105 lines
3.7 KiB
TypeScript
105 lines
3.7 KiB
TypeScript
import { expect, type APIResponse, type Page, test } from '@playwright/test';
|
|
|
|
/**
|
|
* Cross-tenant isolation e2e (Workstream 8 / Workstream 2). Proves a non-global
|
|
* user of one organization cannot read, list, update, or delete a record owned
|
|
* by a second organization. Uses the seeded second-tenant owner (`owner2`, the
|
|
* `Rival Academy` org) and the primary-tenant owner (`owner`, `Demo Academy`).
|
|
*
|
|
* Requires the backend running with the database migrated + seeded, and the
|
|
* seed passwords in the environment.
|
|
*/
|
|
const USER_PASSWORD = 'flatlogicUser123!';
|
|
|
|
const BACKEND_API_URL =
|
|
process.env.VITE_BACKEND_API_URL || 'http://localhost:8080/api';
|
|
|
|
const PRIMARY_OWNER_EMAIL = 'owner@flatlogic.com';
|
|
const SECONDARY_OWNER_EMAIL = 'owner2@flatlogic.com';
|
|
|
|
const ACADEMIC_YEARS = `${BACKEND_API_URL}/academic_years`;
|
|
|
|
interface AcademicYearRow {
|
|
readonly id: string;
|
|
readonly name: string | null;
|
|
}
|
|
|
|
async function logout(page: Page): Promise<void> {
|
|
await page.request.post(`${BACKEND_API_URL}/auth/signout`);
|
|
await page.context().clearCookies();
|
|
}
|
|
|
|
async function login(page: Page, email: string, password: string): Promise<void> {
|
|
await logout(page);
|
|
await page.goto('/login');
|
|
await page.getByPlaceholder('you@school.edu').fill(email);
|
|
await page.getByPlaceholder('Enter your password').fill(password);
|
|
await page.getByRole('button', { name: 'Sign In', exact: true }).click();
|
|
await page.waitForURL((url) => !url.pathname.startsWith('/login'), {
|
|
timeout: 10_000,
|
|
});
|
|
}
|
|
|
|
async function listRows(page: Page): Promise<AcademicYearRow[]> {
|
|
const res = await page.request.get(ACADEMIC_YEARS);
|
|
expect(res.status()).toBe(200);
|
|
const body = (await res.json()) as { rows?: AcademicYearRow[] };
|
|
return body.rows ?? [];
|
|
}
|
|
|
|
async function findByName(
|
|
page: Page,
|
|
name: string,
|
|
): Promise<AcademicYearRow | undefined> {
|
|
return (await listRows(page)).find((row) => row.name === name);
|
|
}
|
|
|
|
test.describe('Cross-tenant isolation', () => {
|
|
test('a tenant cannot read, list, mutate, or delete another tenant record', async ({
|
|
page,
|
|
}) => {
|
|
const rivalName = `Rival Year ${Date.now()}`;
|
|
|
|
// 1. owner2 (Rival Academy) creates a record in its own tenant.
|
|
await login(page, SECONDARY_OWNER_EMAIL, USER_PASSWORD);
|
|
const created = await page.request.post(ACADEMIC_YEARS, {
|
|
data: { data: { name: rivalName } },
|
|
});
|
|
expect(created.status()).toBe(200);
|
|
|
|
const rival = await findByName(page, rivalName);
|
|
expect(rival, 'owner2 should see its own record').toBeTruthy();
|
|
const rivalId = rival!.id;
|
|
|
|
// 2. owner (Demo Academy) must not see it in any way.
|
|
await login(page, PRIMARY_OWNER_EMAIL, USER_PASSWORD);
|
|
|
|
// 2a. List isolation.
|
|
const primaryRows = await listRows(page);
|
|
expect(primaryRows.some((row) => row.id === rivalId)).toBe(false);
|
|
|
|
// 2b. Read-by-id isolation: tenant-scoped read returns no record.
|
|
const readRes = await page.request.get(`${ACADEMIC_YEARS}/${rivalId}`);
|
|
const readBody = await readRes.text();
|
|
expect(readBody).not.toContain(rivalName);
|
|
|
|
// 2c. Update isolation: a tenant-scoped update finds nothing → error.
|
|
const updateRes: APIResponse = await page.request.put(
|
|
`${ACADEMIC_YEARS}/${rivalId}`,
|
|
{ data: { id: rivalId, data: { name: 'Hijacked' } } },
|
|
);
|
|
expect(updateRes.ok()).toBe(false);
|
|
|
|
// 2d. Delete isolation: attempt to delete the rival record.
|
|
await page.request.delete(`${ACADEMIC_YEARS}/${rivalId}`);
|
|
|
|
// 3. owner2 confirms its record still exists and is unchanged.
|
|
await login(page, SECONDARY_OWNER_EMAIL, USER_PASSWORD);
|
|
const stillThere = await findByName(page, rivalName);
|
|
expect(
|
|
stillThere,
|
|
'the rival record must survive the cross-tenant update/delete attempts',
|
|
).toBeTruthy();
|
|
});
|
|
});
|