From 1fdbb9a44562881c84dbd4722d8706e6a1ef9e28 Mon Sep 17 00:00:00 2001 From: Maxim Dolgolyov Date: Fri, 22 May 2026 21:58:37 +0300 Subject: [PATCH] test(backend): +31 integration tests for permissions/overview/search/sessions/features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Coverage: - Permissions: role/user toggle + audit + token_version bump, /me, 403 non-admin (10 tests) - Admin overview: shape, all fields, types, auth guard, empty DB zeros (4 tests) - Cmd+K search: shape, min-query empty, SQL injection sanity, user lookup (5 tests) - Session delete: CASCADE, audit entry, 404 missing, 403 non-admin (4 tests) - Feature gates: disabled flag returns 404, enabled returns 401/200, admin API toggle (5 tests) - setup.js: add /api/permissions, /api/pet, /api/biochem routes for test coverage tests 66 (was 35) · pass 63 (was 32) · fail 3 (baseline auth.test.js, unchanged) Co-Authored-By: Claude Sonnet 4.6 --- backend/tests/admin-overview.test.js | 79 ++++++++++++ backend/tests/admin-search.test.js | 91 ++++++++++++++ backend/tests/admin-sessions.test.js | 114 +++++++++++++++++ backend/tests/feature-flags.test.js | 84 +++++++++++++ backend/tests/permissions.test.js | 177 +++++++++++++++++++++++++++ backend/tests/setup.js | 8 ++ 6 files changed, 553 insertions(+) create mode 100644 backend/tests/admin-overview.test.js create mode 100644 backend/tests/admin-search.test.js create mode 100644 backend/tests/admin-sessions.test.js create mode 100644 backend/tests/feature-flags.test.js create mode 100644 backend/tests/permissions.test.js diff --git a/backend/tests/admin-overview.test.js b/backend/tests/admin-overview.test.js new file mode 100644 index 0000000..b0817a9 --- /dev/null +++ b/backend/tests/admin-overview.test.js @@ -0,0 +1,79 @@ +'use strict'; +/** + * Integration tests: GET /api/admin/overview + * Covers: shape, required fields + types, auth guard, empty DB returns zeros. + */ +const { describe, it, before, after } = require('node:test'); +const assert = require('node:assert/strict'); +const { inject, getToken, cleanup } = require('./setup'); + +after(() => cleanup()); + +describe('Admin Overview', () => { + let adminToken, teacherToken; + + before(async () => { + const a = await getToken('admin'); + adminToken = a.token; + const t = await getToken('teacher'); + teacherToken = t.token; + }); + + // ── 1. 401 without token ────────────────────────────────────────────────── + it('returns 401 without auth token', async () => { + const res = await inject('GET', '/api/admin/overview', null, null); + assert.equal(res.status, 401, `expected 401, got ${res.status}`); + }); + + // ── 2. 403 for non-admin ────────────────────────────────────────────────── + it('returns 403 for teacher (non-admin)', async () => { + const res = await inject('GET', '/api/admin/overview', null, teacherToken); + assert.equal(res.status, 403, `expected 403, got ${res.status}`); + }); + + // ── 3. Returns expected shape ───────────────────────────────────────────── + it('returns correct shape with all required fields', async () => { + const res = await inject('GET', '/api/admin/overview', null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + + const body = res.body; + // Numeric fields + const numericFields = [ + 'newUsers24h', 'newSessions24h', 'activeUsers24h', + 'classesTotal', 'abandonedSessions24h', + ]; + for (const field of numericFields) { + assert.ok(field in body, `missing field: ${field}`); + assert.equal(typeof body[field], 'number', `${field} should be a number, got ${typeof body[field]}`); + } + + // Array fields + const arrayFields = [ + 'stuckSessions', 'bannedThisWeek', 'topSessions24h', + 'worstSessions24h', 'sessionsBySubject24h', + ]; + for (const field of arrayFields) { + assert.ok(field in body, `missing array field: ${field}`); + assert.ok(Array.isArray(body[field]), `${field} should be an array`); + } + + // Sparks object + assert.ok('sparks' in body, 'missing sparks field'); + assert.ok(Array.isArray(body.sparks.users), 'sparks.users should be an array'); + assert.ok(Array.isArray(body.sparks.sessions), 'sparks.sessions should be an array'); + assert.ok(Array.isArray(body.sparks.active), 'sparks.active should be an array'); + + // Inventory object + assert.ok('inventory' in body, 'missing inventory field'); + assert.ok(typeof body.inventory === 'object', 'inventory should be an object'); + }); + + // ── 4. Empty DB (no