azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 10:41:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-457] [AZ-459] [AZ-465] [AZ-481] Batch 2 - auth/enum/i18n/CI tests

Browse Source 
Implements 22 blackbox test scenarios across the four batch-2 tasks:

AZ-457 - Auth & token handling (11 scenarios, fast + e2e):
- src/api/client.test.ts: FT-P-02, NFT-SEC-04, NFT-PERF-02, NFT-RES-01,
  NFT-RES-08 (apiClient surface)
- src/auth/AuthContext.test.tsx: FT-P-01 (it.fails - Step 4 drift),
  FT-P-03, NFT-SEC-01, NFT-SEC-02
- src/auth/ProtectedRoute.test.tsx: FT-N-04, NFT-RES-08 (router half)
- e2e/tests/auth.e2e.ts: FT-P-02 e2e, NFT-SEC-01/02/03 (cookie attrs
  via Playwright context.cookies(), gated by suite stack)

AZ-459 - Wire-contract enums (4 scenarios):
- tests/wire_contract.test.ts: FT-P-04 (AnnotationStatus, it.fails),
  FT-P-05 (MediaStatus + Affiliation it.fails; CombatReadiness skip
  per verification_pending), FT-P-06 (AnnotationSource control +
  spec value-set membership), FT-N-15 (typed-enum shape + skip for
  value-set verification)
- e2e/tests/wire_contract.e2e.ts: FT-P-06 against real annotations/
  service, drift-gated via AZAION_RUN_DRIFT_E2E
- scripts/run-tests.sh STC-FN15: ripgrep static for MediaType
  magic-literal hygiene

AZ-465 - i18n (4 scenarios, all static + quarantined fast):
- scripts/check-i18n-coverage.mjs: FT-P-22 (en vs ua key parity) +
  FT-P-23 (no raw user strings outside t() in src/**/*.tsx); refined
  JSX text-node regex with negative lookbehind to drop TS generics
  + arrow-function false positives
- tests/i18n-allowlist.json: snapshot of current pre-existing raw
  strings (CI gates growth per AZ-465 Constraints)
- tests/i18n.test.tsx: FT-P-24 + FT-P-25 it.skip (QUARANTINE - i18n
  detector + persistence not wired today; control tests assert the
  gap so the skip flips to a real test once Step 4 lands)

AZ-481 - CI image labels (3 scenarios, static against
  .woodpecker/build-arm.yml):
- scripts/check-ci-image-labels.mjs: NFT-RES-LIM-11 (tag scheme
  ${CI_COMMIT_BRANCH}-arm), NFT-RES-LIM-12 (revision/created/source
  PASS, image.title reported as DRIFT - foundation/CI-CD owns the
  fix), NFT-RES-LIM-13 (revision = $CI_COMMIT_SHA)

Cross-cutting:
- scripts/run-tests.sh: src_grep now excludes *.test.{ts,tsx} +
  *.spec.{ts,tsx} so production-source static checks (STC-SEC4,
  STC-FN15, etc.) don't false-positive on test prose
- tsconfig.json: exclude src/**/*.{test,spec}.{ts,tsx} so production
  tsc -b doesn't see jest-dom matchers
- _docs/03_implementation/batch_02_report.md: full per-task AC
  coverage matrix + drift inventory + verification run
- _docs/_autodev_state.md: 22 tasks remain after batch 2

Verification (host):
  fast    : 7 files, 38 passed | 4 skipped (quarantined)
  static  : 19/19 checks PASS (was 13 in batch 1; +6 from batch 2)
  e2e     : not run on host (Risk 4 - requires suite docker stack)

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 03:27:55 +03:00
parent 496b089102
commit ab22223580
18 changed files with 1910 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/api/client.test.ts
+276
View File
@@ -0,0 +1,276 @@
import { afterEach, describe, expect, it, vi } from 'vitest'
import { http, HttpResponse } from 'msw'
import { server } from '../../tests/msw/server'
import { api, getToken, setToken } from './client'
import { seedBearer, clearBearer } from '../../tests/helpers/auth'
import { seedNavigateToLogin } from '../../tests/helpers/navigate'
// AZ-457 — Auth & token-handling at the apiClient surface.
