nilsjohan/recipe-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
30d27d6b8aabf340d0721b75a9be0fe22dacd4a0
recipe-app/backend/src/inventory/inventory.security.spec.ts
T
Nils-Johan Gynther 1db30c9b6f
Test Suite / test (24.15.0) (push) Has been cancelled
Details
test(security): add and refactor api security/idor coverage
2026-05-11 16:40:16 +02:00

79 lines
2.9 KiB
TypeScript
Raw Blame History

import { ForbiddenException, UnauthorizedException } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { JwtAuthGuard } from '../auth/jwt-auth.guard';
import { RolesGuard } from '../auth/roles.guard';
import { InventoryController } from './inventory.controller';
import { getRolesMetadata, mockHttpContext } from '../test-utils/security-test-helpers';
describe('Inventory admin security', () => {
const adminHandlers: Array<[string, Function]> = [
['findAllAdmin', InventoryController.prototype.findAllAdmin],
['createAdmin', InventoryController.prototype.createAdmin],
['updateAdmin', InventoryController.prototype.updateAdmin],
['removeAdmin', InventoryController.prototype.removeAdmin],
['mergeAdmin', InventoryController.prototype.mergeAdmin],
['previewMergeAdmin', InventoryController.prototype.previewMergeAdmin],
];
it('alla admin-endpoints har @Roles("admin") metadata', () => {
for (const [, handler] of adminHandlers) {
expect(getRolesMetadata(handler)).toEqual(['admin']);
}
});
it.each(adminHandlers)('RolesGuard nekar icke-admin (403) på %s', (_name, handler) => {
const reflector = new Reflector();
const guard = new RolesGuard(reflector);
const context = mockHttpContext({
handler,
clazz: InventoryController,
user: { role: 'user' },
});
expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
});
it.each(adminHandlers)('RolesGuard tillåter admin (200/allow) på %s', (_name, handler) => {
const reflector = new Reflector();
const guard = new RolesGuard(reflector);
const context = mockHttpContext({
handler,
clazz: InventoryController,
user: { role: 'admin' },
});
expect(guard.canActivate(context)).toBe(true);
});
it('JwtAuthGuard mappar saknad användare till 401', () => {
const guard = new JwtAuthGuard(new Reflector());
expect(() => guard.handleRequest(null, null, null)).toThrow(UnauthorizedException);
});
it('JwtAuthGuard släpper igenom autentiserad användare (200/allow)', () => {
const guard = new JwtAuthGuard(new Reflector());
const user = { userId: 42, role: 'admin' };
expect(guard.handleRequest(null, user, null)).toBe(user);
});
it('JwtAuthGuard-logg innehåller userId men inte token', () => {
const guard = new JwtAuthGuard(new Reflector());
const logSpy = jest.fn();
(guard as any).logger = { log: logSpy };
const user = {
userId: 77,
role: 'admin',
accessToken: 'secret-token-should-not-appear',
};
guard.handleRequest(null, user, null);
expect(logSpy).toHaveBeenCalledTimes(1);
const loggedMessage = String(logSpy.mock.calls[0][0] ?? '');
expect(loggedMessage).toContain('77');
expect(loggedMessage).not.toContain('secret-token-should-not-appear');
});
});
Reference in New Issue View Git Blame Copy Permalink