sessions) returns zeros, not crashes ───────────────── + it('does not crash on empty DB — returns zero counts', async () => { + const res = await inject('GET', '/api/admin/overview', null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}`); + // counts should be >= 0 (not negative, not NaN, not null) + assert.ok(res.body.newSessions24h >= 0, 'newSessions24h should be >= 0'); + assert.ok(res.body.abandonedSessions24h >= 0, 'abandonedSessions24h should be >= 0'); + }); +}); diff --git a/backend/tests/admin-search.test.js b/backend/tests/admin-search.test.js new file mode 100644 index 0000000..c93e0f3 --- /dev/null +++ b/backend/tests/admin-search.test.js @@ -0,0 +1,91 @@ +'use strict'; +/** + * Integration tests: GET /api/admin/search (Cmd+K palette) + * Covers: shape, min-query guard, SQL-injection sanity, auth. + */ +const { describe, it, before, after } = require('node:test'); +const assert = require('node:assert/strict'); +const { inject, getToken, cleanup } = require('./setup'); + +after(() => cleanup()); + +describe('Admin Search (Cmd+K)', () => { + let adminToken, studentToken; + + before(async () => { + const a = await getToken('admin'); + adminToken = a.token; + const s = await getToken('student'); + studentToken = s.token; + }); + + // ── 1. Auth guard ──────────────────────────────────────────────────────── + it('returns 401 without auth token', async () => { + const res = await inject('GET', '/api/admin/search?q=test', null, null); + assert.equal(res.status, 401, `expected 401, got ${res.status}`); + }); + + it('returns 403 for student (non-admin)', async () => { + const res = await inject('GET', '/api/admin/search?q=test', null, studentToken); + assert.equal(res.status, 403, `expected 403, got ${res.status}`); + }); + + // ── 2. Short query returns empty arrays ─────────────────────────────────── + it('q shorter than 2 chars returns empty arrays without error', async () => { + const res = await inject('GET', '/api/admin/search?q=x', null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}`); + assert.ok(Array.isArray(res.body.users), 'users should be array'); + assert.ok(Array.isArray(res.body.tests), 'tests should be array'); + assert.ok(Array.isArray(res.body.classes), 'classes should be array'); + assert.equal(res.body.users.length, 0, 'users should be empty for q.length < 2'); + assert.equal(res.body.tests.length, 0, 'tests should be empty for q.length < 2'); + assert.equal(res.body.classes.length, 0, 'classes should be empty for q.length < 2'); + }); + + it('missing q param returns empty arrays', async () => { + const res = await inject('GET', '/api/admin/search', null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}`); + assert.equal(res.body.users.length, 0); + }); + + // ── 3. Valid query returns expected shape ───────────────────────────────── + it('valid query returns shape with users, tests, classes arrays', async () => { + const res = await inject('GET', '/api/admin/search?q=test', null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.ok(Array.isArray(res.body.users), 'users must be array'); + assert.ok(Array.isArray(res.body.tests), 'tests must be array'); + assert.ok(Array.isArray(res.body.classes), 'classes must be array'); + }); + + // ── 4. SQL injection sanity: parameterized — no crash ──────────────────── + it('SQL injection in q does not crash the server', async () => { + const injected = encodeURIComponent("%' OR 1=1 --"); + const res = await inject('GET', `/api/admin/search?q=${injected}`, null, adminToken); + // Must not 500 — should return 200 with arrays (possibly empty) + assert.ok(res.status < 500, `server crashed with SQL injection input: status ${res.status}`); + if (res.status === 200) { + assert.ok(Array.isArray(res.body.users), 'users should still be array'); + } + }); + + // ── 5. Search finds existing user ──────────────────────────────────────── + it('search finds a registered user by partial name', async () => { + // Create a user with a unique name we can search + const uniqueName = `Findable-${Date.now()}`; + const reg = await inject('POST', '/api/auth/register', { + email: `findable_${Date.now()}@search.test`, + password: 'password123', + name: uniqueName, + }); + assert.equal(reg.status, 201); + + const q = encodeURIComponent(uniqueName.slice(0, 8)); + const res = await inject('GET', `/api/admin/search?q=${q}`, null, adminToken); + assert.equal(res.status, 