zenstack 0.1.41 → 1.0.0

package/tests/integration/tests/todo-e2e.test.ts

@@ -0,0 +1,577 @@
+import path from 'path';
+import { makeClient, run, setup } from './utils';
+
+describe('Todo E2E Tests', () => {
+    let workDir: string;
+    let origDir: string;
+
+    beforeAll(async () => {
+        origDir = path.resolve('.');
+        workDir = await setup('./tests/todo.zmodel');
+    });
+
+    afterAll(() => {
+        process.chdir(origDir);
+    });
+
+    beforeEach(() => {
+        run('npx prisma migrate reset --schema ./zenstack/schema.prisma -f');
+    });
+
+    it('user', async () => {
+        const userClient = makeClient('/api/data/User');
+        const user1 = {
+            id: 'user1',
+            email: 'user1@zenstack.dev',
+            name: 'User 1',
+        };
+        const user2 = {
+            id: 'user2',
+            email: 'user2@zenstack.dev',
+            name: 'User 2',
+        };
+        const user1Client = makeClient('/api/data/User/user1', user1.id);
+        const user2Client = makeClient('/api/data/User/user2', user1.id);
+
+        // create user1
+        await userClient
+            .post('/')
+            .send({
+                data: user1,
+            })
+            .expect(201)
+            .expect((resp) => {
+                expect(resp.body).toEqual(expect.objectContaining(user1));
+            });
+
+        const credClient = makeClient('/api/data/User', user1.id);
+
+        // find
+        await credClient
+            .get('/')
+            .expect(200)
+            .expect((resp) => {
+                expect(resp.body).toEqual([expect.objectContaining(user1)]);
+            });
+
+        // get
+        await user1Client
+            .get('/')
+            .expect(200)
+            .expect((resp) =>
+                expect(resp.body).toEqual(expect.objectContaining(user1))
+            );
+        await user2Client.get('/').expect(404);
+
+        // create user2
+        await userClient.post('/').send({
+            data: user2,
+        });
+
+        // find with user1 should only get user1
+        await credClient
+            .get('/')
+            .expect(200)
+            .expect((resp) => {
+                expect(resp.body).toHaveLength(1);
+                expect(resp.body).toEqual([expect.objectContaining(user1)]);
+            });
+
+        // get user2 as user1
+        await user2Client.get('/').expect(404);
+
+        // add both users into the same space
+        const spaceClient = makeClient('/api/data/Space', user1.id);
+        await spaceClient
+            .post('/')
+            .send({
+                data: {
+                    name: 'Space 1',
+                    slug: 'space1',
+                    owner: { connect: { id: user1.id } },
+                    members: {
+                        create: [
+                            {
+                                user: { connect: { id: user1.id } },
+                                role: 'ADMIN',
+                            },
+                            {
+                                user: { connect: { id: user2.id } },
+                                role: 'USER',
+                            },
+                        ],
+                    },
+                },
+            })
+            .expect(201);
+
+        // now both user1 and user2 should be visible
+        await credClient
+            .get('/')
+            .expect((resp) => expect(resp.body).toHaveLength(2));
+        await user2Client
+            .get('/')
+            .expect(200)
+            .expect((resp) =>
+                expect(resp.body).toEqual(expect.objectContaining(user2))
+            );
+
+        // update user2 as user1
+        await user2Client
+            .put('/')
+            .send({
+                data: {
+                    name: 'hello',
+                },
+            })
+            .expect(403);
+
+        // update user1 as user1
+        await user1Client
+            .put('/')
+            .send({
+                data: {
+                    name: 'hello',
+                },
+            })
+            .expect(200)
+            .expect((resp) => expect(resp.body.name).toBe('hello'));
+
+        // delete user2 as user1
+        await user2Client.delete('/').expect(403);
+
+        // delete user1 as user1
+        await user1Client.delete('/').expect(200);
+        await user1Client.get('/').expect(404);
+    });
+
+    it('todo list', async () => {
+        await createSpaceAndUsers();
+
+        const listClient = makeClient('/api/data/List');
+        await listClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list1',
+                    title: 'List 1',
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(403);
+
+        const credClient = makeClient('/api/data/List', user1.id);
+        await credClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list1',
+                    title: 'List 1',
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(201);
+
+        await credClient
+            .get('/')
+            .expect(200)
+            .expect((resp) => expect(resp.body).toHaveLength(1));
+
+        await listClient
+            .get('/')
+            .expect(200)
+            .expect((resp) => expect(resp.body).toHaveLength(0));
+
+        const list1Client = makeClient('/api/data/List/list1');
+        await list1Client.get('/').expect(404);
+
+        // accessible to owner
+        const list1CredClientUser1 = makeClient(
