Project-Image-Uploader/backend/tests/api/admin.test.js
matthias.lotz 6332b82c6a Feature Request: admin session security
- replace bearer auth with session+CSRF flow and add admin user directory

- update frontend moderation flow, force password change gate, and new CLI

- refresh changelog/docs/feature plan + ensure swagger dev experience
2025-11-23 21:18:42 +01:00


const { getRequest } = require('../testServer');
describe('Admin API - Security', () => {
  // Unauthenticated requests must never reach an admin handler: the session
  // gate answers 403 before any route logic runs. Nothing in this file
  // establishes a session, so only the "no session" half of the flow is
  // exercised here; the authorised path (and any CSRF handling on it) is
  // not covered by these cases.

  /** Sends an unauthenticated GET to `path` and asserts the gate answers 403. */
  const expectForbiddenGet = (path) => getRequest().get(path).expect(403);

  describe('Authentication & Authorization', () => {
    // One entry per protected admin route. A route missing from this list has
    // no test asserting that its auth gate is wired up.
    const adminEndpoints = [
      { method: 'get', path: '/api/admin/deletion-log' },
      { method: 'get', path: '/api/admin/deletion-log/csv' },
      { method: 'post', path: '/api/admin/cleanup/run' },
      { method: 'get', path: '/api/admin/cleanup/status' },
      { method: 'get', path: '/api/admin/rate-limiter/stats' },
      { method: 'get', path: '/api/admin/management-audit' },
      { method: 'get', path: '/api/admin/groups' },
      { method: 'put', path: '/api/admin/groups/test-id/approve' },
      { method: 'delete', path: '/api/admin/groups/test-id' },
    ];

    for (const { method, path } of adminEndpoints) {
      const title = `should protect ${method.toUpperCase()} ${path} without authorization`;
      it(title, async () => {
        // Dispatch on the HTTP verb so mutating routes are covered alongside GETs.
        const agent = getRequest();
        await agent[method](path).expect(403);
      });
    }
  });

  describe('GET /api/admin/deletion-log', () => {
    it('should require authorization header', async () => {
      const { body } = await getRequest()
        .get('/api/admin/deletion-log')
        .expect(403);
      // Pin the machine-readable reason so a 403 produced by some other check
      // cannot pass for a missing-session rejection.
      expect(body).toHaveProperty('reason', 'SESSION_REQUIRED');
    });
  });

  describe('GET /api/admin/cleanup/status', () => {
    it('should require authorization', async () => {
      await expectForbiddenGet('/api/admin/cleanup/status');
    });
  });

  describe('GET /api/admin/rate-limiter/stats', () => {
    it('should require authorization', async () => {
      await expectForbiddenGet('/api/admin/rate-limiter/stats');
    });
  });

  describe('GET /api/admin/groups', () => {
    it('should require authorization', async () => {
      await expectForbiddenGet('/api/admin/groups');
    });

    it('should validate query parameters with authorization', async () => {
      // Real query validation needs a logged-in admin session, which this
      // suite does not set up. Until then this only proves the route exists
      // and that the gate rejects the unauthenticated call before validation.
      await expectForbiddenGet('/api/admin/groups?status=invalid_status'); // still 403 without auth
    });
  });
});