chore: ran security check for OWASP top 10

api/tests/access-control.admin-rollover.test.ts

@@ -0,0 +1,113 @@
+import { randomUUID } from "node:crypto";
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import request from "supertest";
+import type { FastifyInstance } from "fastify";
+import { PrismaClient } from "@prisma/client";
+import argon2 from "argon2";
+import { buildApp } from "../src/server";
+
+const prisma = new PrismaClient();
+let authEnabledApp: FastifyInstance;
+let authDisabledApp: FastifyInstance;
+
+function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
+  if (!setCookie) return null;
+  for (const raw of setCookie) {
+    const firstPart = raw.split(";")[0] ?? "";
+    const [name, value] = firstPart.split("=");
+    if (name?.trim() === cookieName && value) return value.trim();
+  }
+  return null;
+}
+
+beforeAll(async () => {
+  authEnabledApp = await buildApp({ AUTH_DISABLED: false, SEED_DEFAULT_BUDGET: false });
+  await authEnabledApp.ready();
+
+  authDisabledApp = await buildApp({
+    NODE_ENV: "production",
+    AUTH_DISABLED: true,
+    ALLOW_INSECURE_AUTH_FOR_DEV: true,
+    SEED_DEFAULT_BUDGET: false,
+    CORS_ORIGINS: "https://allowed.example.com",
+    APP_ORIGIN: "https://allowed.example.com",
+  });
+  await authDisabledApp.ready();
+});
+
+afterAll(async () => {
+  if (authEnabledApp) await authEnabledApp.close();
+  if (authDisabledApp) await authDisabledApp.close();
+  await prisma.$disconnect();
+});
+
+describe("/admin/rollover access control", () => {
+  it("returns 401 without a valid authenticated session when AUTH_DISABLED=false", async () => {
+    const res = await request(authEnabledApp.server)
+      .post("/admin/rollover")
+      .send({ dryRun: true });
+    expect(res.status).toBe(401);
+    expect(res.body.code).toBe("UNAUTHENTICATED");
+  });
+
+  it("returns 403 for authenticated users when AUTH_DISABLED=false", async () => {
+    const agent = request.agent(authEnabledApp.server);
+    const email = `rollover-auth-${Date.now()}@test.dev`;
+    const password = "SupersAFE123!";
+
+    await prisma.user.create({
+      data: {
+        email,
+        passwordHash: await argon2.hash(password),
+        emailVerified: true,
+      },
+    });
+
+    try {
+      const login = await agent.post("/auth/login").send({ email, password });
+      expect(login.status).toBe(200);
+      const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
+      expect(csrf).toBeTruthy();
+
+      const res = await agent
+        .post("/admin/rollover")
+        .set("x-csrf-token", csrf as string)
+        .send({ dryRun: true });
+
+      expect(res.status).toBe(403);
+      expect(res.body.ok).toBe(false);
+    } finally {
+      await prisma.user.deleteMany({ where: { email } });
+    }
+  });
+
+  it("returns 403 for non-internal client IP when AUTH_DISABLED=true", async () => {
+    const csrf = randomUUID().replace(/-/g, "");
+    const res = await request(authDisabledApp.server)
+      .post("/admin/rollover")
+      .set("x-user-id", `external-${Date.now()}`)
+      .set("x-csrf-token", csrf)
+      .set("Cookie", `csrf=${csrf}`)
+      .set("x-forwarded-for", "8.8.8.8")
+      .send({ dryRun: true });
+
+    expect(res.status).toBe(403);
+    expect(res.body.ok).toBe(false);
+  });
+
+  it("allows internal client IP when AUTH_DISABLED=true", async () => {
+    const csrf = randomUUID().replace(/-/g, "");
+    const res = await request(authDisabledApp.server)
+      .post("/admin/rollover")
+      .set("x-user-id", `internal-${Date.now()}`)
+      .set("x-csrf-token", csrf)
+      .set("Cookie", `csrf=${csrf}`)
+      .set("x-forwarded-for", "10.23.45.67")
+      .send({ dryRun: true });
+
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
+    expect(res.body.dryRun).toBe(true);
+    expect(typeof res.body.processed).toBe("number");
+  });
+});