diff --git a/src/auth-providers/apply.test.ts b/src/auth-providers/apply.test.ts index 76cefb9..74024fd 100644 --- a/src/auth-providers/apply.test.ts +++ b/src/auth-providers/apply.test.ts @@ -1,5 +1,5 @@ import { describe, expect, it } from 'vitest'; -import { extractEnvKeys, filterCollidingEnvLines } from './apply.js'; +import { extractEnvKeys, extractEnvPairs, filterCollidingEnvLines, refreshStaleEnvDefaults } from './apply.js'; describe('extractEnvKeys', () => { it('finds plain KEY=value lines', () => { @@ -45,3 +45,81 @@ describe('filterCollidingEnvLines', () => { expect(filtered).toBe(append); }); }); + +describe('extractEnvPairs', () => { + it('returns KEY → value pairs', () => { + const m = extractEnvPairs('FOO=1\nBAR=hello world\n'); + expect(m.get('FOO')).toBe('1'); + expect(m.get('BAR')).toBe('hello world'); + }); + it('preserves URL-style values verbatim', () => { + const m = extractEnvPairs('DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/insforge\n'); + expect(m.get('DATABASE_URL')).toBe('postgresql://postgres:postgres@127.0.0.1:5432/insforge'); + }); +}); + +describe('refreshStaleEnvDefaults', () => { + it('replaces user value when it matches manifest default and platform has real value', () => { + const existing = 'DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/insforge\nFOO=keep-me\n'; + const defaults = new Map([ + ['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'], + ]); + const platform = new Map([ + ['DATABASE_URL', 'postgresql://postgres:secret@cloud.host:5432/db?sslmode=require'], + ]); + const { updated, refreshed } = refreshStaleEnvDefaults(existing, defaults, platform); + expect(refreshed).toEqual(['DATABASE_URL']); + expect(updated).toContain('DATABASE_URL=postgresql://postgres:secret@cloud.host:5432/db?sslmode=require'); + expect(updated).not.toContain('127.0.0.1'); + expect(updated).toContain('FOO=keep-me'); + }); + + it('preserves user value when it differs from the manifest default', () => { + const existing = 'DATABASE_URL=postgresql://customized@host/db\n'; + const defaults = new Map([ + ['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'], + ]); + const platform = new Map([ + ['DATABASE_URL', 'postgresql://cloud@host/db?sslmode=require'], + ]); + const { updated, refreshed } = refreshStaleEnvDefaults(existing, defaults, platform); + expect(refreshed).toEqual([]); + expect(updated).toContain('postgresql://customized@host/db'); + }); + + it('skips refresh when platform has no real value (self-hosted, helper returned null)', () => { + const existing = 'DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/insforge\n'; + const defaults = new Map([ + ['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'], + ]); + const platform = new Map([ + ['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'], + ]); + const { updated, refreshed } = refreshStaleEnvDefaults(existing, defaults, platform); + expect(refreshed).toEqual([]); + expect(updated).toBe(existing); + }); + + it('handles multiple keys, refreshing only the stale ones', () => { + const existing = [ + 'DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/insforge', + 'BETTER_AUTH_SECRET=user-set-this-already', + 'INSFORGE_JWT_SECRET=replace-with-output-of-cli-secrets-get-JWT_SECRET', + ].join('\n') + '\n'; + const defaults = new Map([ + ['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'], + ['BETTER_AUTH_SECRET', 'replace-with-32-random-bytes'], + ['INSFORGE_JWT_SECRET', 'replace-with-output-of-cli-secrets-get-JWT_SECRET'], + ]); + const platform = new Map([ + ['DATABASE_URL', 'postgresql://cloud@host/db?sslmode=require'], + ['BETTER_AUTH_SECRET', 'random-bytes-1234'], + ['INSFORGE_JWT_SECRET', 'real-jwt-secret-from-platform'], + ]); + const { updated, refreshed } = refreshStaleEnvDefaults(existing, defaults, platform); + expect(refreshed.sort()).toEqual(['DATABASE_URL', 'INSFORGE_JWT_SECRET']); + expect(updated).toContain('DATABASE_URL=postgresql://cloud@host/db?sslmode=require'); + expect(updated).toContain('BETTER_AUTH_SECRET=user-set-this-already'); + expect(updated).toContain('INSFORGE_JWT_SECRET=real-jwt-secret-from-platform'); + }); +});