janpeter/Scrum4Me
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

M12 / ST-1110: Demo gebruiker read-only (#17)

Browse source 
* feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes

* feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing

- proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel)
- pair/start: isDemo-check via cookies() guard
- pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie

* feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip

Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}>
<Button disabled={isDemo}> so demo visitors see app capabilities.
Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog,
token-manager, product-list, activate-product-button, leave-product-button,
settings page.

* test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/*

* docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan
This commit is contained in:
Janpeter Visser 2026-04-29 18:44:14 +02:00 committed by GitHub
parent 8a9fb9d32b
commit 1cb5772edd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 413 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

8
__tests__/api/pair-claim.test.ts
View file

@ -103,7 +103,7 @@ describe('POST /api/auth/pair/claim', () => {
expect(mockClearPairCookie).toHaveBeenCalledTimes(1)
})
it('demo-user: isDemo doorgezet als vangnet', async () => {
it('demo-user: claim geblokkeerd met 403 (ST-1110.4)', async () => {
mockReadPairCookie.mockResolvedValue(COOKIE_TOKEN)
mockPrisma.loginPairing.updateMany.mockResolvedValue({ count: 1 })
mockPrisma.loginPairing.findUnique.mockResolvedValue({
@ -112,8 +112,10 @@ describe('POST /api/auth/pair/claim', () => {
})
const res = await POST(makePost({ pairingId: PAIRING_ID }))
expect(res.status).toBe(200)
expect(mockSession.isDemo).toBe(true)
expect(res.status).toBe(403)
const body = await res.json()
expect(body.error).toMatch(/demo-modus/i)
expect(mockClearPairCookie).toHaveBeenCalledTimes(1)
})
it('401 zonder s4m_pair-cookie', async () => {

7
__tests__/api/pair-start.test.ts
View file

@ -1,7 +1,12 @@
import { describe, it, expect, vi, beforeEach } from 'vitest'
const { cookieJar } = vi.hoisted(() => ({
const { cookieJar, mockGetIronSession } = vi.hoisted(() => ({
cookieJar: { set: vi.fn(), get: vi.fn(), delete: vi.fn() },
mockGetIronSession: vi.fn().mockResolvedValue({ isDemo: false }),
}))
vi.mock('iron-session', () => ({
getIronSession: mockGetIronSession,
}))
vi.mock('@/lib/prisma', () => ({