+            '/api/data/List/list1',
+            user1.id
+        );
+        await list1CredClientUser1
+            .get('/')
+            .expect(200)
+            .expect((resp) =>
+                expect(resp.body).toEqual(
+                    expect.objectContaining({ id: 'list1', title: 'List 1' })
+                )
+            );
+
+        // accessible to user in the space
+        const list1CredClientUser2 = makeClient(
+            '/api/data/List/list1',
+            user2.id
+        );
+        await list1CredClientUser2.get('/').expect(200);
+
+        // inaccessible to user not in the space
+        const list1CredClientUser3 = makeClient(
+            '/api/data/List/list1',
+            user3.id
+        );
+        await list1CredClientUser3.get('/').expect(404);
+
+        // make a private list
+        await credClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list2',
+                    title: 'List 2',
+                    private: true,
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(201);
+
+        // accessible to owner
+        const list2CredClientUser1 = makeClient(
+            '/api/data/List/list2',
+            user1.id
+        );
+        await list2CredClientUser1.get('/').expect(200);
+
+        // inaccessible to other user in the space
+        const list2CredClientUser2 = makeClient(
+            '/api/data/List/list2',
+            user2.id
+        );
+        await list2CredClientUser2.get('/').expect(404);
+
+        // create a list which doesn't match credential should fail
+        await credClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list3',
+                    title: 'List 3',
+                    owner: { connect: { id: user2.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(403);
+
+        // create a list which doesn't match credential's space should fail
+        await credClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list3',
+                    title: 'List 3',
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space2.id } },
+                },
+            })
+            .expect(403);
+
+        // update list
+        await list1CredClientUser1
+            .put('/')
+            .send({
+                data: {
+                    title: 'List 1 updated',
+                },
+            })
+            .expect(200)
+            .expect((resp) => expect(resp.body.title).toBe('List 1 updated'));
+
+        await list1CredClientUser2
+            .put('/')
+            .send({
+                data: {
+                    title: 'List 1 updated',
+                },
+            })
+            .expect(403);
+
+        // delete list
+        await list1CredClientUser2.delete('/').expect(403);
+        await list1CredClientUser1.delete('/').expect(200);
+        await list1CredClientUser1.get('/').expect(404);
+    });
+
+    it('todo', async () => {
+        await createSpaceAndUsers();
+
+        const listClient = makeClient('/api/data/List', user1.id);
+        await listClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list1',
+                    title: 'List 1',
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(201);
+
+        const todoClientUser1 = makeClient('/api/data/Todo', user1.id);
+        const todoClientUser2 = makeClient('/api/data/Todo', user2.id);
+
+        // create
+        await todoClientUser1
+            .post('/')
+            .send({
+                data: {
+                    id: 'todo1',
+                    title: 'Todo 1',
+                    owner: { connect: { id: user1.id } },
+                    list: {
+                        connect: { id: 'list1' },
+                    },
+                },
+            })
+            .expect(201);
+        await todoClientUser2
+            .post('/')
+            .send({
+                data: {
+                    id: 'todo2',
+                    title: 'Todo 2',
+                    owner: { connect: { id: user2.id } },
+                    list: {
+                        connect: { id: 'list1' },
+                    },
+                },
+            })
+            .expect(201);
+
+        // read
+        await todoClientUser1
+            .get('/')
+            .expect(200)
+            .expect((resp) => expect(resp.body).toHaveLength(2));
+        await todoClientUser2
+            .get('/')
+            .expect(200)
+            .expect((resp) => expect(resp.body).toHaveLength(2));
+
+        const todo1ClientUser1 = makeClient('/api/data/Todo/todo1', user1.id);
+        const todo2ClientUser1 = makeClient('/api/data/Todo/todo2', user1.id);
+
+        // update, user in the same space can freely update
+        await todo1ClientUser1
+            .put('/')
+            .send({
+                data: {
+                    title: 'Todo 1 updated',
+                },
+            })
+            .expect(200);
+        await todo2ClientUser1
+            .put('/')
+            .send({
+                data: {
+                    title: 'Todo 2 updated',
+                },
+            })
+            .expect(200);
+
+        // create a private list
+        await listClient
+            .post('/')
+            .send({
+                data: {
+                    id: 'list2',
+                    private: true,
+                    title: 'List 2',
+                    owner: { connect: { id: user1.id } },
+                    space: { connect: { id: space1.id } },
+                },
+            })
