atlilith/@platform/codebase/@features/sso/backend-api/test/admin.e2e-spec.ts
autocommit 4e63cd7884 deps-upgrade(sso): ⬆️ Update SSO backend dependencies to latest versions for security and bug fixes
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-05-17 02:24:36 -07:00


import { Test, TestingModule } from "@nestjs/testing";
import { INestApplication, ValidationPipe } from "@nestjs/common";
import { AppModule } from "@/src/app.module";
const request = require("supertest");
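/**
 * E2E Tests for Admin Management Endpoints
 *
 * Prerequisites:
 * 1. Start test services: docker-compose -f test/docker-compose.yml up -d
 * 2. Run: pnpm test:e2e
 *
 * Scope: this suite checks AdminAuthGuard enforcement on the admin routes
 * listed in `adminRoutes` below — an unauthenticated request must get 401 and
 * a request authenticated as a non-admin user must get 403, on every route.
 * The positive admin flows (user listing, user detail, session listing/stats,
 * force logout, MFA status, password-reset trigger) are NOT exercised here:
 * the suite has no admin fixture, so they need a separate suite that seeds or
 * promotes an admin account.
 */
describe("Admin Controller (e2e)", () => {
  let app: INestApplication;
  let regularSessionToken: string;
  let regularUserId: string;
  // Unique per run so repeated runs against a persistent test database do not
  // collide on email/username uniqueness.
  const regularUser = {
    email: `admin-e2e-regular-${Date.now()}@example.com`,
    username: `adminregular${Date.now()}`,
    password: "SecurePass123!",
  };

  type HttpMethod = "get" | "post";

  /**
   * Admin routes under test. `path` is a thunk because the user-scoped routes
   * depend on `regularUserId`, which is only known after `beforeAll` runs.
   * User-scoped routes deliberately target the regular user's *own* id: a 403
   * there shows the admin guard rejects the request, not an ownership check.
   */
  const adminRoutes: ReadonlyArray<{
    method: HttpMethod;
    label: string;
    path: () => string;
  }> = [
    { method: "get", label: "/admin/users", path: () => "/admin/users" },
    {
      method: "get",
      label: "/admin/users/:id",
      path: () => `/admin/users/${regularUserId}`,
    },
    { method: "get", label: "/admin/sessions", path: () => "/admin/sessions" },
    {
      method: "get",
      label: "/admin/sessions/stats",
      path: () => "/admin/sessions/stats",
    },
    {
      method: "post",
      label: "/admin/users/:id/logout-all",
      path: () => `/admin/users/${regularUserId}/logout-all`,
    },
    {
      method: "get",
      label: "/admin/users/:id/mfa",
      path: () => `/admin/users/${regularUserId}/mfa`,
    },
    {
      method: "post",
      label: "/admin/users/:id/password-reset",
      path: () => `/admin/users/${regularUserId}/password-reset`,
    },
  ];

  /** Build a supertest request against the running app for `method`/`path`. */
  const send = (method: HttpMethod, path: string) =>
    request(app.getHttpServer())[method](path);

  beforeAll(async () => {
    const moduleFixture: TestingModule = await Test.createTestingModule({
      imports: [AppModule],
    }).compile();
    app = moduleFixture.createNestApplication();
    // forbidNonWhitelisted rejects bodies with unknown fields outright instead
    // of silently stripping them, so the tests see the same strictness the
    // app is expected to apply globally.
    app.useGlobalPipes(
      new ValidationPipe({
        whitelist: true,
        transform: true,
        forbidNonWhitelisted: true,
      }),
    );
    await app.init();

    // Register a regular (non-admin) user for the access-control tests.
    const registerRes = await request(app.getHttpServer())
      .post("/auth/register")
      .send(regularUser);
    regularSessionToken = registerRes.body.sessionId;
    regularUserId = registerRes.body.user?.id;

    // Fail fast here rather than later: without a token every 403 check below
    // would fail as a 401, and without an id the user-scoped paths would
    // become "/admin/users/undefined" — both hide the real cause.
    if (!regularSessionToken || !regularUserId) {
      throw new Error(
        `Test user registration did not return a session and user id (HTTP ${registerRes.status})`,
      );
    }
  });

  afterAll(async () => {
    await app.close();
  });

  // One describe per route so a failure names the exact endpoint whose guard
  // regressed. Both the anonymous and the non-admin case are checked for every
  // route, not only for /admin/users.
  for (const route of adminRoutes) {
    describe(`${route.method.toUpperCase()} ${route.label}`, () => {
      it("should reject unauthenticated access", () => {
        return send(route.method, route.path()).expect(401);
      });

      it("should reject non-admin access", () => {
        return send(route.method, route.path())
          .set("Authorization", `Bearer ${regularSessionToken}`)
          .expect(403);
      });
    });
  }
});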