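const { getRequest } = require('../testServer');

/**
 * Admin API security tests.
 *
 * Every endpoint under /api/admin must refuse unauthenticated requests with
 * HTTP 403. These tests send requests with no Authorization header; they do
 * not cover authenticated-but-unprivileged callers or malformed tokens
 * (see the TODO in the last case).
 */
describe('Admin API - Security', () => {
  describe('Authentication & Authorization', () => {
    // Method/path pairs for every admin route under test. The `test-id`
    // path segment is a constructed placeholder; it never needs to resolve
    // because the request must be rejected before any lookup happens.
    const adminEndpoints = [
      { method: 'get', path: '/api/admin/deletion-log' },
      { method: 'get', path: '/api/admin/deletion-log/csv' },
      { method: 'post', path: '/api/admin/cleanup/run' },
      { method: 'get', path: '/api/admin/cleanup/status' },
      { method: 'get', path: '/api/admin/rate-limiter/stats' },
      { method: 'get', path: '/api/admin/management-audit' },
      { method: 'get', path: '/api/admin/groups' },
      { method: 'put', path: '/api/admin/groups/test-id/approve' },
      { method: 'delete', path: '/api/admin/groups/test-id' },
    ];

    for (const { method, path } of adminEndpoints) {
      it(`should protect ${method.toUpperCase()} ${path} without authorization`, async () => {
        await getRequest()[method](path).expect(403);
      });
    }
  });

  describe('GET /api/admin/deletion-log', () => {
    it('should require authorization header', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .expect(403);
      // The rejection body carries a machine-readable error field.
      expect(response.body).toHaveProperty('error');
    });
  });

  describe('GET /api/admin/cleanup/status', () => {
    it('should require authorization', async () => {
      await getRequest()
        .get('/api/admin/cleanup/status')
        .expect(403);
    });
  });

  describe('GET /api/admin/rate-limiter/stats', () => {
    it('should require authorization', async () => {
      await getRequest()
        .get('/api/admin/rate-limiter/stats')
        .expect(403);
    });
  });

  describe('GET /api/admin/groups', () => {
    it('should require authorization', async () => {
      await getRequest()
        .get('/api/admin/groups')
        .expect(403);
    });

    // The original name of this case claimed to validate query parameters
    // "with authorization", but no token is sent and only the 403 is
    // asserted. What it actually checks is ordering: an unauthenticated
    // request is refused before the query-string validator sees it, so an
    // invalid `status` value cannot surface a validation response (400) to
    // an anonymous caller.
    it('should reject unauthenticated requests before validating query parameters', async () => {
      await getRequest()
        .get('/api/admin/groups?status=invalid_status')
        .expect(403);
      // TODO: once a test admin token fixture exists, add a case that sends
      // the same invalid `status` with a valid token and asserts the
      // validator's rejection status.
    });
  });
});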