feat: add comprehensive REST API with token auth, OpenAPI docs, and full test coverage

- API token model (SHA-256 hashed, debounced lastUsedAt) with Bearer auth - Dual auth middleware (session + API token) in src/lib/api-auth.ts - 23 REST endpoints under /api/v1/ covering all functionality: tokens, proxy-hosts, l4-proxy-hosts, certificates, ca-certificates, client-certificates, access-lists, settings, instances, users, audit-log, caddy/apply - OpenAPI 3.1 spec at /api/v1/openapi.json with fully typed schemas - Swagger UI docs page at /api-docs in the dashboard - API token management integrated into the Profile page - Fix: next build now works under Node.js (bun:sqlite aliased to better-sqlite3) - 89 new API route unit tests + 11 integration tests (592 total) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 09:45:45 +01:00
parent 0acb430ebb
commit de28478a42
49 changed files with 5160 additions and 6 deletions
@@ -0,0 +1,183 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+vi.mock('@/src/lib/models/access-lists', () => ({
+  listAccessLists: vi.fn(),
+  createAccessList: vi.fn(),
+  getAccessList: vi.fn(),
+  updateAccessList: vi.fn(),
+  deleteAccessList: vi.fn(),
+  addAccessListEntry: vi.fn(),
+  removeAccessListEntry: vi.fn(),
+}));
+
+vi.mock('@/src/lib/api-auth', () => {
+  const ApiAuthError = class extends Error {
+    status: number;
+    constructor(msg: string, status: number) { super(msg); this.status = status; this.name = 'ApiAuthError'; }
+  };
+  return {
+    requireApiAdmin: vi.fn().mockResolvedValue({ userId: 1, role: 'admin', authMethod: 'bearer' }),
+    requireApiUser: vi.fn().mockResolvedValue({ userId: 1, role: 'admin', authMethod: 'bearer' }),
+    apiErrorResponse: vi.fn((error: unknown) => {
+      const { NextResponse } = require('next/server');
+      if (error && typeof error === 'object' && 'status' in error) {
+        return NextResponse.json({ error: (error as Error).message }, { status: (error as any).status });
+      }
+      return NextResponse.json({ error: error instanceof Error ? error.message : 'Internal server error' }, { status: 500 });
+    }),
+    ApiAuthError,
+  };
+});
+
+import { GET as listGET, POST as listPOST } from '@/app/api/v1/access-lists/route';
+import { GET as getGET, PUT, DELETE } from '@/app/api/v1/access-lists/[id]/route';
+import { POST as entriesPOST } from '@/app/api/v1/access-lists/[id]/entries/route';
+import { DELETE as entryDELETE } from '@/app/api/v1/access-lists/[id]/entries/[entryId]/route';
+import { listAccessLists, createAccessList, getAccessList, updateAccessList, deleteAccessList, addAccessListEntry, removeAccessListEntry } from '@/src/lib/models/access-lists';
+import { requireApiAdmin } from '@/src/lib/api-auth';
+
+const mockList = vi.mocked(listAccessLists);
+const mockCreate = vi.mocked(createAccessList);
+const mockGet = vi.mocked(getAccessList);
+const mockUpdate = vi.mocked(updateAccessList);
+const mockDelete = vi.mocked(deleteAccessList);
+const mockAddEntry = vi.mocked(addAccessListEntry);
+const mockRemoveEntry = vi.mocked(removeAccessListEntry);
+const mockRequireApiAdmin = vi.mocked(requireApiAdmin);
+
+function createMockRequest(options: { method?: string; body?: unknown } = {}): any {
+  return {
+    headers: { get: () => null },
+    method: options.method ?? 'GET',
+    nextUrl: { pathname: '/api/v1/access-lists', searchParams: new URLSearchParams() },
+    json: async () => options.body ?? {},
+  };
+}
+
+const sampleList = {
+  id: 1,
+  name: 'Whitelist',
+  type: 'allow',
+  entries: [{ id: 1, value: '10.0.0.0/8', type: 'ip' }],
+  created_at: '2026-01-01',
+};
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  mockRequireApiAdmin.mockResolvedValue({ userId: 1, role: 'admin', authMethod: 'bearer' });
+});
+
+describe('GET /api/v1/access-lists', () => {
+  it('returns list of access lists', async () => {
+    mockList.mockResolvedValue([sampleList] as any);
