authentication authorization

2025-12-26 15:32:22 +01:00
parent 68ae9da22a
commit 64377de548
54 changed files with 2833 additions and 95 deletions
--- a/apps/api/src/domain/driver/DriverController.test.ts
+++ b/apps/api/src/domain/driver/DriverController.test.ts
@@ -1,8 +1,17 @@
+import 'reflect-metadata';
+
+import { Reflector } from '@nestjs/core';
 import { Test, TestingModule } from '@nestjs/testing';
+import request from 'supertest';
 import { vi } from 'vitest';
 import { DriverController } from './DriverController';
 import { DriverService } from './DriverService';
 import type { Request } from 'express';
+import { AuthenticationGuard } from '../auth/AuthenticationGuard';
+import { AuthorizationGuard } from '../auth/AuthorizationGuard';
+import type { AuthorizationService } from '../auth/AuthorizationService';
+import { FeatureAvailabilityGuard } from '../policy/FeatureAvailabilityGuard';
+import type { PolicyService, PolicySnapshot } from '../policy/PolicyService';

 interface AuthenticatedRequest extends Request {
  user?: { userId: string };
@@ -160,4 +169,75 @@ describe('DriverController', () => {
      expect(result).toEqual(updated);
    });
  });
+
+  describe('auth guards (HTTP)', () => {
+    let app: any;
+
+    const sessionPort: { getCurrentSession: () => Promise<null | { token: string; user: { id: string } }> } = {
+      getCurrentSession: vi.fn(async () => null),
+    };
+
+    const authorizationService: Pick<AuthorizationService, 'getRolesForUser'> = {
+      getRolesForUser: vi.fn(() => []),
+    };
+
+    const policyService: Pick<PolicyService, 'getSnapshot'> = {
+      getSnapshot: vi.fn(async (): Promise<PolicySnapshot> => ({
+        policyVersion: 1,
+        operationalMode: 'normal',
+        maintenanceAllowlist: { view: [], mutate: [] },
+        capabilities: {},
+        loadedFrom: 'defaults',
+        loadedAtIso: new Date(0).toISOString(),
+      })),
+    };
+
+    beforeEach(async () => {
+      const module = await Test.createTestingModule({
+        controllers: [DriverController],
+        providers: [
+          {
+            provide: DriverService,
+            useValue: {
+              getDriversLeaderboard: vi.fn(async () => ({ drivers: [], totalRaces: 0, totalWins: 0, activeCount: 0 })),
+              getCurrentDriver: vi.fn(async () => ({ id: 'd1' })),
+            },
+          },
+        ],
+      }).compile();
+
+      app = module.createNestApplication();
+
+      const reflector = new Reflector();
+      app.useGlobalGuards(
+        new AuthenticationGuard(sessionPort as any),
+        new AuthorizationGuard(reflector, authorizationService as any),
+        new FeatureAvailabilityGuard(reflector, policyService as any),
+      );
+
+      await app.init();
+    });
+
+    afterEach(async () => {
+      await app?.close();
+      vi.clearAllMocks();
+    });
+
+    it('allows @Public() endpoint without a session', async () => {
+      await request(app.getHttpServer()).get('/drivers/leaderboard').expect(200);
+    });
+
+    it('denies non-public endpoint by default when not authenticated (401)', async () => {
+      await request(app.getHttpServer()).get('/drivers/current').expect(401);
+    });
+
+    it('allows non-public endpoint when authenticated via session port', async () => {
+      vi.mocked(sessionPort.getCurrentSession).mockResolvedValueOnce({
+        token: 't',
+        user: { id: 'user-1' },
+      });
+
+      await request(app.getHttpServer()).get('/drivers/current').expect(200);
+    });
+  });
 });
--- a/apps/api/src/domain/driver/DriverController.ts
+++ b/apps/api/src/domain/driver/DriverController.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, Get, Param, Post, Put, Req, Inject } from '@nestjs/common';
 import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';

+import { Public } from '../auth/Public';
 import { DriverService } from './DriverService';
 import { CompleteOnboardingInputDTO } from './dtos/CompleteOnboardingInputDTO';

@@ -20,6 +21,7 @@ import { GetDriverProfileOutputDTO } from './dtos/GetDriverProfileOutputDTO';
 export class DriverController {
  constructor(@Inject(DriverService) private readonly driverService: DriverService) {}

+  @Public()
  @Get('leaderboard')
  @ApiOperation({ summary: 'Get drivers leaderboard' })
  @ApiResponse({ status: 200, description: 'List of drivers for the leaderboard', type: DriversLeaderboardDTO })
@@ -27,6 +29,7 @@ export class DriverController {
    return await this.driverService.getDriversLeaderboard();
  }

+  @Public()
  @Get('total-drivers')
  @ApiOperation({ summary: 'Get the total number of drivers' })
  @ApiResponse({ status: 200, description: 'Total number of drivers', type: DriverStatsDTO })
@@ -61,6 +64,7 @@ export class DriverController {
    return await this.driverService.completeOnboarding(userId, input);
  }

+  @Public()
  @Get(':driverId/races/:raceId/registration-status')
  @ApiOperation({ summary: 'Get driver registration status for a specific race' })
  @ApiResponse({ status: 200, description: 'Driver registration status', type: DriverRegistrationStatusDTO })
@@ -71,6 +75,7 @@ export class DriverController {
    return await this.driverService.getDriverRegistrationStatus({ driverId, raceId });
  }

+  @Public()
  @Get(':driverId')
  @ApiOperation({ summary: 'Get driver by ID' })
  @ApiResponse({ status: 200, description: 'Driver data', type: GetDriverOutputDTO })
@@ -79,6 +84,7 @@ export class DriverController {
    return await this.driverService.getDriver(driverId);
  }

+  @Public()
  @Get(':driverId/profile')
  @ApiOperation({ summary: 'Get driver profile with full details' })
  @ApiResponse({ status: 200, description: 'Driver profile data', type: GetDriverProfileOutputDTO })