Pivot strategique : DocAdenice = produit Notion-like generique. Le bridge
est livre vide a un user qui cree ses tables Baserow comme il veut. Code
sans aucune ontologie metier.
Suppressions :
- 9 entites domain metier (Personne, Formation, Bloc, Module, Attribution,
Client, Projet, Tache, Intervention) + types.ts (Role, statuts)
- baserow-repo.ts (mega-fichier 554 LOC avec 9 repos heritant BaseRepo)
- 6 routes metier (personnes, formations, projets, modules, interventions,
attributions) + tests associes
- Lookup PersonneRepo.findByEmail dans middleware auth
- Mapping DEFAULT_ROLE_SCOPES dans middleware/scopes.ts
- Cascade rollup metier dans webhooks/baserow-handler.ts
Ajouts :
- Domain generique : Table, Row, Field, View + schemas zod refondus
- 4 repos generiques : tables / rows / fields / views
- Route unique routes/tables.ts avec 9 endpoints REST CRUD generiques
- Claim JWT acadenice_permissions[] lu directement dans le middleware auth
(alimente par RBAC dynamique cote DocAdenice en R2)
- examples/acadenice-formation-hub/ : README + seed-baserow.md schema
9 tables + example-roles.md (Formateur, Developpeur, Direction, Support,
Admin avec permissions generiques)
Refactors :
- BaserowClient etendu : listTables, getTable, listFields, listViews,
getGridViewRows
- middleware/auth.ts : extractPermissions(payload), AuthenticatedUser
remplace roles[] par permissions[]
- middleware/scopes.ts : computeOidcScopes(groups, permissions, map)
- webhooks/baserow-handler.ts : invalidation generique
bridge:tables:<tableId>:* sans cascade cross-table
- lib/cache.ts : invalidateEntity -> invalidateTable(redis, tableId, rowId?)
- container.ts : drop tableIds, RepoSet={tables, rows, fields, views}
- 501 NOT_IMPLEMENTED si DB token sur endpoints /tables qui exigent JWT
Tests : 250/250 verts (depuis 319). Coverage : domain 98.9%, adapters 89%,
auth 97.08%, rate-limit 100%, cache 100%, webhooks 100%.
Quality gates verts : typecheck, lint biome, vitest, coverage thresholds.
Refs: R1 dans le pivot strategique DocAdenice Notion-like generique.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
/**
* Tests integration des routes /api/webhooks/{baserow,docmost} (R1).
* Pas de vrai Redis : on injecte un fake qui implemente l'API minimale.
*/
import { createHmac } from 'node:crypto';
import { Hono } from 'hono';
import { afterEach, describe, expect, it } from 'vitest';
import type { RedisCache } from '../../src/adapters/redis-cache.js';
import { setContainer } from '../../src/lib/container.js';
import { logger } from '../../src/lib/logger.js';
import { errorHandler } from '../../src/middleware/error-handler.js';
import { webhooksRoutes } from '../../src/routes/webhooks.js';
// Test-only webhook secrets. One distinct secret per source, so a request signed
// for one endpoint can never verify on the other. Their length presumably meets a
// minimum the config schema enforces on real secrets — TODO confirm against config validation.
const BASEROW_SECRET = 'baserow-test-secret-32chars-long-ok';
const DOCMOST_SECRET = 'docmost-test-secret-32chars-long-ok';
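/**
 * Minimal in-memory stand-in for RedisCache, implementing only the two methods
 * the webhook handlers call. State is public so tests can assert on side effects
 * (which event_ids were consumed, which cache patterns were invalidated).
 *
 * Scope caveat: a single `seen` set serves every webhook source, so an event_id
 * reused by Baserow and Docmost would collide in this fake. Whether the real
 * RedisCache namespaces ids per source is not visible from this file — TODO confirm.
 */
class FakeRedis {
  /** event_ids already accepted; membership means "replay". */
  public readonly seen = new Set<string>();
  /** Cache-key patterns handed to invalidatePattern, in call order. */
  public readonly invalidated: string[] = [];

  /**
   * Marks `id` as seen.
   * @returns true when `id` was already present (duplicate delivery), false on first sight.
   */
  async checkAndStoreEventId(id: string): Promise<boolean> {
    if (this.seen.has(id)) return true;
    this.seen.add(id);
    return false;
  }

  /** Records the pattern; always reports exactly one key deleted. */
  async invalidatePattern(pattern: string): Promise<number> {
    this.invalidated.push(pattern);
    return 1;
  }
}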
/**
 * Wires a test container around the given fake Redis.
 *
 * The Baserow client and the repos are stubbed out: the webhook routes under test
 * only touch config (webhook secrets) and the Redis cache. No bridge API tokens and
 * no OIDC are configured, so these endpoints authenticate solely via HMAC here.
 *
 * @param redis             fake cache that receives idempotency and invalidation calls
 * @param withDocmostSecret when false, the Docmost secret is left unset so the
 *                          fail-closed behaviour of that endpoint can be exercised
 */
function installContainer(redis: FakeRedis, withDocmostSecret = true) {
  const docmostSecret = withDocmostSecret ? DOCMOST_SECRET : undefined;
  // Limits far above anything this suite sends, so rate limiting never interferes.
  const generousLimit = 10000;
  const oneMinute = 60;

  setContainer({
    config: {
      nodeEnv: 'test',
      port: 0,
      logLevel: 'fatal',
      baserowApiUrl: 'http://localhost',
      baserowApiToken: 'fake',
      redisUrl: 'redis://localhost',
      baserowWebhookSecret: BASEROW_SECRET,
      docmostWebhookSecret: docmostSecret,
      bridgeApiTokens: undefined,
      rateLimitGlobalMax: generousLimit,
      rateLimitGlobalWindow: oneMinute,
      rateLimitMutationMax: generousLimit,
      rateLimitMutationWindow: oneMinute,
    },
    // biome-ignore lint/suspicious/noExplicitAny: fake injection
    baserow: {} as any,
    redis: redis as unknown as RedisCache,
    // biome-ignore lint/suspicious/noExplicitAny: fake injection
    repos: {} as any,
    tokens: new Map(),
    oidc: null,
    groupsScopesMap: {},
    logger,
  });
}
/**
 * Minimal Hono app: the shared error handler plus only the webhook routes under
 * test, mounted at the same prefix as in production.
 */
function buildApp() {
  return new Hono().onError(errorHandler).route('/api/webhooks', webhooksRoutes);
}
/**
 * Hex-encoded HMAC-SHA256 of `body` under `secret` — the value a sender is
 * expected to place in its signature header.
 *
 * The body is hashed as UTF-8 exactly as it will be sent; any re-serialisation
 * between signing and sending would break verification on the receiving side.
 */
function sign(body: string, secret: string): string {
  const mac = createHmac('sha256', secret);
  mac.update(body, 'utf8');
  return mac.digest('hex');
}
// Tear the container down after every test so one test's secrets or fakes can
// never leak into the next.
afterEach(() => setContainer(null));
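describe('POST /api/webhooks/baserow', () => {
  /** Fresh fake Redis wired into a new container, plus the app under test. */
  function setup() {
    const redis = new FakeRedis();
    installContainer(redis);
    return { redis, app: buildApp() };
  }

  /**
   * POSTs `body` as JSON to the Baserow webhook endpoint. The signature header
   * is sent only when `signature` is provided, so the "header absent" case is
   * reachable through the same helper.
   */
  function post(app: ReturnType<typeof buildApp>, body: string, signature?: string) {
    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
    if (signature !== undefined) headers['X-Baserow-Signature'] = signature;
    return app.request('/api/webhooks/baserow', { method: 'POST', headers, body });
  }

  it('200 si HMAC valide + payload connu', async () => {
    const { redis, app } = setup();
    const body = JSON.stringify({
      event_id: 'evt-baserow-1',
      event_type: 'rows.created',
      table_id: 42,
      items: [{ id: 100 }],
    });
    const res = await post(app, body, sign(body, BASEROW_SECRET));
    expect(res.status).toBe(200);
    const json = (await res.json()) as { status: string; tableId: number };
    expect(json.status).toBe('processed');
    expect(json.tableId).toBe(42);
    // Invalidation is keyed on the table named in the payload.
    expect(redis.invalidated).toContain('bridge:tables:42:list:*');
    expect(redis.invalidated).toContain('bridge:tables:42:views:*');
  });

  it('401 AUTH_REQUIRED si header absent', async () => {
    const { app } = setup();
    const res = await post(app, JSON.stringify({}));
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_REQUIRED');
  });

  it('401 AUTH_INVALID si HMAC mismatch', async () => {
    const { app } = setup();
    const body = JSON.stringify({
      event_id: 'evt',
      event_type: 'rows.created',
      table_id: 1,
    });
    // Well-formed signature (64 hex chars) with the wrong digest.
    const res = await post(app, body, 'a'.repeat(64));
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_INVALID');
  });

  it('401 AUTH_INVALID si signature valide pour un autre body (tampering)', async () => {
    const { redis, app } = setup();
    const signed = JSON.stringify({ event_id: 'evt-t', event_type: 'rows.created', table_id: 1, items: [] });
    const tampered = JSON.stringify({ event_id: 'evt-t', event_type: 'rows.created', table_id: 2, items: [] });
    // Genuine signature, but computed over a different payload than the one sent.
    const res = await post(app, tampered, sign(signed, BASEROW_SECRET));
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_INVALID');
    // A rejected request must leave no trace: no invalidation, no consumed event_id.
    expect(redis.invalidated).toEqual([]);
    expect(redis.seen.size).toBe(0);
  });

  it('401 si signature de longueur incorrecte (pas 500)', async () => {
    const { app } = setup();
    const body = JSON.stringify({ event_id: 'evt', event_type: 'rows.created', table_id: 1, items: [] });
    // Signatures that decode to the wrong byte length (or to nothing at all) must be
    // rejected like any other bad signature. Handing such a buffer straight to
    // timingSafeEqual would throw and surface as a 500 instead of a 401.
    for (const sig of ['abc', 'a'.repeat(63), 'a'.repeat(65), 'zz'.repeat(32)]) {
      const res = await post(app, body, sig);
      expect(res.status).toBe(401);
    }
  });

  it('replay meme event_id -> 200 + status duplicate', async () => {
    const { redis, app } = setup();
    const body = JSON.stringify({
      event_id: 'evt-dup',
      event_type: 'rows.created',
      table_id: 1,
      items: [{ id: 1 }],
    });
    const signature = sign(body, BASEROW_SECRET);

    const res1 = await post(app, body, signature);
    expect(res1.status).toBe(200);
    const json1 = (await res1.json()) as { status: string };
    expect(json1.status).toBe('processed');
    const invalidationsAfterFirst = redis.invalidated.length;

    const res2 = await post(app, body, signature);
    expect(res2.status).toBe(200);
    const json2 = (await res2.json()) as { status: string; eventId: string };
    expect(json2.status).toBe('duplicate');
    expect(json2.eventId).toBe('evt-dup');
    // The replay is acknowledged but must have no side effects.
    expect(redis.invalidated.length).toBe(invalidationsAfterFirst);
  });

  it('table_id 0 -> 400 (validation zod : table_id positif)', async () => {
    const { app } = setup();
    const body = JSON.stringify({
      event_id: 'evt',
      event_type: 'rows.created',
      table_id: 0,
      items: [],
    });
    const res = await post(app, body, sign(body, BASEROW_SECRET));
    expect(res.status).toBe(400);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('VALIDATION_ERROR');
  });

  it('payload malforme (event_id manquant) -> 400 VALIDATION_ERROR', async () => {
    const { app } = setup();
    const body = JSON.stringify({ event_type: 'rows.created', table_id: 1 });
    const res = await post(app, body, sign(body, BASEROW_SECRET));
    expect(res.status).toBe(400);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('VALIDATION_ERROR');
  });

  it('body JSON invalide -> 400 VALIDATION_ERROR', async () => {
    const { app } = setup();
    const body = 'not-json{';
    // Correctly signed, so the 400 is a parsing failure and not an auth failure.
    const res = await post(app, body, sign(body, BASEROW_SECRET));
    expect(res.status).toBe(400);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('VALIDATION_ERROR');
  });

  it('body JSON invalide sans signature -> 401 (auth avant parsing)', async () => {
    const { app } = setup();
    // Unauthenticated callers must not reach the parser/validator: the schema and
    // its error messages are not an oracle available without a valid signature.
    const res = await post(app, 'not-json{');
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_REQUIRED');
  });

  it('event_type non supporte -> 400 VALIDATION_ERROR', async () => {
    const { app } = setup();
    const body = JSON.stringify({
      event_id: 'evt',
      event_type: 'rows.weird',
      table_id: 1,
      items: [],
    });
    const res = await post(app, body, sign(body, BASEROW_SECRET));
    expect(res.status).toBe(400);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('VALIDATION_ERROR');
  });
});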
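describe('POST /api/webhooks/docmost', () => {
  /**
   * Fresh fake Redis wired into a new container, plus the app under test.
   * @param withSecret when false, the Docmost webhook secret is left unconfigured
   */
  function setup(withSecret = true) {
    const redis = new FakeRedis();
    installContainer(redis, withSecret);
    return { redis, app: buildApp() };
  }

  /**
   * POSTs `body` as JSON to the Docmost webhook endpoint. The signature header
   * is sent only when `signature` is provided.
   */
  function post(app: ReturnType<typeof buildApp>, body: string, signature?: string) {
    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
    if (signature !== undefined) headers['X-Docmost-Signature'] = signature;
    return app.request('/api/webhooks/docmost', { method: 'POST', headers, body });
  }

  it('200 si HMAC valide + payload minimal', async () => {
    const { app } = setup();
    const body = JSON.stringify({
      event_id: 'doc-1',
      event_type: 'page.updated',
      page_id: 'p-42',
    });
    const res = await post(app, body, sign(body, DOCMOST_SECRET));
    expect(res.status).toBe(200);
    const json = (await res.json()) as { status: string; eventType: string };
    expect(json.status).toBe('logged');
    expect(json.eventType).toBe('page.updated');
  });

  it('200 sans event_id (skip idempotence)', async () => {
    const { redis, app } = setup();
    const body = JSON.stringify({ event_type: 'page.created' });
    const signature = sign(body, DOCMOST_SECRET);
    const res = await post(app, body, signature);
    expect(res.status).toBe(200);
    const json = (await res.json()) as { status: string };
    expect(json.status).toBe('logged');
    // Nothing to deduplicate on, so nothing is stored.
    expect(redis.seen.size).toBe(0);
    // NOTE(review): this also means a captured, correctly signed payload without an
    // event_id is accepted again on every replay. A timestamp/nonce inside the signed
    // material would close that window — TODO confirm what Docmost actually sends.
    const replay = await post(app, body, signature);
    expect(replay.status).toBe(200);
    const replayJson = (await replay.json()) as { status: string };
    expect(replayJson.status).toBe('logged');
  });

  it('401 si header absent', async () => {
    const { app } = setup();
    const res = await post(app, '{}');
    expect(res.status).toBe(401);
  });

  it('401 si HMAC mismatch', async () => {
    const { app } = setup();
    const body = JSON.stringify({ event_type: 'page.updated' });
    // Well-formed signature (64 hex chars) with the wrong digest.
    const res = await post(app, body, 'a'.repeat(64));
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_INVALID');
  });

  it('401 AUTH_INVALID si signature valide pour un autre body (tampering)', async () => {
    const { redis, app } = setup();
    const signed = JSON.stringify({ event_id: 'doc-t', event_type: 'page.updated', page_id: 'p-1' });
    const tampered = JSON.stringify({ event_id: 'doc-t', event_type: 'page.updated', page_id: 'p-2' });
    // Genuine signature, but computed over a different payload than the one sent.
    const res = await post(app, tampered, sign(signed, DOCMOST_SECRET));
    expect(res.status).toBe(401);
    const json = (await res.json()) as { error: { code: string } };
    expect(json.error.code).toBe('AUTH_INVALID');
    // A rejected request must not consume the event_id.
    expect(redis.seen.size).toBe(0);
  });

  it('401 si signature de longueur incorrecte (pas 500)', async () => {
    const { app } = setup();
    const body = JSON.stringify({ event_type: 'page.updated' });
    // Wrong-length or undecodable signatures must be rejected as bad signatures,
    // not bubble up as a 500 from a length-sensitive constant-time compare.
    for (const sig of ['abc', 'a'.repeat(63), 'a'.repeat(65), 'zz'.repeat(32)]) {
      const res = await post(app, body, sig);
      expect(res.status).toBe(401);
    }
  });

  it('replay meme event_id -> duplicate', async () => {
    const { app } = setup();
    const body = JSON.stringify({ event_id: 'doc-dup', event_type: 'page.updated' });
    const signature = sign(body, DOCMOST_SECRET);

    const res1 = await post(app, body, signature);
    expect(res1.status).toBe(200);
    const json1 = (await res1.json()) as { status: string };
    expect(json1.status).toBe('logged');

    const res2 = await post(app, body, signature);
    expect(res2.status).toBe(200);
    const json2 = (await res2.json()) as { status: string };
    expect(json2.status).toBe('duplicate');
  });

  it('401 si docmostWebhookSecret absent (stub bloque)', async () => {
    const { app } = setup(false);
    const body = JSON.stringify({ event_type: 'page.updated' });
    // Signed with the secret the suite normally uses: with no secret configured the
    // endpoint must fail closed rather than fall back to a default key or skip
    // verification altogether.
    const res = await post(app, body, sign(body, DOCMOST_SECRET));
    expect(res.status).toBe(401);
  });

  it('payload sans event_type -> 400', async () => {
    const { app } = setup();
    const body = JSON.stringify({ foo: 'bar' });
    const res = await post(app, body, sign(body, DOCMOST_SECRET));
    expect(res.status).toBe(400);
  });
});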