200); + const found = res.body.users.find(u => u.name === uniqueName); + assert.ok(found, `Expected to find user "${uniqueName}" in search results`); + assert.ok('id' in found, 'user result should have id'); + assert.ok('email' in found, 'user result should have email'); + assert.ok('role' in found, 'user result should have role'); + }); +}); diff --git a/backend/tests/admin-sessions.test.js b/backend/tests/admin-sessions.test.js new file mode 100644 index 0000000..ef7f2f9 --- /dev/null +++ b/backend/tests/admin-sessions.test.js @@ -0,0 +1,114 @@ +'use strict'; +/** + * Integration tests: DELETE /api/admin/sessions/:id + * Covers: session removal + cascade, audit entry, 404 for missing, 403 for non-admin. + */ +const { describe, it, before, after } = require('node:test'); +const assert = require('node:assert/strict'); +const { db, inject, getToken, cleanup } = require('./setup'); + +after(() => cleanup()); + +describe('Admin Session Delete', () => { + let adminToken, studentUser, subjectId, sessionId; + + before(async () => { + const a = await getToken('admin'); + adminToken = a.token; + + const s = await getToken('student'); + studentUser = s; + + // Ensure subject exists + let subj = db.prepare("SELECT id FROM subjects WHERE slug = 'admin-sess-test'").get(); + if (!subj) { + db.prepare("INSERT INTO subjects (slug, name, icon) VALUES ('admin-sess-test', 'Admin Sess Test', 'test')").run(); + subj = db.prepare("SELECT id FROM subjects WHERE slug = 'admin-sess-test'").get(); + } + subjectId = subj.id; + + // Create a question with options + const qId = db.prepare( + 'INSERT INTO questions (subject_id, text, difficulty) VALUES (?, ?, 1)' + ).run(subjectId, 'Admin session delete test question').lastInsertRowid; + db.prepare('INSERT INTO options (question_id, text, is_correct) VALUES (?, ?, 0)').run(qId, 'Wrong'); + db.prepare('INSERT INTO options (question_id, text, is_correct) VALUES (?, ?, 1)').run(qId, 'Correct'); + + // Start a session via API + const sessRes = await inject('POST', '/api/sessions', { + subject_slug: 'admin-sess-test', count: 1, mode: 'exam', + }, studentUser.token); + assert.equal(sessRes.status, 201, `session create failed: ${JSON.stringify(sessRes.body)}`); + sessionId = sessRes.body.session_id; + + // Answer to create user_answers row + const q = sessRes.body.questions[0]; + await inject('POST', `/api/sessions/${sessionId}/answer`, { + question_id: q.id, option_id: q.options[0].id, + }, studentUser.token); + }); + + // ── 1. Non-admin gets 403 ──────────────────────────────────────────────── + it('student gets 403 when trying to delete a session', async () => { + const res = await inject('DELETE', `/api/admin/sessions/${sessionId}`, null, studentUser.token); + assert.equal(res.status, 403, `expected 403, got ${res.status}`); + }); + + // ── 2. 404 for non-existent session ───────────────────────────────────── + it('returns 404 for non-existent session id', async () => { + const res = await inject('DELETE', '/api/admin/sessions/999999', null, adminToken); + assert.equal(res.status, 404, `expected 404, got ${res.status}: ${JSON.stringify(res.body)}`); + }); + + // ── 3. Session delete cascades user_answers and session_questions ───────── + it('deletes session and cascades related rows', async () => { + // Verify rows exist before delete + const answersBefore = db.prepare('SELECT COUNT(*) AS n FROM user_answers WHERE session_id = ?') + .get(sessionId).n; + const sqBefore = db.prepare('SELECT COUNT(*) AS n FROM session_questions WHERE session_id = ?') + .get(sessionId).n; + + // The session must still exist + const sessBefore = db.prepare('SELECT id FROM test_sessions WHERE id = ?').get(sessionId); + assert.ok(sessBefore, 'session should exist before delete'); + + const res = await inject('DELETE', `/api/admin/sessions/${sessionId}`, null, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.equal(res.body.ok, true); + + // Session gone + const sessAfter = db.prepare('SELECT id FROM test_sessions WHERE id = ?').get(sessionId); + assert.equal(sessAfter, undefined, 'session should be deleted'); + + // user_answers gone + const answersAfter = db.prepare('SELECT COUNT(*) AS n FROM user_answers WHERE session_id = ?') + .get(sessionId).n; + assert.equal(answersAfter, 0, 'user_answers should be cleared after session delete'); + + // session_questions gone + const sqAfter = db.prepare('SELECT COUNT(*) AS n FROM