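---
# Runs the OWASP-oriented vitest security suite for the API in two jobs:
#   security-non-db - suite with SECURITY_DB_TESTS=0; needs no secrets.
#   security-db     - suite with SECURITY_DB_TESTS=1 against TEST_DATABASE_URL,
#                     only when that secret is configured and only after the
#                     target-database guard script has passed.
#
# NOTE(review): both jobs execute repository code (npm lifecycle scripts, test
# files) on the self-hosted `vps-host` runner for every pull_request. If pull
# requests from forks or untrusted contributors are possible, require approval
# before their workflows run, or move these jobs to an ephemeral or isolated
# runner so a PR cannot leave state behind on the host.
#
# NOTE(review): actions are pinned to version tags, which are mutable. Pinning
# each `uses:` to the full commit SHA of the reviewed release closes that
# supply-chain gap.
name: Security Tests

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the jobs only read the repository.
permissions:
  contents: read

jobs:
  security-non-db:
    runs-on: vps-host
    steps:
      - uses: actions/checkout@v4.2.2
        with:
          # Do not leave the token in .git/config while PR-controlled code
          # (npm scripts, tests) runs in the same workspace.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4.2.0
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: api/package-lock.json

      - name: Install API dependencies
        run: |
          cd api
          npm ci

      - name: Run OWASP security suite (non-DB)
        run: |
          cd api
          SECURITY_DB_TESTS=0 npx vitest run -c vitest.security.config.ts

  # On GitHub Actions the `secrets` context is not available in a job-level
  # `if:`, so a condition such as `secrets.TEST_DATABASE_URL != ''` is rejected
  # when the workflow is parsed. This gate reads the secret through a step
  # `env:` instead and publishes only a true/false flag. It checks out no code,
  # so nothing from the pull request runs while the secret is in scope here.
  security-db-gate:
    runs-on: vps-host
    outputs:
      configured: ${{ steps.check.outputs.configured }}
    steps:
      - name: Check whether TEST_DATABASE_URL is configured
        id: check
        env:
          TEST_DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}
        run: |
          if [ -n "${TEST_DATABASE_URL}" ]; then
            echo "configured=true" >> "${GITHUB_OUTPUT}"
          else
            echo "configured=false" >> "${GITHUB_OUTPUT}"
          fi

  security-db:
    needs: security-db-gate
    # Skipped when the secret is absent (for example on fork pull requests,
    # which receive no repository secrets).
    if: needs.security-db-gate.outputs.configured == 'true'
    runs-on: vps-host
    steps:
      - uses: actions/checkout@v4.2.2
        with:
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4.2.0
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: api/package-lock.json

      # TEST_DATABASE_URL is deliberately not set on this step, so dependency
      # install scripts never see the database credentials.
      - name: Install API dependencies
        run: |
          cd api
          npm ci

      # Refuses to continue when TEST_DATABASE_URL points at a protected
      # database. NOTE(review): the guard script comes from the checked-out
      # ref, so on pull_request it is the PR's version that runs; keep the
      # script under mandatory review (e.g. CODEOWNERS) or execute it from a
      # trusted ref, and give the test credentials no access to production.
      - name: Guard TEST_DATABASE_URL target
        env:
          TEST_DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}
          EXPECTED_PROD_DB_NAME: skymoney
          PROTECTED_DB_NAMES: skymoney,postgres,template0,template1
          REQUIRE_TEST_DB_NAME: "1"
        run: |
          chmod +x ./scripts/validate-test-db-target.sh
          bash ./scripts/validate-test-db-target.sh

      - name: Run OWASP security suite (DB-backed)
        env:
          TEST_DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}
          PROTECTED_DB_NAMES: skymoney,postgres,template0,template1
          REQUIRE_TEST_DB_NAME: "1"
        run: |
          cd api
          SECURITY_DB_TESTS=1 npx vitest run -c vitest.security.config.ts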