zerobyte/app/server/__tests__/isolation.test.ts
Nico 451aed8983
Multi users (#381)
* feat(db): add support for multiple users and organizations

* feat: backfill entities with new organization id

* refactor: filter all backend queries to surface only organization specific entities

* refactor: each org has its own restic password

* test: ensure organization is created

* chore: pr feedbacks

* refactor: filter by org id in all places

* refactor: download restic password from stored db password

* refactor(navigation): use volume id in urls instead of name

* feat: disable registrations

* refactor(auth): bubble up auth error to hono

* refactor: use async local storage for cleaner context sharing

* refactor: enable user registration vs disabling it

* test: multi-org isolation

* chore: final cleanup
2026-01-20 22:28:22 +01:00

207 lines
6.1 KiB
TypeScript

import { test, describe, expect } from "bun:test";
import { createApp } from "~/server/app";
import { createTestSession } from "~/test/helpers/auth";
import { db } from "~/server/db/db";
import { repositoriesTable, volumesTable, backupSchedulesTable } from "~/server/db/schema";
import crypto from "node:crypto";
import { generateShortId } from "~/server/utils/id";
const app = createApp();
describe("multi-organization isolation", () => {
test("should not be able to access repositories from another organization", async () => {
const session1 = await createTestSession();
const session2 = await createTestSession();
expect(session1.organizationId).not.toBe(session2.organizationId);
const repoId = crypto.randomUUID();
const shortId = generateShortId();
await db.insert(repositoriesTable).values({
id: repoId,
shortId,
name: "Org 1 Repo",
type: "local",
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
organizationId: session1.organizationId,
});
const res = await app.request(`/api/v1/repositories/${repoId}`, {
headers: {
Cookie: `better-auth.session_token=${session2.token}`,
},
});
expect(res.status).toBe(404);
const body = await res.json();
expect(body.message).toBe("Repository not found");
const resOk = await app.request(`/api/v1/repositories/${repoId}`, {
headers: {
Cookie: `better-auth.session_token=${session1.token}`,
},
});
expect(resOk.status).toBe(200);
});
test("should not list repositories from another organization", async () => {
const session1 = await createTestSession();
const session2 = await createTestSession();
await db.insert(repositoriesTable).values({
id: crypto.randomUUID(),
shortId: generateShortId(),
name: "Org 1 Repo",
type: "local",
config: { backend: "local", name: "org1repo-list", path: "/tmp/repo1" },
organizationId: session1.organizationId,
});
await db.insert(repositoriesTable).values({
id: crypto.randomUUID(),
shortId: generateShortId(),
name: "Org 2 Repo",
type: "local",
config: { backend: "local", name: "org2repo-list", path: "/tmp/repo2" },
organizationId: session2.organizationId,
});
const res1 = await app.request("/api/v1/repositories", {
headers: {
Cookie: `better-auth.session_token=${session1.token}`,
},
});
const list1 = await res1.json();
expect(list1.length).toBeGreaterThanOrEqual(1);
expect(list1.some((r: any) => r.name === "Org 2 Repo")).toBe(false);
const res2 = await app.request("/api/v1/repositories", {
headers: {
Cookie: `better-auth.session_token=${session2.token}`,
},
});
const list2 = await res2.json();
expect(list2.some((r: any) => r.name === "Org 1 Repo")).toBe(false);
expect(list2.some((r: any) => r.name === "Org 2 Repo")).toBe(true);
});
test("should not be able to access volumes from another organization", async () => {
const session1 = await createTestSession();
const session2 = await createTestSession();
const volumeId = Math.floor(Math.random() * 1000000);
await db.insert(volumesTable).values({
id: volumeId,
shortId: generateShortId(),
name: "Org 1 Volume",
type: "directory",
config: { backend: "directory", path: "/tmp/vol1" },
organizationId: session1.organizationId,
status: "unmounted",
});
const res = await app.request(`/api/v1/volumes/${volumeId}`, {
headers: {
Cookie: `better-auth.session_token=${session2.token}`,
},
});
expect(res.status).toBe(404);
});
test("should not be able to create a backup schedule referencing resources from another organization", async () => {
const session1 = await createTestSession();
const session2 = await createTestSession();
const vol1Id = Math.floor(Math.random() * 1000000);
await db.insert(volumesTable).values({
id: vol1Id,
shortId: generateShortId(),
name: "Org 1 Volume",
type: "directory",
config: { backend: "directory", path: "/tmp/vol1" },
organizationId: session1.organizationId,
status: "unmounted",
});
const repo1Id = crypto.randomUUID();
await db.insert(repositoriesTable).values({
id: repo1Id,
shortId: generateShortId(),
name: "Org 1 Repo",
type: "local",
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
organizationId: session1.organizationId,
});
const res = await app.request("/api/v1/backups", {
method: "POST",
headers: {
Cookie: `better-auth.session_token=${session2.token}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
name: "Malicious Schedule",
volumeId: vol1Id,
repositoryId: repo1Id,
enabled: true,
cronExpression: "0 0 * * *",
}),
});
expect(res.status).toBe(404);
});
test("should not be able to access backup schedules from another organization", async () => {
const session1 = await createTestSession();
const session2 = await createTestSession();
const vol1Id = Math.floor(Math.random() * 1000000);
await db.insert(volumesTable).values({
id: vol1Id,
shortId: generateShortId(),
name: "Org 1 Volume",
type: "directory",
config: { backend: "directory", path: "/tmp/vol1" },
organizationId: session1.organizationId,
status: "unmounted",
});
const repo1Id = crypto.randomUUID();
await db.insert(repositoriesTable).values({
id: repo1Id,
shortId: generateShortId(),
name: "Org 1 Repo",
type: "local",
config: { backend: "local", name: "org1repo", path: "/tmp/repo1" },
organizationId: session1.organizationId,
});
const [schedule] = await db
.insert(backupSchedulesTable)
.values({
shortId: generateShortId(),
name: "Org 1 Schedule",
volumeId: vol1Id,
repositoryId: repo1Id,
cronExpression: "0 0 * * *",
organizationId: session1.organizationId,
})
.returning();
const res = await app.request(`/api/v1/backups/${schedule.id}`, {
headers: {
Cookie: `better-auth.session_token=${session2.token}`,
},
});
expect(res.status).toBe(404);
const resOk = await app.request(`/api/v1/backups/${schedule.id}`, {
headers: {
Cookie: `better-auth.session_token=${session1.token}`,
},
});
expect(resOk.status).toBe(200);
});
});