tests/integration/portal-auth.test.ts

/**
 * Portal JWT verification — locks in the audience/issuer hardening shipped
 * in fix(auth): a token without `aud: 'portal'` + `iss: 'pn-crm'` claims
 * must NOT verify, even if it's signed with the correct shared secret.
 *
 * Without these claims the CRM (better-auth) and portal sessions are
 * structurally identical, so a portal token could be replayed against any
 * `verifyPortalToken` consumer (and vice versa).
 */
import { describe, expect, it } from 'vitest';
import { SignJWT } from 'jose';

import { createPortalToken, verifyPortalToken } from '@/lib/portal/auth';

const SECRET = new TextEncoder().encode(process.env.BETTER_AUTH_SECRET);

const SESSION = {
  clientId: '11111111-1111-1111-1111-111111111111',
  portId: '22222222-2222-2222-2222-222222222222',
  email: 'client@example.com',
};

describe('portal JWT', () => {
  it('round-trips a token signed with createPortalToken', async () => {
    const token = await createPortalToken(SESSION);
    const verified = await verifyPortalToken(token);
    expect(verified).toMatchObject(SESSION);
  });

  it('rejects a token missing the `aud: portal` claim', async () => {
    // Issuer present, audience absent — exactly the shape an old (pre-fix)
    // portal session would have.
    const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)
      .setProtectedHeader({ alg: 'HS256' })
      .setIssuer('pn-crm')
      .setExpirationTime('24h')
      .setIssuedAt()
      .sign(SECRET);

    expect(await verifyPortalToken(token)).toBeNull();
  });

  it('rejects a token missing the `iss: pn-crm` claim', async () => {
    const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)
      .setProtectedHeader({ alg: 'HS256' })
      .setAudience('portal')
      .setExpirationTime('24h')
      .setIssuedAt()
      .sign(SECRET);

    expect(await verifyPortalToken(token)).toBeNull();
  });

  it('rejects a token with the wrong audience (CRM session replay shape)', async () => {
    // What a better-auth session token might roughly look like — same secret,
    // different audience. Must not verify against the portal path.
    const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)
      .setProtectedHeader({ alg: 'HS256' })
      .setAudience('crm')
      .setIssuer('pn-crm')
      .setExpirationTime('24h')
      .setIssuedAt()
      .sign(SECRET);

    expect(await verifyPortalToken(token)).toBeNull();
  });

  it('rejects a token with the wrong issuer', async () => {
    const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)
      .setProtectedHeader({ alg: 'HS256' })
      .setAudience('portal')
      .setIssuer('attacker')
      .setExpirationTime('24h')
      .setIssuedAt()
      .sign(SECRET);

    expect(await verifyPortalToken(token)).toBeNull();
  });

  it('rejects garbage', async () => {
    expect(await verifyPortalToken('not.a.jwt')).toBeNull();
    expect(await verifyPortalToken('')).toBeNull();
  });
});
test(audit-fixes): cover the new permission and webhook surfaces Adds integration coverage for the routes / handlers shipped in the preceding audit-fix commits, plus refactors two route files to expose inner handlers from a sibling `handlers.ts` (the pattern used elsewhere in `src/app/api/v1`) so tests can call them without the `withAuth(withPermission(…))` wrapper. New tests (18 cases across 4 files): - `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the wrong audience (CRM-session-replay shape) or wrong issuer, plus a round-trip happy path. Locks in the portal-vs-CRM token isolation. - `tests/integration/api/saved-views-ownership.test.ts` (6) — patch and delete handlers return 403 for a different user, 404 for an unknown id or cross-port id, and 200 for the owner. Ownership is enforced at the route layer regardless of the service's internal filtering. - `tests/integration/api/berth-reservations-list.test.ts` (3) — the new global list returns rows for the current port only and honors pagination params. A reservation in a different port never leaks. - `tests/integration/documents-expired-webhook.test.ts` (3) — handleDocumentExpired flips the document to `expired`, also flips the linked interest's `eoiStatus`, writes a `documentEvents` row, and is a no-op (not a throw) when the documensoId is unknown. Refactors: - `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` / `deleteHandler` (and the shared `assertViewOwner`) into `handlers.ts`. The route file is now a 4-line `withAuth(handler)` wrapper. - `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler` similarly. Tests import directly from `handlers.ts`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 23:17:08 +02:00			`/**`
			`* Portal JWT verification — locks in the audience/issuer hardening shipped`
			* in fix(auth): a token without `aud: 'portal'` + `iss: 'pn-crm'` claims
			`* must NOT verify, even if it's signed with the correct shared secret.`
			`*`
			`* Without these claims the CRM (better-auth) and portal sessions are`
			`* structurally identical, so a portal token could be replayed against any`
			* `verifyPortalToken` consumer (and vice versa).
			`*/`
			`import { describe, expect, it } from 'vitest';`
			`import { SignJWT } from 'jose';`

			`import { createPortalToken, verifyPortalToken } from '@/lib/portal/auth';`

			`const SECRET = new TextEncoder().encode(process.env.BETTER_AUTH_SECRET);`

			`const SESSION = {`
			`clientId: '11111111-1111-1111-1111-111111111111',`
			`portId: '22222222-2222-2222-2222-222222222222',`
			`email: 'client@example.com',`
			`};`

			`describe('portal JWT', () => {`
			`it('round-trips a token signed with createPortalToken', async () => {`
			`const token = await createPortalToken(SESSION);`
			`const verified = await verifyPortalToken(token);`
			`expect(verified).toMatchObject(SESSION);`
			`});`

			it('rejects a token missing the `aud: portal` claim', async () => {
			`// Issuer present, audience absent — exactly the shape an old (pre-fix)`
			`// portal session would have.`
			`const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)`
			`.setProtectedHeader({ alg: 'HS256' })`
			`.setIssuer('pn-crm')`
			`.setExpirationTime('24h')`
			`.setIssuedAt()`
			`.sign(SECRET);`

			`expect(await verifyPortalToken(token)).toBeNull();`
			`});`

			it('rejects a token missing the `iss: pn-crm` claim', async () => {
			`const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)`
			`.setProtectedHeader({ alg: 'HS256' })`
			`.setAudience('portal')`
			`.setExpirationTime('24h')`
			`.setIssuedAt()`
			`.sign(SECRET);`

			`expect(await verifyPortalToken(token)).toBeNull();`
			`});`

			`it('rejects a token with the wrong audience (CRM session replay shape)', async () => {`
			`// What a better-auth session token might roughly look like — same secret,`
			`// different audience. Must not verify against the portal path.`
			`const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)`
			`.setProtectedHeader({ alg: 'HS256' })`
			`.setAudience('crm')`
			`.setIssuer('pn-crm')`
			`.setExpirationTime('24h')`
			`.setIssuedAt()`
			`.sign(SECRET);`

			`expect(await verifyPortalToken(token)).toBeNull();`
			`});`

			`it('rejects a token with the wrong issuer', async () => {`
			`const token = await new SignJWT(SESSION as unknown as Record<string, unknown>)`
			`.setProtectedHeader({ alg: 'HS256' })`
			`.setAudience('portal')`
			`.setIssuer('attacker')`
			`.setExpirationTime('24h')`
			`.setIssuedAt()`
			`.sign(SECRET);`

			`expect(await verifyPortalToken(token)).toBeNull();`
			`});`

			`it('rejects garbage', async () => {`
			`expect(await verifyPortalToken('not.a.jwt')).toBeNull();`
			`expect(await verifyPortalToken('')).toBeNull();`
			`});`
			`});`