test/test.api-token-manager.node.ts

import { tap, expect } from '@git.zone/tstest/tapbundle';
import { ApiTokenManager } from '../ts/config/classes.api-token-manager.js';
import { DcRouterDb } from '../ts/db/index.js';
import * as plugins from '../ts/plugins.js';

const createTestDb = async () => {
  const storagePath = plugins.path.join(
    plugins.os.tmpdir(),
    `dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
  );

  DcRouterDb.resetInstance();
  const db = DcRouterDb.getInstance({
    storagePath,
    dbName: `dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
  });
  await db.start();
  await db.getDb().mongoDb.createCollection('__test_init');

  return {
    async cleanup() {
      await db.stop();
      DcRouterDb.resetInstance();
      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
    },
  };
};

tap.test('ApiTokenManager seeds and rotates an env admin API token', async () => {
  const previousToken = process.env.DCROUTER_ADMIN_API_TOKEN;
  const previousName = process.env.DCROUTER_ADMIN_API_TOKEN_NAME;
  const testDb = await createTestDb();

  try {
    const rawToken1 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
    const rawToken2 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
    process.env.DCROUTER_ADMIN_API_TOKEN = rawToken1;
    process.env.DCROUTER_ADMIN_API_TOKEN_NAME = 'Onebox Managed Admin';

    const manager = new ApiTokenManager();
    await manager.initialize();

    const token1 = await manager.validateToken(rawToken1);
    expect(token1?.id).toEqual('env-admin-token');
    expect(token1?.name).toEqual('Onebox Managed Admin');
    expect(token1?.policy?.role).toEqual('admin');
    expect(manager.hasScope(token1!, 'tokens:manage')).toEqual(true);

    const listedToken = manager.listTokens().find((token) => token.id === 'env-admin-token') as any;
    expect(listedToken.tokenHash).toBeUndefined();

    process.env.DCROUTER_ADMIN_API_TOKEN = rawToken2;
    const rotatedManager = new ApiTokenManager();
    await rotatedManager.initialize();

    expect(await rotatedManager.validateToken(rawToken1)).toBeNull();
    const token2 = await rotatedManager.validateToken(rawToken2);
    expect(token2?.id).toEqual('env-admin-token');
    expect(token2?.policy?.role).toEqual('admin');
  } finally {
    if (previousToken === undefined) {
      delete process.env.DCROUTER_ADMIN_API_TOKEN;
    } else {
      process.env.DCROUTER_ADMIN_API_TOKEN = previousToken;
    }
    if (previousName === undefined) {
      delete process.env.DCROUTER_ADMIN_API_TOKEN_NAME;
    } else {
      process.env.DCROUTER_ADMIN_API_TOKEN_NAME = previousName;
    }
    await testDb.cleanup();
  }
});

export default tap.start();
feat(api-token-manager): seed and rotate the environment-managed admin API token during initialization 2026-05-09 17:30:37 +00:00			`import { tap, expect } from '@git.zone/tstest/tapbundle';`
			`import { ApiTokenManager } from '../ts/config/classes.api-token-manager.js';`
			`import { DcRouterDb } from '../ts/db/index.js';`
			`import * as plugins from '../ts/plugins.js';`

			`const createTestDb = async () => {`
			`const storagePath = plugins.path.join(`
			`plugins.os.tmpdir(),`
			`dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
			`);`

			`DcRouterDb.resetInstance();`
			`const db = DcRouterDb.getInstance({`
			`storagePath,`
			dbName: `dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
			`});`
			`await db.start();`
			`await db.getDb().mongoDb.createCollection('__test_init');`

			`return {`
			`async cleanup() {`
			`await db.stop();`
			`DcRouterDb.resetInstance();`
			`await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });`
			`},`
			`};`
			`};`

			`tap.test('ApiTokenManager seeds and rotates an env admin API token', async () => {`
			`const previousToken = process.env.DCROUTER_ADMIN_API_TOKEN;`
			`const previousName = process.env.DCROUTER_ADMIN_API_TOKEN_NAME;`
			`const testDb = await createTestDb();`

			`try {`
			const rawToken1 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
			const rawToken2 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
			`process.env.DCROUTER_ADMIN_API_TOKEN = rawToken1;`
			`process.env.DCROUTER_ADMIN_API_TOKEN_NAME = 'Onebox Managed Admin';`

			`const manager = new ApiTokenManager();`
			`await manager.initialize();`

			`const token1 = await manager.validateToken(rawToken1);`
			`expect(token1?.id).toEqual('env-admin-token');`
			`expect(token1?.name).toEqual('Onebox Managed Admin');`
			`expect(token1?.policy?.role).toEqual('admin');`
			`expect(manager.hasScope(token1!, 'tokens:manage')).toEqual(true);`

			`const listedToken = manager.listTokens().find((token) => token.id === 'env-admin-token') as any;`
			`expect(listedToken.tokenHash).toBeUndefined();`

			`process.env.DCROUTER_ADMIN_API_TOKEN = rawToken2;`
			`const rotatedManager = new ApiTokenManager();`
			`await rotatedManager.initialize();`

			`expect(await rotatedManager.validateToken(rawToken1)).toBeNull();`
			`const token2 = await rotatedManager.validateToken(rawToken2);`
			`expect(token2?.id).toEqual('env-admin-token');`
			`expect(token2?.policy?.role).toEqual('admin');`
			`} finally {`
			`if (previousToken === undefined) {`
			`delete process.env.DCROUTER_ADMIN_API_TOKEN;`
			`} else {`
			`process.env.DCROUTER_ADMIN_API_TOKEN = previousToken;`
			`}`
			`if (previousName === undefined) {`
			`delete process.env.DCROUTER_ADMIN_API_TOKEN_NAME;`
			`} else {`
			`process.env.DCROUTER_ADMIN_API_TOKEN_NAME = previousName;`
			`}`
			`await testDb.cleanup();`
			`}`
			`});`

			`export default tap.start();`