Files
simstudioai--sim/apps/sim/lib/invitations/direct-grant.test.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

215 lines
7.5 KiB
TypeScript

/**
* @vitest-environment node
*/
import {
auditMock,
auditMockFns,
dbChainMock,
dbChainMockFns,
resetDbChainMock,
} from '@sim/testing'
import { beforeEach, describe, expect, it, vi } from 'vitest'
const {
mockGetUserOrganization,
mockSyncWorkspaceEnvCredentials,
mockCancelPendingInvitation,
mockSendWorkspaceAddedEmail,
mockCaptureServerEvent,
mockWorkspaceMemberAdded,
} = vi.hoisted(() => ({
mockGetUserOrganization: vi.fn(),
mockSyncWorkspaceEnvCredentials: vi.fn(),
mockCancelPendingInvitation: vi.fn(),
mockSendWorkspaceAddedEmail: vi.fn(),
mockCaptureServerEvent: vi.fn(),
mockWorkspaceMemberAdded: vi.fn(),
}))
vi.mock('@sim/db', () => dbChainMock)
vi.mock('@sim/audit', () => auditMock)
vi.mock('@/lib/billing/organizations/membership', () => ({
getUserOrganization: mockGetUserOrganization,
}))
vi.mock('@/lib/core/telemetry', () => ({
PlatformEvents: { workspaceMemberAdded: mockWorkspaceMemberAdded },
}))
vi.mock('@/lib/credentials/environment', () => ({
syncWorkspaceEnvCredentials: mockSyncWorkspaceEnvCredentials,
}))
vi.mock('@/lib/invitations/send', () => ({
cancelPendingInvitation: mockCancelPendingInvitation,
sendWorkspaceAddedEmail: mockSendWorkspaceAddedEmail,
}))
vi.mock('@/lib/posthog/server', () => ({
captureServerEvent: mockCaptureServerEvent,
}))
import { grantWorkspaceAccessDirectly, isSameOrgMember } from '@/lib/invitations/direct-grant'
/**
* Drives `db.select().from().where()` results in call order. Both an awaited
* `where()` and a chained `.limit()` resolve to the same per-call value.
*/
function queueWhereResponses(responses: unknown[][]) {
const queue = [...responses]
dbChainMockFns.where.mockImplementation(() => {
const result = queue.shift() ?? []
const thenable = Promise.resolve(result) as Promise<unknown[]> & {
limit: ReturnType<typeof vi.fn>
orderBy: ReturnType<typeof vi.fn>
returning: ReturnType<typeof vi.fn>
groupBy: ReturnType<typeof vi.fn>
}
thenable.limit = vi.fn(() => Promise.resolve(result))
thenable.orderBy = vi.fn(() => Promise.resolve(result))
thenable.returning = vi.fn(() => Promise.resolve(result))
thenable.groupBy = vi.fn(() => Promise.resolve(result))
return thenable as ReturnType<typeof dbChainMockFns.where>
})
}
const baseInput = {
userId: 'user-2',
email: 'Member@Example.com',
workspaceId: 'ws-1',
workspaceName: 'Workspace 1',
permission: 'write' as const,
organizationId: 'org-1',
actorId: 'user-1',
actorName: 'Owner',
actorEmail: 'owner@example.com',
}
describe('grantWorkspaceAccessDirectly', () => {
beforeEach(() => {
vi.clearAllMocks()
resetDbChainMock()
mockSendWorkspaceAddedEmail.mockResolvedValue({ success: true })
// Insert path reports the new row via `.returning()`.
