NextEdu/tests/integration/proxy-guard.test.ts

import { describe, expect, it, vi } from "vitest"

const { getTokenMock } = vi.hoisted(() => ({
  getTokenMock: vi.fn(),
}))

vi.mock("next-auth/jwt", () => ({
  getToken: getTokenMock,
}))

import { middleware } from "@/proxy"

const createRequest = (pathname: string) => ({
  nextUrl: {
    pathname,
    clone: () => new URL(`http://localhost${pathname}`),
  },
  url: `http://localhost${pathname}`,
})

describe("proxy route guard", () => {
  it("redirects unauthenticated requests to login with callback", async () => {
    getTokenMock.mockResolvedValue(null)
    const response = await middleware(createRequest("/teacher/dashboard") as never)
    expect(response.status).toBe(307)
    const location = response.headers.get("location") ?? ""
    expect(location).toContain("/login")
    expect(location).toContain("callbackUrl=")
    expect(decodeURIComponent(location)).toContain("/teacher/dashboard")
  })

  it("redirects user without school:manage permission away from admin routes", async () => {
    getTokenMock.mockResolvedValue({
      permissions: ["homework:submit"],
      roles: ["student"],
    })
    const response = await middleware(createRequest("/admin/dashboard") as never)
    expect(response.status).toBe(307)
    expect(response.headers.get("location")).toContain("/student/dashboard")
  })

  it("redirects user without grade:manage permission away from management routes", async () => {
    getTokenMock.mockResolvedValue({
      permissions: ["exam:read"],
      roles: ["parent"],
    })
    const response = await middleware(createRequest("/management/grade/insights") as never)
    expect(response.status).toBe(307)
    expect(response.headers.get("location")).toContain("/parent/dashboard")
  })

  it("allows user with grade:manage permission to access management routes", async () => {
    getTokenMock.mockResolvedValue({
      permissions: ["exam:read", "grade:manage"],
      roles: ["teacher"],
    })
    const response = await middleware(createRequest("/management/grade/insights") as never)
    expect(response.status).toBe(200)
    expect(response.headers.get("location")).toBeNull()
  })
})