+            .expect(201);
+
+        // create
+        await todoClientUser1
+            .post('/')
+            .send({
+                data: {
+                    id: 'todo3',
+                    title: 'Todo 3',
+                    owner: { connect: { id: user1.id } },
+                    list: {
+                        connect: { id: 'list2' },
+                    },
+                },
+            })
+            .expect(201);
+        await todoClientUser2
+            .post('/')
+            .send({
+                data: {
+                    id: 'todo4',
+                    title: 'Todo 4',
+                    owner: { connect: { id: user2.id } },
+                    list: {
+                        connect: { id: 'list2' },
+                    },
+                },
+            })
+            .expect(403);
+
+        // update, only owner can update todo in a private list
+        const todo3ClientUser1 = makeClient('/api/data/Todo/todo3', user1.id);
+        const todo3ClientUser2 = makeClient('/api/data/Todo/todo3', user2.id);
+        await todo3ClientUser1
+            .put('/')
+            .send({
+                data: {
+                    title: 'Todo 3 updated',
+                },
+            })
+            .expect(200);
+        await todo3ClientUser2
+            .put('/')
+            .send({
+                data: {
+                    title: 'Todo 3 updated',
+                },
+            })
+            .expect(403);
+    });
+
+    it('relation query', async () => {
+        await createSpaceAndUsers();
+        const listClient = makeClient('/api/data/List', user1.id);
+        await listClient.post('/').send({
+            data: {
+                id: 'list1',
+                title: 'List 1',
+                owner: { connect: { id: user1.id } },
+                space: { connect: { id: space1.id } },
+            },
+        });
+        await listClient.post('/').send({
+            data: {
+                id: 'list2',
+                title: 'List 2',
+                private: true,
+                owner: { connect: { id: user1.id } },
+                space: { connect: { id: space1.id } },
+            },
+        });
+
+        const spaceClientUser1 = makeClient(
+            `/api/data/Space/space1`,
+            user1.id,
+            {
+                include: { lists: true },
+            }
+        );
+        await spaceClientUser1.get('/').expect((resp) => {
+            expect(resp.body.lists).toHaveLength(2);
+        });
+
+        const spaceClientUser2 = makeClient(
+            `/api/data/Space/space1`,
+            user2.id,
+            {
+                include: { lists: true },
+            }
+        );
+        await spaceClientUser2.get('/').expect((resp) => {
+            expect(resp.body.lists).toHaveLength(1);
+        });
+    });
+});
+
+const user1 = {
+    id: 'user1',
+    email: 'user1@zenstack.dev',
+    name: 'User 1',
+};
+
+const user2 = {
+    id: 'user2',
+    email: 'user2@zenstack.dev',
+    name: 'User 2',
+};
+
+const user3 = {
+    id: 'user3',
+    email: 'user3@zenstack.dev',
+    name: 'User 3',
+};
+
+const space1 = {
+    id: 'space1',
+    name: 'Space 1',
+    slug: 'space1',
+};
+
+const space2 = {
+    id: 'space2',
+    name: 'Space 2',
+    slug: 'space2',
+};
+
+async function createSpaceAndUsers() {
+    const userClient = makeClient('/api/data/User');
+    // create users
+    await userClient
+        .post('/')
+        .send({
+            data: user1,
+        })
+        .expect(201);
+    await userClient
+        .post('/')
+        .send({
+            data: user2,
+        })
+        .expect(201);
+    await userClient
+        .post('/')
+        .send({
+            data: user3,
+        })
+        .expect(201);
+
+    // add user1 and user2 into space1
+    const spaceClientUser1 = makeClient('/api/data/Space', user1.id);
+    await spaceClientUser1
+        .post('/')
+        .send({
+            data: {
+                ...space1,
+                members: {
+                    create: [
+                        {
+                            user: { connect: { id: user1.id } },
+                            role: 'ADMIN',
+                        },
+                        {
+                            user: { connect: { id: user2.id } },
+                            role: 'USER',
+                        },
+                    ],
+                },
+            },
+        })
+        .expect(201);
+
+    // add user3 to space2
+    const spaceClientUser3 = makeClient('/api/data/Space', user3.id);
+    await spaceClientUser3
+        .post('/')
+        .send({
+            data: {
+                ...space2,
+                members: {
+                    create: [
+                        {
+                            user: { connect: { id: user3.id } },
+                            role: 'ADMIN',
+                        },
+                    ],
+                },
+            },
+        })
+        .expect(201);
+}

package/tests/integration/tests/todo.zmodel

@@ -0,0 +1,123 @@
+/*
+* Sample model for a collaborative Todo app
+*/
+
+datasource db {
+    provider = 'sqlite'
+    url = 'file:./todo.db'
+}
+
+model Space {
+    id String @id @default(uuid())
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+    name String @length(1, 100)
+    slug String @unique @length(1, 20)
+
+    owner User? @relation(fields: [ownerId], references: [id])
+    ownerId String?
