mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-21 06:11:45 +00:00
Release 3.1.0 (#1185)
* Phase 0 — NestJS + Zod foundation harness (F1–F8) (#1050) Co-hosted NestJS app behind the existing Express server via a strangler-fig dispatcher, sharing the same better-sqlite3 connection and JWT httpOnly cookie. Additive and dormant: default routing stays on Express, Nest only serves its own /api/_nest diagnostics until a module opts in. F1 @trek/shared Zod contract package; F2 Nest bootstrap co-hosted (fall-through, single Dockerfile/port); F3 shared better-sqlite3 provider; F4 JWT cookie auth guard (+ @CurrentUser, admin guard); F5 Zod validation pipe + error-envelope parity; F6 Nest test + coverage gates; F7 per-prefix strangler toggle (env, default Express); F8 CI build/typecheck/test/coverage. Remaining F4/F6/F8 checklist items (trip-access + permission levels + MFA policy, e2e harness/seed + 80% gate, Nest↔Express parity test, Playwright PR-comment workflow) are tracked on the first consuming module cards (L1/A1/C1). * feat(weather): migrate /api/weather to the NestJS pilot module (L1) (#1053) First strangler migration (L1): /api/weather is served by a NestJS module. - @trek/shared/weather Zod contract; Nest controller byte-identical to the legacy Express route (paths, query params, status codes, { error } bodies, lang default, ApiError/500 passthrough). Service reuses getWeather/getDetailedWeather (+ shared cache; MCP tools unchanged). - Strangler routes /api/weather to Nest by default; the legacy Express route + its migration-time parity test were decommissioned in this PR. - Frontend (FE2): weatherApi typed against the @trek/shared WeatherResult contract. - Harness: reusable Nest-vs-Express parity harness, e2e harness (temp SQLite + seed/cookie helpers, real JwtAuthGuard), src/nest coverage gate raised to >=80%, src/nest test guide. - Verified end-to-end on a prod mirror (dev1): 401/400/200 via Nest with real Open-Meteo data, Express route gone. * fix(packing): multiply item weight by quantity in bag/total weight calcs (#898) Quantity now counts toward bag and total weights. Generalised to an itemWeight() helper used by every weight sum (bag totals + max, unassigned, grand total; sidebar + bag modal) with unit tests. * feat(i18n): add Korean (ko) translation (#977) Korean translation by @ppuassi, topped up to full en.ts key parity. Language registration follows separately. * feat(i18n): add Japanese (ja) translation (#829) Japanese translation by @soma3978, at full en.ts key parity, registered in supportedLanguages + TranslationContext. * Add Turkish (tr) translation + language registry (#1029) Turkish translation by @SkyLostTR, at full en.ts key parity, registered in supportedLanguages + TranslationContext. * i18n: register Korean + add Ukrainian translation (#1055) Korean translation by @ppuassi (#977) — now registered. Ukrainian by @JeffyOLOLO (#902) — lifted onto a clean branch. Both at full en.ts key parity (2258 keys). * chore: fix monorepo build pipeline and migrate shared to built package (#1056) * chore: fix monorepo build pipeline and migrate shared to built package - Root package.json: add workspace scripts (dev, build, test, test:cov, test:e2e) that delegate to actual scripts in shared/server/client workspaces - shared: add tsup build step (CJS + ESM dual output, .d.ts); consumers now import from the built dist instead of raw TS source via path aliases - server: replace tsc-alias with tsconfig-paths (tsc-alias mangled node_modules paths); fix MCP SDK path aliases to point to root node_modules (../node_modules) - server/scripts/dev.mjs: delay node --watch until tsc -w signals first-pass done, eliminating the spurious restart on every dev startup - client/vite.config.js + vitest.config.ts: remove @trek/shared path alias (no longer needed now that shared is a proper package) - Consolidate package-lock.json at the workspace root; drop per-workspace lock files * chore: fix test script to reflect root package.json * chore: add missing lint and prettier script in root package.json * fix(ci): build shared before tests; fix vitest MCP SDK alias paths vitest.config.ts aliases pointed at ./node_modules/ (server-local) but packages are hoisted to the root node_modules/ in the npm workspace — changed to ../node_modules/. CI jobs now install and build shared before running server/client tests so that @trek/shared's dist/ exists when vitest resolves the package. * fix(docker): update Dockerfile and CI for monorepo workspace structure Dockerfile: - Add shared-builder stage that produces @trek/shared dist before client and server stages need it - Each build stage carries root package.json + package-lock.json so npm can resolve @trek/shared as a workspace dependency - Production stage installs via workspace context (npm ci --workspace=server --omit=dev) so node_modules/@trek/shared symlinks to shared/dist correctly - Copy server/tsconfig.json into the image so tsconfig-paths/register can find the MCP SDK path aliases