letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
49d34e00c8f7788d7513a3d36fbc3467e49d785c
pn-new-crm/tests/integration/api/saved-views-ownership.test.ts
Matt Ciaccio e2398099c4 test(audit-fixes): cover the new permission and webhook surfaces 
Adds integration coverage for the routes / handlers shipped in the
preceding audit-fix commits, plus refactors two route files to expose
inner handlers from a sibling `handlers.ts` (the pattern used elsewhere
in `src/app/api/v1`) so tests can call them without the
`withAuth(withPermission(…))` wrapper.

New tests (18 cases across 4 files):
- `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken
  rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the
  wrong audience (CRM-session-replay shape) or wrong issuer, plus a
  round-trip happy path. Locks in the portal-vs-CRM token isolation.
- `tests/integration/api/saved-views-ownership.test.ts` (6) — patch
  and delete handlers return 403 for a different user, 404 for an
  unknown id or cross-port id, and 200 for the owner. Ownership is
  enforced at the route layer regardless of the service's internal
  filtering.
- `tests/integration/api/berth-reservations-list.test.ts` (3) — the
  new global list returns rows for the current port only and honors
  pagination params. A reservation in a different port never leaks.
- `tests/integration/documents-expired-webhook.test.ts` (3) —
  handleDocumentExpired flips the document to `expired`, also flips
  the linked interest's `eoiStatus`, writes a `documentEvents` row,
  and is a no-op (not a throw) when the documensoId is unknown.

Refactors:
- `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` /
  `deleteHandler` (and the shared `assertViewOwner`) into
  `handlers.ts`. The route file is now a 4-line `withAuth(handler)`
  wrapper.
- `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler`
  similarly. Tests import directly from `handlers.ts`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:17:08 +02:00

127 lines
4.2 KiB
TypeScript
Raw Blame History

/**
* Saved-views ownership enforcement — locks in the 403/404 split shipped
* in fix(auth). The route handlers preflight `assertViewOwner` BEFORE the
* service call, so even if the service's internal userId filter is later
* refactored, the route still rejects cross-user mutations.
*/
import { describe, it, expect, beforeAll } from 'vitest';
import { db } from '@/lib/db';
import { savedViewsService } from '@/lib/services/saved-views.service';
import { patchHandler, deleteHandler } from '@/app/api/v1/saved-views/[id]/handlers';
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
import { makePort } from '../../helpers/factories';
describe('saved-views ownership enforcement', () => {
let portId: string;
let viewId: string;
const ownerUserId = 'user-owner';
const otherUserId = 'user-other';
beforeAll(async () => {
const port = await makePort();
portId = port.id;
const view = await savedViewsService.create(portId, ownerUserId, {
entityType: 'clients',
name: 'Hot leads',
filters: { stage: 'hot_lead' } as Record<string, unknown>,
isShared: false,
isDefault: false,
});
if (!view) throw new Error('seed view failed');
viewId = view.id;
});
it('PATCH from owner: 200', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Renamed by owner' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const body = await res.json();
expect(body.data.name).toBe('Renamed by owner');
});
it('PATCH from a different user: 403 (not 404)', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Hostile rename' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
// Verify the row was not mutated.
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row?.name).toBe('Renamed by owner');
});
it('DELETE from a different user: 403 and view still exists', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeTruthy();
});
it('PATCH on a non-existent id: 404', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest(
'PATCH',
'http://localhost/api/v1/saved-views/00000000-0000-0000-0000-000000000000',
{ body: { name: 'no-op' } },
),
ctx,
{ id: '00000000-0000-0000-0000-000000000000' },
);
expect(res.status).toBe(404);
});
it('PATCH on a view in a different port: 404 (cross-port enumeration is blocked)', async () => {
// The view exists in `portId` but the auth context says we're operating
// in a different port. The lookup is scoped to `(id, portId)` so the row
// is invisible — should 404, not 403.
const otherPort = await makePort();
const ctx = makeMockCtx({ portId: otherPort.id, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'cross-port attempt' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(404);
});
it('DELETE from owner: 200 and view is gone', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeUndefined();
});
});
Reference in New Issue View Git Blame Copy Permalink