janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Scrum4Me/__tests__/proxy/demo-guard.test.ts
Madhura68 a1d1f99216 proxy: add /ideas to protectedRoutes; verify demo-guard for /api/ideas (M12 T-501) 
- proxy.ts: /ideas added to protectedRoutes — unauthenticated users get
  redirected to /login when navigating to /ideas or /ideas/[id]
- existing demo-guard catch-all (\`/api/* + non-GET\`) already blocks
  POST/PATCH/DELETE /api/ideas* with 403 — confirmed via 3 new tests
- server-action endpoints (start-grill / start-make-plan / materialize /
  promote-to-idea) carry their own \`session.isDemo\` checks inside
  actions/ideas.ts and actions/todos.ts (defense in depth)

Tests: 9/9 in proxy demo-guard suite (added 3 idea cases).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 19:56:41 +02:00

98 lines
3.4 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest'
const { mockUnsealData } = vi.hoisted(() => ({
mockUnsealData: vi.fn(),
}))
vi.mock('iron-session', () => ({
unsealData: mockUnsealData,
}))
vi.mock('@/lib/session', () => ({
sessionOptions: { cookieName: 'scrum4me-session', password: 'test-secret' },
}))
import { NextRequest } from 'next/server'
import { proxy } from '@/proxy'
const COOKIE_NAME = 'scrum4me-session'
const RAW_COOKIE = 'sealed-cookie-value'
function makeRequest(method: string, path: string, withCookie = false): NextRequest {
const url = `http://localhost:3000${path}`
const headers = new Headers()
if (withCookie) headers.set('Cookie', `${COOKIE_NAME}=${RAW_COOKIE}`)
return new NextRequest(url, { method, headers })
}
beforeEach(() => {
vi.clearAllMocks()
})
describe('proxy demo-guard', () => {
it('demo + POST /api/ideas → 403 (M12)', async () => {
mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
const req = makeRequest('POST', '/api/ideas', true)
const res = await proxy(req)
expect(res?.status).toBe(403)
})
it('demo + PATCH /api/ideas/abc → 403 (M12)', async () => {
mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
const req = makeRequest('PATCH', '/api/ideas/abc', true)
const res = await proxy(req)
expect(res?.status).toBe(403)
})
it('demo + GET /api/ideas → passthrough (M12)', async () => {
const req = makeRequest('GET', '/api/ideas', true)
const res = await proxy(req)
expect(res?.status).not.toBe(403)
})
it('demo + POST /api/todos → 403', async () => {
mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
const req = makeRequest('POST', '/api/todos', true)
const res = await proxy(req)
expect(res?.status).toBe(403)
const body = await res?.json()
expect(body.error).toMatch(/demo-modus/i)
})
it('demo + GET /api/todos → passthrough (GET is veilig)', async () => {
const req = makeRequest('GET', '/api/todos', true)
const res = await proxy(req)
// NextResponse.next() heeft geen status 403
expect(res?.status).not.toBe(403)
// unsealData nooit aangeroepen voor GET
expect(mockUnsealData).not.toHaveBeenCalled()
})
it('non-demo + POST /api/todos → passthrough', async () => {
mockUnsealData.mockResolvedValue({ userId: 'real-user', isDemo: false })
const req = makeRequest('POST', '/api/todos', true)
const res = await proxy(req)
expect(res?.status).not.toBe(403)
})
it('geen cookie + POST /api/todos → passthrough (geen sessie = niet geblokkeerd)', async () => {
const req = makeRequest('POST', '/api/todos', false)
const res = await proxy(req)
expect(mockUnsealData).not.toHaveBeenCalled()
expect(res?.status).not.toBe(403)
})
it('demo + POST /api/cron/expire-questions → passthrough (cron in allowlist)', async () => {
const req = makeRequest('POST', '/api/cron/expire-questions', true)
const res = await proxy(req)
expect(mockUnsealData).not.toHaveBeenCalled()
expect(res?.status).not.toBe(403)
})
it('demo + POST /api/auth/pair/start → 403 (M11-keuze: blokken)', async () => {
mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
const req = makeRequest('POST', '/api/auth/pair/start', true)
const res = await proxy(req)
expect(res?.status).toBe(403)
})
})
Reference in a new issue View git blame Copy permalink