openclaw/src/plugin-sdk/approval-auth-helpers.test.ts

import { describe, expect, it } from "vitest";
import { createResolvedApproverActionAuthAdapter } from "./approval-auth-helpers.js";

describe("createResolvedApproverActionAuthAdapter", () => {
  it.each([
    {
      name: "falls back to generic same-chat auth when no approvers resolve",
      channelLabel: "Slack",
      resolveApprovers: () => [],
      normalizeSenderId: undefined,
      cases: [
        {
          senderId: "U_OWNER",
          approvalKind: "exec" as const,
          expected: { authorized: true },
        },
      ],
    },
    {
      name: "allows matching normalized approvers and rejects others",
      channelLabel: "Signal",
      resolveApprovers: () => ["uuid:owner"],
      normalizeSenderId: (value: string) => value.trim().toLowerCase(),
      cases: [
        {
          senderId: " UUID:OWNER ",
          approvalKind: "plugin" as const,
          expected: { authorized: true },
        },
        {
          senderId: "uuid:attacker",
          approvalKind: "plugin" as const,
          expected: {
            authorized: false,
            reason: "❌ You are not authorized to approve plugin requests on Signal.",
          },
        },
      ],
    },
  ])("$name", ({ channelLabel, resolveApprovers, normalizeSenderId, cases }) => {
    const auth = createResolvedApproverActionAuthAdapter({
      channelLabel,
      resolveApprovers,
      normalizeSenderId,
    });

    for (const testCase of cases) {
      expect(
        auth.authorizeActorAction({
          cfg: {},
          senderId: testCase.senderId,
          action: "approve",
          approvalKind: testCase.approvalKind,
        }),
      ).toEqual(testCase.expected);
    }
  });
});