// FT-P-02 / rows 03, 12 — 401 → refresh → retry sequence (fast profile)
// NFT-SEC-04 / row 06 — credentials:'include' on the cookie-bound refresh
// NFT-PERF-02 / row 12 — exactly one /auth/refresh per refresh cycle
// NFT-RES-01 / rows 03, 11 — apiClient half of transparent recovery
// (render stability lives in AuthContext.test.tsx)
// NFT-RES-08 — expired refresh cookie → setNavigateToLogin spy fires
//
// FT-P-01 (bootstrap refresh credentials:'include') exercises the React
// composition root (<AuthContext>'s mount-time fetch) and lives in
// src/auth/AuthContext.test.tsx — the bootstrap path goes through api.get()
// today, which does NOT thread credentials. Row 02 is `quarantined` until
// the Step 4 bootstrap fix lands; the inverted assertion lives next to its
// system-under-test.
//
// Black-box discipline (per AZ-457 AC-2): we only import the three public
// accessors `setToken / getToken / setNavigateToLogin` plus the `api` wrapper
// itself. We do NOT reach into request() / refreshToken() / handleResponse().
// Outbound requests are observed via MSW `server.use(...)` interception.
describe('AZ-457 / src/api/client.ts — auth & token handling', () => {
afterEach(() => {
clearBearer()
})
describe('FT-P-02 (rows 03, 12) — 401 → refresh → retry sequence', () => {
it('refreshes once, retries the original request, returns 200', async () => {
// Arrange
seedBearer('expiring-bearer')
let getHits = 0
let refreshHits = 0
const observedAuthHeaders: Array<string | null> = []
server.use(
http.get('/api/admin/users/me', ({ request }) => {
getHits += 1
observedAuthHeaders.push(request.headers.get('Authorization'))
if (getHits === 1) {
return new HttpResponse(null, { status: 401 })
}
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
http.post('/api/admin/auth/refresh', () => {
refreshHits += 1
return HttpResponse.json({ token: 'rotated-bearer' })
}),
)
// Act
const me = await api.get<{ id: string; email: string }>('/api/admin/users/me')
// Assert — sequence per row 03 + count per row 12.
expect(refreshHits).toBe(1)
expect(getHits).toBe(2) // first 401, then retry
expect(observedAuthHeaders[0]).toBe('Bearer expiring-bearer')
expect(observedAuthHeaders[1]).toBe('Bearer rotated-bearer')
expect(me.id).toBe('user-alice')
expect(getToken()).toBe('rotated-bearer')
})
it('does NOT refresh when there is no bearer (no in-flight session)', async () => {
// Arrange — no seedBearer call → getToken() === null.
let refreshHits = 0
server.use(
http.get('/api/admin/users/me', () => new HttpResponse(null, { status: 401 })),
http.post('/api/admin/auth/refresh', () => {
refreshHits += 1
return HttpResponse.json({ token: 'should-not-be-issued' })
}),
)
// Act + Assert — request() short-circuits the refresh branch when
// accessToken is null (refreshing without a session would be a security
// anti-pattern).
await expect(api.get('/api/admin/users/me')).rejects.toThrow(/^401:/)
expect(refreshHits).toBe(0)
})
})
describe('NFT-SEC-04 (row 06) — credentials:\'include\' on the cookie-bound refresh', () => {
it('the 401-recovery POST /auth/refresh carries credentials:\'include\'', async () => {
// Arrange
seedBearer('expiring-bearer')
let refreshCredentials: RequestCredentials | null = null
let refreshMethod: string | null = null
server.use(
http.get('/api/admin/users/me', () => new HttpResponse(null, { status: 401 })),
http.post('/api/admin/auth/refresh', ({ request }) => {
refreshCredentials = request.credentials
refreshMethod = request.method
return new HttpResponse(null, { status: 401 })
}),
)
const navSpy = seedNavigateToLogin()
// Act
await expect(api.get('/api/admin/users/me')).rejects.toThrow('Session expired')
// Assert
expect(refreshMethod).toBe('POST')
expect(refreshCredentials).toBe('include')
expect(navSpy).toHaveBeenCalledTimes(1)
})
// The broader "every authed fetch" claim is `quarantined` per row 02 in
// results_report.md. Today the apiClient does NOT thread credentials onto
// non-refresh requests; only the cookie-bound refreshToken() helper does.
