binhdeptrai/FullStack-Blog-Nestjs-Nextjs-Postgres
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
main
FullStack-Blog-Nestjs-Nextj…/backend/test/rbac.e2e-spec.ts

126 lines
3.7 KiB
TypeScript
Raw Permalink Blame History

import { Test, TestingModule } from '@nestjs/testing';
import { INestApplication, ValidationPipe } from '@nestjs/common';
import * as request from 'supertest';
import * as cookieParser from 'cookie-parser';
import { AppModule } from '../src/app.module';
describe('RBAC (e2e)', () => {
let app: INestApplication;
// We'll store cookies per user role
let adminCookies: string[];
let managerCookies: string[];
let memberCookies: string[];
const ts = Date.now();
beforeAll(async () => {
const moduleFixture: TestingModule = await Test.createTestingModule({
imports: [AppModule],
}).compile();
app = moduleFixture.createNestApplication();
app.use(cookieParser());
app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
await app.init();
// Register three users, then promote via direct DB or use existing seed
// For simplicity, register all as MEMBER — we test permission differences
const adminEmail = `admin-rbac-${ts}@test.com`;
const managerEmail = `manager-rbac-${ts}@test.com`;
const memberEmail = `member-rbac-${ts}@test.com`;
const pw = 'RbacTest123!';
// Register all
await request(app.getHttpServer())
.post('/auth/register')
.send({ email: adminEmail, password: pw });
await request(app.getHttpServer())
.post('/auth/register')
.send({ email: managerEmail, password: pw });
const memberReg = await request(app.getHttpServer())
.post('/auth/register')
.send({ email: memberEmail, password: pw });
// Store member cookies
memberCookies = memberReg.headers['set-cookie'] as string[];
// Login as the newly registered users
const adminLogin = await request(app.getHttpServer())
.post('/auth/login')
.send({ email: adminEmail, password: pw });
adminCookies = adminLogin.headers['set-cookie'] as string[];
const managerLogin = await request(app.getHttpServer())
.post('/auth/login')
.send({ email: managerEmail, password: pw });
managerCookies = managerLogin.headers['set-cookie'] as string[];
});
afterAll(async () => {
await app.close();
});
describe('MEMBER permissions', () => {
it('should NOT be able to create a blog post', async () => {
await request(app.getHttpServer())
.post('/blog-posts')
.set('Cookie', memberCookies)
.send({ title: 'Member Post', content: 'Content' })
.expect(403);
});
it('should NOT be able to list users', async () => {
await request(app.getHttpServer())
.get('/users')
.set('Cookie', memberCookies)
.expect(403);
});
it('should be able to view dashboard', async () => {
await request(app.getHttpServer())
.get('/dashboard')
.set('Cookie', memberCookies)
.expect(200);
});
});
describe('Unauthenticated access', () => {
it('should allow access to public posts', async () => {
await request(app.getHttpServer())
.get('/blog-posts/public')
.expect(200);
});
it('should deny access to dashboard', async () => {
await request(app.getHttpServer())
.get('/dashboard')
.expect(401);
});
it('should deny access to users list', async () => {
await request(app.getHttpServer())
.get('/users')
.expect(401);
});
});
describe('Public endpoints', () => {
it('GET /health should be publicly accessible', async () => {
const res = await request(app.getHttpServer())
.get('/health')
.expect(200);
expect(res.body.status).toBe('ok');
});
it('GET / should be publicly accessible', async () => {
await request(app.getHttpServer())
.get('/')
.expect(200);
});
});
});
Reference in New Issue View Git Blame Copy Permalink