Adds schema-based input validation across helcim, events, members, series, admin, and updates API endpoints. Removes the peer-support debug test endpoint. Adds validation test coverage.
import { describe, it, expect, vi, beforeEach } from 'vitest'
// Test that the three Helcim admin endpoints require admin auth.
// We verify the handler files import/call requireAdmin by checking
// the module source; that requireAdmin itself rejects properly is
// tested via the existing auth.test.js infrastructure.

// We test the schema + handler wiring by reading each file and
// confirming requireAdmin(event) appears in the source before
// readBody, validateBody and fetch. This is a static text check:
// the handlers are not executed here.
import { readFileSync } from 'node:fs'
import { resolve } from 'node:path'
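// Directory holding the Helcim API handlers whose source text is inspected below.
const serverDir = resolve(import.meta.dirname, '../../../server/api/helcim')

/**
 * Static guard test for the Helcim admin handlers.
 *
 * For each listed handler file the source text must contain a
 * `requireAdmin(event)` call, and that call must appear earlier in the file
 * than the first `readBody(event)`, `validateBody(event` or `fetch(`.
 *
 * Limits of this check (it is a regression tripwire, not proof of enforcement):
 * - Text order is only a proxy for execution order; the handlers are never run.
 * - Only the three markers below count as "business logic"; other ways of
 *   reading the request or calling out are not detected.
 * - NOTE(review): if requireAdmin is async, a call without `await` would still
 *   pass here. Confirm the handlers await it.
 */
describe('Helcim admin endpoint auth guards', () => {
  const files = [
    'create-plan.post.js',
    'plans.get.js',
    'subscriptions.get.js'
  ]

  // Calls that must not appear in the source ahead of the admin check.
  const guardedMarkers = ['readBody(event)', 'validateBody(event', 'fetch(']

  // Remove comments before searching so that a commented-out
  // `requireAdmin(event)` cannot satisfy the guard assertions. This is a
  // heuristic, not a parser: `//` is only treated as a comment at line start
  // or after whitespace, which leaves URLs such as `https://...` intact.
  const stripComments = (text) =>
    text
      .replace(/\/\*[\s\S]*?\*\//g, '')
      .replace(/(^|\s)\/\/.*$/gm, '$1')

  for (const file of files) {
    describe(file, () => {
      const source = stripComments(
        readFileSync(resolve(serverDir, file), 'utf-8')
      )

      it('calls requireAdmin', () => {
        expect(source).toContain('requireAdmin(event)')
      })

      it('calls requireAdmin before any business logic', () => {
        const adminIndex = source.indexOf('requireAdmin(event)')

        expect(adminIndex).toBeGreaterThan(-1)

        // requireAdmin must come before readBody/validateBody/fetch.
        // A marker that is absent from the file imposes no constraint.
        for (const marker of guardedMarkers) {
          const markerIndex = source.indexOf(marker)
          if (markerIndex > -1) {
            expect(adminIndex).toBeLessThan(markerIndex)
          }
        }
      })
    })
  }
})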