// The inverted assertion below documents the divergence so a future fix
// is a deliberate decision (the test starts failing the day every authed
// fetch carries credentials:'include' — at which point the it.fails
// wrapper is removed in the same commit as the production fix).
it.fails('every authed apiClient fetch carries credentials:\'include\' (quarantined — Step 4 bootstrap fix pending)', async () => {
// Arrange
seedBearer('test-bearer-default')
const credentialsByUrl: Record<string, RequestCredentials> = {}
server.use(
http.all('/api/admin/*', ({ request }) => {
credentialsByUrl[request.url] = request.credentials
return new HttpResponse(null, { status: 204 })
}),
)
// Act
await api.get('/api/admin/users/me')
// Assert — intentionally fails today; row 02 quarantined.
expect(Object.values(credentialsByUrl).every((c) => c === 'include')).toBe(true)
})
})
describe('NFT-PERF-02 (row 12) — exactly one refresh round trip per cycle', () => {
it('a single 401-retry cycle issues exactly one /auth/refresh', async () => {
// Arrange
seedBearer('expiring-bearer')
let refreshHits = 0
const status401Once = vi.fn<() => Response>(() => new HttpResponse(null, { status: 401 }) as Response)
let firstGet = true
server.use(
http.get('/api/admin/users/me', () => {
if (firstGet) {
firstGet = false
return status401Once()
}
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
http.post('/api/admin/auth/refresh', () => {
refreshHits += 1
return HttpResponse.json({ token: 'one-time-rotation' })
}),
)
// Act
await api.get('/api/admin/users/me')
// Assert
expect(refreshHits).toBe(1)
expect(status401Once).toHaveBeenCalledTimes(1)
})
it('two parallel authed requests, both 401 → still one refresh per call (no global de-dupe expected)', async () => {
// Arrange — Today's client.ts does NOT coalesce parallel refreshes. Each
// 401 in-flight produces its own refresh round trip. This test pins the
// current behavior so a future "race-coalescing" change is a deliberate
// decision (one-cycle == one-refresh per row 12; cycles are per call).
seedBearer('expiring-bearer')
const tokens = ['rot1', 'rot2']
let refreshHits = 0
const seenAuthHeaders: string[] = []
server.use(
http.get('/api/admin/users/me', ({ request }) => {
const h = request.headers.get('Authorization')
seenAuthHeaders.push(h ?? '<none>')
if (h === 'Bearer expiring-bearer') return new HttpResponse(null, { status: 401 })
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
http.get('/api/admin/users', ({ request }) => {
const h = request.headers.get('Authorization')
seenAuthHeaders.push(h ?? '<none>')
if (h === 'Bearer expiring-bearer') return new HttpResponse(null, { status: 401 })
return HttpResponse.json({ items: [], totalCount: 0, page: 1, pageSize: 10 })
}),
http.post('/api/admin/auth/refresh', () => {
const t = tokens[refreshHits] ?? 'rot-fallback'
refreshHits += 1
return HttpResponse.json({ token: t })
}),
)
// Act
await Promise.all([api.get('/api/admin/users/me'), api.get('/api/admin/users')])
// Assert — two independent cycles → two refreshes (no coalescing).
expect(refreshHits).toBe(2)
// Both retries reissued with a non-stale bearer.
expect(seenAuthHeaders.filter((h) => h === 'Bearer expiring-bearer')).toHaveLength(2)
})
})
describe('NFT-RES-01 (rows 03, 11) — apiClient half of transparent recovery', () => {
it('callers observe a 200 response with no error surface after refresh+retry', async () => {
// Arrange — render-stability half lives in AuthContext.test.tsx; this is
// strictly the apiClient observable: from the caller's perspective, the
// 401 was invisible.
seedBearer('expiring-bearer')
let firstHit = true
server.use(
http.get('/api/admin/users/me', () => {
if (firstHit) {
firstHit = false
return new HttpResponse(null, { status: 401 })
}
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
http.post('/api/admin/auth/refresh', () =>
HttpResponse.json({ token: 'transparent-recovery' }),
),
)
// Act
const result = await api.get<{ id: string }>('/api/admin/users/me')
// Assert — caller saw success, never an exception.
expect(result.id).toBe('user-alice')
// Side-effect: bearer was silently rotated (rows 03, 11).
