M12 / ST-1110: Demo gebruiker read-only (#17)

* feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes * feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing - proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel) - pair/start: isDemo-check via cookies() guard - pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie * feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}> <Button disabled={isDemo}> so demo visitors see app capabilities. Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog, token-manager, product-list, activate-product-button, leave-product-button, settings page. * test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/* * docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan
2026-04-29 18:44:14 +02:00 · 2026-04-29 18:44:14 +02:00 · 1cb5772edd
commit 1cb5772edd
parent 8a9fb9d32b
19 changed files with 413 additions and 142 deletions
--- a/tests/proxy/demo-guard.test.ts
+++ b/tests/proxy/demo-guard.test.ts
@ -0,0 +1,78 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+const { mockUnsealData } = vi.hoisted(() => ({
+  mockUnsealData: vi.fn(),
+}))
+
+vi.mock('iron-session', () => ({
+  unsealData: mockUnsealData,
+}))
+
+vi.mock('@/lib/session', () => ({
+  sessionOptions: { cookieName: 'scrum4me-session', password: 'test-secret' },
+}))
+
+import { NextRequest } from 'next/server'
+import { proxy } from '@/proxy'
+
+const COOKIE_NAME = 'scrum4me-session'
+const RAW_COOKIE = 'sealed-cookie-value'
+
+function makeRequest(method: string, path: string, withCookie = false): NextRequest {
+  const url = `http://localhost:3000${path}`
+  const headers = new Headers()
+  if (withCookie) headers.set('Cookie', `${COOKIE_NAME}=${RAW_COOKIE}`)
+  return new NextRequest(url, { method, headers })
+}
+
+beforeEach(() => {
+  vi.clearAllMocks()
+})
+
+describe('proxy demo-guard', () => {
+  it('demo + POST /api/todos → 403', async () => {
+    mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+    const req = makeRequest('POST', '/api/todos', true)
+    const res = await proxy(req)
+    expect(res?.status).toBe(403)
+    const body = await res?.json()
+    expect(body.error).toMatch(/demo-modus/i)
+  })
+
+  it('demo + GET /api/todos → passthrough (GET is veilig)', async () => {
+    const req = makeRequest('GET', '/api/todos', true)
+    const res = await proxy(req)
+    // NextResponse.next() heeft geen status 403
+    expect(res?.status).not.toBe(403)
+    // unsealData nooit aangeroepen voor GET
+    expect(mockUnsealData).not.toHaveBeenCalled()
+  })
+
+  it('non-demo + POST /api/todos → passthrough', async () => {
+    mockUnsealData.mockResolvedValue({ userId: 'real-user', isDemo: false })
+    const req = makeRequest('POST', '/api/todos', true)
+    const res = await proxy(req)
+    expect(res?.status).not.toBe(403)
+  })
+
+  it('geen cookie + POST /api/todos → passthrough (geen sessie = niet geblokkeerd)', async () => {
+    const req = makeRequest('POST', '/api/todos', false)
+    const res = await proxy(req)
+    expect(mockUnsealData).not.toHaveBeenCalled()
+    expect(res?.status).not.toBe(403)
+  })
+
+  it('demo + POST /api/cron/expire-questions → passthrough (cron in allowlist)', async () => {
+    const req = makeRequest('POST', '/api/cron/expire-questions', true)
+    const res = await proxy(req)
+    expect(mockUnsealData).not.toHaveBeenCalled()
+    expect(res?.status).not.toBe(403)
+  })
+
+  it('demo + POST /api/auth/pair/start → 403 (M11-keuze: blokken)', async () => {
+    mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+    const req = makeRequest('POST', '/api/auth/pair/start', true)
+    const res = await proxy(req)
+    expect(res?.status).toBe(403)
+  })
+})