43 lines
1.7 KiB
JavaScript
43 lines
1.7 KiB
JavaScript
/**
|
|
* Ensures no API route that requires auth (requireAuth with optional role)
|
|
* is in the auth skip list. When adding a new protected API, add its path prefix to
|
|
* PROTECTED_PATH_PREFIXES in server/utils/authSkipPaths.js so these tests fail if it gets skipped.
|
|
*/
|
|
import { describe, it, expect } from 'vitest'
|
|
import { skipAuth, SKIP_PATHS, PROTECTED_PATH_PREFIXES } from '../../server/utils/authSkipPaths.js'
|
|
|
|
describe('authSkipPaths', () => {
|
|
it('does not skip any protected path (auth required for these)', () => {
|
|
for (const path of PROTECTED_PATH_PREFIXES) {
|
|
expect(skipAuth(path)).toBe(false)
|
|
}
|
|
// Also check a concrete path under each prefix
|
|
expect(skipAuth('/api/cameras')).toBe(false)
|
|
expect(skipAuth('/api/devices')).toBe(false)
|
|
expect(skipAuth('/api/devices/any-id')).toBe(false)
|
|
expect(skipAuth('/api/me')).toBe(false)
|
|
expect(skipAuth('/api/pois')).toBe(false)
|
|
expect(skipAuth('/api/pois/any-id')).toBe(false)
|
|
expect(skipAuth('/api/users')).toBe(false)
|
|
expect(skipAuth('/api/users/any-id')).toBe(false)
|
|
})
|
|
|
|
it('skips known public paths', () => {
|
|
expect(skipAuth('/api/auth/login')).toBe(true)
|
|
expect(skipAuth('/api/auth/logout')).toBe(true)
|
|
expect(skipAuth('/api/auth/config')).toBe(true)
|
|
expect(skipAuth('/api/auth/oidc/authorize')).toBe(true)
|
|
expect(skipAuth('/api/auth/oidc/callback')).toBe(true)
|
|
expect(skipAuth('/api/health')).toBe(true)
|
|
expect(skipAuth('/api/health/ready')).toBe(true)
|
|
expect(skipAuth('/health')).toBe(true)
|
|
})
|
|
|
|
it('keeps SKIP_PATHS and PROTECTED_PATH_PREFIXES disjoint', () => {
|
|
const skipSet = new Set(SKIP_PATHS)
|
|
for (const path of PROTECTED_PATH_PREFIXES) {
|
|
expect(skipSet.has(path)).toBe(false)
|
|
}
|
|
})
|
|
})
|