letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
feat/mobile-foundation
pn-new-crm/tests/integration/api/saved-views-ownership.test.ts

127 lines
4.2 KiB
TypeScript
Raw Permalink Normal View History

test(audit-fixes): cover the new permission and webhook surfaces Adds integration coverage for the routes / handlers shipped in the preceding audit-fix commits, plus refactors two route files to expose inner handlers from a sibling `handlers.ts` (the pattern used elsewhere in `src/app/api/v1`) so tests can call them without the `withAuth(withPermission(…))` wrapper. New tests (18 cases across 4 files): - `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the wrong audience (CRM-session-replay shape) or wrong issuer, plus a round-trip happy path. Locks in the portal-vs-CRM token isolation. - `tests/integration/api/saved-views-ownership.test.ts` (6) — patch and delete handlers return 403 for a different user, 404 for an unknown id or cross-port id, and 200 for the owner. Ownership is enforced at the route layer regardless of the service's internal filtering. - `tests/integration/api/berth-reservations-list.test.ts` (3) — the new global list returns rows for the current port only and honors pagination params. A reservation in a different port never leaks. - `tests/integration/documents-expired-webhook.test.ts` (3) — handleDocumentExpired flips the document to `expired`, also flips the linked interest's `eoiStatus`, writes a `documentEvents` row, and is a no-op (not a throw) when the documensoId is unknown. Refactors: - `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` / `deleteHandler` (and the shared `assertViewOwner`) into `handlers.ts`. The route file is now a 4-line `withAuth(handler)` wrapper. - `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler` similarly. Tests import directly from `handlers.ts`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:17:08 +02:00
/**
* Saved-views ownership enforcement locks in the 403/404 split shipped
* in fix(auth). The route handlers preflight `assertViewOwner` BEFORE the
* service call, so even if the service's internal userId filter is later
* refactored, the route still rejects cross-user mutations.
*/
import { describe, it, expect, beforeAll } from 'vitest';
import { db } from '@/lib/db';
import { savedViewsService } from '@/lib/services/saved-views.service';
import { patchHandler, deleteHandler } from '@/app/api/v1/saved-views/[id]/handlers';
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
import { makePort } from '../../helpers/factories';
describe('saved-views ownership enforcement', () => {
let portId: string;
let viewId: string;
const ownerUserId = 'user-owner';
const otherUserId = 'user-other';
beforeAll(async () => {
const port = await makePort();
portId = port.id;
const view = await savedViewsService.create(portId, ownerUserId, {
entityType: 'clients',
name: 'Hot leads',
filters: { stage: 'hot_lead' } as Record<string, unknown>,
isShared: false,
isDefault: false,
});
if (!view) throw new Error('seed view failed');
viewId = view.id;
});
it('PATCH from owner: 200', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Renamed by owner' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const body = await res.json();
expect(body.data.name).toBe('Renamed by owner');
});
it('PATCH from a different user: 403 (not 404)', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Hostile rename' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
// Verify the row was not mutated.
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row?.name).toBe('Renamed by owner');
});
it('DELETE from a different user: 403 and view still exists', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeTruthy();
});
it('PATCH on a non-existent id: 404', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest(
'PATCH',
'http://localhost/api/v1/saved-views/00000000-0000-0000-0000-000000000000',
{ body: { name: 'no-op' } },
),
ctx,
{ id: '00000000-0000-0000-0000-000000000000' },
);
expect(res.status).toBe(404);
});
it('PATCH on a view in a different port: 404 (cross-port enumeration is blocked)', async () => {
// The view exists in `portId` but the auth context says we're operating
// in a different port. The lookup is scoped to `(id, portId)` so the row
// is invisible — should 404, not 403.
const otherPort = await makePort();
const ctx = makeMockCtx({ portId: otherPort.id, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'cross-port attempt' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(404);
});
it('DELETE from owner: 200 and view is gone', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeUndefined();
});
});
Reference in New Issue Copy Permalink