Matt
d3960af340
Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
127 lines
4.2 KiB
TypeScript
127 lines
4.2 KiB
TypeScript
/**
|
|
* Saved-views ownership enforcement — locks in the 403/404 split shipped
|
|
* in fix(auth). The route handlers preflight `assertViewOwner` BEFORE the
|
|
* service call, so even if the service's internal userId filter is later
|
|
* refactored, the route still rejects cross-user mutations.
|
|
*/
|
|
import { describe, it, expect, beforeAll } from 'vitest';
|
|
|
|
import { db } from '@/lib/db';
|
|
import { savedViewsService } from '@/lib/services/saved-views.service';
|
|
import { patchHandler, deleteHandler } from '@/app/api/v1/saved-views/[id]/handlers';
|
|
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
|
|
import { makePort } from '../../helpers/factories';
|
|
|
|
describe('saved-views ownership enforcement', () => {
|
|
let portId: string;
|
|
let viewId: string;
|
|
const ownerUserId = 'user-owner';
|
|
const otherUserId = 'user-other';
|
|
|
|
beforeAll(async () => {
|
|
const port = await makePort();
|
|
portId = port.id;
|
|
const view = await savedViewsService.create(portId, ownerUserId, {
|
|
entityType: 'clients',
|
|
name: 'Hot leads',
|
|
filters: { stage: 'hot_lead' } as Record<string, unknown>,
|
|
isShared: false,
|
|
isDefault: false,
|
|
});
|
|
if (!view) throw new Error('seed view failed');
|
|
viewId = view.id;
|
|
});
|
|
|
|
it('PATCH from owner: 200', async () => {
|
|
const ctx = makeMockCtx({ portId, userId: ownerUserId });
|
|
const res = await patchHandler(
|
|
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
|
|
body: { name: 'Renamed by owner' },
|
|
}),
|
|
ctx,
|
|
{ id: viewId },
|
|
);
|
|
expect(res.status).toBe(200);
|
|
const body = (await res.json()) as any;
|
|
expect(body.data.name).toBe('Renamed by owner');
|
|
});
|
|
|
|
it('PATCH from a different user: 403 (not 404)', async () => {
|
|
const ctx = makeMockCtx({ portId, userId: otherUserId });
|
|
const res = await patchHandler(
|
|
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
|
|
body: { name: 'Hostile rename' },
|
|
}),
|
|
ctx,
|
|
{ id: viewId },
|
|
);
|
|
expect(res.status).toBe(403);
|
|
|
|
// Verify the row was not mutated.
|
|
const row = await db.query.savedViews.findFirst({
|
|
where: (sv, { eq }) => eq(sv.id, viewId),
|
|
});
|
|
expect(row?.name).toBe('Renamed by owner');
|
|
});
|
|
|
|
it('DELETE from a different user: 403 and view still exists', async () => {
|
|
const ctx = makeMockCtx({ portId, userId: otherUserId });
|
|
const res = await deleteHandler(
|
|
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
|
|
ctx,
|
|
{ id: viewId },
|
|
);
|
|
expect(res.status).toBe(403);
|
|
|
|
const row = await db.query.savedViews.findFirst({
|
|
where: (sv, { eq }) => eq(sv.id, viewId),
|
|
});
|
|
expect(row).toBeTruthy();
|
|
});
|
|
|
|
it('PATCH on a non-existent id: 404', async () => {
|
|
const ctx = makeMockCtx({ portId, userId: ownerUserId });
|
|
const res = await patchHandler(
|
|
makeMockRequest(
|
|
'PATCH',
|
|
'http://localhost/api/v1/saved-views/00000000-0000-0000-0000-000000000000',
|
|
{ body: { name: 'no-op' } },
|
|
),
|
|
ctx,
|
|
{ id: '00000000-0000-0000-0000-000000000000' },
|
|
);
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('PATCH on a view in a different port: 404 (cross-port enumeration is blocked)', async () => {
|
|
// The view exists in `portId` but the auth context says we're operating
|
|
// in a different port. The lookup is scoped to `(id, portId)` so the row
|
|
// is invisible — should 404, not 403.
|
|
const otherPort = await makePort();
|
|
const ctx = makeMockCtx({ portId: otherPort.id, userId: ownerUserId });
|
|
const res = await patchHandler(
|
|
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
|
|
body: { name: 'cross-port attempt' },
|
|
}),
|
|
ctx,
|
|
{ id: viewId },
|
|
);
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('DELETE from owner: 200 and view is gone', async () => {
|
|
const ctx = makeMockCtx({ portId, userId: ownerUserId });
|
|
const res = await deleteHandler(
|
|
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
|
|
ctx,
|
|
{ id: viewId },
|
|
);
|
|
expect(res.status).toBe(200);
|
|
|
|
const row = await db.query.savedViews.findFirst({
|
|
where: (sv, { eq }) => eq(sv.id, viewId),
|
|
});
|
|
expect(row).toBeUndefined();
|
|
});
|
|
});
|