
Function TestSourceModeHTTPJWTIdentityAndSystemRoots

serv/source_mode_http_test.go:26–111  ·  view source on GitHub ↗

24}
26func TestSourceModeHTTPJWTIdentityAndSystemRoots(t *testing.T) {
27 handler := newSourceModeJWTHTTPTestHandler(t)
28 memberToken := signSourceModeJWT(t, jwt.MapClaims{
29 "sub": "user_member",
30 "roles": []string{"member"},
31 "account_id": "acct_1",
32 })
33 adminToken := signSourceModeJWT(t, jwt.MapClaims{
34 "sub": "admin_user",
35 "roles": []string{"admin"},
36 "account_id": "acct_admin",
37 })
38
39 usersResp := postGraphQLJWT(t, handler, memberToken, `query {
40 users(order_by: { id: asc }) { id name account_id }
41 }`, map[string]any{"account_id": "acct_2"})
42 assertNoGraphQLErrors(t, usersResp)
43
44 var usersOut struct {
45 Users []struct {
46 ID int `json:"id"`
47 Name string `json:"name"`
48 AccountID string `json:"account_id"`
49 } `json:"users"`
50 }
51 if err := json.Unmarshal(usersResp.Data, &usersOut); err != nil {
52 t.Fatalf("decode users response: %v\n%s", err, string(usersResp.Data))
53 }
54 if len(usersOut.Users) != 2 || usersOut.Users[0].ID != 1 || usersOut.Users[1].ID != 3 {
55 t.Fatalf("expected account-scoped rows for acct_1, got %s", string(usersResp.Data))
56 }
57 for _, user := range usersOut.Users {
58 if user.AccountID != "acct_1" {
59 t.Fatalf("client-supplied account_id should not override JWT claim, got %+v", usersOut.Users)
60 }
61 }
62
63 catalogResp := postGraphQLJWT(t, handler, memberToken, `query {
64 gj_catalog(limit: 1) { id }
65 }`, nil)
66 assertNoGraphQLErrors(t, catalogResp)
67 var catalogOut struct {
68 Catalog []struct {
69 ID string `json:"id"`
70 } `json:"gj_catalog"`
71 }
72 if err := json.Unmarshal(catalogResp.Data, &catalogOut); err != nil {
73 t.Fatalf("decode catalog response: %v\n%s", err, string(catalogResp.Data))
74 }
75 if len(catalogOut.Catalog) == 0 {
76 t.Fatalf("expected authenticated user to read gj_catalog, got %s", string(catalogResp.Data))
77 }
78
79 securityDenied := postGraphQLJWT(t, handler, memberToken, `query {
80 gj_security(id: "summary") { id }
81 }`, nil)
82 var deniedOut struct {
83 Security *struct {