at runtime - CMD cds into /app/server before starting node so tsconfig-paths baseUrl resolves and ../node_modules points to /app/node_modules - Remove mkdir for /app/server (now a real dir); keep symlinks for uploads/data docker.yml version-bump: - Replace manual per-workspace cd+npm-version calls with single: npm version --workspaces --include-workspace-root --no-git-tag-version (mirrors the version:* scripts in root package.json) - git add now references root package-lock.json; adds shared/package.json .dockerignore: add shared/dist package.json: fix version:prerelease preid (alpha → pre) * fix(tests): use in-memory SQLite per worker in test mode vitest pool:forks spawns parallel worker processes that all called initDb() on the same data/travel.db, causing SQLite "database is locked" and "duplicate column name" races. When NODE_ENV=test each fork now gets an isolated :memory: DB so migrations run independently with no file contention. * chore(ci): add ACT guards to skip DockerHub steps in local act runs act sets ACT=true automatically. Guards added: - docker login: if: ${{ !env.ACT }} - build outputs: type=docker (local load) when ACT, push-by-digest when CI - digest export/upload: if: ${{ !env.ACT }} - merge job: if: ${{ !env.ACT }} - release-helm job (docker.yml): if: ${{ !env.ACT }} - version-bump git push (docker.yml): wrapped in [ -z "$ACT" ] shell guard Run locally with: ./bin/act -j build -W .github/workflows/docker.yml \ -P ubuntu-latest=catthehacker/ubuntu:act-latest * fix(ci): move ACT guards to step level; add guards to security.yml env context is invalid in job-level if conditions — moved all ACT guards down to individual steps. Also guards docker login + scout in security.yml so act can run the build-only part of that workflow. * fix(ci): skip git fetch and tag logic in act (no remote access in local containers) * Revert "fix(ci): skip git fetch and tag logic in act (no remote access in local containers)" This reverts commit67cf290cda. * Revert "fix(ci): move ACT guards to step level; add guards to security.yml" This reverts commitf92b95e054. * Revert "chore(ci): add ACT guards to skip DockerHub steps in local act runs" This reverts commit797183de08. * fix(docker): add musl optional deps so alpine builds find native rollup/sharp binaries npm prunes libc-constrained optional deps to the host libc (glibc) when generating the lockfile, leaving no musl entry for Alpine containers. Declaring the x64/arm64 musl variants as explicit root optionalDependencies forces them into the lockfile so npm ci on Alpine can install them. Covers shared-builder (tsup/rollup) and client-builder (vite/rollup + sharp icon generation) for both linux/amd64 and linux/arm64 CI targets. * fix(docker): copy client dist into server/public so the server resolves static files correctly The server runs from /app/server and serves static files relative to that directory, so the client build output must land at /app/server/public, not /app/public. * feat(planner): real road routes (OSRM) with travel-time connectors (#1060) * feat(planner): real road routes (OSRM) with travel-time connectors Replace the straight-line "as the crow flies" route with real OSRM road geometry (FOSSGIS routed-car/-foot) and an Apple-Maps style render (blue casing under a lighter core) on both the Leaflet and Mapbox GL maps. Routes are off by default and toggled per session, with a driving/walking mode switch in the day footer. Each day shows per-segment travel time/distance connectors between places, computed from the OSRM legs and split at transport bookings. Also redesigns the day header for visual consistency: vertical number+weather capsule, name with a divider before the date, subtle hotel/rental pills that stay on one line, and a hover-revealed 2x2 action square (edit / add transport / add note / collapse). Drops the Google Maps button. * test(planner): update route hook tests for calculateRouteWithLegs * remove route_calculation setting, always use OSRM routing (#1064) The per-user route_calculation toggle was a second, hidden on/off layer on top of the day footer's show-route button, and made it easy to end up with straight-line routes for no obvious reason. Drop the setting entirely: routing is always on, the footer toggle stays the single switch. Old stored values are simply ignored (settings are key-value, no migration needed). * chore: move i18n to shared package (#1066) * chore: move i18n to shared package * chore: move server translations to shared package and apply linter and prettier on entire shared package * feat(dashboard): upcoming reservations endpoint + travel-stats country/distance Adds GET /api/reservations/upcoming for the dashboard widget, switches travel-stats to the same country source as Atlas (manual + place-derived, ISO codes), and a distance service for flown km. * i18n(dashboard): dashboard keys across locales * feat(dashboard): boarding-pass hero, atlas row, live widgets + modal portal fix Reworked dashboard layout: boarding-pass hero