+
+    const response = await listGET(createMockRequest());
+    const data = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(data).toEqual([sampleList]);
+  });
+
+  it('returns 401 on auth failure', async () => {
+    const { ApiAuthError } = await import('@/src/lib/api-auth');
+    mockRequireApiAdmin.mockRejectedValue(new ApiAuthError('Unauthorized', 401));
+
+    const response = await listGET(createMockRequest());
+    expect(response.status).toBe(401);
+  });
+});
+
+describe('POST /api/v1/access-lists', () => {
+  it('creates an access list and returns 201', async () => {
+    const body = { name: 'New List', type: 'deny' };
+    mockCreate.mockResolvedValue({ id: 2, ...body, entries: [] } as any);
+
+    const response = await listPOST(createMockRequest({ method: 'POST', body }));
+    const data = await response.json();
+
+    expect(response.status).toBe(201);
+    expect(data.id).toBe(2);
+    expect(mockCreate).toHaveBeenCalledWith(body, 1);
+  });
+});
+
+describe('GET /api/v1/access-lists/[id]', () => {
+  it('returns an access list by id', async () => {
+    mockGet.mockResolvedValue(sampleList as any);
+
+    const response = await getGET(createMockRequest(), { params: Promise.resolve({ id: '1' }) });
+    const data = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(data).toEqual(sampleList);
+  });
+
+  it('returns 404 for non-existent access list', async () => {
+    mockGet.mockResolvedValue(null as any);
+
+    const response = await getGET(createMockRequest(), { params: Promise.resolve({ id: '999' }) });
+    const data = await response.json();
+
+    expect(response.status).toBe(404);
+    expect(data.error).toBe('Not found');
+  });
+});
+
+describe('PUT /api/v1/access-lists/[id]', () => {
+  it('updates an access list', async () => {
+    const body = { name: 'Updated List' };
+    mockUpdate.mockResolvedValue({ ...sampleList, name: 'Updated List' } as any);
+
+    const response = await PUT(createMockRequest({ method: 'PUT', body }), { params: Promise.resolve({ id: '1' }) });
+    const data = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(data.name).toBe('Updated List');
+    expect(mockUpdate).toHaveBeenCalledWith(1, body, 1);
+  });
+});
+
+describe('DELETE /api/v1/access-lists/[id]', () => {
+  it('deletes an access list', async () => {
+    mockDelete.mockResolvedValue(undefined as any);
+
+    const response = await DELETE(createMockRequest({ method: 'DELETE' }), { params: Promise.resolve({ id: '1' }) });
+    const data = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(data).toEqual({ ok: true });
+    expect(mockDelete).toHaveBeenCalledWith(1, 1);
+  });
+});
+
+describe('POST /api/v1/access-lists/[id]/entries', () => {
+  it('adds an entry to an access list and returns 201', async () => {
+    const body = { value: '192.168.0.0/16', type: 'ip' };
+    const updatedList = { ...sampleList, entries: [...sampleList.entries, { id: 2, ...body }] };
+    mockAddEntry.mockResolvedValue(updatedList as any);
+
+    const response = await entriesPOST(createMockRequest({ method: 'POST', body }), { params: Promise.resolve({ id: '1' }) });
+    const data = await response.json();
+
+    expect(response.status).toBe(201);
+    expect(data.entries).toHaveLength(2);
+    expect(mockAddEntry).toHaveBeenCalledWith(1, body, 1);
+  });
+});
+
+describe('DELETE /api/v1/access-lists/[id]/entries/[entryId]', () => {
+  it('removes an entry from an access list', async () => {
+    const updatedList = { ...sampleList, entries: [] };
+    mockRemoveEntry.mockResolvedValue(updatedList as any);
+
+    const response = await entryDELETE(
+      createMockRequest({ method: 'DELETE' }),
+      { params: Promise.resolve({ id: '1', entryId: '1' }) }
+    );
+    const data = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(data.entries).toHaveLength(0);
+    expect(mockRemoveEntry).toHaveBeenCalledWith(1, 1, 1);
+  });
+});