feat(auth): add auth guard in hooks.server.ts with session validation

Validates session cookie via GET /v1/auth/me, populates event.locals with benutzer and haushalt, redirects to /login if unauthenticated. Public routes (/login, /register, /invite) bypass auth. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 13:19:40 +02:00
parent cfe38c39aa
commit 7a17873046
3 changed files with 161 additions and 0 deletions
--- a/frontend/src/hooks.server.test.ts
+++ b/frontend/src/hooks.server.test.ts
@@ -0,0 +1,96 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// Mock $env/dynamic/private before importing anything
+vi.mock('$env/dynamic/private', () => ({
+	env: { BACKEND_URL: 'http://localhost:8080' }
+}));
+
+// Mock the apiClient
+const mockGet = vi.fn();
+vi.mock('$lib/server/api', () => ({
+	apiClient: () => ({ GET: mockGet })
+}));
+
+describe('auth guard (hooks.server.ts handle)', () => {
+	let handle: any;
+
+	beforeEach(async () => {
+		mockGet.mockReset();
+		const mod = await import('./hooks.server');
+		handle = mod.handle;
+	});
+
+	function createEvent(pathname: string, cookie?: string) {
+		const resolve = vi.fn().mockResolvedValue(new Response('ok'));
+		const event = {
+			url: new URL(`http://localhost${pathname}`),
+			cookies: {
+				get: vi.fn().mockReturnValue(cookie)
+			},
+			locals: {} as any,
+			fetch: vi.fn()
+		};
+		return { event, resolve };
+	}
+
+	it('allows public routes without auth', async () => {
+		const { event, resolve } = createEvent('/login');
+		await handle({ event, resolve });
+		expect(resolve).toHaveBeenCalledWith(event);
+	});
+
+	it('redirects unauthenticated requests on protected routes', async () => {
+		const { event, resolve } = createEvent('/planner');
+		try {
+			await handle({ event, resolve });
+			// If using SvelteKit redirect, it throws
+			expect.unreachable();
+		} catch (e: any) {
+			expect(e.status).toBe(302);
+			expect(e.location).toBe('/login');
+		}
+	});
+
+	it('populates event.locals.benutzer on valid session', async () => {
+		mockGet.mockResolvedValue({
+			data: {
+				data: {
+					id: '123',
+					displayName: 'Max',
+					householdId: 'h1',
+					householdName: 'Familie Müller',
+					householdRole: 'planer',
+					email: 'max@example.com',
+					systemRole: 'user'
+				}
+			},
+			error: undefined
+		});
+
+		const { event, resolve } = createEvent('/planner', 'valid-session');
+		await handle({ event, resolve });
+		expect(event.locals.benutzer).toEqual({
+			id: '123',
+			name: 'Max',
+			rolle: 'planer'
+		});
+		expect(event.locals.haushalt).toEqual({
+			id: 'h1',
+			name: 'Familie Müller'
+		});
+		expect(resolve).toHaveBeenCalledWith(event);
+	});
+
+	it('redirects to /login when session validation fails', async () => {
+		mockGet.mockResolvedValue({ data: undefined, error: { status: 401 } });
+
+		const { event, resolve } = createEvent('/planner', 'bad-session');
+		try {
+			await handle({ event, resolve });
+			expect.unreachable();
+		} catch (e: any) {
+			expect(e.status).toBe(302);
+			expect(e.location).toBe('/login');
+		}
+	});
+});