diff --git a/test/roles.test.js b/test/roles.test.js
index c02ae56..52f56f6 100644
--- a/test/roles.test.js
+++ b/test/roles.test.js
@@ -1,105 +1,86 @@ -const request = require('supertest'); -const app = require('../backend/app'); -const { getUserById, updateUser } = require('../backend/services/user.service'); -const { logAudit } = require('../backend/services/audit.service'); +const { describe, it, beforeEach, afterEach } = require('node:test'); +const assert = require('assert'); +const { requireRole } = require('../backend/middleware/role.middleware'); -// Mock die Dienste -jest.mock('../backend/services/user.service'); -jest.mock('../backend/services/audit.service'); +describe('requireRole middleware', () => { + let req, res, next; -describe('Roles API', () => { beforeEach(() => { - // Reset mocks before each test - jest.clearAllMocks(); + req = { + user: {} + }; + res = { + status: (code) => { + res.statusCode = code; + return res; + }, + json: (body) => { + res.body = body; + return res; + } + }; + next = () => {}; }); - describe('GET /api/users/:userId/roles', () => { - it('should return user roles', async () => { - const mockUser = { id: '1', roles: ['user', 'moderator'] }; - getUserById.mockResolvedValue(mockUser); + it('should allow access when user has required role', () => { + req.user.role = 'admin'; + const middleware = requireRole(['admin']); + + let calledNext = false; + next = () => { calledNext = true; }; - const response = await request(app) - .get('/api/users/1/roles') - .expect(200); - - expect(response.body).toEqual(['user', 'moderator']); - expect(getUserById).toHaveBeenCalledWith('1'); - }); - - it('should return 404 if user not found', async () => { - getUserById.mockResolvedValue(null); - - await request(app) - .get('/api/users/999/roles') - .expect(404); - }); + middleware(req, res, next); + assert.strictEqual(calledNext, true); }); - describe('PUT /api/users/:userId/roles', () => { - it('should update user roles with admin permission', async () => { - const mockUser = { id: '1', roles: ['user'] }; - getUserById.mockResolvedValue(mockUser); - 
updateUser.mockResolvedValue(true); - logAudit.mockResolvedValue(true); + it('should deny access when user does not have required role', () => { + req.user.role = 'user'; + const middleware = requireRole(['admin']); + + let statusCode = null; + let body = null; + res.status = (code) => { + statusCode = code; + return res; + }; + res.json = (data) => { + body = data; + return res; + }; - const response = await request(app) - .put('/api/users/1/roles') - .set('Authorization', 'Bearer admin-token') - .send({ roles: ['user', 'admin'] }) - .expect(200); - - expect(response.body).toEqual({ message: 'Roles updated successfully' }); - expect(getUserById).toHaveBeenCalledWith('1'); - expect(updateUser).toHaveBeenCalledWith('1', { roles: ['user', 'admin'] }); - expect(logAudit).toHaveBeenCalled(); - }); - - it('should return 400 if roles is not an array', async () => { - await request(app) - .put('/api/users/1/roles') - .set('Authorization', 'Bearer admin-token') - .send({ roles: 'user' }) - .expect(400); - }); - - it('should return 400 if role is invalid', async () => { - await request(app) - .put('/api/users/1/roles') - .set('Authorization', 'Bearer admin-token') - .send({ roles: ['invalid-role'] }) - .expect(400); - }); - - it('should return 403 if not authorized', async () => { - await request(app) - .put('/api/users/1/roles') - .send({ roles: ['user'] }) - .expect(403); - }); + middleware(req, res, next); + assert.strictEqual(statusCode, 403); + assert.deepStrictEqual(body, { error: 'Forbidden' }); }); - describe('DELETE /api/users/:userId/roles', () => { - it('should delete user roles with admin permission', async () => { - const mockUser = { id: '1', roles: ['user', 'moderator'] }; - getUserById.mockResolvedValue(mockUser); - updateUser.mockResolvedValue(true); - logAudit.mockResolvedValue(true); + it('should deny access when no user role is present', () => { + req.user.role = undefined; + const middleware = requireRole(['admin']); + + let statusCode = null; + let 
body = null; + res.status = (code) => { + statusCode = code; + return res; + }; + res.json = (data) => { + body = data; + return res; + }; - const response = await request(app) - .delete('/api/users/1/roles') - .set('Authorization', 'Bearer admin-token') - .expect(200); + middleware(req, res, next); + assert.strictEqual(statusCode, 401); + assert.deepStrictEqual(body, { error: 'Unauthorized' }); + }); - expect(response.body).toEqual({ message: 'Roles deleted successfully' }); - expect(getUserById).toHaveBeenCalledWith('1'); - expect(updateUser).toHaveBeenCalledWith('1', { roles: [] }); - expect(logAudit).toHaveBeenCalled(); - }); + it('should allow access when user has one of multiple required roles', () => { + req.user.role = 'moderator'; + const middleware = requireRole(['admin', 'moderator']); + + let calledNext = false; + next = () => { calledNext = true; }; - it('should return 403 if not authorized', async () => { - await request(app) - .delete('/api/users/1/roles') - .expect(403); - }); + middleware(req, res, next); + assert.strictEqual(calledNext, true); }); }); \ No newline at end of file
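Review bot: The two deny-path tests (403 and 401) never check that `next` was not invoked — `next` stays the no-op assigned in `beforeEach`, so a `requireRole` that writes the error response and then still calls `next()` would pass both tests. Recording calls in `beforeEach`, e.g. `nextCalled = false; next = () => { nextCalled = true; };`, and adding `assert.strictEqual(nextCalled, false);` after each status assertion closes that gap and lets the allow-path tests reuse the same stub instead of reassigning `next` locally. There is also no case for a request with no `req.user` at all; if the middleware reads `req.user.role` unguarded it presumably throws instead of returning 401, which is worth pinning. `afterEach` is imported on the first added line but never used. Since this file no longer exercises the `/api/users/:userId/roles` routes through `app`, the wiring of `requireRole` onto the PUT and DELETE handlers is untested unless covered elsewhere.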