refactor: share shared auth scope assertion

2026-03-13 19:12:09 +00:00 · 2026-03-13 19:12:09 +00:00 · feba7ea8fd
parent 3a21f8b1e3
commit feba7ea8fd
1 changed files with 23 additions and 30 deletions
--- a/src/gateway/server.auth.compat-baseline.test.ts
+++ b/src/gateway/server.auth.compat-baseline.test.ts
@ -34,6 +34,27 @@ function expectAuthErrorDetails(params: {
  }
 }

+async function expectSharedOperatorScopesCleared(
+  port: number,
+  auth: { token?: string; password?: string },
+) {
+  const ws = await openWs(port);
+  try {
+    const res = await connectReq(ws, {
+      ...auth,
+      scopes: ["operator.admin"],
+      device: null,
+    });
+    expect(res.ok).toBe(true);
+
+    const adminRes = await rpcReq(ws, "set-heartbeats", { enabled: false });
+    expect(adminRes.ok).toBe(false);
+    expect(adminRes.error?.message).toBe("missing scope: operator.admin");
+  } finally {
+    ws.close();
+  }
+}
+
 describe("gateway auth compatibility baseline", () => {
  describe("token mode", () => {
    let server: Awaited<ReturnType<typeof startGatewayServer>>;
@ -64,21 +85,7 @@ describe("gateway auth compatibility baseline", () => {
    });

    test("clears client-declared scopes for shared-token operator connects", async () => {
-      const ws = await openWs(port);
-      try {
-        const res = await connectReq(ws, {
-          token: "secret",
-          scopes: ["operator.admin"],
-          device: null,
-        });
-        expect(res.ok).toBe(true);
-
-        const adminRes = await rpcReq(ws, "set-heartbeats", { enabled: false });
-        expect(adminRes.ok).toBe(false);
-        expect(adminRes.error?.message).toBe("missing scope: operator.admin");
-      } finally {
-        ws.close();
-      }
+      await expectSharedOperatorScopesCleared(port, { token: "secret" });
    });

    test("returns stable token-missing details for control ui without token", async () => {
@ -184,21 +191,7 @@ describe("gateway auth compatibility baseline", () => {
    });

    test("clears client-declared scopes for shared-password operator connects", async () => {
-      const ws = await openWs(port);
-      try {
-        const res = await connectReq(ws, {
-          password: "secret",
-          scopes: ["operator.admin"],
-          device: null,
-        });
-        expect(res.ok).toBe(true);
-
-        const adminRes = await rpcReq(ws, "set-heartbeats", { enabled: false });
-        expect(adminRes.ok).toBe(false);
-        expect(adminRes.error?.message).toBe("missing scope: operator.admin");
-      } finally {
-        ws.close();
-      }
+      await expectSharedOperatorScopesCleared(port, { password: "secret" });
    });
  });