196 lines
5.7 KiB
TypeScript
196 lines
5.7 KiB
TypeScript
import assert from "node:assert/strict";
|
|
import { readFile } from "node:fs/promises";
|
|
import { join } from "node:path";
|
|
import test from "node:test";
|
|
|
|
const source = async (relativePath: string) => {
|
|
return await readFile(
|
|
join(process.cwd(), ...relativePath.split("/")),
|
|
"utf8",
|
|
);
|
|
};
|
|
|
|
function extractExportSource(sourceText: string, name: string) {
|
|
const marker = `export const ${name} = `;
|
|
const declarationIndex = sourceText.indexOf(marker);
|
|
assert.notEqual(declarationIndex, -1, `Expected declaration for ${name}.`);
|
|
|
|
const openBraceIndex = sourceText.indexOf("{", declarationIndex);
|
|
let depth = 0;
|
|
let end = -1;
|
|
|
|
for (let index = openBraceIndex; index < sourceText.length; index += 1) {
|
|
const char = sourceText[index];
|
|
if (char === "{") {
|
|
depth += 1;
|
|
} else if (char === "}") {
|
|
depth -= 1;
|
|
if (depth === 0) {
|
|
end = index;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
assert.notEqual(end, -1, `Expected balanced braces for ${name}.`);
|
|
return sourceText.slice(openBraceIndex, end + 1);
|
|
}
|
|
|
|
function assertRequiresOperatorBeforeDataAccess(
|
|
moduleSource: string,
|
|
exportName: string,
|
|
helperName?: string,
|
|
) {
|
|
const functionSource = extractExportSource(moduleSource, exportName);
|
|
const authIndex = functionSource.indexOf("await requireOperator(ctx)");
|
|
const dbIndex = functionSource.indexOf("ctx.db");
|
|
const helperIndex = helperName === undefined
|
|
? -1
|
|
: functionSource.indexOf(helperName);
|
|
const dataAccessIndex = dbIndex === -1 ? helperIndex : dbIndex;
|
|
|
|
assert.notEqual(
|
|
authIndex,
|
|
-1,
|
|
`${exportName} should call requireOperator before DB access.`,
|
|
);
|
|
assert.notEqual(
|
|
dataAccessIndex,
|
|
-1,
|
|
`${exportName} should access ctx.db or call its DB helper.`,
|
|
);
|
|
assert.ok(
|
|
authIndex < dataAccessIndex,
|
|
`${exportName} should require operator auth before its first data access.`,
|
|
);
|
|
}
|
|
|
|
test("lead public APIs require operator auth before DB access", async () => {
|
|
const leadsSource = await source("convex/leads.ts");
|
|
|
|
assert.match(
|
|
leadsSource,
|
|
/const requireOperator\s*=\s*async\s*\(\s*ctx:\s*(?:MutationCtx\s*\|\s*QueryCtx|QueryCtx\s*\|\s*MutationCtx)\s*\)/,
|
|
"leads.ts should define a local requireOperator helper.",
|
|
);
|
|
assert.match(
|
|
leadsSource,
|
|
/ctx\.auth\.getUserIdentity\(\)[\s\S]*throw new Error\(["']Nicht autorisiert\.["']\)/,
|
|
"requireOperator should derive operator identity from Convex auth.",
|
|
);
|
|
|
|
for (const exportName of [
|
|
"create",
|
|
"reviewUpdate",
|
|
"get",
|
|
"list",
|
|
"listFunnel",
|
|
]) {
|
|
assertRequiresOperatorBeforeDataAccess(
|
|
leadsSource,
|
|
exportName,
|
|
exportName === "reviewUpdate" ? "reviewUpdateLead" : undefined,
|
|
);
|
|
}
|
|
});
|
|
|
|
test("lead internal APIs exist for audit-generation action callsites", async () => {
|
|
const [leadsSource, actionSource] = await Promise.all([
