feat: adds unit tests for impersonation session feature (#2452)

* added unit tests for impersonation session route

* fixed test identation and spacing

* fixed unecessary imports and variable in tests

* fixed comments on tests

* fixed naming mistake in test

* fixed failing test

Author: Suvidh-kaushik

test/unit/middlewares/addAuthorizationForImpersonation.test.ts

@@ -0,0 +1,130 @@
+import { expect } from "chai";
+import sinon from "sinon";
+import { NextFunction, Response } from "express";
+import { addAuthorizationForImpersonation } from "../../../middlewares/addAuthorizationForImpersonation";
+import { ImpersonationRequestResponse, ImpersonationSessionRequest } from "../../../types/impersonationRequest";
+import { INVALID_ACTION_PARAM, OPERATION_NOT_ALLOWED } from "../../../constants/requests";
+
+describe("addAuthorizationForImpersonation", () => {
+  let req;
+  let res: Partial<Response> & {
+    boom: {
+      badRequest: sinon.SinonSpy;
+      unauthorized: sinon.SinonSpy;
+      forbidden: sinon.SinonSpy;
+      badImplementation: sinon.SinonSpy;
+    };
+  };
+  let next: sinon.SinonSpy;
+  let boomBadRequest: sinon.SinonSpy;
+  let boomForbidden: sinon.SinonSpy;
+  let boomUnauthorized: sinon.SinonSpy;
+
+  beforeEach(() => {
+    boomBadRequest = sinon.spy();
+    boomForbidden = sinon.spy();
+    boomUnauthorized = sinon.spy();
+
+    req = {
+      query: {},
+      userData: {
+        roles: {
+          super_user: true,
+        },
+      },
+    };
+
+    res = {
+      boom: {
+        badRequest: boomBadRequest,
+        badImplementation: sinon.spy(),
+        forbidden: boomForbidden,
+        unauthorized: boomUnauthorized,
+      },
+    };
+
+    next = sinon.spy();
+  });
+
+  it("should call next when user has super_user role and action is START", () => {
+    req.query = { action: "START" };
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next as NextFunction
+    );
+
+    expect(next.calledOnce).to.be.true;
+    expect(boomBadRequest.notCalled).to.be.true;
+  });
+
+  it("should not call next if user doesn't have super_user role", () => {
+    req.query = { action: "START" };
+    req.userData = { roles: {} };
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next
+    );
+
+    expect(boomUnauthorized.calledOnce).to.be.true;
+    expect(next.notCalled).to.be.true;
+  });
+
+  it("should call next directly for action=STOP if an impersonation session is in progress", () => {
+    req.query = { action: "STOP" };
+    req.isImpersonating = true;
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next
+    );
+
+    expect(next.calledOnce).to.be.true;
+  });
+
+  it("should return 403 Forbidden if action=STOP and an impersonation session is not in progress", () => {
+    req.query = { action: "STOP" };
+    req.isImpersonating = false;
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next
+    );
+
+    expect(boomForbidden.calledOnce).to.be.true;
+    expect(next.notCalled).to.be.true;
+  });
+
+  it("should call badRequest for invalid action", () => {
+    req.query = { action: "INVALID" };
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next
+    );
+
+    expect(boomBadRequest.calledOnce).to.be.true;
+    expect(boomBadRequest.firstCall.args[0]).to.equal(INVALID_ACTION_PARAM);
+    expect(next.notCalled).to.be.true;
+  });
+
+  it("should call badRequest if action is missing", () => {
+    req.query = {};
+
+    addAuthorizationForImpersonation(
+      req as ImpersonationSessionRequest,
+      res as ImpersonationRequestResponse,
+      next
+    );
+
+    expect(boomBadRequest.calledOnce).to.be.true;
+    expect(boomBadRequest.firstCall.args[0]).to.equal(INVALID_ACTION_PARAM);
+    expect(next.notCalled).to.be.true;
+  });
+});

