(t *testing.T)
| 179 | } |
| 180 | |
| 181 | func TestFGA(t *testing.T) { |
| 182 | cfg := getTestConfig() |
| 183 | ts, eng := initFGATestSetup(t, cfg) |
| 184 | req, ctx := createContext(ts) |
| 185 | |
| 186 | // Create + log in a regular user; their token sub is the principal. |
| 187 | email := "fga_test_" + uuid.New().String() + "@authorizer.dev" |
| 188 | password := "Password@123" |
| 189 | _, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{ |
| 190 | Email: &email, Password: password, ConfirmPassword: password, |
| 191 | }) |
| 192 | require.NoError(t, err) |
| 193 | loginRes, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password}) |
| 194 | require.NoError(t, err) |
| 195 | require.NotNil(t, loginRes) |
| 196 | userID := loginRes.User.ID |
| 197 | sessionToken := latestAppSessionCookie(ts) |
| 198 | require.NotEmpty(t, sessionToken) |
| 199 | |
| 200 | // ---- Admin: write the authorization model. ---- |
| 201 | t.Run("_fga_write_model requires super admin", func(t *testing.T) { |
| 202 | clearCookies(ts) |
| 203 | res, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel}) |
| 204 | assert.Error(t, err) |
| 205 | assert.Nil(t, res) |
| 206 | }) |
| 207 | |
| 208 | setAdminCookie(t, ts) |
| 209 | |
| 210 | // ---- Admin: a fresh store (no model yet) is an empty state, NOT an error. ---- |
| 211 | t.Run("_fga_get_model returns empty model on a fresh store", func(t *testing.T) { |
| 212 | res, err := ts.GraphQLProvider.FgaGetModel(ctx) |
| 213 | require.NoError(t, err, "no model yet must be an empty state, not an error") |
| 214 | require.NotNil(t, res) |
| 215 | assert.Empty(t, res.ID) |
| 216 | assert.Empty(t, res.Dsl) |
| 217 | }) |
| 218 | |
| 219 | modelRes, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel}) |
| 220 | require.NoError(t, err) |
| 221 | require.NotNil(t, modelRes) |
| 222 | require.NotEmpty(t, modelRes.ID) |
| 223 | |
| 224 | // ---- Admin: write tuples granting THIS user viewer on document:1 only. ---- |
| 225 | _, err = ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{ |
| 226 | Tuples: []*model.FgaTupleInput{ |
| 227 | {User: "user:" + userID, Relation: "viewer", Object: "document:1"}, |
| 228 | }, |
| 229 | }) |
| 230 | require.NoError(t, err) |
| 231 | |
| 232 | // ---- Admin: a tuple that doesn't match the model gets a friendly error. ---- |
| 233 | t.Run("_fga_write_tuples maps model-validation errors to an actionable message", func(t *testing.T) { |
| 234 | _, err := ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{ |
| 235 | Tuples: []*model.FgaTupleInput{ |
| 236 | {User: "user:" + userID, Relation: "owner", Object: "document:1"}, |
| 237 | }, |
| 238 | }) |