import test from "node:test"; import assert from "node:assert/strict"; import os from "node:os"; import path from "node:path"; import { mkdtemp, rm } from "node:fs/promises"; import { NextRequest } from "next/server"; let runtimeRoot = ""; let data: typeof import("../src/lib/boss-data"); let authCookie = ""; let getSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["GET"]; let postSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["POST"]; async function setup() { if (runtimeRoot) return; runtimeRoot = await mkdtemp(path.join(os.tmpdir(), "boss-auth-sessions-")); process.env.BOSS_RUNTIME_ROOT = runtimeRoot; process.env.BOSS_STATE_FILE = path.join(runtimeRoot, "boss-state.json"); const [dataModule, authModule, routeModule] = await Promise.all([ import("../src/lib/boss-data.ts"), import("../src/lib/boss-auth.ts"), import("../src/app/api/v1/auth/sessions/route.ts"), ]); data = dataModule; authCookie = authModule.AUTH_SESSION_COOKIE; getSessions = routeModule.GET; postSessions = routeModule.POST; } test.after(async () => { if (runtimeRoot) await rm(runtimeRoot, { recursive: true, force: true }); }); test.beforeEach(async () => { await setup(); const state = await data.readState(); await data.writeState({ ...state, authSessions: [], authAccounts: [ ...state.authAccounts.filter((account) => account.account !== "worker@example.com"), { id: "account-worker", account: "worker@example.com", passwordHash: "scrypt$test", displayName: "Worker", role: "member", createdAt: "2026-04-26T12:00:00+08:00", updatedAt: "2026-04-26T12:00:00+08:00", }, ], }); }); function requestWithSession(sessionToken: string, init: RequestInit = {}) { return new NextRequest("http://127.0.0.1:3000/api/v1/auth/sessions", { ...init, headers: { ...(init.headers ?? {}), cookie: `${authCookie}=${sessionToken}`, }, }); } test("member can see and revoke only their own active sessions", async () => { const first = await data.createAuthSession({ account: "worker@example.com", role: "member", displayName: "Worker", loginMethod: "password", }); const second = await data.createAuthSession({ account: "worker@example.com", role: "member", displayName: "Worker", loginMethod: "code", }); const admin = await data.createAuthSession({ account: "krisolo", role: "highest_admin", displayName: "Boss", loginMethod: "password", }); const getResponse = await getSessions(requestWithSession(second.sessionToken)); assert.equal(getResponse.status, 200); const getPayload = await getResponse.json(); assert.deepEqual( getPayload.sessions.map((session: { account: string }) => session.account), ["worker@example.com", "worker@example.com"], ); assert.equal(getPayload.sessions.some((session: { sessionToken?: string }) => session.sessionToken), false); assert.equal(getPayload.sessions.some((session: { restoreToken?: string }) => session.restoreToken), false); const forbidden = await postSessions(requestWithSession(second.sessionToken, { method: "POST", body: JSON.stringify({ action: "revoke_session", sessionId: admin.sessionId }), })); assert.equal(forbidden.status, 403); const revokeSelf = await postSessions(requestWithSession(second.sessionToken, { method: "POST", body: JSON.stringify({ action: "revoke_session", sessionId: first.sessionId }), })); assert.equal(revokeSelf.status, 200); const after = await getSessions(requestWithSession(second.sessionToken)); const afterPayload = await after.json(); assert.deepEqual( afterPayload.sessions.map((session: { sessionId: string }) => session.sessionId), [second.sessionId], ); }); test("highest admin can inspect and revoke all active sessions", async () => { const worker = await data.createAuthSession({ account: "worker@example.com", role: "member", displayName: "Worker", loginMethod: "password", }); const admin = await data.createAuthSession({ account: "krisolo", role: "highest_admin", displayName: "Boss", loginMethod: "password", }); const getResponse = await getSessions(requestWithSession(admin.sessionToken)); assert.equal(getResponse.status, 200); const getPayload = await getResponse.json(); assert.deepEqual( getPayload.sessions.map((session: { account: string }) => session.account).sort(), ["krisolo", "worker@example.com"], ); const revokeResponse = await postSessions(requestWithSession(admin.sessionToken, { method: "POST", body: JSON.stringify({ action: "revoke_session", sessionId: worker.sessionId }), })); assert.equal(revokeResponse.status, 200); assert.equal(await data.getAuthSession(worker.sessionToken), null); }); test("getAuthSession validates a session without touching lastSeenAt", async () => { const session = await data.createAuthSession({ account: "krisolo", role: "highest_admin", displayName: "Boss", loginMethod: "password", }); const stableLastSeenAt = "2026-04-26T12:00:00+08:00"; const state = await data.readState(); const storedSession = state.authSessions.find((item) => item.sessionId === session.sessionId); assert.ok(storedSession); storedSession.lastSeenAt = stableLastSeenAt; await data.writeState(state); const resolvedSession = await data.getAuthSession(session.sessionToken); assert.equal(resolvedSession?.lastSeenAt, stableLastSeenAt); const after = await data.readState(); assert.equal( after.authSessions.find((item) => item.sessionId === session.sessionId)?.lastSeenAt, stableLastSeenAt, ); }); test("primary admin session uses the current production admin account", async () => { const session = await data.createPrimaryAdminSession(); assert.equal(session.account, "krisolo"); const state = await data.readState(); assert.equal(state.user.account, "krisolo"); assert.equal(state.authAccounts.find((account) => account.account === "krisolo")?.isPrimary, true); });