boss/tests/auth-session-governance.test.ts

import test from "node:test";
import assert from "node:assert/strict";
import os from "node:os";
import path from "node:path";
import { mkdtemp, rm } from "node:fs/promises";
import { NextRequest } from "next/server";

let runtimeRoot = "";
let data: typeof import("../src/lib/boss-data");
let authCookie = "";
let getSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["GET"];
let postSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["POST"];

async function setup() {
  if (runtimeRoot) return;
  runtimeRoot = await mkdtemp(path.join(os.tmpdir(), "boss-auth-sessions-"));
  process.env.BOSS_RUNTIME_ROOT = runtimeRoot;
  process.env.BOSS_STATE_FILE = path.join(runtimeRoot, "boss-state.json");
  const [dataModule, authModule, routeModule] = await Promise.all([
    import("../src/lib/boss-data.ts"),
    import("../src/lib/boss-auth.ts"),
    import("../src/app/api/v1/auth/sessions/route.ts"),
  ]);
  data = dataModule;
  authCookie = authModule.AUTH_SESSION_COOKIE;
  getSessions = routeModule.GET;
  postSessions = routeModule.POST;
}

test.after(async () => {
  if (runtimeRoot) await rm(runtimeRoot, { recursive: true, force: true });
});

test.beforeEach(async () => {
  await setup();
  const state = await data.readState();
  await data.writeState({
    ...state,
    authSessions: [],
    authAccounts: [
      ...state.authAccounts.filter((account) => account.account !== "worker@example.com"),
      {
        id: "account-worker",
        account: "worker@example.com",
        passwordHash: "scrypt$test",
        displayName: "Worker",
        role: "member",
        createdAt: "2026-04-26T12:00:00+08:00",
        updatedAt: "2026-04-26T12:00:00+08:00",
      },
    ],
  });
});

function requestWithSession(sessionToken: string, init: RequestInit = {}) {
  return new NextRequest("http://127.0.0.1:3000/api/v1/auth/sessions", {
    ...init,
    headers: {
      ...(init.headers ?? {}),
      cookie: `${authCookie}=${sessionToken}`,
    },
  });
}

test("member can see and revoke only their own active sessions", async () => {
  const first = await data.createAuthSession({
    account: "worker@example.com",
    role: "member",
    displayName: "Worker",
    loginMethod: "password",
  });
  const second = await data.createAuthSession({
    account: "worker@example.com",
    role: "member",
    displayName: "Worker",
    loginMethod: "code",
  });
  const admin = await data.createAuthSession({
    account: "krisolo",
    role: "highest_admin",
    displayName: "Boss",
    loginMethod: "password",
  });

  const getResponse = await getSessions(requestWithSession(second.sessionToken));
  assert.equal(getResponse.status, 200);
  const getPayload = await getResponse.json();
  assert.deepEqual(
    getPayload.sessions.map((session: { account: string }) => session.account),
    ["worker@example.com", "worker@example.com"],
  );
  assert.equal(getPayload.sessions.some((session: { sessionToken?: string }) => session.sessionToken), false);
  assert.equal(getPayload.sessions.some((session: { restoreToken?: string }) => session.restoreToken), false);

  const forbidden = await postSessions(requestWithSession(second.sessionToken, {
    method: "POST",
    body: JSON.stringify({ action: "revoke_session", sessionId: admin.sessionId }),
  }));
  assert.equal(forbidden.status, 403);

  const revokeSelf = await postSessions(requestWithSession(second.sessionToken, {
    method: "POST",
    body: JSON.stringify({ action: "revoke_session", sessionId: first.sessionId }),
  }));
  assert.equal(revokeSelf.status, 200);

  const after = await getSessions(requestWithSession(second.sessionToken));
  const afterPayload = await after.json();
  assert.deepEqual(
    afterPayload.sessions.map((session: { sessionId: string }) => session.sessionId),
    [second.sessionId],
  );
});

test("highest admin can inspect and revoke all active sessions", async () => {
  const worker = await data.createAuthSession({
    account: "worker@example.com",
    role: "member",
    displayName: "Worker",
    loginMethod: "password",
  });
  const admin = await data.createAuthSession({
    account: "krisolo",
    role: "highest_admin",
    displayName: "Boss",
    loginMethod: "password",
  });

  const getResponse = await getSessions(requestWithSession(admin.sessionToken));
  assert.equal(getResponse.status, 200);
  const getPayload = await getResponse.json();
  assert.deepEqual(
    getPayload.sessions.map((session: { account: string }) => session.account).sort(),
    ["krisolo", "worker@example.com"],
  );

  const revokeResponse = await postSessions(requestWithSession(admin.sessionToken, {
    method: "POST",
    body: JSON.stringify({ action: "revoke_session", sessionId: worker.sessionId }),
  }));
  assert.equal(revokeResponse.status, 200);
  assert.equal(await data.getAuthSession(worker.sessionToken), null);
});

test("primary admin session uses the current production admin account", async () => {
  const session = await data.createPrimaryAdminSession();
  assert.equal(session.account, "krisolo");

  const state = await data.readState();
  assert.equal(state.user.account, "krisolo");
  assert.equal(state.authAccounts.find((account) => account.account === "krisolo")?.isPrimary, true);
});