MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b66e2071f9c2937e6cb4c2ccb0cbfdd7629e53e9
MOPC-Portal/tests/unit/auth-public-paths.test.ts

26 lines
900 B
TypeScript
Raw Normal View History

fix(auth): allow /lunch/pick public access for accountless external attendees The external dish-picker page is reached via a signed token by attendees who have no account. The middleware authorized() callback redirected any non allowlisted path to /login, which is a dead end for accountless users — so the picker shipped in 8d4f0ba was unreachable in prod (307 → /login). Add /lunch/pick to publicPaths; data stays gated by token verification in tRPC. Adds a regression test asserting the path is public and a protected path is not. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 12:18:10 +02:00
/**
* The external lunch dish-pick page is reached by attendees with NO account, via
* a signed token link. It MUST be in the middleware public-path allowlist, or the
* auth middleware redirects them to /login (a dead end for accountless users).
*/
import { describe, it, expect } from 'vitest'
import { authConfig } from '@/lib/auth.config'
function authorized(pathname: string, auth: unknown) {
const fn = authConfig.callbacks!.authorized!
return fn({
auth: auth as never,
request: { nextUrl: new URL(`http://localhost${pathname}`) } as never,
} as never)
}
describe('middleware public paths', () => {
it('allows the external lunch pick page without a session', () => {
expect(authorized('/lunch/pick/some.signed.token', null)).toBe(true)
})
it('blocks a protected page without a session', () => {
expect(authorized('/admin/logistics', null)).toBe(false)
})
})
Reference in New Issue Copy Permalink