feat(ST-1004): add SSE /api/auth/pair/stream with cookie auth

GET /api/auth/pair/stream/[pairingId]: - runtime: 'nodejs', maxDuration: 300, dynamic: 'force-dynamic' - Auth via s4m_pair HttpOnly cookie (readPairCookie + verifyToken tegen desktop_token_hash); 401 zonder cookie of bij hash-mismatch, 404 als pairing onbekend, 410 als verlopen — geen geheim materiaal in URL of querystring - Hergebruikt LISTEN/NOTIFY-pattern uit app/api/realtime/solo/route.ts: ReadableStream + dedicated pg.Client + heartbeat 25s + hard-close 240s - Channel: scrum4me_pairing; filter notifies op pairing_id-match - Initial 'state'-event direct na connect met huidige status (voorkomt race waarbij approve net vóór SSE-open landt — desktop ziet 'm alsnog) - Auto-close zodra status consumed/cancelled binnenkomt - Fallback DIRECT_URL → DATABASE_URL (de eerste staat lokaal op een placeholder) Tests __tests__/api/pair-stream.test.ts (4 cases — auth-paden): - 401 zonder cookie (en geen DB-call gedaan) - 404 op onbekende pairingId - 410 op verlopen pairing - 401 op cookie/hash-mismatch Full-stream-test (LISTEN+notify-roundtrip) is een handmatige acceptatietest in ST-1008 — niet zinvol te mocken voor v1. Quality gates: lint 0 errors, tsc clean, vitest 121/121. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 22:42:07 +02:00 · 2026-04-27 22:42:07 +02:00 · 2a0c6a512d
commit 2a0c6a512d
parent e0bec8c55c
2 changed files with 275 additions and 0 deletions
--- a/tests/api/pair-stream.test.ts
+++ b/tests/api/pair-stream.test.ts
@ -0,0 +1,84 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+// Mock the cookie helper directly — easier than mocking next/headers + reasoning
+// over the cookies() async wrapper. The actual cookie wiring is tested in
+// pair-start.test.ts.
+const { mockReadPairCookie } = vi.hoisted(() => ({
+  mockReadPairCookie: vi.fn(),
+}))
+
+vi.mock('@/lib/auth/pair-cookie', () => ({
+  readPairCookie: mockReadPairCookie,
+  setPairCookie: vi.fn(),
+  clearPairCookie: vi.fn(),
+}))
+
+vi.mock('@/lib/prisma', () => ({
+  prisma: {
+    loginPairing: {
+      findUnique: vi.fn(),
+    },
+  },
+}))
+
+import { prisma } from '@/lib/prisma'
+import { hashToken } from '@/lib/auth/pairing'
+import type { NextRequest } from 'next/server'
+import { GET } from '@/app/api/auth/pair/stream/[pairingId]/route'
+
+const mockPrisma = prisma as unknown as {
+  loginPairing: { findUnique: ReturnType<typeof vi.fn> }
+}
+
+function makeReq(): NextRequest {
+  // Minimaal NextRequest-shape voor de auth-paden — we komen niet aan signal/url toe
+  // omdat de auth-checks vóór de stream-setup falen.
+  return { signal: new AbortController().signal } as unknown as NextRequest
+}
+
+const params = (id: string) =>
+  ({ params: Promise.resolve({ pairingId: id }) }) as { params: Promise<{ pairingId: string }> }
+
+beforeEach(() => {
+  vi.clearAllMocks()
+})
+
+describe('GET /api/auth/pair/stream/[pairingId]', () => {
+  it('401 zonder s4m_pair-cookie', async () => {
+    mockReadPairCookie.mockResolvedValue(null)
+    const res = await GET(makeReq(), params('pair-x'))
+    expect(res.status).toBe(401)
+    const body = await res.json()
+    expect(body.error).toMatch(/cookie/i)
+    expect(mockPrisma.loginPairing.findUnique).not.toHaveBeenCalled()
+  })
+
+  it('404 als pairing onbekend is', async () => {
+    mockReadPairCookie.mockResolvedValue('whatever-token')
+    mockPrisma.loginPairing.findUnique.mockResolvedValue(null)
+    const res = await GET(makeReq(), params('pair-onbekend'))
+    expect(res.status).toBe(404)
+  })
+
+  it('410 als pairing verlopen is', async () => {
+    mockReadPairCookie.mockResolvedValue('correct-token')
+    mockPrisma.loginPairing.findUnique.mockResolvedValue({
+      desktop_token_hash: hashToken('correct-token'),
+      status: 'pending',
+      expires_at: new Date(Date.now() - 1000),
+    })
+    const res = await GET(makeReq(), params('pair-verlopen'))
+    expect(res.status).toBe(410)
+  })
+
+  it('401 als cookie hashed naar andere desktop_token_hash', async () => {
+    mockReadPairCookie.mockResolvedValue('verkeerd-token')
+    mockPrisma.loginPairing.findUnique.mockResolvedValue({
+      desktop_token_hash: hashToken('echt-token'),
+      status: 'pending',
+      expires_at: new Date(Date.now() + 60_000),
+    })
+    const res = await GET(makeReq(), params('pair-mismatch'))
+    expect(res.status).toBe(401)
+  })
+})