mirror change from https://github.com/binhkid2/FullStack-Blog-Nestjs-Nextjs-Postgres

backend/test/rbac.e2e-spec.ts

@@ -0,0 +1,125 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { INestApplication, ValidationPipe } from '@nestjs/common';
+import * as request from 'supertest';
+import * as cookieParser from 'cookie-parser';
+import { AppModule } from '../src/app.module';
+
+describe('RBAC (e2e)', () => {
+  let app: INestApplication;
+
+  // We'll store cookies per user role
+  let adminCookies: string[];
+  let managerCookies: string[];
+  let memberCookies: string[];
+
+  const ts = Date.now();
+
+  beforeAll(async () => {
+    const moduleFixture: TestingModule = await Test.createTestingModule({
+      imports: [AppModule],
+    }).compile();
+
+    app = moduleFixture.createNestApplication();
+    app.use(cookieParser());
+    app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
+    await app.init();
+
+    // Register three users, then promote via direct DB or use existing seed
+    // For simplicity, register all as MEMBER — we test permission differences
+
+    const adminEmail = `admin-rbac-${ts}@test.com`;
+    const managerEmail = `manager-rbac-${ts}@test.com`;
+    const memberEmail = `member-rbac-${ts}@test.com`;
+    const pw = 'RbacTest123!';
+
+    // Register all
+    await request(app.getHttpServer())
+      .post('/auth/register')
+      .send({ email: adminEmail, password: pw });
+
+    await request(app.getHttpServer())
+      .post('/auth/register')
+      .send({ email: managerEmail, password: pw });
+
+    const memberReg = await request(app.getHttpServer())
+      .post('/auth/register')
+      .send({ email: memberEmail, password: pw });
+
+    // Store member cookies
+    memberCookies = memberReg.headers['set-cookie'] as string[];
+
+    // Login as the newly registered users
+    const adminLogin = await request(app.getHttpServer())
+      .post('/auth/login')
+      .send({ email: adminEmail, password: pw });
+    adminCookies = adminLogin.headers['set-cookie'] as string[];
+
+    const managerLogin = await request(app.getHttpServer())
+      .post('/auth/login')
+      .send({ email: managerEmail, password: pw });
+    managerCookies = managerLogin.headers['set-cookie'] as string[];
+  });
+
+  afterAll(async () => {
+    await app.close();
+  });
+
+  describe('MEMBER permissions', () => {
+    it('should NOT be able to create a blog post', async () => {
+      await request(app.getHttpServer())
+        .post('/blog-posts')
+        .set('Cookie', memberCookies)
+        .send({ title: 'Member Post', content: 'Content' })
+        .expect(403);
+    });
+
+    it('should NOT be able to list users', async () => {
+      await request(app.getHttpServer())
+        .get('/users')
+        .set('Cookie', memberCookies)
+        .expect(403);
+    });
+
+    it('should be able to view dashboard', async () => {
+      await request(app.getHttpServer())
+        .get('/dashboard')
+        .set('Cookie', memberCookies)
+        .expect(200);
+    });
+  });
+
+  describe('Unauthenticated access', () => {
+    it('should allow access to public posts', async () => {
+      await request(app.getHttpServer())
+        .get('/blog-posts/public')
+        .expect(200);
+    });
+
+    it('should deny access to dashboard', async () => {
+      await request(app.getHttpServer())
+        .get('/dashboard')
+        .expect(401);
+    });
+
+    it('should deny access to users list', async () => {
+      await request(app.getHttpServer())
+        .get('/users')
+        .expect(401);
+    });
+  });
+
+  describe('Public endpoints', () => {
+    it('GET /health should be publicly accessible', async () => {
+      const res = await request(app.getHttpServer())
+        .get('/health')
+        .expect(200);
+      expect(res.body.status).toBe('ok');
+    });
+
+    it('GET / should be publicly accessible', async () => {
+      await request(app.getHttpServer())
+        .get('/')
+        .expect(200);
+    });
+  });
+});