feat: add public access security tests for CRUD endpoints

Artuomka · Artuomka · commit c46c0377e7ec · 2026-06-16T07:28:41.000Z
diff --git a/backend/test/ava-tests/non-saas-tests/non-saas-table-pure-crud-operations-e2e.test.ts b/backend/test/ava-tests/non-saas-tests/non-saas-table-pure-crud-operations-e2e.test.ts
@@ -545,3 +545,132 @@ test.serial(`${currentTest} GET public-permissions returns the configured tables
 	t.truthy(tableEntry);
 	t.deepEqual(tableEntry.readableColumns, [testTableColumnName]);
 });
+
+currentTest = 'Public access security invariants';
+
+test.serial(
+	`${currentTest} EVERY CRUD endpoint denies an unauthenticated user when no public policy is configured`,
+	async (t) => {
+		const { connectionId, testTableName, testTableColumnName, testTableSecondColumnName } =
+			await createConnectionAndTable();
+
+		const row = JSON.stringify({
+			[testTableColumnName]: faker.person.firstName(),
+			[testTableSecondColumnName]: faker.internet.email(),
+		});
+
+		// getRows
+		const getRows = await request(app.getHttpServer())
+			.post(`/table/crud/rows/${connectionId}?tableName=${testTableName}&page=1&perPage=100`)
+			.send({})
+			.set('Content-Type', 'application/json')
+			.set('Accept', 'application/json');
+		t.is(getRows.status, 403);
+		t.is(Object.hasOwn(JSON.parse(getRows.text), 'rows'), false);
+
+		// readRow by primary key
+		const readRow = await request(app.getHttpServer())
+			.get(`/table/crud/${connectionId}?tableName=${testTableName}&id=1`)
+			.set('Content-Type', 'application/json')
+			.set('Accept', 'application/json');
+		t.is(readRow.status, 403);
+		t.is(Object.hasOwn(JSON.parse(readRow.text), 'row'), false);
+
+		// createRow
+		const createRow = await request(app.getHttpServer())
+			.post(`/table/crud/${connectionId}?tableName=${testTableName}`)
+			.send(row)
+			.set('Content-Type', 'application/json')
+			.set('Accept', 'application/json');
+		t.is(createRow.status, 403);
+
+		// updateRow
+		const updateRow = await request(app.getHttpServer())
+			.put(`/table/crud/${connectionId}?tableName=${testTableName}&id=1`)
+			.send(row)
+			.set('Content-Type', 'application/json')
+			.set('Accept', 'application/json');
+		t.is(updateRow.status, 403);
+
+		// deleteRow
+		const deleteRow = await request(app.getHttpServer())
+			.delete(`/table/crud/${connectionId}?tableName=${testTableName}&id=1`)
+			.set('Content-Type', 'application/json')
+			.set('Accept', 'application/json');
+		t.is(deleteRow.status, 403);
+	},
+);
+
+test.serial(`${currentTest} a public policy scoped to one table does NOT grant access to other tables`, async (t) => {
+	const { token, connectionId, testTableName } = await createConnectionAndTable();
+
+	// A second table living in the same database (same connection).
+	const connectionToTestDB = getTestData(mockFactory).connectionToMySQL;
+	const secondTable = await createTestTable(connectionToTestDB);
+	testTables.push(secondTable.testTableName);
+
+	// Grant public access to the FIRST table only.
+	const setRes = await setPublicPermissions(connectionId, token, [{ tableName: testTableName }]);
+	t.is(setRes.status, 200);
+
+	// The granted table is reachable...
+	const allowed = await request(app.getHttpServer())
+		.post(`/table/crud/rows/${connectionId}?tableName=${testTableName}&page=1&perPage=10`)
+		.send({})
+		.set('Content-Type', 'application/json')
+		.set('Accept', 'application/json');
+	t.is(allowed.status, 200);
+
+	// ...but the OTHER table must not be: no row data may leak.
+	const deniedRows = await request(app.getHttpServer())
+		.post(`/table/crud/rows/${connectionId}?tableName=${secondTable.testTableName}&page=1&perPage=10`)
+		.send({})
+		.set('Content-Type', 'application/json')
+		.set('Accept', 'application/json');
+	t.is(deniedRows.status, 403);
+	t.is(Object.hasOwn(JSON.parse(deniedRows.text), 'rows'), false);
+
+	const deniedRead = await request(app.getHttpServer())
+		.get(`/table/crud/${connectionId}?tableName=${secondTable.testTableName}&id=1`)
+		.set('Content-Type', 'application/json')
+		.set('Accept', 'application/json');
+	t.is(deniedRead.status, 403);
+});
+
+test.serial(`${currentTest} readRow strips non-readable columns for an unauthenticated user`, async (t) => {
+	const { token, connectionId, testTableName, testTableColumnName, testTableSecondColumnName } =
+		await createConnectionAndTable();
+
+	await setPublicPermissions(connectionId, token, [
+		{ tableName: testTableName, readableColumns: [testTableColumnName] },
+	]);
+
+	const res = await request(app.getHttpServer())
+		.get(`/table/crud/${connectionId}?tableName=${testTableName}&id=1`)
+		.set('Content-Type', 'application/json')
+		.set('Accept', 'application/json');
+
+	t.is(res.status, 200);
+	const ro = JSON.parse(res.text);
+	t.is(Object.hasOwn(ro.row, testTableColumnName), true);
+	t.is(Object.hasOwn(ro.row, testTableSecondColumnName), false);
+	t.is(Object.hasOwn(ro.row, 'id'), false);
+});
+
+test.serial(`${currentTest} an invalid/expired JWT cookie is rejected, never treated as public`, async (t) => {
+	const { connectionId, token, testTableName } = await createConnectionAndTable();
+	// Enable public access so that, if the bad token were silently ignored, the request would succeed.
+	await setPublicPermissions(connectionId, token, [{ tableName: testTableName }]);
+
+	const res = await request(app.getHttpServer())
+		.post(`/table/crud/rows/${connectionId}?tableName=${testTableName}&page=1&perPage=10`)
+		.send({})
+		.set('Cookie', ['rocketadmin_cookie=this.is.not.a.valid.jwt'])
+		.set('Content-Type', 'application/json')
+		.set('Accept', 'application/json');
+
+	// A malformed credential must be rejected, never silently downgraded to public access.
+	// (The existing middleware surfaces this as a 4xx/5xx; the invariant is "not 200, no data leaked".)
+	t.not(res.status, 200);
+	t.is(Object.hasOwn(JSON.parse(res.text), 'rows'), false);
+});
