aris/apps/aelis-backend/src/auth/admin-middleware.test.ts

import { Hono } from "hono"
import { describe, expect, test } from "bun:test"

import type { Auth } from "./index.ts"
import type { AuthSession, AuthUser } from "./session.ts"

import { createRequireAdmin } from "./admin-middleware.ts"

function makeUser(role: string | null): AuthUser {
	const now = new Date()
	return {
		id: "user-1",
		name: "Test User",
		email: "test@example.com",
		emailVerified: true,
		image: null,
		createdAt: now,
		updatedAt: now,
		role,
		banned: false,
		banReason: null,
		banExpires: null,
	}
}

function makeSession(): AuthSession {
	const now = new Date()
	return {
		id: "sess-1",
		userId: "user-1",
		token: "tok-1",
		expiresAt: new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000),
		ipAddress: "127.0.0.1",
		userAgent: "test",
		createdAt: now,
		updatedAt: now,
	}
}

function mockAuth(sessionResult: { user: AuthUser; session: AuthSession } | null): Auth {
	return {
		api: {
			getSession: async () => sessionResult,
		},
	} as unknown as Auth
}

function createApp(auth: Auth) {
	const app = new Hono()
	const middleware = createRequireAdmin(auth)
	app.get("/api/admin/test", middleware, (c) => c.json({ ok: true }))
	return app
}

describe("createRequireAdmin", () => {
	test("returns 401 when no session", async () => {
		const app = createApp(mockAuth(null))

		const res = await app.request("/api/admin/test")

		expect(res.status).toBe(401)
		const body = (await res.json()) as { error: string }
		expect(body.error).toBe("Unauthorized")
	})

	test("returns 403 when user is not admin", async () => {
		const app = createApp(mockAuth({ user: makeUser("user"), session: makeSession() }))

		const res = await app.request("/api/admin/test")

		expect(res.status).toBe(403)
		const body = (await res.json()) as { error: string }
		expect(body.error).toBe("Forbidden")
	})

	test("returns 403 when role is null", async () => {
		const app = createApp(mockAuth({ user: makeUser(null), session: makeSession() }))

		const res = await app.request("/api/admin/test")

		expect(res.status).toBe(403)
	})

	test("allows admin users through and sets context", async () => {
		const user = makeUser("admin")
		const session = makeSession()
		const app = createApp(mockAuth({ user, session }))

		const res = await app.request("/api/admin/test")

		expect(res.status).toBe(200)
		const body = (await res.json()) as { ok: boolean }
		expect(body.ok).toBe(true)
	})
})
feat(backend): add admin API with provider config endpoint (#83) * feat(backend): add admin API with provider config endpoint Add /api/admin/* route group with admin role middleware and a PUT /api/admin/:sourceId/config endpoint for updating feed source provider config at runtime. Currently supports aelis.weather. Co-authored-by: Ona <no-reply@ona.com> * test: remove weak active session test Co-authored-by: Ona <no-reply@ona.com> --------- Co-authored-by: Ona <no-reply@ona.com> 2026-03-21 19:01:43 +00:00			`import { Hono } from "hono"`
			`import { describe, expect, test } from "bun:test"`

			`import type { Auth } from "./index.ts"`
			`import type { AuthSession, AuthUser } from "./session.ts"`

			`import { createRequireAdmin } from "./admin-middleware.ts"`

			`function makeUser(role: string \| null): AuthUser {`
			`const now = new Date()`
			`return {`
			`id: "user-1",`
			`name: "Test User",`
			`email: "test@example.com",`
			`emailVerified: true,`
			`image: null,`
			`createdAt: now,`
			`updatedAt: now,`
			`role,`
			`banned: false,`
			`banReason: null,`
			`banExpires: null,`
			`}`
			`}`

			`function makeSession(): AuthSession {`
			`const now = new Date()`
			`return {`
			`id: "sess-1",`
			`userId: "user-1",`
			`token: "tok-1",`
			`expiresAt: new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000),`
			`ipAddress: "127.0.0.1",`
			`userAgent: "test",`
			`createdAt: now,`
			`updatedAt: now,`
			`}`
			`}`

			`function mockAuth(sessionResult: { user: AuthUser; session: AuthSession } \| null): Auth {`
			`return {`
			`api: {`
			`getSession: async () => sessionResult,`
			`},`
			`} as unknown as Auth`
			`}`

			`function createApp(auth: Auth) {`
			`const app = new Hono()`
			`const middleware = createRequireAdmin(auth)`
			`app.get("/api/admin/test", middleware, (c) => c.json({ ok: true }))`
			`return app`
			`}`

			`describe("createRequireAdmin", () => {`
			`test("returns 401 when no session", async () => {`
			`const app = createApp(mockAuth(null))`

			`const res = await app.request("/api/admin/test")`

			`expect(res.status).toBe(401)`
			`const body = (await res.json()) as { error: string }`
			`expect(body.error).toBe("Unauthorized")`
			`})`

			`test("returns 403 when user is not admin", async () => {`
			`const app = createApp(mockAuth({ user: makeUser("user"), session: makeSession() }))`

			`const res = await app.request("/api/admin/test")`

			`expect(res.status).toBe(403)`
			`const body = (await res.json()) as { error: string }`
			`expect(body.error).toBe("Forbidden")`
			`})`

			`test("returns 403 when role is null", async () => {`
			`const app = createApp(mockAuth({ user: makeUser(null), session: makeSession() }))`

			`const res = await app.request("/api/admin/test")`

			`expect(res.status).toBe(403)`
			`})`

			`test("allows admin users through and sets context", async () => {`
			`const user = makeUser("admin")`
			`const session = makeSession()`
			`const app = createApp(mockAuth({ user, session }))`

			`const res = await app.request("/api/admin/test")`

			`expect(res.status).toBe(200)`
			`const body = (await res.json()) as { ok: boolean }`
			`expect(body.ok).toBe(true)`
			`})`
			`})`