import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest' import { safeCompare, requireRole } from '@/lib/auth' // Mock dependencies that auth.ts imports vi.mock('@/lib/db', () => ({ getDatabase: vi.fn(), })) vi.mock('@/lib/password', () => ({ hashPassword: vi.fn((p: string) => `hashed:${p}`), verifyPassword: vi.fn(() => false), })) // Prevent event-bus singleton side-effects vi.mock('@/lib/event-bus', () => ({ eventBus: { broadcast: vi.fn(), on: vi.fn(), emit: vi.fn() }, })) describe('safeCompare', () => { it('returns true for matching strings', () => { expect(safeCompare('abc123', 'abc123')).toBe(true) }) it('returns false for non-matching strings of same length', () => { expect(safeCompare('abc123', 'xyz789')).toBe(false) }) it('returns false for different length strings', () => { expect(safeCompare('short', 'muchlonger')).toBe(false) }) it('returns true for two empty strings', () => { expect(safeCompare('', '')).toBe(true) }) it('returns false when one string is empty', () => { expect(safeCompare('', 'notempty')).toBe(false) expect(safeCompare('notempty', '')).toBe(false) }) it('returns false for non-string inputs', () => { expect(safeCompare(null as any, 'a')).toBe(false) expect(safeCompare('a', undefined as any)).toBe(false) }) }) describe('requireRole', () => { const originalEnv = process.env beforeEach(() => { process.env = { ...originalEnv, API_KEY: 'test-api-key-secret' } }) afterEach(() => { process.env = originalEnv }) function makeRequest(headers: Record = {}): Request { return new Request('http://localhost/api/test', { headers: new Headers(headers), }) } it('returns 401 when no authentication is provided', () => { const result = requireRole(makeRequest(), 'viewer') expect(result.status).toBe(401) expect(result.error).toBe('Authentication required') expect(result.user).toBeUndefined() }) it('returns 401 when API key is wrong', () => { const result = requireRole( makeRequest({ 'x-api-key': 'wrong-key' }), 'viewer', ) expect(result.status).toBe(401) expect(result.error).toBe('Authentication required') }) it('returns user when API key is valid and role is sufficient', () => { const result = requireRole( makeRequest({ 'x-api-key': 'test-api-key-secret' }), 'admin', ) expect(result.status).toBeUndefined() expect(result.error).toBeUndefined() expect(result.user).toBeDefined() expect(result.user!.username).toBe('api') expect(result.user!.role).toBe('admin') }) it('returns user for lower role requirement with API key (admin >= viewer)', () => { const result = requireRole( makeRequest({ 'x-api-key': 'test-api-key-secret' }), 'viewer', ) expect(result.user).toBeDefined() expect(result.user!.role).toBe('admin') }) it('returns user for operator role requirement with API key (admin >= operator)', () => { const result = requireRole( makeRequest({ 'x-api-key': 'test-api-key-secret' }), 'operator', ) expect(result.user).toBeDefined() }) it('accepts Authorization Bearer API key', () => { const result = requireRole( makeRequest({ authorization: 'Bearer test-api-key-secret' }), 'admin', ) expect(result.user).toBeDefined() expect(result.user!.username).toBe('api') }) it('rejects API key auth when API_KEY is not configured', () => { process.env = { ...originalEnv, API_KEY: '' } const result = requireRole( makeRequest({ 'x-api-key': 'test-api-key-secret' }), 'viewer', ) expect(result.status).toBe(401) expect(result.user).toBeUndefined() }) })