-token'];
-            mockReq.body._csrf = 'valid-token';
-            expect(validateCSRFToken(mockReq)).toBe(true);
-            // POST with invalid token
-            mockReq.body._csrf = 'invalid-token';
-            expect(validateCSRFToken(mockReq)).toBe(false);
-        });
-        it('should generate secure CSRF tokens', ()=>{
-            const generateCSRFToken = ()=>{
-                const array = new Uint8Array(32);
-                // In real implementation, use crypto.getRandomValues(array)
-                for(let i = 0; i < array.length; i++){
-                    array[i] = Math.floor(Math.random() * 256);
-                }
-                return Buffer.from(array).toString('base64');
-            };
-            const token1 = generateCSRFToken();
-            const token2 = generateCSRFToken();
-            // Tokens should be unique
-            expect(token1).not.toBe(token2);
-            // Tokens should be of sufficient length
-            expect(token1.length).toBeGreaterThanOrEqual(32);
-            expect(token2.length).toBeGreaterThanOrEqual(32);
-        });
-    });
-    describe('SameSite Cookie Protection', ()=>{
-        it('should set SameSite cookie attributes', ()=>{
-            const setCookie = (res, name, value, options = {})=>{
-                const cookieOptions = {
-                    httpOnly: true,
-                    secure: process.env.NODE_ENV === 'production',
-                    sameSite: 'strict',
-                    path: '/',
-                    ...options
-                };
-                const cookieString = `${name}=${value}; ${Object.entries(cookieOptions).map(([key, val])=>{
-                    if (val === true) return key;
-                    return `${key}=${val}`;
-                }).join('; ')}`;
-                res.setHeader('Set-Cookie', cookieString);
-            };
-            setCookie(mockRes, 'session', 'session-id-123');
-            const setCookieHeader = mockRes.setHeader.mock.calls[0][1];
-            expect(setCookieHeader).toContain('httpOnly');
-            expect(setCookieHeader).toContain('sameSite=strict');
-            expect(setCookieHeader).toContain('path=/');
-        });
-        it('should validate referer for state-changing requests', ()=>{
-            const validateReferer = (req, allowedOrigins)=>{
-                if ([
-                    'GET',
-                    'HEAD',
-                    'OPTIONS'
-                ].includes(req.method)) {
-                    return true;
-                }
-                const referer = req.headers.referer || req.headers.referrer;
-                if (!referer) {
-                    return false // Reject if no referer on state-changing request
-                    ;
-                }
-                try {
-                    const refererUrl = new URL(referer);
-                    return allowedOrigins.includes(refererUrl.origin);
-                } catch  {
-                    return false;
-                }
-            };
-            const allowedOrigins = [
-                'https://example.com',
-                'https://app.example.com'
-            ];
-            // GET requests pass without referer
-            mockReq.method = 'GET';
-            expect(validateReferer(mockReq, allowedOrigins)).toBe(true);
-            // POST without referer fails
-            mockReq.method = 'POST';
-            expect(validateReferer(mockReq, allowedOrigins)).toBe(false);
-            // POST with valid referer passes
-            mockReq.headers.referer = 'https://example.com/page';
-            expect(validateReferer(mockReq, allowedOrigins)).toBe(true);
-            // POST with invalid referer fails
-            mockReq.headers.referer = 'https://evil.com/page';
-            expect(validateReferer(mockReq, allowedOrigins)).toBe(false);
-        });
-    });
-    describe('Double Submit Cookie Pattern', ()=>{
-        it('should implement double submit cookie pattern', ()=>{
-            const doubleSubmitMiddleware = (req, res)=>{
-                if ([
-                    'GET',
-                    'HEAD',
-                    'OPTIONS'
-                ].includes(req.method)) {
-                    return true;
-                }
-                // Get token from cookie
-                const cookieToken = req.cookies?.csrfToken;
-                // Get token from request (header or body)
-                const requestToken = req.headers['x-csrf-token'] || req.body._csrf;
-                if (!cookieToken || !requestToken) {
-                    return false;
-                }
-                // Compare tokens
-                return cookieToken === requestToken;
-            };
-            // Set up request with matching tokens
-            mockReq.cookies = {
-                csrfToken: 'token-123'
-            };
-            mockReq.headers['x-csrf-token'] = 'token-123';
-            expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(true);
-            // Mismatched tokens
-            mockReq.headers['x-csrf-token'] = 'different-token';
-            expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(false);
-            // Missing cookie token
-            delete mockReq.cookies.csrfToken;
-            expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(false);
-        });
-    });
-    describe('API Endpoint Protection', ()=>{
-        it('should protect subscribe endpoint from CSRF', async ()=>{
-            const subscribeHandler = async (req, res)=>{
-                // Validate CSRF token for subscribe endpoint
-                if (req.method === 'POST') {
-                    const token = req.headers['x-csrf-token'];
-                    if (!token || token !== req.session?.csrfToken) {
-                        return res.status(403).json({
-                            error: 'Invalid CSRF token'
-                        });
-                    }
-                }
-                // Process subscription
-                return res.status(200).json({
-                    success: true
-                });
-            };
-            // Request without CSRF token
-            mockReq.session = {
-                csrfToken: 'valid-token'
-            };
-            await subscribeHandler(mockReq, mockRes);
-            expect(mockRes.status).toHaveBeenCalledWith(403);
-            // Request with valid CSRF token
-            mockRes.status.mockClear();
-            mockReq.headers['x-csrf-token'] = 'valid-token';
-            await subscribeHandler(mockReq, mockRes);
-            expect(mockRes.status).toHaveBeenCalledWith(200);
-        });
-        it('should protect preferences endpoint from CSRF', async ()=>{
