TEST-004: Test RBAC (Role-Based Access Control)
Priority: P0 - Critical
Effort: Medium (4-6 hours)
File: src/lib/rbac.test.ts
Description
Build comprehensive test suite for Role-Based Access Control (RBAC) system to ensure secure and correct authorization behavior across all user roles. This is critical security infrastructure that must be thoroughly validated before production deployment.
Test Cases
- ✅ `requireAuth()` - authenticated users, unauthenticated users
- ✅ `requireAuth()` - session data populated correctly
- ✅ `requireRole()` - single role check, multiple roles check
- ✅ `requireRole()` - insufficient permissions return 403
- ✅ `hasRole()` - various role combinations
- ✅ `isAdmin()` - admin and non-admin users
- ✅ `isInstructorOrAdmin()` - all role types
- ✅ `canManageCourses()` - permission checks
- ✅ `canGradeAssignments()` - mentor, instructor, admin roles
- ✅ Mock NextAuth session for all tests
Acceptance Criteria
- 100% code coverage for `rbac.ts`
- All authorization paths tested (success and failure scenarios)
- Mock NextAuth session properly configured for all test cases
- Security edge cases covered (null sessions, malformed roles, privilege escalation attempts)
- All HTTP status codes verified (401 Unauthorized, 403 Forbidden, 200 OK)
- Tests run in <2 seconds
- No authentication bypasses possible
Technical Notes
- Use `jest.mock('next-auth')` or equivalent to mock authentication
- Test role hierarchy: Admin > Instructor > Mentor > Student
- Verify middleware behavior with different session states
- Include tests for role inheritance and permission cascading
- Document expected role capabilities in test comments
Security Considerations
- Ensure no authentication bypass vulnerabilities
- Test boundary conditions between role levels
- Verify session expiration handling
- Test concurrent role modifications
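As an added example that is not the project's own `src/lib/rbac.ts` (its implementation is not on this page), the sketch below models the role hierarchy and the 401/403/200 outcomes the test cases above call for, with a constructed session factory standing in for the NextAuth mock; the `Session` shape and the `canManageCourses()` policy are assumptions.

```typescript
// Added example, not the project's src/lib/rbac.ts: a minimal model of the
// role hierarchy (Admin > Instructor > Mentor > Student) and of the
// 401/403/200 outcomes the issue asks the test suite to verify.
type Role = "admin" | "instructor" | "mentor" | "student";
const RANK: Record<Role, number> = { admin: 3, instructor: 2, mentor: 1, student: 0 };

// Hypothetical NextAuth-like session shape; the real project's shape is not on the page.
interface Session { user?: { id?: string; role?: unknown } }

// Only the four known role strings count; anything else (undefined, objects,
// prototype keys such as "constructor", or "superuser") is malformed and must never pass.
function isRole(r: unknown): r is Role {
  return typeof r === "string" && Object.prototype.hasOwnProperty.call(RANK, r);
}

function hasRole(session: Session | null, ...roles: Role[]): boolean {
  const role = session?.user?.role;
  return isRole(role) && roles.includes(role);
}

// Hierarchy check: a role satisfies `minimum` when its rank is at least as high.
function hasAtLeast(session: Session | null, minimum: Role): boolean {
  const role = session?.user?.role;
  return isRole(role) && RANK[role] >= RANK[minimum];
}

function isAdmin(s: Session | null): boolean { return hasRole(s, "admin"); }
function isInstructorOrAdmin(s: Session | null): boolean { return hasAtLeast(s, "instructor"); }
function canManageCourses(s: Session | null): boolean { return isInstructorOrAdmin(s); } // assumed policy
function canGradeAssignments(s: Session | null): boolean { return hasAtLeast(s, "mentor"); }

// 401 when there is no authenticated user, 200 otherwise.
function requireAuth(session: Session | null): 200 | 401 {
  return session?.user?.id ? 200 : 401;
}

// 401 is checked before 403, so an unauthenticated caller never learns which roles exist.
function requireRole(session: Session | null, ...roles: Role[]): 200 | 401 | 403 {
  if (requireAuth(session) === 401) return 401;
  return hasRole(session, ...roles) ? 200 : 403;
}

// Constructed session factory standing in for a mocked NextAuth getServerSession().
function mockSession(role: unknown): Session {
  return { user: { id: "user-1", role } };
}
```

In the real suite each of these checks becomes one `it()` block with the session value supplied through `jest.mock('next-auth')`, so the malformed-role and null-session cases are exercised alongside the happy paths.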