test(security): add and refactor api security/idor coverage

2026-05-11 16:40:16 +02:00
parent 9b468d9a13
commit 1db30c9b6f
12 changed files with 1025 additions and 23 deletions
@@ -1,27 +1,9 @@
-import { ExecutionContext, ForbiddenException, UnauthorizedException } from '@nestjs/common';
+import { ForbiddenException, UnauthorizedException } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { JwtAuthGuard } from '../auth/jwt-auth.guard';
-import { ROLES_KEY } from '../auth/decorators/roles.decorator';
 import { RolesGuard } from '../auth/roles.guard';
 import { InventoryController } from './inventory.controller';
-
-type MockHttpContextOptions = {
-  handler: Function;
-  clazz: Function;
-  user?: any;
-};
-
-function mockHttpContext(options: MockHttpContextOptions): ExecutionContext {
-  return {
-    getClass: () => options.clazz,
-    getHandler: () => options.handler,
-    switchToHttp: () => ({
-      getRequest: () => ({ user: options.user }),
-      getResponse: () => ({}),
-      getNext: () => undefined,
-    }),
-  } as unknown as ExecutionContext;
-}
+import { getRolesMetadata, mockHttpContext } from '../test-utils/security-test-helpers';

 describe('Inventory admin security', () => {
  const adminHandlers: Array<[string, Function]> = [
@@ -33,9 +15,10 @@ describe('Inventory admin security', () => {
    ['previewMergeAdmin', InventoryController.prototype.previewMergeAdmin],
  ];

-  it.each(adminHandlers)('admin-endpoint %s har @Roles("admin") metadata', (_name, handler) => {
-    const roles = Reflect.getMetadata(ROLES_KEY, handler) as string[] | undefined;
-    expect(roles).toEqual(['admin']);
+  it('alla admin-endpoints har @Roles("admin") metadata', () => {
+    for (const [, handler] of adminHandlers) {
+      expect(getRolesMetadata(handler)).toEqual(['admin']);
+    }
  });

  it.each(adminHandlers)('RolesGuard nekar icke-admin (403) på %s', (_name, handler) => {