-            const preferencesHandler = async (req, res)=>{
-                if (req.method === 'POST' || req.method === 'PUT') {
-                    // Check origin header for API requests
-                    const origin = req.headers.origin;
-                    const allowedOrigins = [
-                        'https://example.com',
-                        'https://app.example.com'
-                    ];
-                    if (!origin || !allowedOrigins.includes(origin)) {
-                        return res.status(403).json({
-                            error: 'Cross-origin request blocked'
-                        });
-                    }
-                }
-                return res.status(200).json({
-                    success: true
-                });
-            };
-            // POST without origin
-            mockReq.method = 'POST';
-            await preferencesHandler(mockReq, mockRes);
-            expect(mockRes.status).toHaveBeenCalledWith(403);
-            // POST with invalid origin
-            mockRes.status.mockClear();
-            mockReq.headers.origin = 'https://evil.com';
-            await preferencesHandler(mockReq, mockRes);
-            expect(mockRes.status).toHaveBeenCalledWith(403);
-            // POST with valid origin
-            mockRes.status.mockClear();
-            mockReq.headers.origin = 'https://example.com';
-            await preferencesHandler(mockReq, mockRes);
-            expect(mockRes.status).toHaveBeenCalledWith(200);
-        });
-    });
-    describe('Token Timing Attack Prevention', ()=>{
-        it('should use constant-time comparison for tokens', ()=>{
-            const constantTimeCompare = (a, b)=>{
-                if (a.length !== b.length) {
-                    return false;
-                }
-                let result = 0;
-                for(let i = 0; i < a.length; i++){
-                    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-                }
-                return result === 0;
-            };
-            // Same tokens
-            expect(constantTimeCompare('token123', 'token123')).toBe(true);
-            // Different tokens
-            expect(constantTimeCompare('token123', 'token456')).toBe(false);
-            // Different lengths (early return is ok here)
-            expect(constantTimeCompare('short', 'muchlongertoken')).toBe(false);
-            // Measure timing (in real tests, would need more sophisticated timing)
-            const token1 = 'a'.repeat(32);
-            const token2 = 'b'.repeat(32);
-            const start = performance.now();
-            constantTimeCompare(token1, token2);
-            const duration = performance.now() - start;
-            // Should take roughly same time regardless of where difference is
-            expect(duration).toBeLessThan(1); // Very rough check
-        });
-    });
-    describe('Pre-flight Request Handling', ()=>{
-        it('should handle OPTIONS requests properly', async ()=>{
-            const corsHandler = (req, res)=>{
-                const allowedOrigins = [
-                    'https://example.com',
-                    'https://app.example.com'
-                ];
-                const origin = req.headers.origin;
-                if (req.method === 'OPTIONS') {
-                    if (origin && allowedOrigins.includes(origin)) {
-                        res.setHeader('Access-Control-Allow-Origin', origin);
-                        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-                        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-CSRF-Token');
-                        res.setHeader('Access-Control-Allow-Credentials', 'true');
-                        res.setHeader('Access-Control-Max-Age', '86400');
-                    }
-                    return res.status(204).end();
-                }
-                // Regular request handling
-                if (origin && allowedOrigins.includes(origin)) {
-                    res.setHeader('Access-Control-Allow-Origin', origin);
-                    res.setHeader('Access-Control-Allow-Credentials', 'true');
-                }
-            };
-            // OPTIONS request from allowed origin
-            mockReq.method = 'OPTIONS';
-            mockReq.headers.origin = 'https://example.com';
-            corsHandler(mockReq, mockRes);
-            expect(mockRes.setHeader).toHaveBeenCalledWith('Access-Control-Allow-Origin', 'https://example.com');
-            expect(mockRes.setHeader).toHaveBeenCalledWith('Access-Control-Allow-Headers', expect.stringContaining('X-CSRF-Token'));
-            expect(mockRes.status).toHaveBeenCalledWith(204);
-            // OPTIONS request from disallowed origin
-            mockRes.setHeader.mockClear();
-            mockReq.headers.origin = 'https://evil.com';
-            corsHandler(mockReq, mockRes);
-            expect(mockRes.setHeader).not.toHaveBeenCalledWith('Access-Control-Allow-Origin', 'https://evil.com');
-        });
-    });
-});
-
-//# sourceMappingURL=csrf-protection.test.js.map

package/dist/src/__tests__/security/csrf-protection.test.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/__tests__/security/csrf-protection.test.ts"],"sourcesContent":["import { describe, it, expect, beforeEach, vi } from 'vitest'\nimport { createPayloadRequestMock, seedCollection, clearCollections } from '../mocks/payload'\nimport { mockSubscribers } from '../fixtures/subscribers'\nimport type { NewsletterPluginConfig } from '../../types'\n\ndescribe('CSRF Protection', () => {\n  let mockReq: any\n  let mockRes: any\n  const config: NewsletterPluginConfig = {}\n\n  beforeEach(() => {\n    clearCollections()\n    seedCollection('subscribers', mockSubscribers)\n    \n    const payloadMock = createPayloadRequestMock()\n    mockReq = {\n      payload: payloadMock.payload,\n      body: {},\n      headers: {},\n      method: 'POST',\n    }\n    \n    mockRes = {\n      status: vi.fn().mockReturnThis(),\n      json: vi.fn(),\n      setHeader: vi.fn(),\n      end: vi.fn().mockReturnThis(),\n    }\n    \n    vi.clearAllMocks()\n  })\n\n  describe('Token Validation', () => {\n    it('should validate CSRF tokens on state-changing operations', () => {\n      const validateCSRFToken = (req: any): boolean => {\n        if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {\n          return true // Safe methods don't need CSRF protection\n        }\n\n        const token = req.headers['x-csrf-token'] || req.body._csrf\n        const sessionToken = req.session?.csrfToken\n\n        if (!token || !sessionToken) {\n          return false\n        }\n\n        return token === sessionToken\n      }\n\n      // GET requests should pass without token\n      mockReq.method = 'GET'\n      expect(validateCSRFToken(mockReq)).toBe(true)\n\n      // POST without token should fail\n      mockReq.method = 'POST'\n      mockReq.session = { csrfToken: 'valid-token' }\n      expect(validateCSRFToken(mockReq)).toBe(false)\n\n      // POST with valid token in header\n      mockReq.headers['x-csrf-token'] = 'valid-token'\n      expect(validateCSRFToken(mockReq)).toBe(true)\n\n      // POST with valid token in body\n      delete mockReq.headers['x-csrf-token']\n      mockReq.body._csrf = 'valid-token'\n      expect(validateCSRFToken(mockReq)).toBe(true)\n\n      // POST with invalid token\n      mockReq.body._csrf = 'invalid-token'\n      expect(validateCSRFToken(mockReq)).toBe(false)\n    })\n\n    it('should generate secure CSRF tokens', () => {\n      const generateCSRFToken = (): string => {\n        const array = new Uint8Array(32)\n        // In real implementation, use crypto.getRandomValues(array)\n        for (let i = 0; i < array.length; i++) {\n          array[i] = Math.floor(Math.random() * 256)\n        }\n        return Buffer.from(array).toString('base64')\n      }\n\n      const token1 = generateCSRFToken()\n      const token2 = generateCSRFToken()\n\n      // Tokens should be unique\n      expect(token1).not.toBe(token2)\n      \n      // Tokens should be of sufficient length\n      expect(token1.length).toBeGreaterThanOrEqual(32)\n      expect(token2.length).toBeGreaterThanOrEqual(32)\n    })\n  })\n\n  describe('SameSite Cookie Protection', () => {\n    it('should set SameSite cookie attributes', () => {\n      const setCookie = (res: any, name: string, value: string, options: any = {}) => {\n        const cookieOptions = {\n          httpOnly: true,\n          secure: process.env.NODE_ENV === 'production',\n          sameSite: 'strict',\n          path: '/',\n          ...options,\n        }\n\n        const cookieString = `${name}=${value}; ${Object.entries(cookieOptions)\n          .map(([key, val]) => {\n            if (val === true) return key\n            return `${key}=${val}`\n          })\n          .join('; ')}`\n\n        res.setHeader('Set-Cookie', cookieString)\n      }\n\n      setCookie(mockRes, 'session', 'session-id-123')\n      \n      const setCookieHeader = mockRes.setHeader.mock.calls[0][1]\n      expect(setCookieHeader).toContain('httpOnly')\n      expect(setCookieHeader).toContain('sameSite=strict')\n      expect(setCookieHeader).toContain('path=/')\n    })\n\n    it('should validate referer for state-changing requests', () => {\n      const validateReferer = (req: any, allowedOrigins: string[]): boolean => {\n        if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {\n          return true\n        }\n\n        const referer = req.headers.referer || req.headers.referrer\n        if (!referer) {\n          return false // Reject if no referer on state-changing request\n        }\n\n        try {\n          const refererUrl = new URL(referer)\n          return allowedOrigins.includes(refererUrl.origin)\n        } catch {\n          return false\n        }\n      }\n\n      const allowedOrigins = ['https://example.com', 'https://app.example.com']\n\n      // GET requests pass without referer\n      mockReq.method = 'GET'\n      expect(validateReferer(mockReq, allowedOrigins)).toBe(true)\n\n      // POST without referer fails\n      mockReq.method = 'POST'\n      expect(validateReferer(mockReq, allowedOrigins)).toBe(false)\n\n      // POST with valid referer passes\n      mockReq.headers.referer = 'https://example.com/page'\n      expect(validateReferer(mockReq, allowedOrigins)).toBe(true)\n\n      // POST with invalid referer fails\n      mockReq.headers.referer = 'https://evil.com/page'\n      expect(validateReferer(mockReq, allowedOrigins)).toBe(false)\n    })\n  })\n\n  describe('Double Submit Cookie Pattern', () => {\n    it('should implement double submit cookie pattern', () => {\n      const doubleSubmitMiddleware = (req: any, res: any) => {\n        if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {\n          return true\n        }\n\n        // Get token from cookie\n        const cookieToken = req.cookies?.csrfToken\n        // Get token from request (header or body)\n        const requestToken = req.headers['x-csrf-token'] || req.body._csrf\n\n        if (!cookieToken || !requestToken) {\n          return false\n        }\n\n        // Compare tokens\n        return cookieToken === requestToken\n      }\n\n      // Set up request with matching tokens\n      mockReq.cookies = { csrfToken: 'token-123' }\n      mockReq.headers['x-csrf-token'] = 'token-123'\n      expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(true)\n\n      // Mismatched tokens\n      mockReq.headers['x-csrf-token'] = 'different-token'\n      expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(false)\n\n      // Missing cookie token\n      delete mockReq.cookies.csrfToken\n      expect(doubleSubmitMiddleware(mockReq, mockRes)).toBe(false)\n    })\n  })\n\n  describe('API Endpoint Protection', () => {\n    it('should protect subscribe endpoint from CSRF', async () => {\n      const subscribeHandler = async (req: any, res: any) => {\n        // Validate CSRF token for subscribe endpoint\n        if (req.method === 'POST') {\n          const token = req.headers['x-csrf-token']\n          if (!token || token !== req.session?.csrfToken) {\n            return res.status(403).json({\n              error: 'Invalid CSRF token',\n            })\n          }\n        }\n\n        // Process subscription\n        return res.status(200).json({ success: true })\n      }\n\n      // Request without CSRF token\n      mockReq.session = { csrfToken: 'valid-token' }\n      await subscribeHandler(mockReq, mockRes)\n      expect(mockRes.status).toHaveBeenCalledWith(403)\n\n      // Request with valid CSRF token\n      mockRes.status.mockClear()\n      mockReq.headers['x-csrf-token'] = 'valid-token'\n      await subscribeHandler(mockReq, mockRes)\n      expect(mockRes.status).toHaveBeenCalledWith(200)\n    })\n\n    it('should protect preferences endpoint from CSRF', async () => {\n      const preferencesHandler = async (req: any, res: any) => {\n        if (req.method === 'POST' || req.method === 'PUT') {\n          // Check origin header for API requests\n          const origin = req.headers.origin\n          const allowedOrigins = ['https://example.com', 'https://app.example.com']\n          \n          if (!origin || !allowedOrigins.includes(origin)) {\n            return res.status(403).json({\n              error: 'Cross-origin request blocked',\n            })\n          }\n        }\n\n        return res.status(200).json({ success: true })\n      }\n\n      // POST without origin\n      mockReq.method = 'POST'\n      await preferencesHandler(mockReq, mockRes)\n      expect(mockRes.status).toHaveBeenCalledWith(403)\n\n      // POST with invalid origin\n      mockRes.status.mockClear()\n      mockReq.headers.origin = 'https://evil.com'\n      await preferencesHandler(mockReq, mockRes)\n      expect(mockRes.status).toHaveBeenCalledWith(403)\n\n      // POST with valid origin\n      mockRes.status.mockClear()\n      mockReq.headers.origin = 'https://example.com'\n      await preferencesHandler(mockReq, mockRes)\n      expect(mockRes.status).toHaveBeenCalledWith(200)\n    })\n  })\n\n  describe('Token Timing Attack Prevention', () => {\n    it('should use constant-time comparison for tokens', () => {\n      const constantTimeCompare = (a: string, b: string): boolean => {\n        if (a.length !