feat(infra): add reminder scheduler jobs

2026-03-31 16:14:02 +00:00 · 2026-03-08 22:23:19 +04:00
parent 1b08da4591
commit fd0680c8ef
18 changed files with 474 additions and 59 deletions
--- a/apps/bot/src/scheduler-auth.test.ts
+++ b/apps/bot/src/scheduler-auth.test.ts
@@ -0,0 +1,75 @@
+import { describe, expect, test } from 'bun:test'
+
+import { createSchedulerRequestAuthorizer, type IdTokenVerifier } from './scheduler-auth'
+
+describe('createSchedulerRequestAuthorizer', () => {
+  test('accepts matching shared secret header', async () => {
+    const authorizer = createSchedulerRequestAuthorizer({
+      sharedSecret: 'secret'
+    })
+
+    const authorized = await authorizer.authorize(
+      new Request('http://localhost/jobs/reminder/utilities', {
+        headers: {
+          'x-household-scheduler-secret': 'secret'
+        }
+      })
+    )
+
+    expect(authorized).toBe(true)
+  })
+
+  test('accepts verified oidc token from an allowed service account', async () => {
+    const verifier: IdTokenVerifier = {
+      verifyIdToken: async () => ({
+        getPayload: () => ({
+          email: 'dev-scheduler@example.iam.gserviceaccount.com',
+          email_verified: true
+        })
+      })
+    }
+
+    const authorizer = createSchedulerRequestAuthorizer({
+      oidcAudience: 'https://household-dev-bot-api.run.app',
+      oidcAllowedEmails: ['dev-scheduler@example.iam.gserviceaccount.com'],
+      verifier
+    })
+
+    const authorized = await authorizer.authorize(
+      new Request('http://localhost/jobs/reminder/utilities', {
+        headers: {
+          authorization: 'Bearer signed-id-token'
+        }
+      })
+    )
+
+    expect(authorized).toBe(true)
+  })
+
+  test('rejects oidc token from an unexpected service account', async () => {
+    const verifier: IdTokenVerifier = {
+      verifyIdToken: async () => ({
+        getPayload: () => ({
+          email: 'someone-else@example.iam.gserviceaccount.com',
+          email_verified: true
+        })
+      })
+    }
+
+    const authorizer = createSchedulerRequestAuthorizer({
+      oidcAudience: 'https://household-dev-bot-api.run.app',
+      oidcAllowedEmails: ['dev-scheduler@example.iam.gserviceaccount.com'],
+      verifier
+    })
+
+    const authorized = await authorizer.authorize(
+      new Request('http://localhost/jobs/reminder/utilities', {
+        headers: {
+          authorization: 'Bearer signed-id-token'
+        }
+      })
+    )
+
+    expect(authorized).toBe(false)
+  })
+})