Project-Image-Uploader/backend/tests/api/admin-auth.test.js

const { getRequest } = require('../testServer');

describe('Admin Auth Middleware', () => {
  describe('Without Auth Token', () => {
    it('should reject requests without Authorization header', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Authorization header fehlt');
    });

    it('should reject requests with invalid Bearer format', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', 'InvalidFormat token123')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Ungültiges Authorization Format');
    });

    it('should reject requests with wrong token', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', 'Bearer wrong-token-123')
        .expect(403);

      expect(response.body).toHaveProperty('error');
      expect(response.body.message).toContain('Ungültiger Admin-Token');
    });
  });

  describe('With Valid Auth Token', () => {
    const validToken = process.env.ADMIN_API_KEY || 'test-admin-key-123';

    beforeAll(() => {
      // Set test admin key
      process.env.ADMIN_API_KEY = validToken;
    });

    it('should allow access with valid Bearer token', async () => {
      const response = await getRequest()
        .get('/api/admin/deletion-log')
        .set('Authorization', `Bearer ${validToken}`)
        .expect(200);

      expect(response.body).toHaveProperty('success');
    });

    it('should protect all admin endpoints', async () => {
      const endpoints = [
        '/api/admin/deletion-log',
        '/api/admin/rate-limiter/stats',
        '/api/admin/management-audit',
        '/api/admin/groups'
      ];

      for (const endpoint of endpoints) {
        const response = await getRequest()
          .get(endpoint)
          .set('Authorization', `Bearer ${validToken}`)
          .expect(200);

        expect(response.body).toBeDefined();
      }
    });
  });
});