tiennm99/llmapikey
1
0
Fork 0
mirror of https://github.com/tiennm99/llmapikey.git synced 2026-06-17 06:48:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
llmapikey/tests/admin-keys-authz.test.js
T
tiennm99 616f133989 feat: add gated admin console for api_keys registry (list/search/filter/revoke/mint) 
- env-allowlist authz via ADMIN_GITHUB_USER_IDS on numeric provider_id (no migration)
- server-side re-gated revoke + manual-mint actions
- parameterized search/filter/paginate queries
- shared mint-key extraction (DRY) from generate-key
- notFound() for non-admins (404 never leaks route existence)
- 3 unit-test suites (authz/queries/integration)
2026-06-13 21:16:57 +07:00

56 lines
1.7 KiB
JavaScript
Raw Permalink Blame History

import assert from "node:assert/strict";
import { test } from "node:test";
import { isAdmin } from "../lib/auth/admin-allowlist.js";
const ENV = "ADMIN_GITHUB_USER_IDS";
/**
* Authz-guard contract. Both admin server actions (`revokeKey`, `adminCreateKey`)
* gate on `requireAdminIdentity()`, which returns the identity only when
* `isAdmin(identity)` is true and `null` otherwise (the action then performs NO
* DB/OpenRouter work). The full action path needs Supabase + a DB, so here we
* assert the deterministic guard logic those actions depend on: a non-admin (or
* an empty allowlist) is never admitted, so the actions can only short-circuit
* to a rejection with no side effects.
*/
function withAllowlist(value, fn) {
const prev = process.env[ENV];
if (value === undefined) delete process.env[ENV];
else process.env[ENV] = value;
try {
fn();
} finally {
if (prev === undefined) delete process.env[ENV];
else process.env[ENV] = prev;
}
}
test("guard denies a non-admin identity (action would short-circuit, no side effects)", () => {
withAllowlist("12345", () => {
assert.equal(isAdmin({ githubUserId: "99999" }), false);
});
});
test("guard denies when no admins are configured (fail-closed)", () => {
withAllowlist("", () => {
assert.equal(isAdmin({ githubUserId: "12345" }), false);
});
withAllowlist(undefined, () => {
assert.equal(isAdmin({ githubUserId: "12345" }), false);
});
});
test("guard denies an unauthenticated caller (null identity)", () => {
withAllowlist("12345", () => {
assert.equal(isAdmin(null), false);
});
});
test("guard admits only an exact allowlisted id", () => {
withAllowlist("12345", () => {
assert.equal(isAdmin({ githubUserId: "12345" }), true);
});
});
Reference in New Issue View Git Blame Copy Permalink