dbChainMockFns.returning.mockResolvedValue([{ id: 'perm-new' }])
})
it('inserts a permission row when the user has no existing access', async () => {
const result = await grantWorkspaceAccessDirectly({ ...baseInput })
expect(result).toEqual({ outcome: 'added', permission: 'write' })
expect(dbChainMockFns.insert).toHaveBeenCalled()
expect(dbChainMockFns.update).not.toHaveBeenCalled()
expect(auditMockFns.mockRecordAudit).toHaveBeenCalledWith(
expect.objectContaining({ action: 'member.added', resourceId: 'ws-1' })
)
expect(mockWorkspaceMemberAdded).toHaveBeenCalledWith(
expect.objectContaining({ workspaceId: 'ws-1' })
)
expect(mockSendWorkspaceAddedEmail).toHaveBeenCalledWith(
expect.objectContaining({ email: 'member@example.com', workspaceId: 'ws-1' })
)
})
it('reports unchanged (no audit/email) when a concurrent insert wins the race', async () => {
dbChainMockFns.returning.mockResolvedValueOnce([])
const result = await grantWorkspaceAccessDirectly({ ...baseInput })
expect(result).toEqual({ outcome: 'unchanged', permission: 'write' })
expect(dbChainMockFns.insert).toHaveBeenCalled()
expect(auditMockFns.mockRecordAudit).not.toHaveBeenCalled()
expect(mockWorkspaceMemberAdded).not.toHaveBeenCalled()
expect(mockSendWorkspaceAddedEmail).not.toHaveBeenCalled()
})
it('does not upgrade an existing lower permission (invites never modify access)', async () => {
dbChainMockFns.limit.mockResolvedValueOnce([{ id: 'perm-1', permissionType: 'read' }])
const result = await grantWorkspaceAccessDirectly({ ...baseInput, permission: 'admin' })
expect(result).toEqual({ outcome: 'unchanged', permission: 'read' })
expect(dbChainMockFns.update).not.toHaveBeenCalled()
expect(dbChainMockFns.insert).not.toHaveBeenCalled()
expect(auditMockFns.mockRecordAudit).not.toHaveBeenCalled()
expect(mockSendWorkspaceAddedEmail).not.toHaveBeenCalled()
})
it('no-ops when the user already has access', async () => {
dbChainMockFns.limit.mockResolvedValueOnce([{ id: 'perm-1', permissionType: 'admin' }])
const result = await grantWorkspaceAccessDirectly({ ...baseInput, permission: 'write' })
expect(result).toEqual({ outcome: 'unchanged', permission: 'admin' })
expect(dbChainMockFns.insert).not.toHaveBeenCalled()
expect(dbChainMockFns.update).not.toHaveBeenCalled()
expect(auditMockFns.mockRecordAudit).not.toHaveBeenCalled()
expect(mockWorkspaceMemberAdded).not.toHaveBeenCalled()
expect(mockSendWorkspaceAddedEmail).not.toHaveBeenCalled()
})
it('skips the email when notify is false', async () => {
const result = await grantWorkspaceAccessDirectly({ ...baseInput, notify: false })
expect(result.outcome).toBe('added')
expect(auditMockFns.mockRecordAudit).toHaveBeenCalled()
expect(mockSendWorkspaceAddedEmail).not.toHaveBeenCalled()
})
it('syncs workspace env credentials when env variables exist', async () => {
dbChainMockFns.limit
.mockResolvedValueOnce([]) // existing permission lookup
.mockResolvedValueOnce([{ variables: { API_KEY: 'x', BASE_URL: 'y' } }]) // env lookup
await grantWorkspaceAccessDirectly({ ...baseInput })
expect(mockSyncWorkspaceEnvCredentials).toHaveBeenCalledWith(
expect.objectContaining({
workspaceId: 'ws-1',
actingUserId: 'user-2',
envKeys: ['API_KEY', 'BASE_URL'],
})
)
})
it('supersedes lingering pending workspace invitations for the same email', async () => {
queueWhereResponses([
[], // existing permission lookup (transaction)
[{ invitationId: 'old-inv' }], // supersede lookup
[], // env lookup
])
await grantWorkspaceAccessDirectly({ ...baseInput })
expect(mockCancelPendingInvitation).toHaveBeenCalledWith('old-inv')
})
})
describe('isSameOrgMember', () => {
beforeEach(() => {
vi.clearAllMocks()
resetDbChainMock()
})
it('returns false when the workspace has no organization', async () => {
expect(await isSameOrgMember('user-2', null)).toBe(false)
expect(mockGetUserOrganization).not.toHaveBeenCalled()
})
it('returns false when the user belongs to no organization', async () => {
mockGetUserOrganization.mockResolvedValueOnce(null)
expect(await isSameOrgMember('user-2', 'org-1')).toBe(false)
})
it('returns true when the user belongs to the workspace organization', async () => {
mockGetUserOrganization.mockResolvedValueOnce({ organizationId: 'org-1', role: 'member' })
expect(await isSameOrgMember('user-2', 'org-1')).toBe(true)
})
it('returns false when the user belongs to a different organization', async () => {
mockGetUserOrganization.mockResolvedValueOnce({ organizationId: 'org-2', role: 'member' })
expect(await isSameOrgMember('user-2', 'org-1')).toBe(false)
})
})