test(security): add and refactor api security/idor coverage

2026-05-11 16:40:16 +02:00
parent 9b468d9a13
commit 1db30c9b6f
12 changed files with 1025 additions and 23 deletions
@@ -0,0 +1,100 @@
+import { UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { RecipesController } from './recipes.controller';
+
+describe('Recipes controller security', () => {
+  const makeUser = (overrides: Partial<{ userId: number; role: string }> = {}) => ({
+    userId: 42,
+    role: 'user',
+    ...overrides,
+  });
+
+  const recipesServiceMock = {
+    findAll: jest.fn(),
+    findOne: jest.fn(),
+    create: jest.fn(),
+    update: jest.fn(),
+    remove: jest.fn(),
+    shareWithUser: jest.fn(),
+    unshareWithUser: jest.fn(),
+    setVisibility: jest.fn(),
+  };
+
+  const controller = new RecipesController(recipesServiceMock as any, {} as any);
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('JwtAuthGuard kräver autentisering på findAll', () => {
+    const guard = new JwtAuthGuard(new Reflector());
+
+    expect(() => guard.handleRequest(null, null, null)).toThrow(UnauthorizedException);
+  });
+
+  it('JwtAuthGuard tillåter autentiserad användare på findAll', () => {
+    const guard = new JwtAuthGuard(new Reflector());
+    const user = makeUser({ userId: 1 });
+
+    expect(guard.handleRequest(null, user, null)).toBe(user);
+  });
+
+  it('findOne vidarebefordrar @CurrentUser.userId till service', () => {
+    recipesServiceMock.findOne.mockResolvedValue({ id: 1 });
+
+    controller.findOne(1, makeUser());
+
+    expect(recipesServiceMock.findOne).toHaveBeenCalledWith(1, 42);
+  });
+
+  it('create vidarebefordrar @CurrentUser.userId till service', async () => {
+    const dto = { name: 'test' };
+    recipesServiceMock.create.mockResolvedValue({ id: 1 });
+
+    await controller.create(dto as any, makeUser());
+
+    expect(recipesServiceMock.create).toHaveBeenCalledWith(dto, 42);
+  });
+
+  it('update vidarebefordrar @CurrentUser.userId till service', async () => {
+    const dto = { name: 'updated' };
+    recipesServiceMock.update.mockResolvedValue({ id: 1 });
+
+    await controller.update(1, dto as any, makeUser());
+
+    expect(recipesServiceMock.update).toHaveBeenCalledWith(1, dto, 42);
+  });
+
+  it('remove vidarebefordrar @CurrentUser.userId till service', async () => {
+    recipesServiceMock.remove.mockResolvedValue(undefined);
+
+    await controller.remove(1, makeUser());
+
+    expect(recipesServiceMock.remove).toHaveBeenCalledWith(1, 42);
+  });
+
+  it('shareRecipe vidarebefordrar userId och trimmar username', async () => {
+    recipesServiceMock.shareWithUser.mockResolvedValue(undefined);
+
+    await controller.shareRecipe(1, { username: '  alice  ' } as any, makeUser());
+
+    expect(recipesServiceMock.shareWithUser).toHaveBeenCalledWith(1, 42, 'alice');
+  });
+
+  it('unshareRecipe vidarebefordrar userId och trimmar username', async () => {
+    recipesServiceMock.unshareWithUser.mockResolvedValue(undefined);
+
+    await controller.unshareRecipe(1, '  alice  ', makeUser());
+
+    expect(recipesServiceMock.unshareWithUser).toHaveBeenCalledWith(1, 42, 'alice');
+  });
+
+  it('setVisibility vidarebefordrar userId till service', async () => {
+    recipesServiceMock.setVisibility.mockResolvedValue(undefined);
+
+    await controller.setVisibility(1, { isPublic: true } as any, makeUser());
+
+    expect(recipesServiceMock.setVisibility).toHaveBeenCalledWith(1, 42, true);
+  });
+});