feat(auth): implement JWT-based authentication with admin access controls

2025-06-08 07:19:31 +00:00
parent 61778bdba8
commit 5faca8c1b6
10 changed files with 617 additions and 92 deletions
--- a/test/test.protected-endpoint.ts
+++ b/test/test.protected-endpoint.ts
@ -0,0 +1,115 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/index.js';
+import { TypedRequest } from '@api.global/typedrequest';
+import * as interfaces from '../ts_interfaces/index.js';
+
+let testDcRouter: DcRouter;
+let adminIdentity: interfaces.data.IIdentity;
+
+tap.test('should start DCRouter with OpsServer', async () => {
+  testDcRouter = new DcRouter({
+    // Minimal config for testing
+  });
+  
+  await testDcRouter.start();
+  expect(testDcRouter.opsServer).toBeInstanceOf(Object);
+});
+
+tap.test('should login as admin', async () => {
+  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+    'http://localhost:3000/typedrequest',
+    'adminLoginWithUsernameAndPassword'
+  );
+  
+  const response = await loginRequest.fire({
+    username: 'admin',
+    password: 'admin'
+  });
+  
+  expect(response).toHaveProperty('identity');
+  adminIdentity = response.identity;
+  console.log('Admin logged in with JWT');
+});
+
+tap.test('should allow admin to update configuration', async () => {
+  const updateRequest = new TypedRequest<interfaces.requests.IReq_UpdateConfiguration>(
+    'http://localhost:3000/typedrequest',
+    'updateConfiguration'
+  );
+  
+  const response = await updateRequest.fire({
+    identity: adminIdentity,
+    section: 'security',
+    config: {
+      rateLimit: true,
+      spamDetection: true
+    }
+  });
+  
+  expect(response).toHaveProperty('updated');
+  expect(response.updated).toBeTrue();
+});
+
+tap.test('should reject configuration update without identity', async () => {
+  const updateRequest = new TypedRequest<interfaces.requests.IReq_UpdateConfiguration>(
+    'http://localhost:3000/typedrequest',
+    'updateConfiguration'
+  );
+  
+  try {
+    await updateRequest.fire({
+      section: 'security',
+      config: {
+        rateLimit: false
+      }
+    });
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+    console.log('Successfully rejected request without identity');
+  }
+});
+
+tap.test('should reject configuration update with invalid JWT', async () => {
+  const updateRequest = new TypedRequest<interfaces.requests.IReq_UpdateConfiguration>(
+    'http://localhost:3000/typedrequest',
+    'updateConfiguration'
+  );
+  
+  try {
+    await updateRequest.fire({
+      identity: {
+        ...adminIdentity,
+        jwt: 'invalid.jwt.token'
+      },
+      section: 'security',
+      config: {
+        rateLimit: false
+      }
+    });
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+    console.log('Successfully rejected request with invalid JWT');
+  }
+});
+
+tap.test('should allow access to public endpoints without auth', async () => {
+  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
+    'http://localhost:3000/typedrequest',
+    'getHealthStatus'
+  );
+  
+  // No identity provided
+  const response = await healthRequest.fire({});
+  
+  expect(response).toHaveProperty('health');
+  expect(response.health.healthy).toBeTrue();
+  console.log('Public endpoint accessible without auth');
+});
+
+tap.test('should stop DCRouter', async () => {
+  await testDcRouter.stop();
+});
+
+export default tap.start();