Add `role: Role` to the shared `PublicUser` contract and return it from `GET /api/me` (defaulting to 'worker' when the session user has no role). This lets the planned admin app gate its UI by role; the API must still enforce role checks server-side, since the client-side gate is only a convenience. Also add the admin dev origin `http://localhost:5174` to the default `WEB_ORIGINS` (env.ts) and to `.env.example`, so the admin SPA on :5174 can reach the API at :3000 cross-origin (the same list drives both hono/cors and better-auth `trustedOrigins`).
import { describe, it, expect } from 'vitest';
import { createApp } from '../src/app';
// Dev origin of the worker SPA; expected to be in the default WEB_ORIGINS allowlist (env.ts).
const ORIGIN = 'http://localhost:5173';
// Dev origin of the admin SPA; added to the default WEB_ORIGINS allowlist (env.ts) alongside :5173.
const ADMIN_ORIGIN = 'http://localhost:5174';
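/**
 * CORS contract of the API as seen by the browser SPAs.
 *
 * Both dev origins in the default WEB_ORIGINS allowlist must pass preflight
 * and get their origin echoed back verbatim (never a wildcard). An origin
 * outside the allowlist must NOT be reflected — otherwise any third-party
 * page could read API responses cross-origin.
 */
describe('cors', () => {
  // An origin that is deliberately absent from WEB_ORIGINS.
  const DISALLOWED_ORIGIN = 'http://evil.example';

  /** Issue a CORS preflight for `/api/activities` from `origin` requesting GET. */
  const preflight = (origin: string): Promise<Response> =>
    createApp().request('/api/activities', {
      method: 'OPTIONS',
      headers: {
        Origin: origin,
        'Access-Control-Request-Method': 'GET',
      },
    });

  // Positive cases: every allowlisted origin gets its own value echoed back.
  const allowed = [
    ['SPA', ORIGIN],
    ['admin SPA', ADMIN_ORIGIN],
  ] as const;

  for (const [label, origin] of allowed) {
    it(`answers a CORS preflight for the ${label} origin`, async () => {
      const res = await preflight(origin);

      // Exact echo, not '*': a wildcard would open the API to every origin.
      expect(res.headers.get('access-control-allow-origin')).toBe(origin);

      const allowMethods = res.headers.get('access-control-allow-methods') ?? '';
      expect(allowMethods).toContain('GET');
    });
  }

  // Negative case: the allowlist must not be a reflector. We accept either no
  // header at all or some other fixed value, but never the caller's origin
  // and never a wildcard.
  it('does not reflect an origin outside WEB_ORIGINS', async () => {
    const res = await preflight(DISALLOWED_ORIGIN);

    const allowOrigin = res.headers.get('access-control-allow-origin');
    expect(allowOrigin).not.toBe(DISALLOWED_ORIGIN);
    expect(allowOrigin).not.toBe('*');
  });

  // The auth token is delivered in a response header; the browser only lets
  // the SPA read it if it is listed in Access-Control-Expose-Headers.
  it('exposes set-auth-token to the SPA origin', async () => {
    const app = createApp();

    const res = await app.request('/api/activities', {
      headers: { Origin: ORIGIN },
    });

    const expose = (res.headers.get('access-control-expose-headers') ?? '').toLowerCase();
    expect(expose).toContain('set-auth-token');
  });
});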