feat: add authentication test page and API testing scripts; implement debug auth endpoint and enhance task route with read permissions

test-auth-api.mjs

@@ -0,0 +1,109 @@
+// Test authenticated API access using NextAuth.js client-side approach
+
+const BASE_URL = 'http://localhost:3000';
+
+async function testAuthenticatedAPI() {
+  console.log('🔐 Testing Authenticated API Access\n');
+  
+  try {
+    // Test 1: Check if server is running
+    console.log('1️⃣ Checking server status...');
+    const healthResponse = await fetch(`${BASE_URL}/api/auth/session`);
+    console.log(`Server status: ${healthResponse.status}`);
+    
+    if (!healthResponse.ok) {
+      console.log('❌ Server not responding properly');
+      return;
+    }
+    
+    // Test 2: Test unauthenticated access to protected endpoints
+    console.log('\n2️⃣ Testing unauthenticated access...');
+    const protectedEndpoints = [
+      '/api/projects',
+      '/api/contracts', 
+      '/api/tasks',
+      '/api/project-tasks'
+    ];
+    
+    for (const endpoint of protectedEndpoints) {
+      const response = await fetch(`${BASE_URL}${endpoint}`);
+      console.log(`${endpoint}: ${response.status} ${response.status === 401 ? '✅ (properly protected)' : '❌ (not protected)'}`);
+    }
+    
+    // Test 3: Check protected pages
+    console.log('\n3️⃣ Testing protected pages...');
+    const protectedPages = ['/projects', '/contracts', '/tasks'];
+    
+    for (const page of protectedPages) {
+      const response = await fetch(`${BASE_URL}${page}`, {
+        redirect: 'manual'
+      });
+      
+      if (response.status === 302) {
+        const location = response.headers.get('location');
+        if (location && location.includes('/auth/signin')) {
+          console.log(`${page}: ✅ Properly redirects to sign-in`);
+        } else {
+          console.log(`${page}: ⚠️  Redirects to: ${location}`);
+        }
+      } else if (response.status === 200) {
+        console.log(`${page}: ❌ Accessible without authentication`);
+      } else {
+        console.log(`${page}: ❓ Status ${response.status}`);
+      }
+    }
+    
+    // Test 4: Test sign-in page accessibility
+    console.log('\n4️⃣ Testing sign-in page...');
+    const signinResponse = await fetch(`${BASE_URL}/auth/signin`);
+    if (signinResponse.ok) {
+      console.log('✅ Sign-in page accessible');
+      const content = await signinResponse.text();
+      const hasEmailField = content.includes('name="email"') || content.includes('id="email"');
+      const hasPasswordField = content.includes('name="password"') || content.includes('id="password"');
+      console.log(`   Email field: ${hasEmailField ? '✅' : '❌'}`);
+      console.log(`   Password field: ${hasPasswordField ? '✅' : '❌'}`);
+    } else {
+      console.log('❌ Sign-in page not accessible');
+    }
+    
+    // Test 5: Check NextAuth.js providers endpoint
+    console.log('\n5️⃣ Testing NextAuth.js configuration...');
+    const providersResponse = await fetch(`${BASE_URL}/api/auth/providers`);
+    if (providersResponse.ok) {
+      const providers = await providersResponse.json();
+      console.log('✅ NextAuth.js providers endpoint accessible');
+      console.log('Available providers:', Object.keys(providers));
+    } else {
+      console.log('❌ NextAuth.js providers endpoint failed');
+    }
+    
+    // Test 6: Check CSRF token endpoint
+    console.log('\n6️⃣ Testing CSRF token...');
+    const csrfResponse = await fetch(`${BASE_URL}/api/auth/csrf`);
+    if (csrfResponse.ok) {
+      const csrf = await csrfResponse.json();
+      console.log('✅ CSRF token endpoint accessible');
+      console.log('CSRF token available:', !!csrf.csrfToken);
+    } else {
+      console.log('❌ CSRF token endpoint failed');
+    }
+    
+    console.log('\n🎯 Manual Testing Instructions:');
+    console.log('1. Open browser to: http://localhost:3000/auth/signin');
+    console.log('2. Use credentials:');
+    console.log('   Email: admin@localhost.com');
+    console.log('   Password: admin123456');
+    console.log('3. After login, test these pages:');
+    protectedPages.forEach(page => {
+      console.log(`   - http://localhost:3000${page}`);
+    });
+    console.log('4. Test API endpoints with browser dev tools or Postman');
+    
+  } catch (error) {
+    console.error('❌ Test failed with error:', error.message);
+  }
+}
+
+// Run the test
+testAuthenticatedAPI();