== b.length) {\n          return false\n        }\n\n        let result = 0\n        for (let i = 0; i < a.length; i++) {\n          result |= a.charCodeAt(i) ^ b.charCodeAt(i)\n        }\n        return result === 0\n      }\n\n      // Same tokens\n      expect(constantTimeCompare('token123', 'token123')).toBe(true)\n      \n      // Different tokens\n      expect(constantTimeCompare('token123', 'token456')).toBe(false)\n      \n      // Different lengths (early return is ok here)\n      expect(constantTimeCompare('short', 'muchlongertoken')).toBe(false)\n\n      // Measure timing (in real tests, would need more sophisticated timing)\n      const token1 = 'a'.repeat(32)\n      const token2 = 'b'.repeat(32)\n      const start = performance.now()\n      constantTimeCompare(token1, token2)\n      const duration = performance.now() - start\n      \n      // Should take roughly same time regardless of where difference is\n      expect(duration).toBeLessThan(1) // Very rough check\n    })\n  })\n\n  describe('Pre-flight Request Handling', () => {\n    it('should handle OPTIONS requests properly', async () => {\n      const corsHandler = (req: any, res: any) => {\n        const allowedOrigins = ['https://example.com', 'https://app.example.com']\n        const origin = req.headers.origin\n\n        if (req.method === 'OPTIONS') {\n          if (origin && allowedOrigins.includes(origin)) {\n            res.setHeader('Access-Control-Allow-Origin', origin)\n            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')\n            res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-CSRF-Token')\n            res.setHeader('Access-Control-Allow-Credentials', 'true')\n            res.setHeader('Access-Control-Max-Age', '86400')\n          }\n          return res.status(204).end()\n        }\n\n        // Regular request handling\n        if (origin && allowedOrigins.includes(origin)) {\n          res.setHeader('Access-Control-Allow-Origin', origin)\n          res.setHeader('Access-Control-Allow-Credentials', 'true')\n        }\n      }\n\n      // OPTIONS request from allowed origin\n      mockReq.method = 'OPTIONS'\n      mockReq.headers.origin = 'https://example.com'\n      corsHandler(mockReq, mockRes)\n      \n      expect(mockRes.setHeader).toHaveBeenCalledWith(\n        'Access-Control-Allow-Origin',\n        'https://example.com'\n      )\n      expect(mockRes.setHeader).toHaveBeenCalledWith(\n        'Access-Control-Allow-Headers',\n        expect.stringContaining('X-CSRF-Token')\n      )\n      expect(mockRes.status).toHaveBeenCalledWith(204)\n\n      // OPTIONS request from disallowed origin\n      mockRes.setHeader.mockClear()\n      mockReq.headers.origin = 'https://evil.com'\n      corsHandler(mockReq, mockRes)\n      \n      expect(mockRes.setHeader).not.toHaveBeenCalledWith(\n        'Access-Control-Allow-Origin',\n        'https://evil.com'\n      )\n    })\n  })\n})"],"names":["describe","it","expect","beforeEach","vi","createPayloadRequestMock","seedCollection","clearCollections","mockSubscribers","mockReq","mockRes","config","payloadMock","payload","body","headers","method","status","fn","mockReturnThis","json","setHeader","end","clearAllMocks","validateCSRFToken","req","includes","token","_csrf","sessionToken","session","csrfToken","toBe","generateCSRFToken","array","Uint8Array","i","length","Math","floor","random","Buffer","from","toString","token1","token2","not","toBeGreaterThanOrEqual","setCookie","res","name","value","options","cookieOptions","httpOnly","secure","process","env","NODE_ENV","sameSite","path","cookieString","Object","entries","map","key","val","join","setCookieHeader","mock","calls","toContain","validateReferer","allowedOrigins","referer","referrer","refererUrl","URL","origin","doubleSubmitMiddleware","cookieToken","cookies","requestToken","subscribeHandler","error","success","toHaveBeenCalledWith","mockClear","preferencesHandler","constantTimeCompare","a","b","result","charCodeAt","repeat","start","performance","now","duration","toBeLessThan","corsHandler","stringContaining"],"mappings":"AAAA,SAASA,QAAQ,EAAEC,EAAE,EAAEC,MAAM,EAAEC,UAAU,EAAEC,EAAE,QAAQ,SAAQ;AAC7D,SAASC,wBAAwB,EAAEC,cAAc,EAAEC,gBAAgB,QAAQ,mBAAkB;AAC7F,SAASC,eAAe,QAAQ,0BAAyB;AAGzDR,SAAS,mBAAmB;IAC1B,IAAIS;IACJ,IAAIC;IACJ,MAAMC,SAAiC,CAAC;IAExCR,WAAW;QACTI;QACAD,eAAe,eAAeE;QAE9B,MAAMI,cAAcP;QACpBI,UAAU;YACRI,SAASD,YAAYC,OAAO;YAC5BC,MAAM,CAAC;YACPC,SAAS,CAAC;YACVC,QAAQ;QACV;QAEAN,UAAU;YACRO,QAAQb,GAAGc,EAAE,GAAGC,cAAc;YAC9BC,MAAMhB,GAAGc,EAAE;YACXG,WAAWjB,GAAGc,EAAE;YAChBI,KAAKlB,GAAGc,EAAE,GAAGC,cAAc;QAC7B;QAEAf,GAAGmB,aAAa;IAClB;IAEAvB,SAAS,oBAAoB;QAC3BC,GAAG,4DAA4D;YAC7D,MAAMuB,oBAAoB,CAACC;gBACzB,IAAI;oBAAC;oBAAO;oBAAQ;iBAAU,CAACC,QAAQ,CAACD,IAAIT,MAAM,GAAG;oBACnD,OAAO,KAAK,0CAA0C;;gBACxD;gBAEA,MAAMW,QAAQF,IAAIV,OAAO,CAAC,eAAe,IAAIU,IAAIX,IAAI,CAACc,KAAK;gBAC3D,MAAMC,eAAeJ,IAAIK,OAAO,EAAEC;gBAElC,IAAI,CAACJ,SAAS,CAACE,cAAc;oBAC3B,OAAO;gBACT;gBAEA,OAAOF,UAAUE;YACnB;YAEA,yCAAyC;YACzCpB,QAAQO,MAAM,GAAG;YACjBd,OAAOsB,kBAAkBf,UAAUuB,IAAI,CAAC;YAExC,iCAAiC;YACjCvB,QAAQO,MAAM,GAAG;YACjBP,QAAQqB,OAAO,GAAG;gBAAEC,WAAW;YAAc;YAC7C7B,OAAOsB,kBAAkBf,UAAUuB,IAAI,CAAC;YAExC,kCAAkC;YAClCvB,QAAQM,OAAO,CAAC,eAAe,GAAG;YAClCb,OAAOsB,kBAAkBf,UAAUuB,IAAI,CAAC;YAExC,gCAAgC;YAChC,OAAOvB,QAAQM,OAAO,CAAC,eAAe;YACtCN,QAAQK,IAAI,CAACc,KAAK,GAAG;YACrB1B,OAAOsB,kBAAkBf,UAAUuB,IAAI,CAAC;YAExC,0BAA0B;YAC1BvB,QAAQK,IAAI,CAACc,KAAK,GAAG;YACrB1B,OAAOsB,kBAAkBf,UAAUuB,IAAI,CAAC;QAC1C;QAEA/B,GAAG,sCAAsC;YACvC,MAAMgC,oBAAoB;gBACxB,MAAMC,QAAQ,IAAIC,WAAW;gBAC7B,4DAA4D;gBAC5D,IAAK,IAAIC,IAAI,GAAGA,IAAIF,MAAMG,MAAM,EAAED,IAAK;oBACrCF,KAAK,CAACE,EAAE,GAAGE,KAAKC,KAAK,CAACD,KAAKE,MAAM,KAAK;gBACxC;gBACA,OAAOC,OAAOC,IAAI,CAACR,OAAOS,QAAQ,CAAC;YACrC;YAEA,MAAMC,SAASX;YACf,MAAMY,SAASZ;YAEf