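const { describe, it, beforeEach, afterEach } = require('node:test');
const assert = require('assert');
const { requireRole } = require('../backend/middleware/role.middleware');

/**
 * Unit tests for the requireRole authorization middleware.
 *
 * Every case drives the middleware with a stub request, a recording response
 * and a counting `next`. Denial cases check both halves of a fail-closed
 * outcome: the error response is written AND the request is not forwarded.
 * Checking only the status code would let a middleware that answers 403 and
 * then still calls next() pass the suite.
 *
 * NOTE(review): the case where `req.user` itself is missing (no authentication
 * ran before this middleware) is not covered; confirm the intended behaviour
 * against the middleware and add a case for it.
 */
describe('requireRole middleware', () => {
  let req;
  let res;
  let next;
  let nextCalls;

  beforeEach(() => {
    req = { user: {} };
    // Recording response stub: remembers the last status code and JSON body
    // and returns itself so res.status(...).json(...) chains work.
    res = {
      statusCode: null,
      body: null,
      status(code) {
        res.statusCode = code;
        return res;
      },
      json(payload) {
        res.body = payload;
        return res;
      },
    };
    nextCalls = 0;
    next = () => {
      nextCalls += 1;
    };
  });

  /** Asserts the request was forwarded exactly once and no response was written. */
  const assertAllowed = () => {
    assert.strictEqual(nextCalls, 1);
    assert.strictEqual(res.statusCode, null);
    assert.strictEqual(res.body, null);
  };

  /**
   * Asserts the request was rejected with the given status and body and was
   * never handed to the next handler.
   */
  const assertDenied = (expectedStatus, expectedBody) => {
    assert.strictEqual(res.statusCode, expectedStatus);
    assert.deepStrictEqual(res.body, expectedBody);
    assert.strictEqual(nextCalls, 0);
  };

  it('should allow access when user has required role', () => {
    req.user.role = 'admin';

    requireRole(['admin'])(req, res, next);

    assertAllowed();
  });

  it('should deny access when user does not have required role', () => {
    req.user.role = 'user';

    requireRole(['admin'])(req, res, next);

    assertDenied(403, { error: 'Forbidden' });
  });

  it('should deny access when no user role is present', () => {
    req.user.role = undefined;

    requireRole(['admin'])(req, res, next);

    assertDenied(401, { error: 'Unauthorized' });
  });

  it('should allow access when user has one of multiple required roles', () => {
    req.user.role = 'moderator';

    requireRole(['admin', 'moderator'])(req, res, next);

    assertAllowed();
  });
});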