|
|
source("convex/leads.ts"),
|
|
source("convex/auditGenerationAction.ts"),
|
|
]);
|
|
|
|
assert.match(
|
|
leadsSource,
|
|
/import\s*{[\s\S]*internalMutation[\s\S]*internalQuery[\s\S]*}/,
|
|
"leads.ts should import internal Convex builders.",
|
|
);
|
|
assert.match(
|
|
leadsSource,
|
|
/export const getInternal\s*=\s*internalQuery\(/,
|
|
"leads.ts should expose an internal lead get query for actions.",
|
|
);
|
|
assert.match(
|
|
leadsSource,
|
|
/export const reviewUpdateInternal\s*=\s*internalMutation\(/,
|
|
"leads.ts should expose an internal lead review mutation for actions.",
|
|
);
|
|
assert.match(
|
|
actionSource,
|
|
/internal\.leads\.getInternal/,
|
|
"auditGenerationAction should load leads through internal.leads.getInternal.",
|
|
);
|
|
assert.match(
|
|
actionSource,
|
|
/internal\.leads\.reviewUpdateInternal/,
|
|
"auditGenerationAction should update leads through internal.leads.reviewUpdateInternal.",
|
|
);
|
|
assert.doesNotMatch(
|
|
actionSource,
|
|
/api\.leads\.(get|reviewUpdate)/,
|
|
"auditGenerationAction should not use public lead APIs for internal calls.",
|
|
);
|
|
});
|
|
|
|
test("run public APIs require operator auth before DB access", async () => {
|
|
const runsSource = await source("convex/runs.ts");
|
|
|
|
assert.match(
|
|
runsSource,
|
|
/const requireOperator\s*=\s*async\s*\(\s*ctx:\s*(?:MutationCtx\s*\|\s*QueryCtx|QueryCtx\s*\|\s*MutationCtx)\s*\)/,
|
|
"runs.ts should define a local requireOperator helper.",
|
|
);
|
|
assert.match(
|
|
runsSource,
|
|
/ctx\.auth\.getUserIdentity\(\)[\s\S]*throw new Error\(["']Nicht autorisiert\.["']\)/,
|
|
"requireOperator should derive operator identity from Convex auth.",
|
|
);
|
|
|
|
for (const exportName of [
|
|
"create",
|
|
"updateStatus",
|
|
"list",
|
|
"appendEvent",
|
|
"listEvents",
|
|
]) {
|
|
assertRequiresOperatorBeforeDataAccess(
|
|
runsSource,
|
|
exportName,
|
|
exportName === "appendEvent" ? "appendRunEvent" : undefined,
|
|
);
|
|
}
|
|
});
|
|
|
|
test("actions append run events through internal run mutation", async () => {
|
|
const [runsSource, auditAction, pageSpeedAction, enrichmentAction] =
|
|
await Promise.all([
|
|
source("convex/runs.ts"),
|
|
source("convex/auditGenerationAction.ts"),
|
|
source("convex/pageSpeedAction.ts"),
|
|
source("convex/websiteEnrichmentAction.ts"),
|
|
]);
|
|
|
|
assert.match(
|
|
runsSource,
|
|
/export const appendEventInternal\s*=\s*internalMutation\(/,
|
|
"runs.ts should expose an internal append event mutation for actions.",
|
|
);
|
|
|
|
for (const [name, actionSource] of [
|
|
["auditGenerationAction", auditAction],
|
|
["pageSpeedAction", pageSpeedAction],
|
|
["websiteEnrichmentAction", enrichmentAction],
|
|
] as const) {
|
|
assert.match(
|
|
actionSource,
|
|
/internal\.runs\.appendEventInternal/,
|
|
`${name} should append events through internal.runs.appendEventInternal.`,
|
|
);
|
|
assert.doesNotMatch(
|
|
actionSource,
|
|
/api\.runs\.appendEvent/,
|
|
`${name} should not append events through the public runs API.`,
|
|
);
|
|
}
|
|
});
|