tests/unit/auth-public-paths.test.ts

/**
 * The external lunch dish-pick page is reached by attendees with NO account, via
 * a signed token link. It MUST be in the middleware public-path allowlist, or the
 * auth middleware redirects them to /login (a dead end for accountless users).
 */
import { describe, it, expect } from 'vitest'
import { authConfig } from '@/lib/auth.config'

function authorized(pathname: string, auth: unknown) {
  const fn = authConfig.callbacks!.authorized!
  return fn({
    auth: auth as never,
    request: { nextUrl: new URL(`http://localhost${pathname}`) } as never,
  } as never)
}

describe('middleware public paths', () => {
  it('allows the external lunch pick page without a session', () => {
    expect(authorized('/lunch/pick/some.signed.token', null)).toBe(true)
  })

  it('blocks a protected page without a session', () => {
    expect(authorized('/admin/logistics', null)).toBe(false)
  })

  // Grand finale: audience QR voting, public scoreboard, and the big-screen
  // ceremony view are all reached by attendees with NO account.
  it('allows audience voting pages without a session', () => {
    expect(authorized('/vote/competition/round123', null)).toBe(true)
    expect(authorized('/vote/session456', null)).toBe(true)
  })

  it('allows the public live scoreboard without a session', () => {
    expect(authorized('/live-scores/session456', null)).toBe(true)
  })

  it('allows the big-screen ceremony view without a session', () => {
    expect(authorized('/live/ceremony/round123', null)).toBe(true)
  })

  it('keeps jury and admin live surfaces private', () => {
    expect(authorized('/jury/competitions/round123/live', null)).toBe(false)
    expect(authorized('/admin', null)).toBe(false)
  })
})
fix(auth): allow /lunch/pick public access for accountless external attendees The external dish-picker page is reached via a signed token by attendees who have no account. The middleware authorized() callback redirected any non allowlisted path to /login, which is a dead end for accountless users — so the picker shipped in 8d4f0ba was unreachable in prod (307 → /login). Add /lunch/pick to publicPaths; data stays gated by token verification in tRPC. Adds a regression test asserting the path is public and a protected path is not. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-05 12:18:10 +02:00			`/**`
			`* The external lunch dish-pick page is reached by attendees with NO account, via`
			`* a signed token link. It MUST be in the middleware public-path allowlist, or the`
			`* auth middleware redirects them to /login (a dead end for accountless users).`
			`*/`
			`import { describe, it, expect } from 'vitest'`
			`import { authConfig } from '@/lib/auth.config'`

			`function authorized(pathname: string, auth: unknown) {`
			`const fn = authConfig.callbacks!.authorized!`
			`return fn({`
			`auth: auth as never,`
			request: { nextUrl: new URL(`http://localhost${pathname}`) } as never,
			`} as never)`
			`}`

			`describe('middleware public paths', () => {`
			`it('allows the external lunch pick page without a session', () => {`
			`expect(authorized('/lunch/pick/some.signed.token', null)).toBe(true)`
			`})`

			`it('blocks a protected page without a session', () => {`
			`expect(authorized('/admin/logistics', null)).toBe(false)`
			`})`
fix(auth): make audience vote, live-scores and ceremony routes public Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 18:02:08 +02:00
			`// Grand finale: audience QR voting, public scoreboard, and the big-screen`
			`// ceremony view are all reached by attendees with NO account.`
			`it('allows audience voting pages without a session', () => {`
			`expect(authorized('/vote/competition/round123', null)).toBe(true)`
			`expect(authorized('/vote/session456', null)).toBe(true)`
			`})`

			`it('allows the public live scoreboard without a session', () => {`
			`expect(authorized('/live-scores/session456', null)).toBe(true)`
			`})`

			`it('allows the big-screen ceremony view without a session', () => {`
			`expect(authorized('/live/ceremony/round123', null)).toBe(true)`
			`})`

			`it('keeps jury and admin live surfaces private', () => {`
			`expect(authorized('/jury/competitions/round123/live', null)).toBe(false)`
			`expect(authorized('/admin', null)).toBe(false)`
			`})`
fix(auth): allow /lunch/pick public access for accountless external attendees The external dish-picker page is reached via a signed token by attendees who have no account. The middleware authorized() callback redirected any non allowlisted path to /login, which is a dead end for accountless users — so the picker shipped in 8d4f0ba was unreachable in prod (307 → /login). Add /lunch/pick to publicPaths; data stays gated by token verification in tRPC. Adds a regression test asserting the path is public and a protected path is not. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-05 12:18:10 +02:00			`})`