vvzvlad/gitmost
1
0
Fork 0
Code Issues 15 Pull Requests 12 Packages Projects Releases Activity

test: cover features since 053a9c0d + repair test tooling

Browse Source 
Add ~330 tests across server (Jest), client (Vitest), editor-ext (Vitest)
and packages/mcp (node:test) for the gitmost features added since
053a9c0d: AI chat, AI agent roles, public-share assistant, MCP per-user
auth, HTML embed, page templates/embed, realtime tree, tree
expand/collapse, and the AI-settings UI.

Test-tooling fixes (prerequisite, were silently hiding coverage):
- Repair 3 page-template specs broken by the 11-arg TransclusionService
  constructor; they never compiled, so template access-control / content
  -leak / unsync-strip coverage was fictitious.
- Build @docmost/editor-ext before server tests via a `pretest` hook;
  the stale dist omitted the new HtmlEmbed/PageEmbed exports (TS2305).
- Let jest resolve the .tsx email templates: add `tsx` to
  moduleFileExtensions and widen the ts-jest transform to (t|j)sx?.

Behaviour-preserving "extract pure core" refactors that the tests drive:
- server: resolveShareAssistantRequest + uiMessageTextLength
  (public-share controller), decideBasicGate + mapAuthResultToResponse
  (mcp), buildErrorAssistantRecord (ai-chat), jsonbObject export (roles).
- client: render-raw-html + shouldExecute/canEdit, decide-embed-state,
  page-embed picker utils, tree-socket reducers, open/close branch maps,
  isEndpointConfigured/resolveKeyField; buildTreeWithChildren now treats
  a permission-trimmed orphan as a root instead of crashing.

Deferred (need a test DB or HTTP harness, documented in the specs):
repo-level Postgres integration tests and the public-share XFF E2E.
Pre-existing DI/lib0-ESM suite failures are untouched and out of scope.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
claude_code
2026-06-20 23:40:40 +03:00
parent 692c0abe13
commit 90d3fab483
56 changed files with 5668 additions and 447 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
apps/server/src/core/auth/services/verify-user-credentials.live.spec.ts Normal file
View File

