test(acl): DB-backed integration tests for checkIfPubkeyAllowed (#29) #33

Merged
padreug merged 1 commit from issue-29-acl-integration-tests into dev 2026-06-19 21:09:42 +00:00
Owner

Closes #29. Fills the testing gap the #27 review flagged: the wiring that actually closes #24 — step-4 Token join filtered by liveWhere(now) — had no automated coverage; only the pure predicate (grantIsLive) was tested. Now covered end-to-end against a real (throwaway) SQLite DB + the real prisma client.

Harness (no new dependency)

pnpm add -D vitest is blocked by the nix-built node_modules hoist pattern (#29 background), so this stays on Node's built-in node:test + the already-present ts-node:

  • tests/register-ts.cjs — registers ts-node (transpile-only) and adds a CommonJS resolver that maps the app's .js ESM-style import specifiers to their .ts sources (the app is import x from './y.js', compiled by tsup; there's no y.js on disk). This is what lets a test require the real acl/db modules without a build or bundler.
  • Temp DB via prisma db push in before(), with a hard guard that refuses to run unless DATABASE_URL points at tests/.tmp/ — these tests truncate tables, so they can never touch a real DB.
  • Scripts: npm run test:integration, npm run test:all (unit + integration).

Coverage — 13 cases, all green

incl. the #24 regression guard (expired token → denied), plus revoked token, connect off a live token (and denied when expired), KeyUser.revokedAt beats a live token, live override grant, expired/revoked override ignored (falls through), deny beats grant, kind mismatch, and no-KeyUser.

ℹ tests 7   (unit: lifecycle)      pass 7
ℹ tests 13  (integration: acl)     pass 13

Also

  • acl/index.ts NDK import → import type (NostrEvent/NIP46Method are type-only) so the ACL module no longer pulls ESM-only NDK at runtime. Required for the CommonJS test import, and a correct cleanup on its own (the gatekeeper shouldn't need the NDK runtime).

Notes

  • Requires the prisma engine env (PRISMA_QUERY_ENGINE_LIBRARY etc.). Present in CI/nix; in the devShell it's pending #30 (which currently exports 7.x). Until #30 lands, run with the engine env pinned to prisma-engines_6.
  • tsc --noEmit unchanged (3 pre-existing, unrelated errors); npm run build clean.

Wiring CI to run test:all can ride in #30 (engine env) or a small follow-up.

🤖 Generated with Claude Code
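The `DATABASE_URL` guard described in the harness section, sketched as an added example (not the PR's own code): `assertThrowawayDb`, its `baseDir` parameter and the sample URLs in the comments are hypothetical. It resolves the path before comparing, so a URL that starts under `tests/.tmp/` but escapes through `..` is refused rather than matched by prefix.

```javascript
// Added example: hypothetical guard, not taken from the repository.
const path = require('node:path');

/**
 * Refuse to continue unless databaseUrl is a SQLite file: URL whose file
 * lands strictly inside <baseDir>/tests/.tmp/.
 * Assumption: relative paths are resolved against baseDir; pass whichever
 * directory your Prisma setup resolves them against.
 * Returns the resolved absolute path of the throwaway DB file.
 */
function assertThrowawayDb(databaseUrl, baseDir) {
  if (typeof databaseUrl !== 'string' || !databaseUrl.startsWith('file:')) {
    throw new Error('refusing to run: DATABASE_URL is not a SQLite file: URL');
  }
  // Drop the scheme and any ?query suffix (constructed: ?connection_limit=1).
  const raw = databaseUrl.slice('file:'.length).split('?')[0];
  if (raw === '') {
    throw new Error('refusing to run: DATABASE_URL has an empty path');
  }
  const allowedDir = path.resolve(baseDir, 'tests', '.tmp');
  // Resolve first: "tests/.tmp/../../prod.db" is judged by where it lands,
  // not by how the string begins.
  const resolved = path.resolve(baseDir, raw);
  const rel = path.relative(allowedDir, resolved);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep);
  // rel === '' means the URL names the directory itself, not a DB file.
  if (rel === '' || escapes || path.isAbsolute(rel)) {
    throw new Error(`refusing to run: ${resolved} is not inside ${allowedDir}`);
  }
  // Symlinks are not followed here; use fs.realpathSync on an existing
  // parent directory if tests/.tmp could itself be a symlink.
  return resolved;
}

module.exports = { assertThrowawayDb };
```

Call it at the top of `before()`, ahead of `prisma db push` and any table truncation, so a misconfigured environment fails before anything is written.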

test(acl)(#29): DB-backed integration tests for checkIfPubkeyAllowed
Some checks failed
Docker image / build-and-push-image (push) Has been cancelled
bbcc9cd998
Closes the gap flagged in #27 review: the wiring that actually closes
#24 (step-4 Token join filtered by liveWhere) was untested — only the
pure predicate was. Now covered end-to-end against a throwaway SQLite DB
+ the real prisma client.

Harness (no new dependency; pnpm add is blocked by the nix node_modules
hoist pattern):
- tests/register-ts.cjs: ts-node (transpile-only) + a CommonJS resolver
  that maps the app's '.js' ESM-style specifiers to their '.ts' sources.
- node:test temp DB via 'prisma db push'; a before() guard refuses to run
  unless DATABASE_URL points at tests/.tmp/ (never truncates a real DB).
- npm run test:integration / test:all.

13 cases incl. the #24 regression guard (expired token -> denied),
revoke, connect-off-live-token, override expiry/revoke ignored,
deny-beats-grant, kind mismatch, no-KeyUser.

Also: acl/index.ts NDK import -> 'import type' (NostrEvent/NIP46Method are
type-only) so the ACL module no longer pulls ESM-only NDK at runtime —
required for the CommonJS test import, and a correct cleanup besides.

Requires the prisma engine env (CI/nix ok; devShell pending #30).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
padreug deleted branch issue-29-acl-integration-tests 2026-06-19 21:09:42 +00:00
Author
Owner

Correction to the "Notes" section above: the devShell-pending-#30 caveat is wrong — I'd misdiagnosed #30 (now closed as invalid).

The flake pins nixos-25.05, whose prisma-engines is 6.7.0 (ships libquery_engine.node), so the integration suite runs in the devShell out of the box, no manual engine env:

$ nix develop -c npm run test:integration
# tests 13   # pass 13   # fail 0

The 7.x I hit during #27 was the system/unstable channel via <nixpkgs>, never the flake's devShell. So this PR has no #30 dependency — nix develop -c npm run test:all just works, which also makes it straightforward to wire into CI later (the one real blocker there is the stale lockfile, #2).

Reference
aiolabs/nsecbunkerd!33