46 lines
1.7 KiB
TypeScript
46 lines
1.7 KiB
TypeScript
/**
|
|
* The external lunch dish-pick page is reached by attendees with NO account, via
|
|
* a signed token link. It MUST be in the middleware public-path allowlist, or the
|
|
* auth middleware redirects them to /login (a dead end for accountless users).
|
|
*/
|
|
import { describe, it, expect } from 'vitest'
|
|
import { authConfig } from '@/lib/auth.config'
|
|
|
|
function authorized(pathname: string, auth: unknown) {
|
|
const fn = authConfig.callbacks!.authorized!
|
|
return fn({
|
|
auth: auth as never,
|
|
request: { nextUrl: new URL(`http://localhost${pathname}`) } as never,
|
|
} as never)
|
|
}
|
|
|
|
describe('middleware public paths', () => {
|
|
it('allows the external lunch pick page without a session', () => {
|
|
expect(authorized('/lunch/pick/some.signed.token', null)).toBe(true)
|
|
})
|
|
|
|
it('blocks a protected page without a session', () => {
|
|
expect(authorized('/admin/logistics', null)).toBe(false)
|
|
})
|
|
|
|
// Grand finale: audience QR voting, public scoreboard, and the big-screen
|
|
// ceremony view are all reached by attendees with NO account.
|
|
it('allows audience voting pages without a session', () => {
|
|
expect(authorized('/vote/competition/round123', null)).toBe(true)
|
|
expect(authorized('/vote/session456', null)).toBe(true)
|
|
})
|
|
|
|
it('allows the public live scoreboard without a session', () => {
|
|
expect(authorized('/live-scores/session456', null)).toBe(true)
|
|
})
|
|
|
|
it('allows the big-screen ceremony view without a session', () => {
|
|
expect(authorized('/live/ceremony/round123', null)).toBe(true)
|
|
})
|
|
|
|
it('keeps jury and admin live surfaces private', () => {
|
|
expect(authorized('/jury/competitions/round123/live', null)).toBe(false)
|
|
expect(authorized('/admin', null)).toBe(false)
|
|
})
|
|
})
|