test/unit/middlewares/authenticate.test.js

@@ -113,4 +113,88 @@ describe("Authentication Middleware", function () {
       expect(nextSpy.notCalled).to.equal(true);
     });
   });
+
+  describe("Impersonation and Refresh Logic", function () {
+    it("should allow impersonation and set userData of impersonated user", async function () {
+      const user = { id: "user123", roles: { restricted: false } };
+
+      const verifyAuthTokenStub = Sinon.stub(authService, "verifyAuthToken").returns({
+        userId: "admin",
+        impersonatedUserId: user.id,
+      });
+
+      const retrieveUsersStub = Sinon.stub(dataAccess, "retrieveUsers").resolves({ user });
+
+      req.cookies = {
+        [config.get("userToken.cookieName")]: "validToken",
+      };
+
+      req.method = "GET";
+      req.baseUrl = "/impersonation";
+      req.path = "/abc123";
+      req.query = {};
+
+      await authMiddleware(req, res, nextSpy);
+
+      expect(verifyAuthTokenStub.calledOnce).to.equal(true);
+      expect(retrieveUsersStub.calledOnce).to.equal(true);
+
+      expect(req.userData.id).to.equal(user.id);
+      expect(req.isImpersonating).to.equal(true);
+      expect(nextSpy.calledOnce).to.equal(true);
+      expect(res.boom.unauthorized.notCalled).to.equal(true);
+      expect(res.boom.forbidden.notCalled).to.equal(true);
+    });
+
+    it("should restrict all write/update type requests during impersonation", async function () {
+      req.method = "POST";
+      req.baseUrl = "/impersonation";
+      req.path = "/abc123";
+      req.query = {};
+
+      Sinon.stub(authService, "verifyAuthToken").returns({ userId: "admin", impersonatedUserId: "impUser" });
+      Sinon.stub(dataAccess, "retrieveUsers").resolves({ user: { id: "impUser", roles: {} } });
+
+      await authMiddleware(req, res, nextSpy);
+
+      expect(req.isImpersonating).to.equal(true);
+      expect(res.boom.forbidden.calledOnce).to.equal(true);
+      expect(res.boom.forbidden.firstCall.args[0]).to.include("Only viewing is permitted");
+    });
+
+    it("should allow PATCH STOP request during impersonation", async function () {
+      req.method = "PATCH";
+      req.baseUrl = "/impersonation";
+      req.path = "/randomId";
+      req.query = { action: "STOP" };
+
+      Sinon.stub(authService, "verifyAuthToken").returns({ userId: "admin", impersonatedUserId: "impUser" });
+      Sinon.stub(dataAccess, "retrieveUsers").resolves({ user: { id: "impUser", roles: {} } });
+
+      await authMiddleware(req, res, nextSpy);
+
+      expect(req.isImpersonating).to.equal(true);
+      expect(nextSpy.calledOnce).to.equal(true);
+    });
+
+    it("should refresh token if expired and within TTL", async function () {
+      const now = Math.floor(Date.now() / 1000);
+      req.cookies[config.get("userToken.cookieName")] = "expiredToken";
+
+      Sinon.stub(authService, "verifyAuthToken").throws({ name: "TokenExpiredError" });
+      Sinon.stub(authService, "decodeAuthToken").returns({
+        userId: "user123",
+        impersonatedUserId: "impUserId",
+        iat: now - 10,
+      });
+      Sinon.stub(authService, "generateAuthToken").returns("newToken");
+      Sinon.stub(dataAccess, "retrieveUsers").resolves({ user: { id: "user123", roles: {} } });
+
+      await authMiddleware(req, res, nextSpy);
+
+      expect(res.cookie.calledOnce).to.equal(true);
+      expect(res.cookie.firstCall.args[1]).to.equal("newToken");
+      expect(nextSpy.calledOnce).to.equal(true);
+    });
+  });
 });

test/unit/middlewares/impersonationRequests.test.ts

@@ -4,19 +4,20 @@ import {
   createImpersonationRequestValidator,
   getImpersonationRequestByIdValidator,
   getImpersonationRequestsValidator,
-  updateImpersonationRequestValidator
+  updateImpersonationRequestValidator,
+  impersonationSessionValidator
 } from "../../../middlewares/validators/impersonationRequests";
 import {
   CreateImpersonationRequest,
   CreateImpersonationRequestBody,
   ImpersonationRequestResponse,
   GetImpersonationControllerRequest,
+  ImpersonationSessionRequest,
   GetImpersonationRequestByIdRequest,
   UpdateImpersonationRequest,
   UpdateImpersonationRequestStatusBody,
 } from "../../../types/impersonationRequest";
 import { Request, Response } from "express";
-import { getImpersonationRequestById } from "../../../models/impersonationRequests";
 
 const { expect } = chai;
 
@@ -232,4 +233,32 @@ describe("Impersonation Request Validators", function () {
       expect(nextSpy.called).to.be.false;
     });
   });
+
+    describe("impersonationSessionValidator", function(){
+     it("should validate for a valid impersonation session request", async function () {
+      req = {
+        query: {action:"START", dev:"true"}
+      };
+      await impersonationSessionValidator(req as ImpersonationSessionRequest,res as ImpersonationRequestResponse, nextSpy);
+      expect(nextSpy.calledOnce).to.be.true;
+    });
+
+    it("should not validate for an invalid session request on missing action", async function () {
+      req = {
+        query:{action:""}
+      };
+      await impersonationSessionValidator(req as  ImpersonationSessionRequest,res as ImpersonationRequestResponse, nextSpy);
+      expect(res.boom.badRequest.calledOnce).to.be.true;
+      expect(nextSpy.called).to.be.false;
+    });
+
+    it("should invalidate if action field is not of correct type", async function () {
+      req = {
+        query:{action:"ACTIVE",dev:"true"}
+      };
+      await impersonationSessionValidator(req as ImpersonationSessionRequest,res as ImpersonationRequestResponse, nextSpy);
+      expect(res.boom.badRequest.calledOnce).to.be.true;
+      expect(nextSpy.called).to.be.false;
+    });
+  })
 });

test/unit/services/authService.test.js

@@ -28,4 +28,30 @@ describe("authService", function () {
 
     return done();
   });
+
+  describe("generateImpersonationAuthToken", function () {
+    const payload = { userId: "devUser123", impersonatedUserId: "testUser456" };
+
+    it("should generate a valid JWT with correct payload", function (done) {
+      const jwtToken = authService.generateImpersonationAuthToken(payload);
+      const decoded = authService.verifyAuthToken(jwtToken); // Assuming verifyAuthToken uses the same public key
+
+      expect(decoded).to.have.all.keys("userId", "impersonatedUserId", "iat", "exp");
+      expect(decoded.userId).to.equal(payload.userId);
+      expect(decoded.impersonatedUserId).to.equal(payload.impersonatedUserId);
+
+      return done();
+    });
+
+    it("should decode the impersonation JWT without verifying", function (done) {
+      const jwtToken = authService.generateImpersonationAuthToken(payload);
+      const decoded = authService.decodeAuthToken(jwtToken); // No signature verification
+
+      expect(decoded).to.have.all.keys("userId", "impersonatedUserId", "iat", "exp");
+      expect(decoded.userId).to.equal(payload.userId);
+      expect(decoded.impersonatedUserId).to.equal(payload.impersonatedUserId);
+
+      return done();
+    });
+  });
 });