@@ -0,0 +1,233 @@
import { UnauthorizedException } from '@nestjs/common';
import { AuthService } from './auth.service';
import { CREDENTIALS_MISMATCH_MESSAGE } from '../auth.constants';
import { hashPassword } from '../../../common/helpers';
/**
* LIVE security contract for AuthService.verifyUserCredentials / login (M4
* item 5).
*
* The (now-fixed) jest config CAN import AuthService at the module level (the
* `^src/(.*)$` moduleNameMapper resolves the transitive `src/...` imports and the
* ts-jest transform loads the graph). AuthService cannot be `.compile()`-d via
* the Nest TestingModule (its full provider graph is not wired here), but it can
* be constructed directly with mocked collaborators — which is exactly what we
* need to exercise the credential-check decision live.
*
* The load-bearing property: verifyUserCredentials (and login(), which reuses it)
* throws EXACTLY the shared CREDENTIALS_MISMATCH_MESSAGE for all three
* credentials-failure cases — unknown email, disabled user, wrong password. The
* /mcp Basic brute-force limiter only counts a failure when it recognises THIS
* exact message (isCredentialsFailure in mcp-auth.helpers matches the same shared
* constant); a reword that diverged here would silently turn /mcp Basic into an
* unthrottled password-guessing oracle.
*/
const WORKSPACE_ID = 'ws-1';
// Build an AuthService with the dependencies verifyUserCredentials/login touch
// stubbed, and a userRepo whose findByEmail is overridable per test. Only the
// collaborators actually reached on these paths need real behaviour; the rest
// are inert mocks (constructor wiring only).
function makeAuthService(over: {
findByEmail?: jest.Mock;
} = {}): {
service: AuthService;
userRepo: { findByEmail: jest.Mock; updateLastLogin: jest.Mock };
sessionService: { createSessionAndToken: jest.Mock };
auditService: { log: jest.Mock };
} {
const userRepo = {
findByEmail: over.findByEmail ?? jest.fn(),
updateLastLogin: jest.fn().mockResolvedValue(undefined),
};
const sessionService = {
createSessionAndToken: jest.fn().mockResolvedValue('issued-token'),
};
const auditService = { log: jest.fn() };
// environmentService: isCloud() false (so throwIfEmailNotVerified does not
// require verification) + a stable app secret.
const environmentService = {
isCloud: jest.fn().mockReturnValue(false),
getAppSecret: jest.fn().mockReturnValue('test-secret'),
};
// Constructor signature (auth.service.ts): signupService, tokenService,
// sessionService, userSessionRepo, userRepo, userTokenRepo, mailService,
// domainService, environmentService, db, auditService.
const service = new (AuthService as unknown as new (...args: unknown[]) => AuthService)(
{}, // signupService
{}, // tokenService
sessionService, // sessionService
{}, // userSessionRepo
userRepo, // userRepo
{}, // userTokenRepo
{}, // mailService
{}, // domainService
environmentService, // environmentService
{}, // db
auditService, // auditService
);
return { service, userRepo, sessionService, auditService };
}
describe('AuthService.verifyUserCredentials (live credentials-mismatch contract)', () => {
it('UNKNOWN email -> throws exactly CREDENTIALS_MISMATCH_MESSAGE', async () => {
const { service } = makeAuthService({
findByEmail: jest.fn().mockResolvedValue(undefined),
});
await expect(
service.verifyUserCredentials(
{ email: 'nobody@example.com', password: 'whatever' },
WORKSPACE_ID,
),
).rejects.toMatchObject({ message: CREDENTIALS_MISMATCH_MESSAGE });
await expect(
service.verifyUserCredentials(
{ email: 'nobody@example.com', password: 'whatever' },
WORKSPACE_ID,
),
).rejects.toBeInstanceOf(UnauthorizedException);
});
it('DISABLED user -> throws exactly CREDENTIALS_MISMATCH_MESSAGE (no password oracle)', async () => {
// A deactivated user must be indistinguishable from a wrong password: same
// message, before any password comparison.
const passwordHash = await hashPassword('correct-horse');
const disabledUser = {
id: 'u-1',
email: 'disabled@example.com',
password: passwordHash,
deactivatedAt: new Date(),
deletedAt: null,
emailVerifiedAt: new Date(),
};
const { service } = makeAuthService({
findByEmail: jest.fn().mockResolvedValue(disabledUser),
});
await expect(
service.verifyUserCredentials(
{ email: 'disabled@example.com', password: 'correct-horse' },
WORKSPACE_ID,
),
).rejects.toMatchObject({ message: CREDENTIALS_MISMATCH_MESSAGE });
});
it('WRONG password -> throws exactly CREDENTIALS_MISMATCH_MESSAGE', async () => {
const passwordHash = await hashPassword('correct-horse');
const user = {
id: 'u-1',
email: 'user@example.com',
password: passwordHash,
deactivatedAt: null,
deletedAt: null,
emailVerifiedAt: new Date(),
};
const { service } = makeAuthService({
findByEmail: jest.fn().mockResolvedValue(user),
});
await expect(
service.verifyUserCredentials(
{ email: 'user@example.com', password: 'wrong-password' },
WORKSPACE_ID,
),
).rejects.toMatchObject({ message: CREDENTIALS_MISMATCH_MESSAGE });
});
it('CORRECT credentials -> resolves the matched user (no side effects here)', async () => {
const passwordHash = await hashPassword('correct-horse');
const user = {
id: 'u-1',
email: 'user@example.com',
password: passwordHash,
deactivatedAt: null,
deletedAt: null,
emailVerifiedAt: new Date(),
};
const { service, sessionService, auditService, userRepo } =
makeAuthService({ findByEmail: jest.fn().mockResolvedValue(user) });
const result = await service.verifyUserCredentials(
{ email: 'user@example.com', password: 'correct-horse' },
WORKSPACE_ID,
);
expect(result).toBe(user);
// verifyUserCredentials is non-side-effecting: no session/audit/lastLogin.
expect(sessionService.createSessionAndToken).not.toHaveBeenCalled();
expect(auditService.log).not.toHaveBeenCalled();
expect(userRepo.updateLastLogin).not.toHaveBeenCalled();
});
});
describe('AuthService.login (live credentials-mismatch contract via verifyUserCredentials)', () => {
it('UNKNOWN email -> login throws exactly CREDENTIALS_MISMATCH_MESSAGE, mints NO session', async () => {
const { service, sessionService } = makeAuthService({
findByEmail: jest.fn().mockResolvedValue(undefined),
});
await expect(
service.login(
{ email: 'nobody@example.com', password: 'whatever' },
WORKSPACE_ID,
),
).rejects.toMatchObject({ message: CREDENTIALS_MISMATCH_MESSAGE });
expect(sessionService.createSessionAndToken).not.toHaveBeenCalled();
});
it('WRONG password -> login throws exactly CREDENTIALS_MISMATCH_MESSAGE', async () => {
const passwordHash = await hashPassword('correct-horse');
const user = {
id: 'u-1',
email: 'user@example.com',
password: passwordHash,
deactivatedAt: null,
deletedAt: null,
emailVerifiedAt: new Date(),
};
const { service } = makeAuthService({
findByEmail: jest.fn().mockResolvedValue(user),
});
await expect(
service.login(
{ email: 'user@example.com', password: 'wrong-password' },
WORKSPACE_ID,
),
).rejects.toMatchObject({ message: CREDENTIALS_MISMATCH_MESSAGE });
});
it('CORRECT credentials -> login mints the session (the side-effecting path)', async () => {
const passwordHash = await hashPassword('correct-horse');
const user = {
id: 'u-1',
email: 'user@example.com',
password: passwordHash,
deactivatedAt: null,
deletedAt: null,
emailVerifiedAt: new Date(),
};
const { service, sessionService, auditService, userRepo } =
makeAuthService({ findByEmail: jest.fn().mockResolvedValue(user) });
await expect(
service.login(
{ email: 'user@example.com', password: 'correct-horse' },
WORKSPACE_ID,
),
).resolves.toBe('issued-token');
// login() reuses verifyUserCredentials but DOES run the three side effects.
expect(userRepo.updateLastLogin).toHaveBeenCalledWith('u-1', WORKSPACE_ID);
expect(auditService.log).toHaveBeenCalled();
expect(sessionService.createSessionAndToken).toHaveBeenCalledWith(user);
});
it('the message login throws is the SAME shared constant the /mcp limiter matches', () => {
// Cross-file coupling lock: the constant is the single source of truth shared
// by AuthService and mcp-auth.helpers.isCredentialsFailure.
expect(CREDENTIALS_MISMATCH_MESSAGE).toBe('Email or password does not match');
});
});