with hover + days-left countdown, atlas stats row with real flags, searchable currency widget, editable timezone widget, new-trip FAB. Modals now portal to document.body to avoid inheriting dashboard-scoped button/font styles. * i18n(dashboard): sync all locales to one key set + German copy-dialog strings Brings every locale's dashboard namespace to the same 149-key set (missing keys backfilled from English) and translates the previously English-only copy-trip dialog into German. * refactor(dashboard): replace hardcoded strings with i18n keys Hero, atlas row, trip cards, filters, currency and timezone widgets now resolve all visible copy through t() instead of hardcoded English/German. * feat(i18n): add Greek translation (#1061) * i18n: complete Turkish (tr) translation (#1075) Fill in the remaining ~2100 UI strings in shared/src/i18n/tr so Turkish matches the English catalog. Brand names, URLs, and technical placeholders are left untranslated by design. * chore: prettier + lint * chore: enforce prettier & lint on shared package * feat: Updated border of map markers to reflect category color. (#1062) * feat(dashboard): mobile layout, glass UI, context bottom nav + OIDC PKCE (#1079) * feat(dashboard): mobile layout, glass tiles, plain-text countdown, place photos - Rework the mobile dashboard: cover hero, separate boarding-pass card, trimmed atlas (trips + days only), stacked widgets - New floating bottom tab bar with a centred context-aware + button (new trip / place / journey / entry depending on the page) - Move profile + notifications into a small top strip on the dashboard - Desktop: glassmorphic tiles (light + dark), neutral dark palette, plain-text countdown module, real place photos in the boarding pass * i18n(dashboard): translate new dashboard keys across all locales Fill the dashboard-rework keys (hero, atlas, fx, tz, upcoming, copy dialog, aria labels, countdown) that were left as English placeholders, plus the new startsIn/aria keys, for all 19 languages. * feat(oidc): send PKCE (S256) in the OIDC login flow The OIDC client now generates a code_verifier per login, sends the S256 code_challenge on the authorize request and the code_verifier on the token exchange. Works whether the provider has PKCE optional or required (fixes login against providers that require PKCE, e.g. Pocket ID). * Migrate TREK 3 to NestJS + React 19 (shared Zod contracts) (#1087) * Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer Brownfield strangler migration of the backend onto NestJS modules (auth, trips, days, places, assignments, packing, todo, budget, reservations, collab, files, photos, journey, share, settings, backup, oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories, tags, notifications, system-notices) served through a per-prefix dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT httpOnly cookie auth, with behavioural parity for every route. Client: React 19 upgrade, "page = wiring container + data hook" pattern across all pages, per-domain Zustand stores bound to @trek/shared contracts, and decomposition of the large components (DayPlanSidebar, PackingListPanel, CollabNotes, FileManager, MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal, BudgetPanel, PlaceFormModal, ...) into focused render units backed by in-file hooks. Apply the shared global request pipeline (helmet/CSP, CORS, HSTS, forced HTTPS, the global MFA policy and request logging) to the NestJS instance as well, so a migrated route is protected identically to the legacy fallback rather than bypassing it. * Finish the NestJS migration — drop the legacy Express app NestJS now serves the whole surface: every /api domain plus the platform routes (uploads, /mcp, the OAuth/MCP SDK + /.well-known metadata and the production SPA fallback). Removed server/src/app.ts, all of server/src/routes/* and the strangler dispatcher; index.ts and the integration suite share a single buildApp() bootstrap so prod and tests can't drift. - Platform/transport routes extracted to nest/platform/platform.routes.ts and mounted before app.init() — Nest's router answers an unmatched request with a 404, so a route registered after init is never reached. The SPA fallback is a NotFoundException filter and the catch-all uses a RegExp (Express 5's path-to-regexp rejects a bare '*'). - New modules: memories (/api/integrations/memories — the Journey gallery's Immich/Synology proxy), addons (GET /api/addons) and the cross-trip GET /api/reservations/upcoming. - TrekExceptionFilter reproduces the old multer / err.statusCode handling so upload rejections keep their 400/413 { error } body and non-ASCII filenames survive (defParamCharset). - addTripToJourney and the MCP get_journey_share_link tool gained the trip-access check they were missing. - Re-pointed the 34 integration tests + the websocket test onto the Nest app; removed the now-meaningless Express-vs-Nest parity tests and a few orphaned client components. * Restore the reset-password rate limit and fix copyTrip reservation