test(it): add JWT auth for PostgREST mutation access control (#1875)

ekremney · claude · web-flow · commit d8254f5ac4c7 · 2026-02-27T18:53:35.000+01:00
## Summary Adapts IT tests for [mysticat-data-service PR #92](adobe/mysticat-data-service#92) which introduces the `postgrest_writer` role for JWT-based mutation access control. - Add `postgrest-jwt.js` utility for HS256 JWT generation (mirrors `_make_jwt()` from mysticat-data-service) - Configure `PGRST_JWT_SECRET` in docker-compose.yml - Pass `POSTGREST_API_KEY` to dev server for postgres mode - Bump mysticat-data-service image to v1.13.0 After this change, DELETE and UPDATE operations through PostgREST require JWT authentication, while SELECT and INSERT remain anonymous. ## Test plan - [x] PostgreSQL IT tests pass (277 passing) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/test/it/env.js b/test/it/env.js
@@ -10,6 +10,8 @@
  * governing permissions and limitations under the License.
  */
 
+import { POSTGREST_WRITER_JWT } from './shared/postgrest-jwt.js';
+
 /**
  * Builds the full mandatory env matrix for the IT dev server.
  *
@@ -77,6 +79,7 @@ export function buildEnv(mode, publicKeyB64) {
       DATA_SERVICE_PROVIDER: 'postgres',
       POSTGREST_URL: 'http://localhost:3300',
       POSTGREST_SCHEMA: 'public',
+      POSTGREST_API_KEY: POSTGREST_WRITER_JWT,
     });
   }
 
diff --git a/test/it/postgres/docker-compose.yml b/test/it/postgres/docker-compose.yml
@@ -26,7 +26,7 @@ services:
       retries: 30
 
   data-service:
-    image: 682033462621.dkr.ecr.us-east-1.amazonaws.com/mysticat-data-service:v1.11.0
+    image: 682033462621.dkr.ecr.us-east-1.amazonaws.com/mysticat-data-service:v1.13.0
     container_name: spacecat-it-data-service
     depends_on:
       db:
@@ -39,6 +39,7 @@ services:
       PGRST_DB_ANON_ROLE: postgrest_anon
       PGRST_DB_EXTRA_SEARCH_PATH: ""
       PGRST_LOG_LEVEL: warn
+      PGRST_JWT_SECRET: local-dev-jwt-secret-for-postgrest-only
       PGRST_ADMIN_SERVER_PORT: 3001
       PGRST_OPENAPI_SERVER_PROXY_URI: "http://localhost:${IT_POSTGREST_PORT:-3300}"
     command: ["sh", "-c", "dbmate -d db/migrations up && exec postgrest"]
diff --git a/test/it/shared/postgrest-jwt.js b/test/it/shared/postgrest-jwt.js
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+/**
+ * PostgREST JWT utilities for IT tests.
+ *
+ * Creates minimal HS256 JWTs for PostgREST authentication.
+ * Mirrors the _make_jwt() function from mysticat-data-service/tests/conftest.py
+ *
+ * After PR #92 (postgrest_writer role), DELETE and UPDATE operations require
+ * JWT authentication. The dev server uses POSTGREST_API_KEY to authenticate
+ * to PostgREST via @adobe/spacecat-shared-data-access.
+ */
+
+import crypto from 'crypto';
+
+// Must match PGRST_JWT_SECRET in docker-compose.yml
+export const POSTGREST_JWT_SECRET = 'local-dev-jwt-secret-for-postgrest-only';
+
+/**
+ * Base64url encode (RFC 4648 §5).
+ * @param {string|Buffer} data - Data to encode
+ * @returns {string} Base64url-encoded string
+ */
+function base64url(data) {
+  const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+  return buf
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+}
+
+/**
+ * Creates a minimal HS256 JWT for PostgREST authentication.
+ *
+ * @param {string} secret - JWT secret (must match PGRST_JWT_SECRET)
+ * @param {string} role - PostgreSQL role to assume (e.g., 'postgrest_writer')
+ * @returns {string} Signed JWT token
+ */
+export function makePostgrestJwt(secret, role) {
+  const header = base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+  const payload = base64url(JSON.stringify({ role }));
+  const signature = base64url(
+    crypto.createHmac('sha256', secret)
+      .update(`${header}.${payload}`)
+      .digest(),
+  );
+  return `${header}.${payload}.${signature}`;
+}
+
+/**
+ * Pre-generated JWT for postgrest_writer role.
+ * Used by the dev server to authenticate DELETE/UPDATE operations to PostgREST.
+ */
+export const POSTGREST_WRITER_JWT = makePostgrestJwt(
+  POSTGREST_JWT_SECRET,
+  'postgrest_writer',
+);

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@`
`10`	`10`	`* governing permissions and limitations under the License.`
`11`	`11`	`*/`
`12`	`12`
	`13`	`+import { POSTGREST_WRITER_JWT } from './shared/postgrest-jwt.js';`
	`14`	`+`
`13`	`15`	`/**`
`14`	`16`	`* Builds the full mandatory env matrix for the IT dev server.`
`15`	`17`	`*`
`@@ -77,6 +79,7 @@ export function buildEnv(mode, publicKeyB64) {`
`77`	`79`	`DATA_SERVICE_PROVIDER: 'postgres',`
`78`	`80`	`POSTGREST_URL: 'http://localhost:3300',`
`79`	`81`	`POSTGREST_SCHEMA: 'public',`
	`82`	`+ POSTGREST_API_KEY: POSTGREST_WRITER_JWT,`
`80`	`83`	`});`
`81`	`84`	`}`
`82`	`85`