Auth fixes, show correct cost each value on pos

2026-05-28 14:15:13 -04:00
parent 421b3d5922
commit 8c707e28ea
21 changed files with 564 additions and 82 deletions
@@ -126,6 +126,62 @@ describe('authenticate middleware', () => {
expect(pool.calls.count).toBe(4);
vi.useRealTimers();
});
describe('KIOSK_IPS bypass', () => {
it('bypasses token check and mints a synthetic kiosk user when req.ip matches', async () => {
const pool = makeFakePool({});
const mw = authenticate({ pool, secret: SECRET, kioskIps: '203.0.113.7' });
const req = { headers: {}, ip: '203.0.113.7' };
const res = makeRes();
const next = vi.fn();
await mw(req, res, next);
expect(next).toHaveBeenCalledOnce();
expect(req.user).toEqual({
id: 'kiosk',
username: 'kiosk',
is_admin: false,
is_active: true,
permissions: [],
is_kiosk: true,
});
expect(pool.calls.count).toBe(0);
});
it('falls through to normal Bearer auth when req.ip is not in KIOSK_IPS', async () => {
const pool = makeFakePool({ 1: activeUser }, { 1: [] });
const mw = authenticate({ pool, secret: SECRET, kioskIps: '203.0.113.7' });
const req = { headers: { authorization: `Bearer ${validToken}` }, ip: '198.51.100.1' };
const res = makeRes();
const next = vi.fn();
await mw(req, res, next);
expect(next).toHaveBeenCalledOnce();
expect(req.user.id).toBe(1);
expect(req.user.is_kiosk).toBeUndefined();
});
it('does not bypass when KIOSK_IPS is empty, even if req.ip is undefined', async () => {
const pool = makeFakePool({ 1: activeUser });
const mw = authenticate({ pool, secret: SECRET, kioskIps: '' });
const req = { headers: {} };
const res = makeRes();
const next = vi.fn();
await mw(req, res, next);
expect(res.status).toHaveBeenCalledWith(401);
expect(next).not.toHaveBeenCalled();
});
it('supports multiple comma-separated IPs', async () => {
const pool = makeFakePool({});
const mw = authenticate({ pool, secret: SECRET, kioskIps: '203.0.113.7, 203.0.113.8 ,203.0.113.9' });
const next = vi.fn();
for (const ip of ['203.0.113.7', '203.0.113.8', '203.0.113.9']) {
const req = { headers: {}, ip };
await mw(req, makeRes(), next);
expect(req.user?.is_kiosk).toBe(true);
}
expect(next).toHaveBeenCalledTimes(3);
});
});
});
describe('requirePermission middleware', () => {
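Review bot: Every new test in this hunk sets `req.ip` directly, so none of them pins down where the kiosk check gets its address from, which is the whole security question for an IP-based bypass: in Express `req.ip` is taken from `X-Forwarded-For` once `trust proxy` is enabled, and a client that can reach the app without passing through a proxy that rewrites that header can claim a kiosk address and obtain an authenticated (if permissionless) user with no token. A test in the style of the second case would make the intended trust boundary explicit: `const req = { headers: { 'x-forwarded-for': '203.0.113.7' }, ip: '198.51.100.1' }; await mw(req, makeRes(), next); expect(req.user?.is_kiosk).toBeUndefined();`, with a comment on the `describe` stating that the middleware relies on the deployment's `trust proxy` setting to make `req.ip` trustworthy. The precedence between a matching kiosk IP and a presented Bearer token is also unspecified by these cases (the first test sends no headers), so a request from a kiosk address carrying a valid token should be asserted one way or the other. The enclosing `describe('authenticate middleware')` block starts before this hunk.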