mirror of
https://github.com/kikootwo/ReadMeABook.git
synced 2026-06-03 21:00:09 +00:00
kikootwo
af0eaceb98
Introduce a provider-based notification system and wire it through the API and admin UI. Added INotificationProvider + notification service implementation and providers (apprise, discord, ntfy, pushover), plus a GET /api/admin/notifications/providers endpoint to expose provider metadata. Refactored code to use provider type strings (removed enum coupling), updated masking/encryption calls, and simplified the test notification endpoint to accept backendId or type+config and call sendToBackend directly. UI: NotificationsTab now fetches provider metadata and renders provider cards and dynamic config forms (fields driven by provider metadata). Added config field rendering, improved backend cards, and edit/delete actions. APIs: New providers route, updated admin notification CRUD routes to validate provider types dynamically, updated test route schema. Added download-client categories POST API to fetch categories from clients and wired postImportCategory handling in download-client routes. Other notable changes: BookDate now fetches Claude models dynamically from Anthropic's Models API; added paginated model fetch helper. Added ALLOW_WEAK_PASSWORD flag exposure to auth providers and password change logic. Doc updates and various tests added/updated. File-organization doc clarifies EPERM fix using stream-based copy.
338 lines
12 KiB
TypeScript
338 lines
12 KiB
TypeScript
/**
|
|
* Component: Local Auth Provider Tests
|
|
* Documentation: documentation/backend/services/auth.md
|
|
*/
|
|
|
|
import { beforeEach, describe, expect, it, vi } from 'vitest';
|
|
import { createPrismaMock } from '../../helpers/prisma';
|
|
|
|
const prismaMock = createPrismaMock();
|
|
const configMock = vi.hoisted(() => ({ get: vi.fn() }));
|
|
const encryptionMock = vi.hoisted(() => ({
|
|
encrypt: vi.fn((value: string) => `enc:${value}`),
|
|
decrypt: vi.fn((value: string) => value.replace('enc:', '')),
|
|
}));
|
|
|
|
const bcryptCompare = vi.fn();
|
|
const bcryptHash = vi.fn();
|
|
|
|
vi.mock('@/lib/db', () => ({
|
|
prisma: prismaMock,
|
|
}));
|
|
|
|
vi.mock('@/lib/services/config.service', () => ({
|
|
getConfigService: () => configMock,
|
|
}));
|
|
|
|
vi.mock('@/lib/services/encryption.service', () => ({
|
|
getEncryptionService: () => encryptionMock,
|
|
}));
|
|
|
|
vi.mock('bcrypt', () => ({
|
|
default: { compare: bcryptCompare, hash: bcryptHash },
|
|
compare: bcryptCompare,
|
|
hash: bcryptHash,
|
|
}));
|
|
|
|
describe('LocalAuthProvider', () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks();
|
|
});
|
|
|
|
it('logs in approved local users with valid password', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue({
|
|
id: 'user-1',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
authProvider: 'local',
|
|
authToken: 'enc:hash',
|
|
registrationStatus: 'approved',
|
|
deletedAt: null,
|
|
});
|
|
prismaMock.user.update.mockResolvedValue({});
|
|
bcryptCompare.mockResolvedValue(true);
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'pass' });
|
|
|
|
expect(result.success).toBe(true);
|
|
expect(result.user?.authProvider).toBe('local');
|
|
expect(result.tokens?.accessToken).toBeTruthy();
|
|
expect(result.tokens?.refreshToken).toBeTruthy();
|
|
});
|
|
|
|
it('rejects login when credentials are missing', async () => {
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: '', password: '' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('Username and password required');
|
|
});
|
|
|
|
it('blocks login when approval is pending', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue({
|
|
id: 'user-2',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
authProvider: 'local',
|
|
authToken: 'enc:hash',
|
|
registrationStatus: 'pending_approval',
|
|
deletedAt: null,
|
|
});
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'pass' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.requiresApproval).toBe(true);
|
|
});
|
|
|
|
it('rejects login when account is rejected', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue({
|
|
id: 'user-2b',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
authProvider: 'local',
|
|
authToken: 'enc:hash',
|
|
registrationStatus: 'rejected',
|
|
deletedAt: null,
|
|
});
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'pass' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('rejected');
|
|
});
|
|
|
|
it('rejects login with invalid password', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue({
|
|
id: 'user-3',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
authProvider: 'local',
|
|
authToken: 'enc:hash',
|
|
registrationStatus: 'approved',
|
|
deletedAt: null,
|
|
});
|
|
bcryptCompare.mockResolvedValue(false);
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'bad' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toMatch(/invalid username or password/i);
|
|
});
|
|
|
|
it('rejects login when password hash cannot be decrypted', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue({
|
|
id: 'user-4',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
authProvider: 'local',
|
|
authToken: 'enc:hash',
|
|
registrationStatus: 'approved',
|
|
deletedAt: null,
|
|
});
|
|
encryptionMock.decrypt.mockImplementationOnce(() => {
|
|
throw new Error('decrypt failed');
|
|
});
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'pass' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toMatch(/invalid username or password/i);
|
|
});
|
|
|
|
