* feat(db): add support for multiple users and organizations * feat: backfill entities with new organization id * refactor: filter all backend queries to surface only organization specific entities * refactor: each org has its own restic password * test: ensure organization is created * chore: pr feedbacks * refactor: filter by org id in all places * refactor: download restic password from stored db password * refactor(navigation): use volume id in urls instead of name * feat: disable registrations * refactor(auth): bubble up auth error to hono * refactor: use async local storage for cleaner context sharing * refactor: enable user registration vs disabling it * test: multi-org isolation * chore: final cleanup
207 lines
6.1 KiB
TypeScript
207 lines
6.1 KiB
TypeScript
import { test, describe, expect } from "bun:test";
|
|
import { createApp } from "~/server/app";
|
|
import { createTestSession } from "~/test/helpers/auth";
|
|
import { db } from "~/server/db/db";
|
|
import { repositoriesTable, volumesTable, backupSchedulesTable } from "~/server/db/schema";
|
|
import crypto from "node:crypto";
|
|
import { generateShortId } from "~/server/utils/id";
|
|
|
|
const app = createApp();
|
|
|
|
describe("multi-organization isolation", () => {
|
|
test("should not be able to access repositories from another organization", async () => {
|
|
const session1 = await createTestSession();
|
|
const session2 = await createTestSession();
|
|
|
|
expect(session1.organizationId).not.toBe(session2.organizationId);
|
|
|
|
const repoId = crypto.randomUUID();
|
|
const shortId = generateShortId();
|
|
await db.insert(repositoriesTable).values({
|
|
id: repoId,
|
|
shortId,
|
|
name: "Org 1 Repo",
|
|
type: "local",
|
|
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
|
|
organizationId: session1.organizationId,
|
|
});
|
|
|
|
const res = await app.request(`/api/v1/repositories/${repoId}`, {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session2.token}`,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(404);
|
|
const body = await res.json();
|
|
expect(body.message).toBe("Repository not found");
|
|
|
|
const resOk = await app.request(`/api/v1/repositories/${repoId}`, {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session1.token}`,
|
|
},
|
|
});
|
|
expect(resOk.status).toBe(200);
|
|
});
|
|
|
|
test("should not list repositories from another organization", async () => {
|
|
const session1 = await createTestSession();
|
|
const session2 = await createTestSession();
|
|
|
|
await db.insert(repositoriesTable).values({
|
|
id: crypto.randomUUID(),
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Repo",
|
|
type: "local",
|
|
config: { backend: "local", name: "org1repo-list", path: "/tmp/repo1" },
|
|
organizationId: session1.organizationId,
|
|
});
|
|
|
|
await db.insert(repositoriesTable).values({
|
|
id: crypto.randomUUID(),
|
|
shortId: generateShortId(),
|
|
name: "Org 2 Repo",
|
|
type: "local",
|
|
config: { backend: "local", name: "org2repo-list", path: "/tmp/repo2" },
|
|
organizationId: session2.organizationId,
|
|
});
|
|
|
|
const res1 = await app.request("/api/v1/repositories", {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session1.token}`,
|
|
},
|
|
});
|
|
const list1 = await res1.json();
|
|
|
|
expect(list1.length).toBeGreaterThanOrEqual(1);
|
|
expect(list1.some((r: any) => r.name === "Org 2 Repo")).toBe(false);
|
|
|
|
const res2 = await app.request("/api/v1/repositories", {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session2.token}`,
|
|
},
|
|
});
|
|
const list2 = await res2.json();
|
|
expect(list2.some((r: any) => r.name === "Org 1 Repo")).toBe(false);
|
|
expect(list2.some((r: any) => r.name === "Org 2 Repo")).toBe(true);
|
|
});
|
|
|
|
test("should not be able to access volumes from another organization", async () => {
|
|
const session1 = await createTestSession();
|
|
const session2 = await createTestSession();
|
|
|
|
const volumeId = Math.floor(Math.random() * 1000000);
|
|
await db.insert(volumesTable).values({
|
|
id: volumeId,
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Volume",
|
|
type: "directory",
|
|
config: { backend: "directory", path: "/tmp/vol1" },
|
|
organizationId: session1.organizationId,
|
|
status: "unmounted",
|
|
});
|
|
|
|
const res = await app.request(`/api/v1/volumes/${volumeId}`, {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session2.token}`,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
test("should not be able to create a backup schedule referencing resources from another organization", async () => {
|
|
const session1 = await createTestSession();
|
|
const session2 = await createTestSession();
|
|
|
|
const vol1Id = Math.floor(Math.random() * 1000000);
|
|
await db.insert(volumesTable).values({
|
|
id: vol1Id,
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Volume",
|
|
type: "directory",
|
|
config: { backend: "directory", path: "/tmp/vol1" },
|
|
organizationId: session1.organizationId,
|
|
status: "unmounted",
|
|
});
|
|
|
|
const repo1Id = crypto.randomUUID();
|
|
await db.insert(repositoriesTable).values({
|
|
id: repo1Id,
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Repo",
|
|
type: "local",
|
|
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
|
|
organizationId: session1.organizationId,
|
|
});
|
|
|
|
const res = await app.request("/api/v1/backups", {
|
|
method: "POST",
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session2.token}`,
|
|
"Content-Type": "application/json",
|
|
},
|
|
body: JSON.stringify({
|
|
name: "Malicious Schedule",
|
|
volumeId: vol1Id,
|
|
repositoryId: repo1Id,
|
|
enabled: true,
|
|
cronExpression: "0 0 * * *",
|
|
}),
|
|
});
|
|
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
test("should not be able to access backup schedules from another organization", async () => {
|
|
const session1 = await createTestSession();
|
|
const session2 = await createTestSession();
|
|
|
|
const vol1Id = Math.floor(Math.random() * 1000000);
|
|
await db.insert(volumesTable).values({
|
|
id: vol1Id,
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Volume",
|
|
type: "directory",
|
|
config: { backend: "directory", path: "/tmp/vol1" },
|
|
organizationId: session1.organizationId,
|
|
status: "unmounted",
|
|
});
|
|
const repo1Id = crypto.randomUUID();
|
|
await db.insert(repositoriesTable).values({
|
|
id: repo1Id,
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Repo",
|
|
type: "local",
|
|
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
|
|
organizationId: session1.organizationId,
|
|
});
|
|
|
|
const [schedule] = await db
|
|
.insert(backupSchedulesTable)
|
|
.values({
|
|
shortId: generateShortId(),
|
|
name: "Org 1 Schedule",
|
|
volumeId: vol1Id,
|
|
repositoryId: repo1Id,
|
|
cronExpression: "0 0 * * *",
|
|
organizationId: session1.organizationId,
|
|
})
|
|
.returning();
|
|
|
|
const res = await app.request(`/api/v1/backups/${schedule.id}`, {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session2.token}`,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(404);
|
|
|
|
const resOk = await app.request(`/api/v1/backups/${schedule.id}`, {
|
|
headers: {
|
|
Cookie: `better-auth.session_token=${session1.token}`,
|
|
},
|
|
});
|
|
expect(resOk.status).toBe(200);
|
|
});
|
|
});
|