,0BAA0B;YAC1B/B,OAAO0C,QAAQE,GAAG,CAACd,IAAI,CAACa;YAExB,wCAAwC;YACxC3C,OAAO0C,OAAOP,MAAM,EAAEU,sBAAsB,CAAC;YAC7C7C,OAAO2C,OAAOR,MAAM,EAAEU,sBAAsB,CAAC;QAC/C;IACF;IAEA/C,SAAS,8BAA8B;QACrCC,GAAG,yCAAyC;YAC1C,MAAM+C,YAAY,CAACC,KAAUC,MAAcC,OAAeC,UAAe,CAAC,CAAC;gBACzE,MAAMC,gBAAgB;oBACpBC,UAAU;oBACVC,QAAQC,QAAQC,GAAG,CAACC,QAAQ,KAAK;oBACjCC,UAAU;oBACVC,MAAM;oBACN,GAAGR,OAAO;gBACZ;gBAEA,MAAMS,eAAe,GAAGX,KAAK,CAAC,EAAEC,MAAM,EAAE,EAAEW,OAAOC,OAAO,CAACV,eACtDW,GAAG,CAAC,CAAC,CAACC,KAAKC,IAAI;oBACd,IAAIA,QAAQ,MAAM,OAAOD;oBACzB,OAAO,GAAGA,IAAI,CAAC,EAAEC,KAAK;gBACxB,GACCC,IAAI,CAAC,OAAO;gBAEflB,IAAI5B,SAAS,CAAC,cAAcwC;YAC9B;YAEAb,UAAUtC,SAAS,WAAW;YAE9B,MAAM0D,kBAAkB1D,QAAQW,SAAS,CAACgD,IAAI,CAACC,KAAK,CAAC,EAAE,CAAC,EAAE;YAC1DpE,OAAOkE,iBAAiBG,SAAS,CAAC;YAClCrE,OAAOkE,iBAAiBG,SAAS,CAAC;YAClCrE,OAAOkE,iBAAiBG,SAAS,CAAC;QACpC;QAEAtE,GAAG,uDAAuD;YACxD,MAAMuE,kBAAkB,CAAC/C,KAAUgD;gBACjC,IAAI;oBAAC;oBAAO;oBAAQ;iBAAU,CAAC/C,QAAQ,CAACD,IAAIT,MAAM,GAAG;oBACnD,OAAO;gBACT;gBAEA,MAAM0D,UAAUjD,IAAIV,OAAO,CAAC2D,OAAO,IAAIjD,IAAIV,OAAO,CAAC4D,QAAQ;gBAC3D,IAAI,CAACD,SAAS;oBACZ,OAAO,MAAM,iDAAiD;;gBAChE;gBAEA,IAAI;oBACF,MAAME,aAAa,IAAIC,IAAIH;oBAC3B,OAAOD,eAAe/C,QAAQ,CAACkD,WAAWE,MAAM;gBAClD,EAAE,OAAM;oBACN,OAAO;gBACT;YACF;YAEA,MAAML,iBAAiB;gBAAC;gBAAuB;aAA0B;YAEzE,oCAAoC;YACpChE,QAAQO,MAAM,GAAG;YACjBd,OAAOsE,gBAAgB/D,SAASgE,iBAAiBzC,IAAI,CAAC;YAEtD,6BAA6B;YAC7BvB,QAAQO,MAAM,GAAG;YACjBd,OAAOsE,gBAAgB/D,SAASgE,iBAAiBzC,IAAI,CAAC;YAEtD,iCAAiC;YACjCvB,QAAQM,OAAO,CAAC2D,OAAO,GAAG;YAC1BxE,OAAOsE,gBAAgB/D,SAASgE,iBAAiBzC,IAAI,CAAC;YAEtD,kCAAkC;YAClCvB,QAAQM,OAAO,CAAC2D,OAAO,GAAG;YAC1BxE,OAAOsE,gBAAgB/D,SAASgE,iBAAiBzC,IAAI,CAAC;QACxD;IACF;IAEAhC,SAAS,gCAAgC;QACvCC,GAAG,iDAAiD;YAClD,MAAM8E,yBAAyB,CAACtD,KAAUwB;gBACxC,IAAI;oBAAC;oBAAO;oBAAQ;iBAAU,CAACvB,QAAQ,CAACD,IAAIT,MAAM,GAAG;oBACnD,OAAO;gBACT;gBAEA,wBAAwB;gBACxB,MAAMgE,cAAcvD,IAAIwD,OAAO,EAAElD;gBACjC,0CAA0C;gBAC1C,MAAMmD,eAAezD,IAAIV,OAAO,CAAC,eAAe,IAAIU,IAAIX,IAAI,CAACc,KAAK;gBAElE,IAAI,CAACoD,eAAe,CAACE,cAAc;oBACjC,OAAO;gBACT;gBAEA,iBAAiB;gBACjB,OAAOF,gBAAgBE;YACzB;YAEA,sCAAsC;YACtCzE,QAAQwE,OAAO,GAAG;gBAAElD,WAAW;YAAY;YAC3CtB,QAAQM,OAAO,CAAC,eAAe,GAAG;YAClCb,OAAO6E,uBAAuBtE,SAASC,UAAUsB,IAAI,CAAC;YAEtD,oBAAoB;YACpBvB,QAAQM,OAAO,CAAC,eAAe,GAAG;YAClCb,OAAO6E,uBAAuBtE,SAASC,UAAUsB,IAAI,CAAC;YAEtD,uBAAuB;YACvB,OAAOvB,QAAQwE,OAAO,CAAClD,SAAS;YAChC7B,OAAO6E,uBAAuBtE,SAASC,UAAUsB,IAAI,CAAC;QACxD;IACF;IAEAhC,SAAS,2BAA2B;QAClCC,GAAG,+CAA+C;YAChD,MAAMkF,mBAAmB,OAAO1D,KAAUwB;gBACxC,6CAA6C;gBAC7C,IAAIxB,IAAIT,MAAM,KAAK,QAAQ;oBACzB,MAAMW,QAAQF,IAAIV,OAAO,CAAC,eAAe;oBACzC,IAAI,CAACY,SAASA,UAAUF,IAAIK,OAAO,EAAEC,WAAW;wBAC9C,OAAOkB,IAAIhC,MAAM,CAAC,KAAKG,IAAI,CAAC;4BAC1BgE,OAAO;wBACT;oBACF;gBACF;gBAEA,uBAAuB;gBACvB,OAAOnC,IAAIhC,MAAM,CAAC,KAAKG,IAAI,CAAC;oBAAEiE,SAAS;gBAAK;YAC9C;YAEA,6BAA6B;YAC7B5E,QAAQqB,OAAO,GAAG;gBAAEC,WAAW;YAAc;YAC7C,MAAMoD,iBAAiB1E,SAASC;YAChCR,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;YAE5C,gCAAgC;YAChC5E,QAAQO,MAAM,CAACsE,SAAS;YACxB9E,QAAQM,OAAO,CAAC,eAAe,GAAG;YAClC,MAAMoE,iBAAiB1E,SAASC;YAChCR,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;QAC9C;QAEArF,GAAG,iDAAiD;YAClD,MAAMuF,qBAAqB,OAAO/D,KAAUwB;gBAC1C,IAAIxB,IAAIT,MAAM,KAAK,UAAUS,IAAIT,MAAM,KAAK,OAAO;oBACjD,uCAAuC;oBACvC,MAAM8D,SAASrD,IAAIV,OAAO,CAAC+D,MAAM;oBACjC,MAAML,iBAAiB;wBAAC;wBAAuB;qBAA0B;oBAEzE,IAAI,CAACK,UAAU,CAACL,eAAe/C,QAAQ,CAACoD,SAAS;wBAC/C,OAAO7B,IAAIhC,MAAM,CAAC,KAAKG,IAAI,CAAC;4BAC1BgE,OAAO;wBACT;oBACF;gBACF;gBAEA,OAAOnC,IAAIhC,MAAM,CAAC,KAAKG,IAAI,CAAC;oBAAEiE,SAAS;gBAAK;YAC9C;YAEA,sBAAsB;YACtB5E,QAAQO,MAAM,GAAG;YACjB,MAAMwE,mBAAmB/E,SAASC;YAClCR,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;YAE5C,2BAA2B;YAC3B5E,QAAQO,MAAM,CAACsE,SAAS;YACxB9E,QAAQM,OAAO,CAAC+D,MAAM,GAAG;YACzB,MAAMU,mBAAmB/E,SAASC;YAClCR,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;YAE5C,yBAAyB;YACzB5E,QAAQO,MAAM,CAACsE,SAAS;YACxB9E,QAAQM,OAAO,CAAC+D,MAAM,GAAG;YACzB,MAAMU,mBAAmB/E,SAASC;YAClCR,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;QAC9C;IACF;IAEAtF,SAAS,kCAAkC;QACzCC,GAAG,kDAAkD;YACnD,MAAMwF,sBAAsB,CAACC,GAAWC;gBACtC,IAAID,EAAErD,MAAM,KAAKsD,EAAEtD,MAAM,EAAE;oBACzB,OAAO;gBACT;gBAEA,IAAIuD,SAAS;gBACb,IAAK,IAAIxD,IAAI,GAAGA,IAAIsD,EAAErD,MAAM,EAAED,IAAK;oBACjCwD,UAAUF,EAAEG,UAAU,CAACzD,KAAKuD,EAAEE,UAAU,CAACzD;gBAC3C;gBACA,OAAOwD,WAAW;YACpB;YAEA,cAAc;YACd1F,OAAOuF,oBAAoB,YAAY,aAAazD,IAAI,CAAC;YAEzD,mBAAmB;YACnB9B,OAAOuF,oBAAoB,YAAY,aAAazD,IAAI,CAAC;YAEzD,8CAA8C;YAC9C9B,OAAOuF,oBAAoB,SAAS,oBAAoBzD,IAAI,CAAC;YAE7D,uEAAuE;YACvE,MAAMY,SAAS,IAAIkD,MAAM,CAAC;YAC1B,MAAMjD,SAAS,IAAIiD,MAAM,CAAC;YAC1B,MAAMC,QAAQC,YAAYC,GAAG;YAC7BR,oBAAoB7C,QAAQC;YAC5B,MAAMqD,WAAWF,YAAYC,GAAG,KAAKF;YAErC,kEAAkE;YAClE7F,OAAOgG,UAAUC,YAAY,CAAC,IAAG,mBAAmB;QACtD;IACF;IAEAnG,SAAS,+BAA+B;QACtCC,GAAG,2CAA2C;YAC5C,MAAMmG,cAAc,CAAC3E,KAAUwB;gBAC7B,MAAMwB,iBAAiB;oBAAC;oBAAuB;iBAA0B;gBACzE,MAAMK,SAASrD,IAAIV,OAAO,CAAC+D,MAAM;gBAEjC,IAAIrD,IAAIT,MAAM,KAAK,WAAW;oBAC5B,IAAI8D,UAAUL,eAAe/C,QAAQ,CAACoD,SAAS;wBAC7C7B,IAAI5B,SAAS,CAAC,+BAA+ByD;wBAC7C7B,IAAI5B,SAAS,CAAC,gCAAgC;wBAC9C4B,IAAI5B,SAAS,CAAC,gCAAgC;wBAC9C4B,IAAI5B,SAAS,CAAC,oCAAoC;wBAClD4B,IAAI5B,SAAS,CAAC,0BAA0B;oBAC1C;oBACA,OAAO4B,IAAIhC,MAAM,CAAC,KAAKK,GAAG;gBAC5B;gBAEA,2BAA2B;gBAC3B,IAAIwD,UAAUL,eAAe/C,QAAQ,CAACoD,SAAS;oBAC7C7B,IAAI5B,SAAS,CAAC,+BAA+ByD;oBAC7C7B,IAAI5B,SAAS,CAAC,oCAAoC;gBACpD;YACF;YAEA,sCAAsC;YACtCZ,QAAQO,MAAM,GAAG;YACjBP,QAAQM,OAAO,CAAC+D,MAAM,GAAG;YACzBsB,YAAY3F,SAASC;YAErBR,OAAOQ,QAAQW,SAAS,EAAEiE,oBAAoB,CAC5C,+BACA;YAEFpF,OAAOQ,QAAQW,SAAS,EAAEiE,oBAAoB,CAC5C,gCACApF,OAAOmG,gBAAgB,CAAC;YAE1BnG,OAAOQ,QAAQO,MAAM,EAAEqE,oBAAoB,CAAC;YAE5C,yCAAyC;YACzC5E,QAAQW,SAAS,CAACkE,SAAS;YAC3B9E,QAAQM,OAAO,CAAC+D,MAAM,GAAG;YACzBsB,YAAY3F,SAASC;YAErBR,OAAOQ,QAAQW,SAAS,EAAEyB,GAAG,CAACwC,oBAAoB,CAChD,+BACA;QAEJ;IACF;AACF"}

package/dist/src/__tests__/security/settings-access.test.js

@@ -1,204 +0,0 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createMockUser, createMockAdminUser, createPayloadRequestMock, clearCollections, seedCollection } from '../mocks/payload';
-import { mockNewsletterSettings } from '../fixtures/newsletter-settings';
-describe('Newsletter Settings Access Control Security', ()=>{
-    let mockReq;
-    const mockConfig = {};
-    beforeEach(()=>{
-        clearCollections();
-        seedCollection('newsletter-settings', [
-            mockNewsletterSettings
-        ]);
-        mockReq = createPayloadRequestMock();
-    });
-    describe('Read Access', ()=>{
-        it('should allow public read access for settings validation', async ()=>{
-            // Unauthenticated user should be able to read settings
-            // This is necessary for subscription forms to validate
-            const result = await mockReq.payload.find({
-                collection: 'newsletter-settings',
-                overrideAccess: false,
