55 lines
1.7 KiB
TypeScript
55 lines
1.7 KiB
TypeScript
import { describe, expect, it, vi } from 'vitest'
|
|
import type { NextFunction, Request, Response } from 'express'
|
|
|
|
import { requireRole } from './requireRole'
|
|
|
|
function responseStub() {
|
|
const res = { status: vi.fn(), json: vi.fn() }
|
|
res.status.mockReturnValue(res)
|
|
res.json.mockReturnValue(res)
|
|
return res as unknown as Response & typeof res
|
|
}
|
|
|
|
describe('requireRole middleware', () => {
|
|
it('rejects requests when company auth did not attach an employee', () => {
|
|
const req = {} as Request
|
|
const res = responseStub()
|
|
const next = vi.fn() as NextFunction
|
|
|
|
requireRole('AGENT' as any)(req, res, next)
|
|
|
|
expect(res.status).toHaveBeenCalledWith(401)
|
|
expect(res.json).toHaveBeenCalledWith({ error: 'unauthenticated', message: 'Authentication required', statusCode: 401 })
|
|
expect(next).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects employees below the required role and includes role context', () => {
|
|
const req = { employee: { role: 'AGENT' } } as Request
|
|
const res = responseStub()
|
|
const next = vi.fn() as NextFunction
|
|
|
|
requireRole('MANAGER' as any)(req, res, next)
|
|
|
|
expect(res.status).toHaveBeenCalledWith(403)
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: 'forbidden',
|
|
message: 'This action requires the MANAGER role or higher',
|
|
statusCode: 403,
|
|
requiredRole: 'MANAGER',
|
|
yourRole: 'AGENT',
|
|
})
|
|
expect(next).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('allows employees at or above the required role', () => {
|
|
const req = { employee: { role: 'OWNER' } } as Request
|
|
const res = responseStub()
|
|
const next = vi.fn() as NextFunction
|
|
|
|
requireRole('MANAGER' as any)(req, res, next)
|
|
|
|
expect(next).toHaveBeenCalledTimes(1)
|
|
expect(res.status).not.toHaveBeenCalled()
|
|
})
|
|
})
|