feat(auth): extend API key authentication to tRPC endpoints (#4732)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

packages/auth/api-key/test/get-api-key-session.spec.ts

@@ -0,0 +1,133 @@
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+import { describe, expect, test, vi } from "vitest";
+
+import { createId } from "@homarr/common";
+import { apiKeys, users } from "@homarr/db/schema";
+import { createDb } from "@homarr/db/test";
+
+import { createSaltAsync, hashPasswordAsync } from "../../security";
+import { getSessionFromApiKeyAsync } from "../get-api-key-session";
+
+// Mock the logger to avoid console output during tests
+vi.mock("@homarr/core/infrastructure/logs", () => ({
+  createLogger: () => ({
+    warn: vi.fn(),
+    info: vi.fn(),
+  }),
+}));
+
+const defaultUserId = createId();
+const defaultUsername = "testuser";
+const defaultApiKeyId = createId();
+const defaultIpAddress = "127.0.0.1";
+const defaultUserAgent = "test-agent";
+const defaultLogParams = [defaultIpAddress, defaultUserAgent] as const;
+
+describe("getSessionFromApiKeyAsync", () => {
+  test("should return null when api key header is null", async () => {
+    // Arrange
+    const { db } = await setupAsync();
+    const apiKey = null;
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, apiKey, ...defaultLogParams);
+
+    // Assert
+    expect(result).toBeNull();
+  });
+
+  test.each([
+    ["invalidformat", "no dot"],
+    ["keyid.", "missing token"],
+    [".token", "missing id"],
+  ])("should return null when api key format is invalid key=%s reason=%s", async (apiKey) => {
+    // Arrange
+    const { db } = await setupAsync();
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, apiKey, ...defaultLogParams);
+
+    // Assert
+    expect(result).toBeNull();
+  });
+
+  test("should return null when api key is not found in database", async () => {
+    // Arrange
+    const { db } = await setupAsync();
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, "nonexistent.token", ...defaultLogParams);
+
+    // Assert
+    expect(result).toBeNull();
+  });
+
+  test("should return null when api key token does not match", async () => {
+    // Arrange
+    const { db } = await setupAsync({ token: "correcttoken" });
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, `${defaultApiKeyId}.wrongtoken`, ...defaultLogParams);
+
+    // Assert
+    expect(result).toBeNull();
+  });
+
+  test("should return session when api key is valid", async () => {
+    // Arrange
+    const token = "validtesttoken123";
+    const { db } = await setupAsync({ token });
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, `${defaultApiKeyId}.${token}`, ...defaultLogParams);
+
+    // Assert
+    expect(result).not.toBeNull();
+    expect(result!.user.id).toEqual(defaultUserId);
+    expect(result!.user.name).toEqual(defaultUsername);
+  });
+
+  test("should work with null ip address", async () => {
+    // Arrange
+    const token = "validtesttoken456";
+    const { db } = await setupAsync({ token });
+
+    // Act
+    const result = await getSessionFromApiKeyAsync(db, `${defaultApiKeyId}.${token}`, null, defaultUserAgent);
+
+    // Assert
+    expect(result).not.toBeNull();
+    expect(result!.user.id).toEqual(defaultUserId);
+  });
+});
+
+interface SetupOptions {
+  /**
+   * If provided, inserts an API key into the database for testing.
+   */
+  token?: string;
+}
+
+const setupAsync = async (options?: SetupOptions) => {
+  const db = createDb();
+
+  await db.insert(users).values({
+    id: defaultUserId,
+    name: defaultUsername,
+    email: "test@example.com",
+  });
+
+  if (options?.token) {
+    const salt = await createSaltAsync();
+    await db.insert(apiKeys).values({
+      id: defaultApiKeyId,
+      apiKey: await hashPasswordAsync(options.token, salt),
+      salt,
+      userId: defaultUserId,
+    });
+  }
+
+  return {
+    db,
+  };
+};