7cd0603cfb
BREAKING: dev_session cookie bypass removed. Admin access now requires a real Auth.js v5 session (Google OAuth in production). Provision users by inserting into users + tenant_users tables. New in this commit: - db/migrations/0001_init.sql: 18-table SaaS schema with RLS (tenants, users, tenant_users, plans, add_ons, subscriptions, tenant_add_ons, products, product_images, stops, customers, orders, order_items, brand_settings, email_templates, campaigns, files, audit_log) - db/schema/: Drizzle TypeScript mirror of every table - db/client.ts: withTenant() / withPlatformAdmin() query wrappers that set Postgres GUCs (app.current_tenant_id, app.platform_admin) for RLS enforcement. Never query a tenant-scoped table without one. - db/seed.ts: seeds 3 plans, 6 add-ons, 2 tenants (Tuxedo, Indian River Direct), brand_settings, sample products/stops/customers - scripts/migrate.js: applies migrations in lexical order with tracking - scripts/db-reset.js: drops + recreates DB, runs migrate + seed - DATABASE_URL now uses rc_app (non-superuser, NOBYPASSRLS). RLS is enforced even for the app user. DATABASE_ADMIN_URL for migrations. - src/lib/admin-permissions.ts: getAdminUser() reads Auth.js session, looks up user + tenant in Postgres. brand_id kept as alias for backward compat. - src/middleware.ts: Auth.js-only route protection, dev_session gone - src/app/login/LoginClient.tsx: Google OAuth only, no demo mode - src/components/admin/AdminSidebar.tsx + AdminHeader.tsx: signOutAction replaces supabase signout - @/db/* path aliases in tsconfig.json + vitest.config.ts - drizzle.config.ts added - db/auth_schema.sql removed (was a stub; replaced by real schema) - src/app/api/dev-login/route.ts deleted - tests: updated to remove dev_session coverage
62 lines
3.0 KiB
TypeScript
62 lines
3.0 KiB
TypeScript
import { test, expect, request } from "@playwright/test";
|
|
|
|
const BASE = process.env.PLAYWRIGHT_URL ?? "http://localhost:3000";
|
|
|
|
// ─────────────────────────────────────────────────────────────────────
|
|
// Auth.js v5 API endpoints
|
|
// ─────────────────────────────────────────────────────────────────────
|
|
test.describe("Auth.js v5 endpoints", () => {
|
|
test("/api/auth/providers returns the configured providers", async () => {
|
|
const ctx = await request.newContext({ baseURL: BASE });
|
|
const res = await ctx.get("/api/auth/providers");
|
|
expect(res.status()).toBe(200);
|
|
const providers = (await res.json()) as Record<string, unknown>;
|
|
// The Google provider is only present when AUTH_GOOGLE_ID +
|
|
// AUTH_GOOGLE_SECRET are set.
|
|
if (process.env.AUTH_GOOGLE_ID && process.env.AUTH_GOOGLE_SECRET) {
|
|
expect(providers).toHaveProperty("google");
|
|
}
|
|
await ctx.dispose();
|
|
});
|
|
|
|
test("/api/auth/csrf returns a valid CSRF token", async () => {
|
|
const ctx = await request.newContext({ baseURL: BASE });
|
|
const res = await ctx.get("/api/auth/csrf");
|
|
expect(res.status()).toBe(200);
|
|
const body = (await res.json()) as { csrfToken?: string };
|
|
expect(typeof body.csrfToken).toBe("string");
|
|
expect(body.csrfToken!.length).toBeGreaterThan(20);
|
|
await ctx.dispose();
|
|
});
|
|
|
|
test("/api/auth/session returns null when there is no session", async () => {
|
|
const ctx = await request.newContext({ baseURL: BASE });
|
|
const res = await ctx.get("/api/auth/session");
|
|
expect(res.status()).toBe(200);
|
|
const body = await res.json();
|
|
expect(body).toBeNull();
|
|
await ctx.dispose();
|
|
});
|
|
});
|
|
|
|
// ─────────────────────────────────────────────────────────────────────
|
|
// Middleware — protected route gating
|
|
// ─────────────────────────────────────────────────────────────────────
|
|
test.describe("Middleware — protected route gating", () => {
|
|
test("unauthed /login renders the login form (200)", async ({ page }) => {
|
|
const res = await page.goto(`${BASE}/login`);
|
|
expect(res?.status()).toBe(200);
|
|
await expect(page.locator("body")).toBeVisible();
|
|
});
|
|
|
|
test("unauthed /admin redirects to /login", async ({ page }) => {
|
|
await page.goto(`${BASE}/admin`, { waitUntil: "domcontentloaded" });
|
|
expect(page.url()).toMatch(/\/login/);
|
|
});
|
|
|
|
test("unauthed /wholesale redirects to /login", async ({ page }) => {
|
|
await page.goto(`${BASE}/wholesale`, { waitUntil: "domcontentloaded" });
|
|
expect(page.url()).toMatch(/\/login/);
|
|
});
|
|
});
|