links Two correctness/security gaps the NestJS migration introduced: - POST /api/auth/reset-password lost its per-IP rate limiter. Restore it (5 attempts / 15 min on a dedicated bucket, same as the old resetLimiter) so reset tokens can't be brute-forced unthrottled. Covered by AUTH-019. - copyTripById did not copy reservations.end_day_id (a day reference — now remapped through dayMap like day_id) or needs_review, so a duplicated trip lost multi-day transport end-day links and reset the review flag. * Clean up dead code, dedupe helpers, fix the reset-password contract - Remove server exports orphaned by the Express removal: the immich album-link helpers, seven route-only service exports, getFileByIdFull; de-export internal-only helpers (utcSuffix). - De-duplicate verifyTripAccess (9 identical copies -> services/tripAccess.ts) and avatarUrl (3 -> services/avatarUrl.ts); name the bcrypt cost (BCRYPT_COST) and the email regex (EMAIL_REGEX). Public API unchanged. - resetPasswordRequestSchema declared `password`, but the client sends and the service reads `new_password` — rename it so the contract matches and the client types resolve. - Make ATLAS-013 deterministic: stub the admin-1 GeoJSON download instead of fetching ~4600 features from GitHub during the test (it hung the suite). * Make the client typecheck runnable (vitest/vite ambient types) The client had no `typecheck` script and tsc couldn't even start (the baseUrl deprecation errored out, same as server/shared already silence). Add `ignoreDeprecations: "6.0"` to match the other workspaces, a `typecheck` npm script, and a src/vite-env.d.ts referencing vite/client + vitest/globals so tsc knows the test globals (describe/it/expect/vi). This turns ~3600 phantom "Cannot find name" errors into a real, measurable count (~590 actual type errors remain, to be worked down). Type-only; no runtime change. * Derive client domain types from the shared schema contracts Add entity/response Zod schemas to @trek/shared (place, trip, assignment, day, budget, packing, reservation), each matched against the producing server service, and re-export them from client types.ts instead of the hand-written duplicates that had drifted (name/title, amount/total_price, owner_id/user_id, cover_url/cover_image, ...). Updates the call sites and test fixtures the corrected types surfaced; type-only, no runtime behaviour change. * chore(db): log swallowed errors in addon-disable migration + guard against destructive migrations The migration that disables the legacy "memories" addon swallowed any error in an empty catch, as did ~30 other catch blocks in the migration runner (column adds, the journey rebuild, index probes). Replace each silent catch with the existing console.warn('[migrations] ...') log so failures are visible. Control flow is unchanged: every step stays non-fatal, nothing new is thrown. Add a static guardrail test that scans the migration source and fails when a new destructive statement (DROP TABLE / DROP COLUMN / TRUNCATE / DELETE FROM / ALTER ... DROP) appears outside a reviewed allowlist, and when an empty/silent catch block is reintroduced. The existing destructive statements are all legitimate table rebuilds or bounded cleanups and are recorded in the allowlist with a reason. * Re-check SSRF on every redirect hop when resolving short links Replace the one-shot checkSsrf + fetch(redirect:'follow') in the maps and place short-link resolvers with safeFetchFollow, which follows redirects manually and re-runs checkSsrf against the DNS-pinned IP of each hop (max 5). A redirect to an internal/loopback address is now blocked even when the initial URL is public, while legitimate cross-host redirects (goo.gl -> maps.google.com) still resolve. * Reject WebSocket tokens minted before a password change Stamp the user's password_version onto the ephemeral ws token and verify it on connect, closing the socket (4001) when it no longer matches, so a token issued before a password reset can't be replayed. Tokens minted without a version are treated as version 0, matching the JWT pv-claim semantics. * fix(i18n): guard locale key parity and finish the OAuth consent page strings Every non-en locale now exposes the exact same flat key set as en. Keys that had drifted out of sync are backfilled with the English source value (tagged en-fallback) so t() resolves a real string instead of relying on the silent runtime fallback; no existing translation was touched and no key was removed. Add a parity test that imports each aggregated locale bundle and asserts its key set matches en, with a diagnostic listing of any missing/extra keys. This complements the file-level check in shared/scripts by guarding the merged export the app actually serves. Finish internationalising OAuthAuthorizePage: the ~15 remaining hardcoded English chrome strings now go through oauth.authorize.