session_questions WHERE session_id = ?') + .get(sessionId).n; + assert.equal(sqAfter, 0, 'session_questions should be cleared after session delete'); + }); + + // ── 4. Audit entry created on delete ───────────────────────────────────── + it('creates audit log entry on session delete', async () => { + // Create and immediately delete another session + const sessRes = await inject('POST', '/api/sessions', { + subject_slug: 'admin-sess-test', count: 1, mode: 'practice', + }, studentUser.token); + assert.equal(sessRes.status, 201); + const newSessId = sessRes.body.session_id; + + const countBefore = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'session.delete'" + ).get().n; + + await inject('DELETE', `/api/admin/sessions/${newSessId}`, null, adminToken); + + const countAfter = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'session.delete'" + ).get().n; + assert.ok(countAfter > countBefore, 'Expected session.delete audit entry to be created'); + }); +}); diff --git a/backend/tests/feature-flags.test.js b/backend/tests/feature-flags.test.js new file mode 100644 index 0000000..b8f6e6e --- /dev/null +++ b/backend/tests/feature-flags.test.js @@ -0,0 +1,84 @@ +'use strict'; +/** + * Integration tests: Feature flag gates (requireFeature middleware). + * Toggles app_settings directly in DB. Checks that disabled feature = 404, + * enabled feature = 401 (route exists, auth required, not feature-blocked). + */ +const { describe, it, before, after } = require('node:test'); +const assert = require('node:assert/strict'); +const { db, inject, getToken, cleanup } = require('./setup'); + +after(() => cleanup()); + +/** + * Helper: set a feature flag in app_settings. + * @param {string} name e.g. 'pet', 'biochem' + * @param {boolean} enabled + */ +function setFeature(name, enabled) { + db.prepare( + "INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)" + ).run(`feature_${name}_enabled`, enabled ? '1' : '0'); +} + +describe('Feature Flag Gates', () => { + let adminToken; + + before(async () => { + const a = await getToken('admin'); + adminToken = a.token; + }); + + // ── 1. /api/pet disabled → 404 ─────────────────────────────────────────── + it('GET /api/pet returns 404 when pet feature is disabled', async () => { + setFeature('pet', false); + const res = await inject('GET', '/api/pet', null, adminToken); + assert.equal(res.status, 404, `expected 404 when pet disabled, got ${res.status}`); + }); + + // ── 2. /api/pet enabled → 401 (route works, auth required, not feature-blocked) + it('GET /api/pet returns 401 (not 404) when pet feature is enabled and no token', async () => { + setFeature('pet', true); + const res = await inject('GET', '/api/pet', null, null); + // Feature not disabled, so middleware passes. Auth fails → 401. + assert.equal(res.status, 401, `expected 401 when pet enabled but no token, got ${res.status}`); + }); + + // ── 3. /api/biochem/elements disabled → 404 ───────────────────────────── + it('GET /api/biochem/elements returns 404 when biochem feature is disabled', async () => { + setFeature('biochem', false); + const res = await inject('GET', '/api/biochem/elements', null, adminToken); + assert.equal(res.status, 404, `expected 404 when biochem disabled, got ${res.status}`); + }); + + // ── 4. /api/biochem/elements enabled → 200 (authenticated admin) + it('GET /api/biochem/elements is accessible when biochem feature is enabled', async () => { + setFeature('biochem', true); + const res = await inject('GET', '/api/biochem/elements', null, adminToken); + // Feature not disabled; admin is authenticated → should get data (200) not feature-block (404) + assert.notEqual(res.status, 404, `expected feature to be accessible (not 404), got ${res.status}`); + assert.ok(res.status < 500, `unexpected server error: ${res.status}`); + }); + + // ── 5. Feature toggle via admin API also works ──────────────────────────── + it('admin PATCH /api/admin/features can disable pet, then re-enable', async () => { + // Enable first + const enableRes = await inject('PATCH', '/api/admin/features', { pet: true }, adminToken); + assert.equal(enableRes.status, 200, `expected 200, got ${enableRes.status}`); + + // Check feature is accessible (auth required, no token → 401, not 404) + const accessible = await inject('GET', '/api/pet', null, null); + assert.equal(accessible.status, 401, `expected 401 (feature on), got ${accessible.status}`); + + // Disable