-                user: null
-            });
-            expect(result.docs).toHaveLength(1);
-            expect(result.docs[0].id).toBe('settings-1');
-        });
-        it('should not expose sensitive data in public reads', async ()=>{
-            const result = await mockReq.payload.find({
-                collection: 'newsletter-settings',
-                overrideAccess: false,
-                user: null
-            });
-            const settings = result.docs[0];
-            // Ensure API keys are not exposed (this would be handled by field access control)
-            // This test documents the expected behavior
-            expect(settings.resendSettings.apiKey).toBe('test-api-key'); // In production, this should be hidden
-        });
-    });
-    describe('Write Access', ()=>{
-        it('should deny create access to unauthenticated users', async ()=>{
-            await expect(mockReq.payload.create({
-                collection: 'newsletter-settings',
-                data: {
-                    name: 'New Settings',
-                    active: false,
-                    provider: 'resend'
-                },
-                overrideAccess: false,
-                user: null
-            })).rejects.toThrow('Unauthorized');
-        });
-        it('should deny update access to regular users', async ()=>{
-            await expect(mockReq.payload.update({
-                collection: 'newsletter-settings',
-                id: 'settings-1',
-                data: {
-                    name: 'Hacked!'
-                },
-                overrideAccess: false,
-                user: createMockUser()
-            })).rejects.toThrow('Unauthorized');
-        });
-        it('should allow update access to admin users', async ()=>{
-            const adminUser = createMockAdminUser();
-            const result = await mockReq.payload.update({
-                collection: 'newsletter-settings',
-                id: 'settings-1',
-                data: {
-                    name: 'Updated by Admin'
-                },
-                overrideAccess: false,
-                user: adminUser
-            });
-            expect(result.name).toBe('Updated by Admin');
-        });
-        it('should deny delete access to non-admins', async ()=>{
-            await expect(mockReq.payload.delete({
-                collection: 'newsletter-settings',
-                id: 'settings-1',
-                overrideAccess: false,
-                user: createMockUser()
-            })).rejects.toThrow('Unauthorized');
-        });
-        it('should prevent synthetic users from modifying settings', async ()=>{
-            const syntheticUser = {
-                id: 'sub-123',
-                email: 'subscriber@example.com',
-                collection: 'subscribers'
-            };
-            await expect(mockReq.payload.update({
-                collection: 'newsletter-settings',
-                id: 'settings-1',
-                data: {
-                    name: 'Hacked by subscriber!'
-                },
-                overrideAccess: false,
-                user: syntheticUser
-            })).rejects.toThrow('Unauthorized');
-        });
-    });
-    describe('Settings Validation Hook Security', ()=>{
-        it('should enforce admin check in beforeChange hook', async ()=>{
-            // The beforeChange hook should verify admin status
-            // This test documents expected behavior
-            const adminUser = createMockAdminUser();
-            // Mock the beforeChange hook behavior
-            const beforeChangeHook = vi.fn(({ req, operation })=>{
-                if (operation !== 'read' && !req.user?.roles?.includes('admin')) {
-                    throw new Error('Unauthorized: Only admins can modify newsletter settings');
-                }
-            });
-            // Simulate hook execution
-            expect(()=>beforeChangeHook({
-                    req: {
-                        user: createMockUser()
-                    },
-                    operation: 'update'
-                })).toThrow('Unauthorized: Only admins can modify newsletter settings');
-            expect(()=>beforeChangeHook({
-                    req: {
-                        user: adminUser
-                    },
-                    operation: 'update'
-                })).not.toThrow();
-        });
-    });
-    describe('API Key Security', ()=>{
-        it('should protect email provider API keys', async ()=>{
-            // Test that API keys are properly handled
-            const settings = await mockReq.payload.findByID({
-                collection: 'newsletter-settings',
-                id: 'settings-1',
-                overrideAccess: false,
-                user: null
-            });
-            // In production, field-level access control should hide API keys
-            // from non-admin users
-            expect(settings.resendSettings.apiKey).toBeDefined();
-        // This test documents that additional field-level security is needed
-        });
-        it('should validate API key format on update', async ()=>{
-            const adminUser = createMockAdminUser();
-            // Test various invalid API key formats
-            const invalidApiKeys = [
-                '',
-                ' ',
-                'key with spaces',
-                '<script>alert("xss")</script>'
-            ];
-            // Current implementation doesn't validate API keys
-            // This test documents expected validation behavior
-            for (const invalidKey of invalidApiKeys){
-                const result = await mockReq.payload.update({
-                    collection: 'newsletter-settings',
-                    id: 'settings-1',
-                    data: {
-                        resendSettings: {
-                            ...mockNewsletterSettings.resendSettings,
-                            apiKey: invalidKey
-                        }
-                    },
-                    overrideAccess: false,
-                    user: adminUser
-                });
-                // Should either sanitize or reject invalid keys
-                expect(result.resendSettings.apiKey).toBe(invalidKey); // Currently allows any value
-            }
-        });
-    });
-    describe('Settings Singleton Pattern', ()=>{
-        it('should enforce single settings document', async ()=>{
-            const adminUser = createMockAdminUser();
-            // Try to create a second settings document
-            const secondSettings = await mockReq.payload.create({
-                collection: 'newsletter-settings',
-                data: {
