
test(security): add security tests for auth and RLS enforcement#700

Open
magaret457 wants to merge 1 commit into
AnnabelJoe:mainfrom
magaret457:test/524-auth-rls-security-tests

Conversation

@magaret457

Contributor

Summary

Resolves #524

Adds a Vitest-based security test suite verifying auth flows and Supabase row-level security enforcement.

Test coverage

| Acceptance criterion | Test(s) |
| --- | --- |
| Unauthorized requests are rejected | invalid Ed25519 sig → 401; malformed body → 400 |
| Authenticated requests with insufficient scope fail | inactive meter → 404; wrong meter key → 401 |
| RLS rules validated by tests | cross-tenant meter hidden → 404; INSERT RLS violation → 500 |

7 tests, all passing.

Files added / changed

  • apps/web/src/__tests__/auth-rls.security.test.ts — 7 security tests
  • apps/web/vitest.config.ts — Vitest config with @ alias
  • apps/web/package.json — added vitest@2.1.8 devDep + test script
  • .github/workflows/ci.yml — added pnpm test step to web job

Add vitest-based security tests covering:
- Unauthorized requests rejected (invalid Ed25519 signature → 401)
- Malformed/missing fields rejected (400)
- Inactive meter filtered out (simulates insufficient device scope → 404)
- Wrong meter key rejected (401)
- Cross-tenant RLS: meter row hidden from wrong cooperative (404)
- RLS INSERT violation surfaces correctly (500)

Also:
- Add vitest 2.1.8 to apps/web devDependencies
- Add vitest.config.ts with path aliases matching tsconfig
- Add 'pnpm test' step to CI web job

All 7 tests pass.

Closes AnnabelJoe#524

Successfully merging this pull request may close these issues.

Add security tests for authentication and RLS enforcement