expect(getToken()).toBe('transparent-recovery')
})
})
describe('NFT-RES-08 — expired refresh cookie → setNavigateToLogin spy fires', () => {
it('clears bearer and invokes navigateToLogin spy when refresh returns 401', async () => {
// Arrange
seedBearer('expired-bearer')
const navSpy = seedNavigateToLogin()
server.use(
http.get('/api/admin/users/me', () => new HttpResponse(null, { status: 401 })),
http.post('/api/admin/auth/refresh', () => new HttpResponse(null, { status: 401 })),
)
// Act + Assert
await expect(api.get('/api/admin/users/me')).rejects.toThrow('Session expired')
expect(navSpy).toHaveBeenCalledTimes(1)
expect(navSpy).toHaveBeenCalledWith() // AC-4 — no args
expect(getToken()).toBeNull() // bearer cleared
})
it('does not navigate or clear bearer when 401 occurs without a session', async () => {
// Arrange — refresh-bridge invariant: navigate only after a refresh
// attempt failed (not on every 401).
const navSpy = seedNavigateToLogin()
server.use(
http.get('/api/admin/users/me', () => new HttpResponse(null, { status: 401 })),
)
// Act + Assert
await expect(api.get('/api/admin/users/me')).rejects.toThrow(/^401:/)
expect(navSpy).not.toHaveBeenCalled()
expect(getToken()).toBeNull()
})
})
})
// FT-P-01 (row 02) bootstrap-credentials assertion lives in
// src/auth/AuthContext.test.tsx because it observes <AuthProvider>'s
// mount-time fetch. Splitting it out keeps the system-under-test obvious.
// Compile-time guard — the test never imports a private symbol from client.ts.
type _PublicSurface = typeof setToken extends (t: string | null) => void ? true : never
const _checkPublicSurface: _PublicSurface = true
void _checkPublicSurface
src/auth/AuthContext.test.tsx
+278
View File
@@ -0,0 +1,278 @@
import { afterEach, beforeEach, describe, expect, it } from 'vitest'
import { http, HttpResponse } from 'msw'
import { act, useRef } from 'react'
import { server } from '../../tests/msw/server'
import { renderWithProviders, screen, waitFor } from '../../tests/helpers/render'
import { api, getToken, setToken } from '../api/client'
import { seedBearer, clearBearer } from '../../tests/helpers/auth'
// AZ-457 — Auth & token-handling at the React composition root.
// FT-P-01 / row 02 — bootstrap refresh sends credentials:'include'
// (currently `quarantined` — bootstrap goes through
// api.get which doesn't thread credentials; row 02
// in results_report.md flags Step 4 fix pending)
// FT-P-03 / row 11 — refresh transparency — children don't unmount;
// re-render delta ≤ 1
// NFT-SEC-01 / row 04 — bearer never written to localStorage/sessionStorage
// (over the entire test lifetime, not just at one
// snapshot — AC-3)
// NFT-SEC-02 / rows 05+ — refresh token not exposed via document.cookie at
// runtime (the static counterpart lives in
// scripts/run-tests.sh)
//
// Black-box discipline: the test imports the public AuthProvider component,
// the public setToken / getToken accessors, and React itself. It never
// reaches into AuthContext's internals (state setters, context value, etc.).
// All assertions are observable at the DOM, network, or storage surface.
interface StorageProbe {
writes: Array<{ store: 'local' | 'session'; key: string; value: string }>
values: Array<{ store: 'local' | 'session'; key: string; value: string }>
cookieReads: number
cookieWrites: string[]
restore: () => void
}
function instrumentStorage(): StorageProbe {
const probe: StorageProbe = {
writes: [],
values: [],
cookieReads: 0,
cookieWrites: [],
restore: () => {
/* installed below */
},
}
const originalLocalSet = Storage.prototype.setItem
const wrappedSet = function (this: Storage, key: string, value: string) {
const store: 'local' | 'session' = this === window.localStorage ? 'local' : 'session'
probe.writes.push({ store, key, value })
return originalLocalSet.call(this, key, value)
}
Storage.prototype.setItem = wrappedSet
// Patch document.cookie getter/setter on the document instance so reads /
// writes surface in the probe without escaping jsdom's defaults.