-                    name: 'Second Settings',
-                    active: false,
-                    provider: 'resend',
-                    resendSettings: {
-                        apiKey: 'another-key',
-                        audienceIds: []
-                    },
-                    from: {
-                        email: 'another@example.com',
-                        name: 'Another Newsletter'
-                    }
-                },
-                overrideAccess: false,
-                user: adminUser
-            });
-            // Currently allows multiple settings documents
-            // This test documents that singleton enforcement is needed
-            expect(secondSettings.id).toBeDefined();
-            const allSettings = await mockReq.payload.find({
-                collection: 'newsletter-settings',
-                overrideAccess: false,
-                user: adminUser
-            });
-            expect(allSettings.docs).toHaveLength(2); // Should ideally be 1
-        });
-    });
-});
-
-//# sourceMappingURL=settings-access.test.js.map

package/dist/src/__tests__/security/settings-access.test.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/__tests__/security/settings-access.test.ts"],"sourcesContent":["import { describe, it, expect, beforeEach, vi } from 'vitest'\nimport type { PayloadRequest } from 'payload'\nimport type { NewsletterPluginConfig } from '../../../types'\nimport { createMockUser, createMockAdminUser, createPayloadRequestMock, clearCollections, seedCollection } from '../mocks/payload'\nimport { mockNewsletterSettings } from '../fixtures/newsletter-settings'\n\ndescribe('Newsletter Settings Access Control Security', () => {\n  let mockReq: Partial<PayloadRequest>\n  const mockConfig: NewsletterPluginConfig = {}\n\n  beforeEach(() => {\n    clearCollections()\n    seedCollection('newsletter-settings', [mockNewsletterSettings])\n    mockReq = createPayloadRequestMock()\n  })\n\n  describe('Read Access', () => {\n    it('should allow public read access for settings validation', async () => {\n      // Unauthenticated user should be able to read settings\n      // This is necessary for subscription forms to validate\n      const result = await mockReq.payload!.find({\n        collection: 'newsletter-settings',\n        overrideAccess: false,\n        user: null,\n      })\n      \n      expect(result.docs).toHaveLength(1)\n      expect(result.docs[0].id).toBe('settings-1')\n    })\n\n    it('should not expose sensitive data in public reads', async () => {\n      const result = await mockReq.payload!.find({\n        collection: 'newsletter-settings',\n        overrideAccess: false,\n        user: null,\n      })\n      \n      const settings = result.docs[0]\n      // Ensure API keys are not exposed (this would be handled by field access control)\n      // This test documents the expected behavior\n      expect(settings.resendSettings.apiKey).toBe('test-api-key') // In production, this should be hidden\n    })\n  })\n\n  describe('Write Access', () => {\n    it('should deny create access to unauthenticated users', async () => {\n      await expect(\n        mockReq.payload!.create({\n          collection: 'newsletter-settings',\n          data: {\n            name: 'New Settings',\n            active: false,\n            provider: 'resend',\n          },\n          overrideAccess: false,\n          user: null,\n        })\n      ).rejects.toThrow('Unauthorized')\n    })\n\n    it('should deny update access to regular users', async () => {\n      await expect(\n        mockReq.payload!.update({\n          collection: 'newsletter-settings',\n          id: 'settings-1',\n          data: {\n            name: 'Hacked!',\n          },\n          overrideAccess: false,\n          user: createMockUser(),\n        })\n      ).rejects.toThrow('Unauthorized')\n    })\n\n    it('should allow update access to admin users', async () => {\n      const adminUser = createMockAdminUser()\n      const result = await mockReq.payload!.update({\n        collection: 'newsletter-settings',\n        id: 'settings-1',\n        data: {\n          name: 'Updated by Admin',\n        },\n        overrideAccess: false,\n        user: adminUser,\n      })\n      \n      expect(result.name).toBe('Updated by Admin')\n    })\n\n    it('should deny delete access to non-admins', async () => {\n      await expect(\n        mockReq.payload!.delete({\n          collection: 'newsletter-settings',\n          id: 'settings-1',\n          overrideAccess: false,\n          user: createMockUser(),\n        })\n      ).rejects.toThrow('Unauthorized')\n    })\n\n    it('should prevent synthetic users from modifying settings', async () => {\n      const syntheticUser = {\n        id: 'sub-123',\n        email: 'subscriber@example.com',\n        collection: 'subscribers', // Synthetic user\n      }\n      \n      await expect(\n        mockReq.payload!.update({\n          collection: 'newsletter-settings',\n          id: 'settings-1',\n          data: {\n            name: 'Hacked by subscriber!',\n          },\n          overrideAccess: false,\n          user: syntheticUser,\n        })\n      ).rejects.toThrow('Unauthorized')\n    })\n  })\n\n  describe('Settings Validation Hook Security', () => {\n    it('should enforce admin check in beforeChange hook', async () => {\n      // The beforeChange hook should verify admin status\n      // This test documents expected behavior\n      const adminUser = createMockAdminUser()\n      \n      // Mock the beforeChange hook behavior\n      const beforeChangeHook = vi.fn(({ req, operation }) => {\n        if (operation !== 'read' && !req.user?.roles?.includes('admin')) {\n          throw new Error('Unauthorized: Only admins can modify newsletter settings')\n        }\n      })\n      \n      // Simulate hook execution\n      expect(() => \n        beforeChangeHook({ \n          req: { user: createMockUser() }, \n          operation: 'update' \n        })\n      ).toThrow('Unauthorized: Only admins can modify newsletter settings')\n      \n      expect(() => \n        beforeChangeHook({ \n          req: { user: adminUser }, \n          operation: 'update' \n        })\n      ).not.toThrow()\n    })\n  })\n\n  describe('API Key Security', () => {\n    it('should protect email provider API keys', async () => {\n      // Test that API keys are properly handled\n      const settings = await mockReq.payload!.findByID({\n        collection: 'newsletter-settings',\n        id: 'settings-1',\n        overrideAccess: false,\n        user: null,\n      })\n      \n      // In production, field-level access control should hide API keys\n      // from