krisolo/boss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a4b5350afa1f061f77d9df43086023d27cfebc21
boss/tests/auth-session-governance.test.ts
AI Bot 3b51641d99 chore: checkpoint Boss app v2.5.11
2026-06-08 12:22:50 +08:00

177 lines
6.0 KiB
TypeScript
Raw Blame History

import test from "node:test";
import assert from "node:assert/strict";
import os from "node:os";
import path from "node:path";
import { mkdtemp, rm } from "node:fs/promises";
import { NextRequest } from "next/server";
let runtimeRoot = "";
let data: typeof import("../src/lib/boss-data");
let authCookie = "";
let getSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["GET"];
let postSessions: (typeof import("../src/app/api/v1/auth/sessions/route"))["POST"];
async function setup() {
if (runtimeRoot) return;
runtimeRoot = await mkdtemp(path.join(os.tmpdir(), "boss-auth-sessions-"));
process.env.BOSS_RUNTIME_ROOT = runtimeRoot;
process.env.BOSS_STATE_FILE = path.join(runtimeRoot, "boss-state.json");
const [dataModule, authModule, routeModule] = await Promise.all([
import("../src/lib/boss-data.ts"),
import("../src/lib/boss-auth.ts"),
import("../src/app/api/v1/auth/sessions/route.ts"),
]);
data = dataModule;
authCookie = authModule.AUTH_SESSION_COOKIE;
getSessions = routeModule.GET;
postSessions = routeModule.POST;
}
test.after(async () => {
if (runtimeRoot) await rm(runtimeRoot, { recursive: true, force: true });
});
test.beforeEach(async () => {
await setup();
const state = await data.readState();
await data.writeState({
...state,
authSessions: [],
authAccounts: [
...state.authAccounts.filter((account) => account.account !== "worker@example.com"),
{
id: "account-worker",
account: "worker@example.com",
passwordHash: "scrypt$test",
displayName: "Worker",
role: "member",
createdAt: "2026-04-26T12:00:00+08:00",
updatedAt: "2026-04-26T12:00:00+08:00",
},
],
});
});
function requestWithSession(sessionToken: string, init: RequestInit = {}) {
return new NextRequest("http://127.0.0.1:3000/api/v1/auth/sessions", {
...init,
headers: {
...(init.headers ?? {}),
cookie: `${authCookie}=${sessionToken}`,
},
});
}
test("member can see and revoke only their own active sessions", async () => {
const first = await data.createAuthSession({
account: "worker@example.com",
role: "member",
displayName: "Worker",
loginMethod: "password",
});
const second = await data.createAuthSession({
account: "worker@example.com",
role: "member",
displayName: "Worker",
loginMethod: "code",
});
const admin = await data.createAuthSession({
account: "krisolo",
role: "highest_admin",
displayName: "Boss",
loginMethod: "password",
});
const getResponse = await getSessions(requestWithSession(second.sessionToken));
assert.equal(getResponse.status, 200);
const getPayload = await getResponse.json();
assert.deepEqual(
getPayload.sessions.map((session: { account: string }) => session.account),
["worker@example.com", "worker@example.com"],
);
assert.equal(getPayload.sessions.some((session: { sessionToken?: string }) => session.sessionToken), false);
assert.equal(getPayload.sessions.some((session: { restoreToken?: string }) => session.restoreToken), false);
const forbidden = await postSessions(requestWithSession(second.sessionToken, {
method: "POST",
body: JSON.stringify({ action: "revoke_session", sessionId: admin.sessionId }),
}));
assert.equal(forbidden.status, 403);
const revokeSelf = await postSessions(requestWithSession(second.sessionToken, {
method: "POST",
body: JSON.stringify({ action: "revoke_session", sessionId: first.sessionId }),
}));
assert.equal(revokeSelf.status, 200);
const after = await getSessions(requestWithSession(second.sessionToken));
const afterPayload = await after.json();
assert.deepEqual(
afterPayload.sessions.map((session: { sessionId: string }) => session.sessionId),
[second.sessionId],
);
});
test("highest admin can inspect and revoke all active sessions", async () => {
const worker = await data.createAuthSession({
account: "worker@example.com",
role: "member",
displayName: "Worker",
loginMethod: "password",
});
const admin = await data.createAuthSession({
account: "krisolo",
role: "highest_admin",
displayName: "Boss",
loginMethod: "password",
});
const getResponse = await getSessions(requestWithSession(admin.sessionToken));
assert.equal(getResponse.status, 200);
const getPayload = await getResponse.json();
assert.deepEqual(
getPayload.sessions.map((session: { account: string }) => session.account).sort(),
["krisolo", "worker@example.com"],
);
const revokeResponse = await postSessions(requestWithSession(admin.sessionToken, {
method: "POST",
body: JSON.stringify({ action: "revoke_session", sessionId: worker.sessionId }),
}));
assert.equal(revokeResponse.status, 200);
assert.equal(await data.getAuthSession(worker.sessionToken), null);
});
test("getAuthSession validates a session without touching lastSeenAt", async () => {
const session = await data.createAuthSession({
account: "krisolo",
role: "highest_admin",
displayName: "Boss",
loginMethod: "password",
});
const stableLastSeenAt = "2026-04-26T12:00:00+08:00";
const state = await data.readState();
const storedSession = state.authSessions.find((item) => item.sessionId === session.sessionId);
assert.ok(storedSession);
storedSession.lastSeenAt = stableLastSeenAt;
await data.writeState(state);
const resolvedSession = await data.getAuthSession(session.sessionToken);
assert.equal(resolvedSession?.lastSeenAt, stableLastSeenAt);
const after = await data.readState();
assert.equal(
after.authSessions.find((item) => item.sessionId === session.sessionId)?.lastSeenAt,
stableLastSeenAt,
);
});
test("primary admin session uses the current production admin account", async () => {
const session = await data.createPrimaryAdminSession();
assert.equal(session.account, "krisolo");
const state = await data.readState();
assert.equal(state.user.account, "krisolo");
assert.equal(state.authAccounts.find((account) => account.account === "krisolo")?.isPrimary, true);
});
Reference in New Issue View Git Blame Copy Permalink