const cookieDescriptor = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document), 'cookie')
if (cookieDescriptor) {
Object.defineProperty(document, 'cookie', {
configurable: true,
get() {
probe.cookieReads += 1
return cookieDescriptor.get?.call(document) ?? ''
},
set(v: string) {
probe.cookieWrites.push(v)
cookieDescriptor.set?.call(document, v)
},
})
}
probe.restore = () => {
Storage.prototype.setItem = originalLocalSet
if (cookieDescriptor) {
Object.defineProperty(document, 'cookie', cookieDescriptor)
}
}
return probe
}
function snapshotAllStorageValues(): Array<{ store: 'local' | 'session'; key: string; value: string }> {
const out: Array<{ store: 'local' | 'session'; key: string; value: string }> = []
for (let i = 0; i < window.localStorage.length; i += 1) {
const k = window.localStorage.key(i)!
out.push({ store: 'local', key: k, value: window.localStorage.getItem(k) ?? '' })
}
for (let i = 0; i < window.sessionStorage.length; i += 1) {
const k = window.sessionStorage.key(i)!
out.push({ store: 'session', key: k, value: window.sessionStorage.getItem(k) ?? '' })
}
return out
}
describe('AZ-457 / src/auth/AuthContext.tsx — bootstrap, refresh, storage discipline', () => {
let probe: StorageProbe
beforeEach(() => {
probe = instrumentStorage()
})
afterEach(() => {
probe.restore()
window.localStorage.clear()
window.sessionStorage.clear()
clearBearer()
})
describe('FT-P-01 (row 02) — bootstrap refresh', () => {
it.fails('AuthProvider mount sends credentials:\'include\' on the bootstrap refresh (quarantined — Step 4 fix pending)', async () => {
// Arrange — the production bootstrap path goes through `api.get(...)`,
// which does NOT thread credentials. Row 02 in results_report.md is
// `quarantined` until the bootstrap fetch is migrated to a path that
// sets credentials:'include'. The inverted assertion below documents the
// divergence next to its system-under-test; the day the production code
// sends credentials:'include' on bootstrap, this test starts failing
// and the it.fails wrapper is removed.
let bootstrapCredentials: RequestCredentials | null = null
server.use(
http.get('/api/admin/auth/refresh', ({ request }) => {
bootstrapCredentials = request.credentials
return HttpResponse.json({
user: { id: 'user-alice', email: 'op_alice@test.local', name: 'Alice', role: 'op', permissions: [] },
token: 'bootstrap-bearer',
})
}),
)
// Act
renderWithProviders(<div data-testid="app-root">app</div>)
await waitFor(() => expect(bootstrapCredentials).not.toBeNull())
// Assert — intentionally fails today.
expect(bootstrapCredentials).toBe('include')
})
})
describe('FT-P-03 (row 11) — refresh transparency: children stay mounted, re-render delta ≤ 1', () => {
it('mid-session refresh does not unmount the protected child; re-render delta ≤ 1', async () => {
// Arrange — a stable child component records its render counter.
const renderTimes: number[] = []
function StableChild() {
const ref = useRef(0)
ref.current += 1
renderTimes.push(ref.current)
return <div data-testid="stable-child">child #{ref.current}</div>
}
// Bootstrap returns a logged-in session (so the AuthProvider settles
// immediately), then we trigger a 401-retry cycle on a downstream call.
server.use(
http.get('/api/admin/auth/refresh', () =>
HttpResponse.json({
user: { id: 'user-alice', email: 'op_alice@test.local', name: 'Alice', role: 'op', permissions: [] },
token: 'bootstrap-bearer',
}),
),
)
renderWithProviders(<StableChild />)
await screen.findByTestId('stable-child')
const renderCountAfterBootstrap = renderTimes.length
// Force a 401-retry cycle on a downstream authed call.
let firstHit = true
let refreshHits = 0
server.use(
http.get('/api/admin/users/me', () => {
if (firstHit) {
firstHit = false
return new HttpResponse(null, { status: 401 })
}
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
http.post('/api/admin/auth/refresh', () => {
refreshHits += 1
return HttpResponse.json({ token: 'rotated-bearer' })
}),
)
// Act
await act(async () => {
await api.get('/api/admin/users/me')
})
// Assert — child stayed mounted (no unmount/remount); render delta ≤ 1.