it('rejects login when user is not found', async () => {
|
|
prismaMock.user.findFirst.mockResolvedValue(null);
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.handleCallback({ username: 'user', password: 'pass' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toMatch(/invalid username or password/i);
|
|
});
|
|
|
|
it('blocks registration when disabled', async () => {
|
|
configMock.get.mockResolvedValueOnce('false');
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: 'password123' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toMatch(/registration is disabled/i);
|
|
});
|
|
|
|
it('rejects short usernames or passwords on registration', async () => {
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
|
|
let result = await provider.register({ username: 'ab', password: 'password123' });
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('Username');
|
|
|
|
result = await provider.register({ username: 'user', password: 'short' });
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('Password');
|
|
});
|
|
|
|
it('allows short passwords when ALLOW_WEAK_PASSWORD is enabled', async () => {
|
|
process.env.ALLOW_WEAK_PASSWORD = 'true';
|
|
configMock.get.mockResolvedValueOnce('true'); // registration enabled
|
|
configMock.get.mockResolvedValueOnce('false'); // no admin approval
|
|
prismaMock.user.findFirst.mockResolvedValue(null);
|
|
prismaMock.user.count.mockResolvedValue(0);
|
|
prismaMock.user.create.mockResolvedValue({
|
|
id: 'user-1',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'admin',
|
|
});
|
|
bcryptHash.mockResolvedValue('hash');
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: 'ab' });
|
|
|
|
expect(result.success).toBe(true);
|
|
delete process.env.ALLOW_WEAK_PASSWORD;
|
|
});
|
|
|
|
it('still rejects empty passwords when ALLOW_WEAK_PASSWORD is enabled', async () => {
|
|
process.env.ALLOW_WEAK_PASSWORD = 'true';
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: '' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('required');
|
|
delete process.env.ALLOW_WEAK_PASSWORD;
|
|
});
|
|
|
|
it('rejects registration when username is taken', async () => {
|
|
configMock.get.mockResolvedValueOnce('true');
|
|
prismaMock.user.findFirst.mockResolvedValue({ id: 'user-10' });
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: 'password123' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.error).toContain('Username already taken');
|
|
});
|
|
|
|
it('creates admin user on first registration', async () => {
|
|
configMock.get.mockResolvedValueOnce('true'); // registration enabled
|
|
configMock.get.mockResolvedValueOnce('false'); // no admin approval
|
|
prismaMock.user.findFirst.mockResolvedValue(null);
|
|
prismaMock.user.count.mockResolvedValue(0);
|
|
prismaMock.user.create.mockResolvedValue({
|
|
id: 'user-1',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'admin',
|
|
});
|
|
bcryptHash.mockResolvedValue('hash');
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: 'password123' });
|
|
|
|
expect(result.success).toBe(true);
|
|
expect(result.user?.role).toBe('admin');
|
|
});
|
|
|
|
it('returns pending approval when admin approval is required', async () => {
|
|
configMock.get.mockResolvedValueOnce('true'); // registration enabled
|
|
configMock.get.mockResolvedValueOnce('true'); // admin approval required
|
|
prismaMock.user.findFirst.mockResolvedValue(null);
|
|
prismaMock.user.count.mockResolvedValue(2);
|
|
prismaMock.user.create.mockResolvedValue({
|
|
id: 'user-11',
|
|
plexId: 'local-user',
|
|
plexUsername: 'user',
|
|
role: 'user',
|
|
});
|
|
bcryptHash.mockResolvedValue('hash');
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const result = await provider.register({ username: 'user', password: 'password123' });
|
|
|
|
expect(result.success).toBe(false);
|
|
expect(result.requiresApproval).toBe(true);
|
|
});
|
|
|
|
it('returns false for non-local or missing users during access validation', async () => {
|
|
prismaMock.user.findUnique.mockResolvedValueOnce(null);
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const missing = await provider.validateAccess({ id: 'user-12', username: 'x' });
|
|
|
|
expect(missing).toBe(false);
|
|
|
|
prismaMock.user.findUnique.mockResolvedValueOnce({
|
|
id: 'user-13',
|
|
authProvider: 'plex',
|
|
deletedAt: null,
|
|
registrationStatus: 'approved',
|
|
});
|
|
|
|
const notLocal = await provider.validateAccess({ id: 'user-13', username: 'x' });
|
|
expect(notLocal).toBe(false);
|
|
});
|
|
|
|
it('returns null for refresh token placeholder', async () => {
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
|
|
const tokens = await provider.refreshToken('refresh');
|
|
expect(tokens).toBeNull();
|
|
});
|
|
|
|
it('rejects access for deleted or unapproved users', async () => {
|
|
prismaMock.user.findUnique.mockResolvedValueOnce({
|
|
id: 'user-4',
|
|
authProvider: 'local',
|
|
deletedAt: new Date(),
|
|
registrationStatus: 'approved',
|
|
});
|
|
|
|
const { LocalAuthProvider } = await import('@/lib/services/auth/LocalAuthProvider');
|
|
const provider = new LocalAuthProvider();
|
|
const deletedAccess = await provider.validateAccess({ id: 'user-4', username: 'x' });
|
|
|
|
expect(deletedAccess).toBe(false);
|
|
|
|
prismaMock.user.findUnique.mockResolvedValueOnce({
|
|
id: 'user-5',
|
|
authProvider: 'local',
|
|
deletedAt: null,
|
|
registrationStatus: 'pending_approval',
|
|
});
|
|
|
|
const pendingAccess = await provider.validateAccess({ id: 'user-5', username: 'x' });
|
|
expect(pendingAccess).toBe(false);
|
|
});
|
|
});
|
|
|
|
|
|
|