Citali/old.cms.fellies.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(mvp1): add owner invariants and media form coverage
Some checks failed
CMS CI / Governance Checks (push) Successful in 1m5s
Details
CMS CI / Lint Typecheck Unit E2E (push) Failing after 5m3s
Details

Browse Source
This commit is contained in:
Citali
2026-02-12 20:34:53 +01:00
parent d1face36c5
commit 37f62a8007
3 changed files with 360 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

238
apps/admin/src/lib/auth/server.test.ts Normal file
View File

@@ -0,0 +1,238 @@
import { beforeEach, describe, expect, it, vi } from "vitest"
const { mockDb, mockIsAdminSelfRegistrationEnabled, mockAuth, mockAuthRouteHandlers } = vi.hoisted(
() => {
const mockDb = {
user: {
count: vi.fn(),
findUnique: vi.fn(),
findMany: vi.fn(),
findFirst: vi.fn(),
update: vi.fn(),
updateMany: vi.fn(),
},
$transaction: vi.fn(),
}
return {
mockDb,
mockIsAdminSelfRegistrationEnabled: vi.fn(),
mockAuth: {
api: {
getSession: vi.fn(),
},
$context: Promise.resolve({
internalAdapter: {
findUserByEmail: vi.fn(),
linkAccount: vi.fn(),
createUser: vi.fn(),
},
password: {
hash: vi.fn(async (value: string) => `hashed:${value}`),
},
}),
},
mockAuthRouteHandlers: {
GET: vi.fn(),
POST: vi.fn(),
PATCH: vi.fn(),
PUT: vi.fn(),
DELETE: vi.fn(),
},
}
},
)
vi.mock("@cms/db", () => ({
db: mockDb,
isAdminSelfRegistrationEnabled: mockIsAdminSelfRegistrationEnabled,
}))
vi.mock("better-auth", () => ({
betterAuth: vi.fn(() => mockAuth),
}))
vi.mock("better-auth/adapters/prisma", () => ({
prismaAdapter: vi.fn(() => ({})),
}))
vi.mock("better-auth/next-js", () => ({
toNextJsHandler: vi.fn(() => mockAuthRouteHandlers),
}))
import {
canDeleteUserAccount,
enforceOwnerInvariant,
promoteFirstRegisteredUserToOwner,
} from "./server"
describe("auth owner/support invariants", () => {
beforeEach(() => {
mockIsAdminSelfRegistrationEnabled.mockReset()
mockDb.user.count.mockReset()
mockDb.user.findUnique.mockReset()
mockDb.user.findMany.mockReset()
mockDb.user.findFirst.mockReset()
mockDb.user.update.mockReset()
mockDb.user.updateMany.mockReset()
mockDb.$transaction.mockReset()
})
it("blocks deletion of protected users", async () => {
mockDb.user.findUnique.mockResolvedValue({
role: "support",
isProtected: true,
})
const allowed = await canDeleteUserAccount("user-protected")
expect(allowed).toBe(false)
})
it("allows deletion of non-owner non-protected users", async () => {
mockDb.user.findUnique.mockResolvedValue({
role: "editor",
isProtected: false,
})
const allowed = await canDeleteUserAccount("user-editor")
expect(allowed).toBe(true)
})
it("keeps sole owner non-deletable", async () => {
mockDb.user.findUnique.mockResolvedValue({
role: "owner",
isProtected: false,
})
mockDb.user.count.mockResolvedValue(1)
const allowed = await canDeleteUserAccount("owner-1")
expect(allowed).toBe(false)
})
it("promotes earliest non-support user when no owner exists", async () => {
const tx = {
user: {
findMany: vi.fn().mockResolvedValue([]),
findFirst: vi.fn().mockResolvedValue({ id: "candidate-1" }),
update: vi.fn().mockResolvedValue({ id: "candidate-1" }),
updateMany: vi.fn(),
},
}
mockDb.$transaction.mockImplementation(async (callback: (trx: typeof tx) => unknown) =>
callback(tx),
)
const result = await enforceOwnerInvariant()
expect(result).toEqual({
ownerId: "candidate-1",
ownerCount: 1,
repaired: true,
})
expect(tx.user.update).toHaveBeenCalledTimes(1)
})
it("demotes extra owners and repairs canonical owner protection", async () => {
const tx = {
user: {
findMany: vi.fn().mockResolvedValue([
{ id: "owner-a", isProtected: false, isBanned: true },
{ id: "owner-b", isProtected: true, isBanned: false },
]),
findFirst: vi.fn(),
update: vi.fn().mockResolvedValue({ id: "owner-a" }),
updateMany: vi.fn().mockResolvedValue({ count: 1 }),
},
}
mockDb.$transaction.mockImplementation(async (callback: (trx: typeof tx) => unknown) =>
callback(tx),
)
const result = await enforceOwnerInvariant()
expect(result).toEqual({
ownerId: "owner-a",
ownerCount: 1,
repaired: true,
})
expect(tx.user.updateMany).toHaveBeenCalledWith({
where: { id: { in: ["owner-b"] } },
data: { role: "admin", isProtected: false },
})
expect(tx.user.update).toHaveBeenCalledWith({
where: { id: "owner-a" },
data: { isProtected: true, isBanned: false },
})
})
it("does not promote first registration when an owner already exists", async () => {
mockDb.$transaction.mockImplementationOnce(
async (
callback: (tx: {
user: { findFirst: () => Promise<{ id: string }>; update: () => void }
}) => unknown,
) =>
callback({
user: {
findFirst: vi.fn().mockResolvedValue({ id: "owner-existing" }),
update: vi.fn(),
},
}),
)
const promoted = await promoteFirstRegisteredUserToOwner("candidate")
expect(promoted).toBe(false)
})
it("promotes first registration and re-enforces owner invariant", async () => {
mockDb.$transaction
.mockImplementationOnce(
async (
callback: (tx: {
user: { findFirst: () => Promise<null>; update: () => Promise<{ id: string }> }
}) => unknown,
) =>
callback({
user: {
findFirst: vi.fn().mockResolvedValue(null),
update: vi.fn().mockResolvedValue({ id: "candidate" }),
},
}),
)
.mockImplementationOnce(
async (
callback: (tx: {
user: {
findMany: () => Promise<
Array<{ id: string; isProtected: boolean; isBanned: boolean }>
>
findFirst: () => void
update: () => void
updateMany: () => void
}
}) => unknown,
) =>
callback({
user: {
findMany: vi
.fn()
.mockResolvedValue([{ id: "candidate", isProtected: true, isBanned: false }]),
findFirst: vi.fn(),
update: vi.fn(),
updateMany: vi.fn(),
},
}),
)
const promoted = await promoteFirstRegisteredUserToOwner("candidate")
expect(promoted).toBe(true)
expect(mockDb.$transaction).toHaveBeenCalledTimes(2)
})
})