air-watcher/test/apiAuth.test.js

"use strict";

const test = require("node:test");
const assert = require("node:assert/strict");
const { isAuthorizedRequest, resolveApiAuth } = require("../src/apiAuth");

test("resolveApiAuth requires token by default in production", () => {
  assert.throws(() => resolveApiAuth({ nodeEnv: "production" }), /DASHBOARD_API_TOKEN/);
});

test("resolveApiAuth is disabled by default in non-production", () => {
  const authConfig = resolveApiAuth({ nodeEnv: "development" });
  assert.equal(authConfig.enabled, false);
  assert.equal(authConfig.token, "");
});

test("isAuthorizedRequest supports bearer and x-api-key headers", () => {
  const authConfig = resolveApiAuth({
    nodeEnv: "production",
    apiToken: "top-secret-token",
  });

  assert.equal(
    isAuthorizedRequest(
      {
        authorization: "Bearer top-secret-token",
      },
      authConfig
    ),
    true
  );

  assert.equal(
    isAuthorizedRequest(
      {
        "x-api-key": "top-secret-token",
      },
      authConfig
    ),
    true
  );

  assert.equal(
    isAuthorizedRequest(
      {
        authorization: "Bearer wrong-token",
      },
      authConfig
    ),
    false
  );
});