k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 14:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: apply suite review improvements (01–11)

Browse Source 
- Fix SEC-005: rewrite path traversal test to upload a real file, inject
  traversal filename into DB, and assert the download does not succeed
- Fix SEC-007: rename misleading test description to reflect it tests
  rejection of an invalid token, not acceptance of a valid one
- Delete health.test.ts: all 3 tests were exact duplicates of auth.test.ts
  and misc.test.ts
- Remove duplicate describe blocks from misc.test.ts: Categories endpoint
  (duplicate of categories.test.ts) and App config (duplicate of auth.test.ts)
- Remove TRIP-016 from trips.test.ts: weaker duplicate of TRIP-007 (no body
  assertion)
- Remove API Keys describe block from profile.test.ts: canonical copy lives
  in security.test.ts where it belongs
- Remove avatarUrl describe block from budgetService.test.ts: identical tests
  already exist in authService.test.ts; drop now-unused import
- Add DB verification to ASSIGN-007 and PACK-006 reorder tests: query
  day_assignments / packing_items after PUT reorder to confirm order changed
- Strengthen BUDGET-007/008/009: add member/payer setup and assert concrete
  values (total_paid, per-user balance, flow direction and amount)
- Remove 6 pointless Map-semantics tests from inAppNotificationActions.test.ts;
  keep only the two built-in registration checks
- Remove 5 passthrough tests from queryHelpers.test.ts; keep the 4 tests that
  cover actual flat-to-nested transformation logic
This commit is contained in:
jubnl
2026-04-06 20:04:29 +02:00
parent 96080e8a03
commit 5bcadb3cc6
11 changed files with 502 additions and 247 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/tests/integration/profile.test.ts
-30
View File
@@ -205,36 +205,6 @@ describe('Settings', () => {
});
});
describe('API Keys', () => {
it('PROFILE-011 — PUT /api/auth/me/api-keys saves keys encrypted at rest', async () => {
const { user } = createUser(testDb);
const res = await request(app)
.put('/api/auth/me/api-keys')
.set('Cookie', authCookie(user.id))
.send({ openweather_api_key: 'my-weather-key-123' });
expect(res.status).toBe(200);
// Key in DB should be encrypted (not plaintext)
const row = testDb.prepare('SELECT openweather_api_key FROM users WHERE id = ?').get(user.id) as any;
expect(row.openweather_api_key).toMatch(/^enc:v1:/);
});
it('PROFILE-011 — GET /api/auth/me does not return plaintext API keys', async () => {
const { user } = createUser(testDb);
await request(app)
.put('/api/auth/me/api-keys')
.set('Cookie', authCookie(user.id))
.send({ openweather_api_key: 'plaintext-key' });
const me = await request(app)
.get('/api/auth/me')
.set('Cookie', authCookie(user.id));
// The key should be masked or absent, never plaintext
const body = me.body.user;
expect(body.openweather_api_key).not.toBe('plaintext-key');
});
});
describe('Account deletion', () => {
it('PROFILE-013 — DELETE /api/auth/me removes account, subsequent login fails', async () => {
const { user, password } = createUser(testDb);