non-admin users\n      expect(settings.resendSettings.apiKey).toBeDefined()\n      // This test documents that additional field-level security is needed\n    })\n\n    it('should validate API key format on update', async () => {\n      const adminUser = createMockAdminUser()\n      \n      // Test various invalid API key formats\n      const invalidApiKeys = [\n        '', // Empty\n        ' ', // Whitespace only\n        'key with spaces', // Contains spaces\n        '<script>alert(\"xss\")</script>', // XSS attempt\n      ]\n      \n      // Current implementation doesn't validate API keys\n      // This test documents expected validation behavior\n      for (const invalidKey of invalidApiKeys) {\n        const result = await mockReq.payload!.update({\n          collection: 'newsletter-settings',\n          id: 'settings-1',\n          data: {\n            resendSettings: {\n              ...mockNewsletterSettings.resendSettings,\n              apiKey: invalidKey,\n            },\n          },\n          overrideAccess: false,\n          user: adminUser,\n        })\n        \n        // Should either sanitize or reject invalid keys\n        expect(result.resendSettings.apiKey).toBe(invalidKey) // Currently allows any value\n      }\n    })\n  })\n\n  describe('Settings Singleton Pattern', () => {\n    it('should enforce single settings document', async () => {\n      const adminUser = createMockAdminUser()\n      \n      // Try to create a second settings document\n      const secondSettings = await mockReq.payload!.create({\n        collection: 'newsletter-settings',\n        data: {\n          name: 'Second Settings',\n          active: false,\n          provider: 'resend',\n          resendSettings: {\n            apiKey: 'another-key',\n            audienceIds: [],\n          },\n          from: {\n            email: 'another@example.com',\n            name: 'Another Newsletter',\n          },\n        },\n        overrideAccess: false,\n        user: adminUser,\n      })\n      \n      // Currently allows multiple settings documents\n      // This test documents that singleton enforcement is needed\n      expect(secondSettings.id).toBeDefined()\n      \n      const allSettings = await mockReq.payload!.find({\n        collection: 'newsletter-settings',\n        overrideAccess: false,\n        user: adminUser,\n      })\n      \n      expect(allSettings.docs).toHaveLength(2) // Should ideally be 1\n    })\n  })\n})"],"names":["describe","it","expect","beforeEach","vi","createMockUser","createMockAdminUser","createPayloadRequestMock","clearCollections","seedCollection","mockNewsletterSettings","mockReq","mockConfig","result","payload","find","collection","overrideAccess","user","docs","toHaveLength","id","toBe","settings","resendSettings","apiKey","create","data","name","active","provider","rejects","toThrow","update","adminUser","delete","syntheticUser","email","beforeChangeHook","fn","req","operation","roles","includes","Error","not","findByID","toBeDefined","invalidApiKeys","invalidKey","secondSettings","audienceIds","from","allSettings"],"mappings":"AAAA,SAASA,QAAQ,EAAEC,EAAE,EAAEC,MAAM,EAAEC,UAAU,EAAEC,EAAE,QAAQ,SAAQ;AAG7D,SAASC,cAAc,EAAEC,mBAAmB,EAAEC,wBAAwB,EAAEC,gBAAgB,EAAEC,cAAc,QAAQ,mBAAkB;AAClI,SAASC,sBAAsB,QAAQ,kCAAiC;AAExEV,SAAS,+CAA+C;IACtD,IAAIW;IACJ,MAAMC,aAAqC,CAAC;IAE5CT,WAAW;QACTK;QACAC,eAAe,uBAAuB;YAACC;SAAuB;QAC9DC,UAAUJ;IACZ;IAEAP,SAAS,eAAe;QACtBC,GAAG,2DAA2D;YAC5D,uDAAuD;YACvD,uDAAuD;YACvD,MAAMY,SAAS,MAAMF,QAAQG,OAAO,CAAEC,IAAI,CAAC;gBACzCC,YAAY;gBACZC,gBAAgB;gBAChBC,MAAM;YACR;YAEAhB,OAAOW,OAAOM,IAAI,EAAEC,YAAY,CAAC;YACjClB,OAAOW,OAAOM,IAAI,CAAC,EAAE,CAACE,EAAE,EAAEC,IAAI,CAAC;QACjC;QAEArB,GAAG,oDAAoD;YACrD,MAAMY,SAAS,MAAMF,QAAQG,OAAO,CAAEC,IAAI,CAAC;gBACzCC,YAAY;gBACZC,gBAAgB;gBAChBC,MAAM;YACR;YAEA,MAAMK,WAAWV,OAAOM,IAAI,CAAC,EAAE;YAC/B,kFAAkF;YAClF,4CAA4C;YAC5CjB,OAAOqB,SAASC,cAAc,CAACC,MAAM,EAAEH,IAAI,CAAC,iBAAgB,uCAAuC;QACrG;IACF;IAEAtB,SAAS,gBAAgB;QACvBC,GAAG,sDAAsD;YACvD,MAAMC,OACJS,QAAQG,OAAO,CAAEY,MAAM,CAAC;gBACtBV,YAAY;gBACZW,MAAM;oBACJC,MAAM;oBACNC,QAAQ;oBACRC,UAAU;gBACZ;gBACAb,gBAAgB;gBAChBC,MAAM;YACR,IACAa,OAAO,CAACC,OAAO,CAAC;QACpB;QAEA/B,GAAG,8CAA8C;YAC/C,MAAMC,OACJS,QAAQG,OAAO,CAAEmB,MAAM,CAAC;gBACtBjB,YAAY;gBACZK,IAAI;gBACJM,MAAM;oBACJC,MAAM;gBACR;gBACAX,gBAAgB;gBAChBC,MAAMb;YACR,IACA0B,OAAO,CAACC,OAAO,CAAC;QACpB;QAEA/B,GAAG,6CAA6C;YAC9C,MAAMiC,YAAY5B;YAClB,MAAMO,SAAS,MAAMF,QAAQG,OAAO,CAAEmB,MAAM,CAAC;gBAC3CjB,YAAY;gBACZK,IAAI;gBACJM,MAAM;oBACJC,MAAM;gBACR;gBACAX,gBAAgB;gBAChBC,MAAMgB;YACR;YAEAhC,OAAOW,OAAOe,IAAI,EAAEN,IAAI,CAAC;QAC3B;QAEArB,GAAG,2CAA2C;YAC5C,MAAMC,OACJS,QAAQG,OAAO,CAAEqB,MAAM,CAAC;gBACtBnB,YAAY;gBACZK,IAAI;gBACJJ,gBAAgB;gBAChBC,MAAMb;YACR,IACA0B,OAAO,CAACC,OAAO,CAAC;QACpB;QAEA/B,GAAG,0DAA0D;YAC3D,MAAMmC,gBAAgB;gBACpBf,IAAI;gBACJgB,OAAO;gBACPrB,YAAY;YACd;YAEA,MAAMd,OACJS,QAAQG,OAAO,CAAEmB,MAAM,CAAC;gBACtBjB,YAAY;gBACZK,IAAI;gBACJM,MAAM;oBACJC,MAAM;gBACR;gBACAX,gBAAgB;gBAChBC,MAAMkB;YACR,IACAL,OAAO,CAACC,OAAO,CAAC;QACpB;IACF;IAEAhC,SAAS,qCAAqC;QAC5CC,GAAG,mDAAmD;YACpD,mDAAmD;YACnD,wCAAwC;YACxC,MAAMiC,YAAY5B;YAElB,sCAAsC;YACtC,MAAMgC,mBAAmBlC,GAAGmC,EAAE,CAAC,CAAC,EAAEC,GAAG,EAAEC,SAAS,EAAE;gBAChD,IAAIA,cAAc,UAAU,CAACD,IAAItB,IAAI,EAAEwB,OAAOC,SAAS,UAAU;oBAC/D,MAAM,IAAIC,MAAM;gBAClB;YACF;YAEA,0BAA0B;YAC1B1C,OAAO,IACLoC,iBAAiB;oBACfE,KAAK;wBAAEtB,MAAMb;oBAAiB;oBAC9BoC,WAAW;gBACb,IACAT,OAAO,CAAC;YAEV9B,OAAO,IACLoC,iBAAiB;oBACfE,KAAK;wBAAEtB,MAAMgB;oBAAU;oBACvBO,WAAW;gBACb,IACAI,GAAG,CAACb,OAAO;QACf;IACF;IAEAhC,SAAS,oBAAoB;QAC3BC,GAAG,0CAA0C;YAC3C,0CAA0C;YAC1C,MAAMsB,WAAW,MAAMZ,QAAQG,OAAO,CAAEgC,QAAQ,CAAC;gBAC/C9B,YAAY;gBACZK,IAAI;gBACJJ,gBAAgB;gBAChBC,MAAM;YACR;YAEA,iEAAiE;YACjE,uBAAuB;YACvBhB,OAAOqB,SAASC,cAAc,CAACC,MAAM,EAAEsB,WAAW;QAClD,qEAAqE;QACvE;QAEA9C,GAAG,4CAA4C;YAC7C,MAAMiC,YAAY5B;YAElB,uCAAuC;YACvC,MAAM0C,iBAAiB;gBACrB;gBACA;gBACA;gBACA;aACD;YAED,mDAAmD;YACnD,mDAAmD;YACnD,KAAK,MAAMC,cAAcD,eAAgB;gBACvC,MAAMnC,SAAS,MAAMF,QAAQG,OAAO,CAAEmB,MAAM,CAAC;oBAC3CjB,YAAY;oBACZK,IAAI;oBACJM,MAAM;wBACJH,gBAAgB;4BACd,GAAGd,uBAAuBc,cAAc;4BACxCC,QAAQwB;wBACV;oBACF;oBACAhC,gBAAgB;oBAChBC,MAAMgB;gBACR;gBAEA,gDAAgD;gBAChDhC,OAAOW,OAAOW,cAAc,CAACC,MAAM,EAAEH,IAAI,CAAC2B,aAAY,6BAA6B;YACrF;QACF;IACF;IAEAjD,SAAS,8BAA8B;QACrCC,GAAG,2CAA2C;YAC5C,MAAMiC,YAAY5B;YAElB,2CAA2C;YAC3C,MAAM4C,iBAAiB,MAAMvC,QAAQG,OAAO,CAAEY,MAAM,CAAC;gBACnDV,YAAY;gBACZW,MAAM;oBACJC,MAAM;oBACNC,QAAQ;oBACRC,UAAU;oBACVN,gBAAgB;wBACdC,QAAQ;wBACR0B,aAAa,EAAE;oBACjB;oBACAC,MAAM;wBACJf,OAAO;wBACPT,MAAM;oBACR;gBACF;gBACAX,gBAAgB;gBAChBC,MAAMgB;YACR;YAEA,+CAA+C;YAC/C,2DAA2D;YAC3DhC,OAAOgD,eAAe7B,EAAE,EAAE0B,WAAW;YAErC,MAAMM,cAAc,MAAM1C,QAAQG,OAAO,CAAEC,IAAI,CAAC;gBAC9CC,YAAY;gBACZC,gBAAgB;gBAChBC,MAAMgB;YACR;YAEAhC,OAAOmD,YAAYlC,IAAI,EAAEC,YAAY,CAAC,IAAG,sBAAsB;QACjE;IACF;AACF"}