expect(screen.getByTestId('stable-child')).toBeInTheDocument()
expect(refreshHits).toBe(1)
const reRenderDelta = renderTimes.length - renderCountAfterBootstrap
expect(reRenderDelta).toBeLessThanOrEqual(1) // row 11 — exact bound
})
})
describe('NFT-SEC-01 (row 04) — bearer never in localStorage / sessionStorage', () => {
it('over the entire test lifetime: no setItem call, no key/value contains the bearer', async () => {
// Arrange — full bootstrap + refresh + downstream-authed call lifecycle.
const BEARER = 'leak-trap-bearer-' + Date.now()
let firstUsersMe = true
server.use(
http.get('/api/admin/auth/refresh', () =>
HttpResponse.json({
user: { id: 'user-alice', email: 'op_alice@test.local', name: 'Alice', role: 'op', permissions: [] },
token: BEARER,
}),
),
http.post('/api/admin/auth/refresh', () => HttpResponse.json({ token: BEARER + '-rotated' })),
http.get('/api/admin/users/me', () => {
if (firstUsersMe) {
firstUsersMe = false
return new HttpResponse(null, { status: 401 })
}
return HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })
}),
)
// Act — boot, then drive a refresh+retry cycle, then settle.
renderWithProviders(<div data-testid="app">app</div>)
await waitFor(() => expect(getToken()).toBe(BEARER))
await act(async () => {
await api.get('/api/admin/users/me')
})
await waitFor(() => expect(getToken()).toBe(BEARER + '-rotated'))
// Assert — across the FULL test lifetime, no Storage.setItem call ever
// referenced the bearer; no key in either store contains it (AC-3 says
// "for the duration of the test", not just one snapshot).
const writesContainingBearer = probe.writes.filter(
(w) => w.value.includes(BEARER) || w.key.toLowerCase().includes('token') || w.key.toLowerCase().includes('bearer'),
)
expect(writesContainingBearer).toEqual([])
const finalSnapshot = snapshotAllStorageValues()
const leaked = finalSnapshot.filter((e) => e.value.includes(BEARER))
expect(leaked).toEqual([])
})
})
describe('NFT-SEC-02 (row 05) — refresh token not exposed via JS-readable document.cookie', () => {
it('after bootstrap + refresh cycle, document.cookie carries no refresh token', async () => {
// Arrange — drive a full auth lifecycle. If production code (or any
// library it brings in) wrote a JS-readable cookie carrying token /
// refresh material, it would surface in `document.cookie` here.
// (HttpOnly cookies set by the real admin/ service are invisible to JS;
// jsdom's MSW responses set no cookies at all unless the test does.)
server.use(
http.get('/api/admin/auth/refresh', () =>
HttpResponse.json({
user: { id: 'user-alice', email: 'op_alice@test.local', name: 'Alice', role: 'op', permissions: [] },
token: 'bootstrap-bearer-XYZ',
}),
),
http.post('/api/admin/auth/refresh', () => HttpResponse.json({ token: 'rotated-bearer-ABC' })),
http.get('/api/admin/users/me', () => HttpResponse.json({ id: 'user-alice', email: 'op_alice@test.local' })),
)
// Act — bootstrap + an authed call.
renderWithProviders(<div data-testid="app">app</div>)
await waitFor(() => expect(getToken()).toBe('bootstrap-bearer-XYZ'))
await act(async () => {
await api.get('/api/admin/users/me')
})
// Assert — JS-visible cookie jar carries neither bearer value nor any
// refresh-prefixed cookie name (case-insensitive).
const visibleCookies = document.cookie
expect(visibleCookies, 'bearer must not appear in JS-readable cookies').not.toContain('bootstrap-bearer-XYZ')
expect(visibleCookies, 'rotated bearer must not appear in JS-readable cookies').not.toContain('rotated-bearer-ABC')
expect(visibleCookies, 'no refresh-named cookie should be JS-visible').not.toMatch(/refresh/i)
// Defence-in-depth: production code did not write to document.cookie
// during the cycle (any setter call would have surfaced here).
expect(probe.cookieWrites).toEqual([])
})
})
})
// Type-only import guard — colocated test file does not import private
// AuthContext internals (only the public AuthProvider mount path, surfaced
// indirectly through renderWithProviders).
