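const { getRequest } = require('../testServer');

// Every route listed here must sit behind the admin auth middleware. Kept at
// module level so the "protect all admin endpoints" case and any future case
// share one list.
const ADMIN_ENDPOINTS = [
  '/api/admin/deletion-log',
  '/api/admin/rate-limiter/stats',
  '/api/admin/management-audit',
  '/api/admin/groups',
];

describe('Admin Auth Middleware', () => {
  // Key the tests authenticate with: the configured ADMIN_API_KEY when one is
  // present, otherwise a constructed test-only value.
  const validToken = process.env.ADMIN_API_KEY || 'test-admin-key-123';
  let originalAdminKey;

  beforeAll(() => {
    // Pin the key before ANY case runs (the original only did this inside the
    // "valid token" group), so the rejection cases compare against a known key
    // instead of whatever happens to be in the environment.
    // NOTE(review): this only takes effect if the middleware reads
    // process.env.ADMIN_API_KEY per request rather than once at module load —
    // confirm against the middleware implementation.
    originalAdminKey = process.env.ADMIN_API_KEY;
    process.env.ADMIN_API_KEY = validToken;
  });

  afterAll(() => {
    // Restore the environment so the mutation does not leak into other test
    // files executed in the same worker.
    if (originalAdminKey === undefined) {
      delete process.env.ADMIN_API_KEY;
    } else {
      process.env.ADMIN_API_KEY = originalAdminKey;
    }
  });

  describe('Without Auth Token', () => {
    it('should reject requests without Authorization header', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Authorization header fehlt');
    });

    it('should reject requests with invalid Bearer format', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', 'InvalidFormat token123')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Ungültiges Authorization Format');
    });

    it('should reject requests with wrong token', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', 'Bearer wrong-token-123')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Ungültiger Admin-Token');
    });
  });

  describe('With Valid Auth Token', () => {
    it('should allow access with valid Bearer token', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', `Bearer ${validToken}`)
        .expect(200);

      expect(response.body).toHaveProperty('success');
    });

    it('should protect all admin endpoints', async () => {
      // "Protected" means two things per route: an unauthenticated request is
      // refused AND the valid key opens it. The original only checked the
      // second half, so an endpoint accidentally mounted outside the
      // middleware would still have passed.
      for (const endpoint of ADMIN_ENDPOINTS) {
        await getRequest()
          .get(endpoint)
          .expect(403);

        const response = await getRequest()
          .get(endpoint)
          .set('Authorization', `Bearer ${validToken}`)
          .expect(200);

        expect(response.body).toBeDefined();
      }
    });
  });
});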