authentication authorization

2025-12-26 15:32:22 +01:00
parent 68ae9da22a
commit 64377de548
54 changed files with 2833 additions and 95 deletions
--- a/apps/api/src/domain/auth/AuthController.test.ts
+++ b/apps/api/src/domain/auth/AuthController.test.ts
@@ -1,8 +1,18 @@
+import 'reflect-metadata';
+
+import { Reflector } from '@nestjs/core';
+import { Test } from '@nestjs/testing';
+import request from 'supertest';
 import { Mock, vi } from 'vitest';
 import { AuthController } from './AuthController';
 import { AuthService } from './AuthService';
 import { AuthSessionDTO, LoginParamsDTO, SignupParamsDTO } from './dtos/AuthDto';
 import type { CommandResultDTO } from './presenters/CommandResultPresenter';
+import { AuthenticationGuard } from './AuthenticationGuard';
+import { AuthorizationGuard } from './AuthorizationGuard';
+import type { AuthorizationService } from './AuthorizationService';
+import { FeatureAvailabilityGuard } from '../policy/FeatureAvailabilityGuard';
+import type { PolicyService, PolicySnapshot } from '../policy/PolicyService';

 describe('AuthController', () => {
  let controller: AuthController;
@@ -107,4 +117,72 @@ describe('AuthController', () => {
      expect(result).toEqual(dto);
    });
  });
+
+  describe('auth guards (HTTP)', () => {
+    let app: any;
+
+    const sessionPort: { getCurrentSession: () => Promise<null | { token: string; user: { id: string } }> } = {
+      getCurrentSession: vi.fn(async () => null),
+    };
+
+    const authorizationService: Pick<AuthorizationService, 'getRolesForUser'> = {
+      getRolesForUser: vi.fn(() => []),
+    };
+
+    const policyService: Pick<PolicyService, 'getSnapshot'> = {
+      getSnapshot: vi.fn(async (): Promise<PolicySnapshot> => ({
+        policyVersion: 1,
+        operationalMode: 'normal',
+        maintenanceAllowlist: { view: [], mutate: [] },
+        capabilities: {},
+        loadedFrom: 'defaults',
+        loadedAtIso: new Date(0).toISOString(),
+      })),
+    };
+
+    beforeEach(async () => {
+      const module = await Test.createTestingModule({
+        controllers: [AuthController],
+        providers: [
+          {
+            provide: AuthService,
+            useValue: {
+              getCurrentSession: vi.fn(async () => null),
+              loginWithEmail: vi.fn(),
+              signupWithEmail: vi.fn(),
+              logout: vi.fn(),
+              startIracingAuth: vi.fn(),
+              iracingCallback: vi.fn(),
+            },
+          },
+        ],
+      })
+        .overrideProvider(AuthController)
+        .useFactory({
+          factory: (authService: AuthService) => new AuthController(authService),
+          inject: [AuthService],
+        })
+        .compile();
+
+      app = module.createNestApplication();
+
+      const reflector = new Reflector();
+      app.useGlobalGuards(
+        new AuthenticationGuard(sessionPort as any),
+        new AuthorizationGuard(reflector, authorizationService as any),
+        new FeatureAvailabilityGuard(reflector, policyService as any),
+      );
+
+      await app.init();
+    });
+
+    afterEach(async () => {
+      await app?.close();
+      vi.clearAllMocks();
+    });
+
+    it('allows @Public() endpoint without a session', async () => {
+      await request(app.getHttpServer()).get('/auth/session').expect(200);
+    });
+  });
 });