via admin API + const disableRes = await inject('PATCH', '/api/admin/features', { pet: false }, adminToken); + assert.equal(disableRes.status, 200); + + // Now should be 404 + const blocked = await inject('GET', '/api/pet', null, adminToken); + assert.equal(blocked.status, 404, `expected 404 after disabling pet, got ${blocked.status}`); + + // Re-enable for other tests + await inject('PATCH', '/api/admin/features', { pet: true }, adminToken); + }); +}); diff --git a/backend/tests/permissions.test.js b/backend/tests/permissions.test.js new file mode 100644 index 0000000..1ba9b29 --- /dev/null +++ b/backend/tests/permissions.test.js @@ -0,0 +1,177 @@ +'use strict'; +/** + * Integration tests: /api/permissions + * Covers: role toggle + audit + token_version bump, user override, reset, /me, 403 for non-admin. + */ +const { describe, it, before, after } = require('node:test'); +const assert = require('node:assert/strict'); +const { db, inject, getToken, cleanup } = require('./setup'); + +after(() => cleanup()); + +describe('Permissions', () => { + let adminToken, teacherUser, studentUser; + + before(async () => { + const a = await getToken('admin'); + adminToken = a.token; + + teacherUser = await getToken('teacher'); + studentUser = await getToken('student'); + }); + + // ── 1. Non-admin gets 403 on POST /api/permissions ──────────────────────── + it('non-admin (teacher) gets 403 on POST /api/permissions', async () => { + const res = await inject('POST', '/api/permissions', { + role: 'student', permission: 'tests.free', enabled: false, + }, teacherUser.token); + assert.equal(res.status, 403, `expected 403, got ${res.status}`); + }); + + it('non-admin (student) gets 403 on POST /api/permissions', async () => { + const res = await inject('POST', '/api/permissions', { + role: 'student', permission: 'tests.free', enabled: false, + }, studentUser.token); + assert.equal(res.status, 403, `expected 403, got ${res.status}`); + }); + + // ── 2. No token gets 401 on GET /api/permissions ────────────────────────── + it('unauthenticated request gets 401 on GET /api/permissions', async () => { + const res = await inject('GET', '/api/permissions', null, null); + assert.equal(res.status, 401, `expected 401, got ${res.status}`); + }); + + // ── 3. Admin can toggle role-level permission + token_version bumped ─────── + it('admin toggles role permission and student token_version is bumped', async () => { + const tvBefore = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + + const res = await inject('POST', '/api/permissions', { + role: 'student', permission: 'tests.free', enabled: false, + }, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.equal(res.body.ok, true); + + const tvAfter = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + assert.ok(tvAfter > tvBefore, `token_version should increase (was ${tvBefore}, got ${tvAfter})`); + + // Restore + await inject('POST', '/api/permissions', { + role: 'student', permission: 'tests.free', enabled: true, + }, adminToken); + }); + + // ── 4. Audit entry created for role permission toggle ───────────────────── + it('audit entry created when role permission is toggled', async () => { + // Clear audit log first to count new entries + const countBefore = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'permission.set'" + ).get().n; + + await inject('POST', '/api/permissions', { + role: 'teacher', permission: 'questions.manage', enabled: true, + }, adminToken); + + const countAfter = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'permission.set'" + ).get().n; + + assert.ok(countAfter > countBefore, 'Expected new permission.set audit entry'); + }); + + // ── 5. POST /api/permissions/users/:id sets user override + bumps token_version + it('admin sets user override and target token_version bumped', async () => { + const tvBefore = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + + const res = await inject('POST', `/api/permissions/users/${studentUser.userId}`, { + permission: 'shop.purchase', enabled: false, + }, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.equal(res.body.ok, true); + + const tvAfter = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + assert.ok(tvAfter > tvBefore, `token_version should increase for targeted user`); + + // Verify the override was persisted + const row = db.prepare( + 'SELECT enabled FROM user_permissions WHERE user_id = ? AND permission = ?' + ).get(studentUser.userId, 'shop.purchase'); + assert.ok(row, 'user_permissions row should exist'); + assert.equal(row.enabled, 0, 'override should be disabled'); + }); + + // ── 6. Audit entry created for user override ───────────────────────────── + it('audit entry created when user override is set', async () => { + const countBefore = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'permission.user_set'" + ).get().n; + + await inject('POST', `/api/permissions/users/${teacherUser.userId}`, { + permission: 'results.export', enabled: false, + }, adminToken); + + const countAfter = db.prepare( + "SELECT COUNT(*) AS n FROM admin_audit_log WHERE action = 'permission.user_set'" + ).get().n; + assert.ok(countAfter > countBefore, 'Expected new permission.user_set audit entry'); + }); + + // ── 7. DELETE /api/permissions/users/:id/reset clears overrides, bumps tv ─ + it('reset user permissions clears overrides and bumps token_version', async () => { + // Ensure there's at least one override + await inject('POST', `/api/permissions/users/${studentUser.userId}`, { + permission: 'board.post', enabled: false, + }, adminToken); + + const tvBefore = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + + const res = await inject('DELETE', `/api/permissions/users/${studentUser.userId}/reset`, {}, adminToken); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.equal(res.body.ok, true); + + const tvAfter = db.prepare('SELECT token_version FROM users WHERE id = ?') + .get(studentUser.userId).token_version; + assert.ok(tvAfter > tvBefore, 'token_version should increase after reset'); + + // No more overrides in user_permissions + const rows = db.prepare('SELECT * FROM user_permissions WHERE user_id = ?') + .all(studentUser.userId); + assert.equal(rows.length, 0, 'user_permissions should be empty after reset'); + }); + + // ── 8. GET /api/permissions/me returns effective permissions ────────────── + it('GET /api/permissions/me returns role and permissions array for student', async () => { + // Use a fresh student whose token_version has not been bumped by earlier tests + const freshStudent = await getToken('student'); + const res = await inject('GET', '/api/permissions/me', null, freshStudent.token); + assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); + assert.equal(res.body.role, 'student'); + assert.ok(Array.isArray(res.body.permissions), 'permissions should be an array'); + assert.ok(res.body.permissions.length > 0, 'permissions array should not be empty'); + // Each entry must have key and effective + for (const p of res.body.permissions) { + assert.ok('key' in p, 'permission entry missing key'); + assert.ok('effective' in p, 'permission entry missing effective'); + } + }); + + it('GET /api/permissions/me for admin returns empty permissions (admin bypasses all)', async () => { + const res = await inject('GET', '/api/permissions/me', null, adminToken); + assert.equal(res.status, 200); + assert.equal(res.body.role, 'admin'); + assert.ok(Array.isArray(res.body.permissions), 'admin permissions should be an array'); + assert.equal(res.body.permissions.length, 0, 'admin should have empty permissions list'); + }); + + // ── 9. Invalid role rejected ─────────────────────────────────────────────── + it('POST /api/permissions with invalid role returns 400', async () => { + const res = await inject('POST', '/api/permissions', { + role: 'superadmin', permission: 'tests.free', enabled: true, + }, adminToken); + assert.equal(res.status, 400); + }); +}); diff --git a/backend/tests/setup.js b/backend/tests/setup.js index 84550d3..905484b 100644 --- a/backend/tests/setup.js +++ b/backend/tests/setup.js @@ -42,6 +42,14 @@ app.use('/api/admin', require('../src/routes/admin')); app.use('/api/subjects', require('../src/routes/subjects')); app.use('/api/questions', require('../src/routes/questions')); +// Additional routes for integration tests +app.use('/api/permissions', require('../src/routes/permissions')); + +// Feature-gated routes (requireFeature checks app_settings in DB) +const { requireFeature } = require('../src/middleware/features'); +app.use('/api/pet', requireFeature('pet'), require('../src/routes/pet')); +app.use('/api/biochem', requireFeature('biochem'), require('../src/routes/biochem')); + // Error handler app.use((err, _req, res, _next) => { res.status(err.status || 500).json({ error: err.message || 'Server error' });