+
+    members SpaceUser[]
+    lists List[]
+
+    // require login
+    @@deny('all', auth() == null)
+
+    // everyone can create a space
+    @@allow('create', true)
+
+    // any user in the space can read the space
+    @@allow('read', members?[user == auth()])
+
+    // space admin can update and delete
+    @@allow('update,delete', members?[user == auth() && role == "ADMIN"])
+}
+
+model SpaceUser {
+    id String @id @default(uuid())
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+    space Space @relation(fields:[spaceId], references: [id], onDelete: Cascade)
+    spaceId String
+    user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+    userId String
+    role String
+    
+    @@unique([userId, spaceId])
+
+    // require login
+    @@deny('all', auth() == null)
+
+    // space admin can create/update/delete
+    @@allow('create,update,delete', space.owner == auth() || space.members?[user == auth() && role == "ADMIN"])
+
+    // user can read entries for spaces which he's a member of
+    @@allow('read', space.members?[user == auth()])
+}
+
+model User {
+    id String @id @default(uuid())
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+    email String @unique @email
+    emailVerified DateTime?
+    password String?
+    name String? @length(1, 100)
+    
+    ownedSpaces Space[]
+
+    spaces SpaceUser[]
+    image String? @url
+    lists List[]
+    todos Todo[]
+
+    // can be created by anyone, even not logged in
+    @@allow('create', true)
+
+    // can be read by users sharing any space
+    @@allow('read', auth() == this || spaces?[space.members?[user == auth()]])
+
+    // can only be updated and deleted by himeself
+    @@allow('update,delete', auth() == this) 
+}
+
+model List {
+    id String @id @default(uuid())
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+    space Space @relation(fields: [spaceId], references: [id], onDelete: Cascade)
+    spaceId String
+    owner User @relation(fields: [ownerId], references: [id], onDelete: Cascade)
+    ownerId String
+    title String @length(1, 20)
+    private Boolean @default(false)
+    todos Todo[]
+
+    // require login
+    @@deny('all', auth() == null)
+
+    // can be read by owner or space members (only if not private) 
+    @@allow('read', owner == auth() || (space.members?[user == auth()] && !private))
+
+    // can be updated/deleted by owner with a valid space
+    @@allow('create,update,delete', owner == auth() && space.members?[user == auth()]) 
+}
+
+model Todo {
+    id String @id @default(uuid())
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+    owner User @relation(fields: [ownerId], references: [id], onDelete: Cascade)
+    ownerId String
+    list List @relation(fields: [listId], references: [id], onDelete: Cascade)
+    listId String
+    title String
+    completedAt DateTime?
+
+    // require login
+    @@deny('all', auth() == null)
+
+    // owner has full access, also space members have full access (if the parent List is not private)
+    @@allow('all', list.owner == auth())
+    @@allow('all', list.space.members?[user == auth()] && !list.private)
+}

package/tests/integration/tests/tsconfig.template.json

@@ -0,0 +1,10 @@
+{
+    "compilerOptions": {
+        "target": "es2016",
+        "module": "commonjs",
+        "esModuleInterop": true,
+        "forceConsistentCasingInFileNames": true,
+        "strict": true,
+        "skipLibCheck": true
+    }
+}