directus

1
import { useEnv } from '@directus/env';
2
import jwt from 'jsonwebtoken';
3
import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
4
import getDatabase from '../database/index.js';
5
import { getAccountabilityForToken } from './get-accountability-for-token.js';
6

7
vi.mock('@directus/env');
8

9
vi.mock('../database/index', () => {
10
	const self: Record<string, any> = {
11
		select: vi.fn(() => self),
12
		from: vi.fn(() => self),
13
		leftJoin: vi.fn(() => self),
14
		where: vi.fn(() => self),
15
		first: vi.fn(),
16
	};
17

18
	return { default: vi.fn(() => self) };
19
});
20

21
beforeEach(() => {
22
	vi.mocked(useEnv).mockReturnValue({
23
		SECRET: 'super-secure-secret',
24
		EXTENSIONS_PATH: './extensions',
25
	});
26
});
27

28
afterEach(() => {
29
	vi.clearAllMocks();
30
});
31

32
describe('getAccountabilityForToken', async () => {
33
	test('minimal token payload', async () => {
34
		const token = jwt.sign({ role: '123-456-789', app_access: false, admin_access: false }, 'super-secure-secret', {
35
			issuer: 'directus',
36
		});
37

38
		const result = await getAccountabilityForToken(token);
39
		expect(result).toStrictEqual({ admin: false, app: false, role: '123-456-789', user: null });
40
	});
41

42
	test('full token payload', async () => {
43
		const token = jwt.sign(
44
			{
45
				share: 'share-id',
46
				share_scope: 'share-scope',
47
				id: 'user-id',
48
				role: 'role-id',
49
				admin_access: 1,
50
				app_access: 1,
51
			},
52
			'super-secure-secret',
53
			{ issuer: 'directus' },
54
		);
55

56
		const result = await getAccountabilityForToken(token);
57
		expect(result.admin).toBe(true);
58
		expect(result.app).toBe(true);
59
		expect(result.role).toBe('role-id');
60
		expect(result.share).toBe('share-id');
61
		expect(result.share_scope).toBe('share-scope');
62
		expect(result.user).toBe('user-id');
63
	});
64

65
	test('throws token expired error', async () => {
66
		const token = jwt.sign({ role: '123-456-789' }, 'super-secure-secret', { issuer: 'directus', expiresIn: -1 });
67
		expect(() => getAccountabilityForToken(token)).rejects.toThrow('Token expired.');
68
	});
69

70
	test('throws token invalid error', async () => {
71
		const token = jwt.sign({ role: '123-456-789' }, 'bad-secret', { issuer: 'directus' });
72
		expect(() => getAccountabilityForToken(token)).rejects.toThrow('Invalid token.');
73
	});
74

75
	test('find user in database', async () => {
76
		const db = getDatabase();
77

78
		vi.spyOn(db, 'first').mockReturnValue({
79
			id: 'user-id',
80
			role: 'role-id',
81
			admin_access: false,
82
			app_access: true,
83
		} as any);
84

85
		const token = jwt.sign({ role: '123-456-789' }, 'bad-secret');
86
		const result = await getAccountabilityForToken(token);
87

88
		expect(result).toStrictEqual({
89
			user: 'user-id',
90
			role: 'role-id',
91
			admin: false,
92
			app: true,
93
		});
94
	});
95

96
	test('no user found', async () => {
97
		const db = getDatabase();
98
		vi.spyOn(db, 'first').mockReturnValue(false as any);
99
		const token = jwt.sign({ role: '123-456-789' }, 'bad-secret');
100
		expect(() => getAccountabilityForToken(token)).rejects.toThrow('Invalid user credentials.');
101
	});
102
});
103