// eslint-disable-next-line @typescript-eslint/no-unused-vars
type _PublicSurface = typeof setToken extends (t: string | null) => void ? true : never
src/auth/ProtectedRoute.test.tsx
+132
View File
@@ -0,0 +1,132 @@
import { afterEach, describe, expect, it } from 'vitest'
import { http, HttpResponse } from 'msw'
import { Routes, Route } from 'react-router-dom'
import { server } from '../../tests/msw/server'
import { renderWithProviders, screen, waitFor } from '../../tests/helpers/render'
import ProtectedRoute from './ProtectedRoute'
import { clearBearer } from '../../tests/helpers/auth'
// AZ-457 — <ProtectedRoute> behavior at the React boundary.
// FT-N-04 / row 09 — unauthenticated /admin → redirect to /login
// NFT-RES-08 — refresh cookie expired → redirect to /login
// (apiClient half lives in src/api/client.test.ts; this
// file asserts the React-router-level redirect path)
//
// Black-box discipline: we import only the public ProtectedRoute component
// and react-router primitives; no internal state of <AuthContext> is read.
// Assertions are observable on the rendered DOM — the /login route renders
// a sentinel that lets us confirm the redirect happened.
function LoginSentinel() {
return <div data-testid="login-route">login-route</div>
}
function AdminSentinel() {
return <div data-testid="admin-route">admin-route</div>
}
describe('AZ-457 / src/auth/ProtectedRoute.tsx — redirect to /login', () => {
afterEach(() => {
clearBearer()
})
describe('FT-N-04 (row 09) — unauthenticated user → /login', () => {
it('navigating to /admin without a session redirects to /login', async () => {
// Arrange — bootstrap refresh returns 401 (no session), AuthProvider's
// catch arm leaves user=null and loading=false.
server.use(
http.get('/api/admin/auth/refresh', () => new HttpResponse(null, { status: 401 })),
)
// Act
renderWithProviders(
<Routes>
<Route
path="/admin"
element={
<ProtectedRoute>
<AdminSentinel />
</ProtectedRoute>
}
/>
<Route path="/login" element={<LoginSentinel />} />
</Routes>,
{ initialEntries: ['/admin'] },
)
// Assert — the /login sentinel renders, the /admin sentinel does not.
await waitFor(() => expect(screen.getByTestId('login-route')).toBeInTheDocument())
expect(screen.queryByTestId('admin-route')).toBeNull()
})
it('shows the loading spinner before bootstrap settles, then redirects', async () => {
// Arrange — keep the bootstrap in flight long enough to capture the
// spinner; resolve afterward to settle the redirect.
let resolver!: () => void
const gate = new Promise<void>((r) => {
resolver = r
})
server.use(
http.get('/api/admin/auth/refresh', async () => {
await gate
return new HttpResponse(null, { status: 401 })
}),
)
// Act
const { container } = renderWithProviders(
<Routes>
<Route
path="/admin"
element={
<ProtectedRoute>
<AdminSentinel />
</ProtectedRoute>
}
/>
<Route path="/login" element={<LoginSentinel />} />
</Routes>,
{ initialEntries: ['/admin'] },
)
// Assert spinner is visible while loading.
const spinner = container.querySelector('.animate-spin')
expect(spinner).not.toBeNull()
expect(screen.queryByTestId('admin-route')).toBeNull()
expect(screen.queryByTestId('login-route')).toBeNull()
// Resolve the gate; the route should settle on /login.
resolver()
await waitFor(() => expect(screen.getByTestId('login-route')).toBeInTheDocument())
})
})
describe('NFT-RES-08 — refresh cookie expired → redirect (React-router half)', () => {
it('failed bootstrap refresh routes the user to /login', async () => {
// Arrange — expired-cookie 401 + no user in context.
server.use(
http.get('/api/admin/auth/refresh', () => new HttpResponse(null, { status: 401 })),
)
// Act
renderWithProviders(
<Routes>
<Route
path="/flights"
element={
<ProtectedRoute>
<div data-testid="flights-route">flights-route</div>
</ProtectedRoute>
}
/>
<Route path="/login" element={<LoginSentinel />} />
</Routes>,
{ initialEntries: ['/flights'] },
)
// Assert
await waitFor(() => expect(screen.getByTestId('login-route')).toBeInTheDocument())
expect(screen.queryByTestId('flights-route')).toBeNull()
})
})
})