import { describe, expect, it } from "vitest"; import { assertBoardOrgAccess, assertCompanyAccess, hasBoardOrgAccess } from "../routes/authz.js"; function makeReq(input: { method?: string; actor: Express.Request["actor"]; }) { return { method: input.method ?? "GET", actor: input.actor, } as Express.Request; } describe("assertCompanyAccess", () => { it("allows viewer memberships to read", () => { const req = makeReq({ method: "GET", actor: { type: "board", userId: "user-1", source: "session", companyIds: ["company-1"], memberships: [ { companyId: "company-1", membershipRole: "viewer", status: "active" }, ], }, }); expect(() => assertCompanyAccess(req, "company-1")).not.toThrow(); }); it("rejects viewer memberships for writes", () => { const req = makeReq({ method: "PATCH", actor: { type: "board", userId: "user-1", source: "session", companyIds: ["company-1"], memberships: [ { companyId: "company-1", membershipRole: "viewer", status: "active" }, ], }, }); expect(() => assertCompanyAccess(req, "company-1")).toThrow("Viewer access is read-only"); }); it("rejects writes when membership details are present but omit the target company", () => { const req = makeReq({ method: "POST", actor: { type: "board", userId: "user-1", source: "session", companyIds: ["company-1"], memberships: [], }, }); expect(() => assertCompanyAccess(req, "company-1")).toThrow("User does not have active company access"); }); it("allows legacy board actors that only provide company ids", () => { const req = makeReq({ method: "POST", actor: { type: "board", userId: "user-1", source: "session", companyIds: ["company-1"], }, }); expect(() => assertCompanyAccess(req, "company-1")).not.toThrow(); }); it("rejects signed-in instance admins without explicit company access", () => { const req = makeReq({ method: "GET", actor: { type: "board", userId: "admin-1", source: "session", isInstanceAdmin: true, companyIds: [], memberships: [], }, }); expect(() => assertCompanyAccess(req, "company-1")).toThrow("User does not have access to this company"); }); it("allows local trusted board access without explicit membership", () => { const req = makeReq({ method: "GET", actor: { type: "board", userId: "local-board", source: "local_implicit", isInstanceAdmin: true, }, }); expect(() => assertCompanyAccess(req, "company-1")).not.toThrow(); }); }); describe("assertBoardOrgAccess", () => { it("allows signed-in board users with active company access", () => { const req = makeReq({ actor: { type: "board", userId: "user-1", source: "session", companyIds: ["company-1"], memberships: [{ companyId: "company-1", membershipRole: "operator", status: "active" }], isInstanceAdmin: false, }, }); expect(hasBoardOrgAccess(req)).toBe(true); expect(() => assertBoardOrgAccess(req)).not.toThrow(); }); it("allows instance admins without company memberships", () => { const req = makeReq({ actor: { type: "board", userId: "admin-1", source: "session", companyIds: [], memberships: [], isInstanceAdmin: true, }, }); expect(hasBoardOrgAccess(req)).toBe(true); expect(() => assertBoardOrgAccess(req)).not.toThrow(); }); it("rejects signed-in users without company access or instance admin rights", () => { const req = makeReq({ actor: { type: "board", userId: "outsider-1", source: "session", companyIds: [], memberships: [], isInstanceAdmin: false, }, }); expect(hasBoardOrgAccess(req)).toBe(false); expect(() => assertBoardOrgAccess(req)).toThrow("Company membership or instance admin access required"); }); });