* keys (English source in en, en-fallback placeholders elsewhere). Markup and behaviour are unchanged. * Add semantic theme color tokens to Tailwind Map the CSS theme variables from src/index.css (:root light / .dark dark) to named Tailwind utilities — bg-surface, text-content, border-edge, bg-accent and their variants. This gives components a Tailwind-native target for the theme colors so we can replace inline `style={{ ... 'var(--...)' }}` with utility classes without changing the rendered values. * Surface silent store failures to the user and validate API responses in dev Reservation toggle, todo/packing toggle and budget reorder were swallowing API errors after rolling back, so the user saw the change silently snap back with no explanation. Route those failures through the existing toast channel (new store/notify.ts bridges to window.__addToast, the same channel SystemNoticeBanner uses); the reservation toggle re-throws so ReservationsPanel's own translated toast finally fires. Also wire the existing parseInDev/checkInDev response validation into the maps and notification-test endpoints to catch contract drift in dev. * Migrate static theme inline styles to Tailwind utilities and extract page sub-components Replace the static, color-only inline `style={{ ... 'var(--bg-primary)' ... }}` props with the new semantic Tailwind utilities (bg-surface, text-content, border-edge, ...) wherever the result is byte-identical; dynamic/conditional theme styles and hardcoded status colors are left inline. Extract the Atlas country-search autocomplete, the Admin update banner, and two Journey dialogs into their own presentational components to shrink the oversized page files, keeping behaviour and markup identical. * Remove the unrouted photos page and its dead photo components PhotosPage was never wired into the router and its usePhotos hook read a tripStore photos slice that was never implemented; the Photos gallery, lightbox and upload components were only reachable through it. Per-trip photos now live in the Journey gallery (Immich/Synology). Removed the dead page, hook and components — the live Journey PhotoLightbox is a separate component and stays. * Resolve the remaining client type errors and the trip.title navbar bug Drive the client typecheck to zero without any/ts-ignore: convert the tripId route param to a number once at the page boundary so it matches the numeric props and store actions it feeds, fix trip.name -> trip.title (the wire field is title, so the old read rendered blank in the files/offline views), and tighten the scattered handler-arity, DOM-cast and untyped-payload sites. No runtime behaviour change. * Convert the remaining dynamic and hardcoded inline styles to Tailwind utilities Second styling pass over the components and pages: move conditional theme colors into className ternaries (bg-accent / bg-surface-hover etc.), turn reused CSSProperties constants into className constants, and express static hardcoded hex/rgba colors as Tailwind arbitrary values so the exact rendered colour is preserved. Truly dynamic styling (computed geometry, gradients, multi-part shadows, data-driven colours, the undefined --sidebar/--nav layout vars) stays inline as it cannot be expressed as a static class. Updated three component tests that asserted the old inline active-state styles to assert the equivalent utility class instead. Verified: client typecheck 0, full client suite green, and a live light/dark render check in the dev server confirms the semantic theme tokens resolve correctly (the earlier 'transparent popups' were a stale dev server that pre-dated the tailwind.config token addition, not a code issue). * Add eslint flat-config for client and server and gate typecheck, lint and pages in CI client and server had lint scripts but no eslint config (only shared was linted in CI). Add flat configs mirroring shared's stack (js + typescript-eslint recommended + eslint-config-prettier) plus the client's react-hooks/react-refresh plugins. Pre-existing patterns in this never-linted code (explicit any, require() in the CommonJS server, empty catches, exhaustive-deps) are set to 'warn' rather than 'error' so the gate passes at 0 errors without a repo-wide reformat — these can be ratcheted to errors over time. Wire blocking typecheck + lint + lint:pages steps into the client and server CI jobs (now that both typechecks are clean) and promote the server typecheck from informational to blocking. * Decompose the remaining God Components into hooks, helpers and sub-components FE6: split the oversized page and panel components into thin layout shells plus colocated use<Component> hooks, .constants.ts, .helpers.ts (with tests) and presentational sub-components, following the established 'logic in a hook, render in slices' pattern. Behaviour, markup, classes and effect order are unchanged. Largest reductions: PackingListPanel 1598->42, FileManager 1055->36, AdminPage 1525->167, BudgetPanel 1266->146, JourneyDetailPage 2822->547, PlacesSidebar 945->66, CollabChat 861->106, CollabNotes 1417->532. DayPlanSidebar's drag-and-drop render body was left intact (ref-identity sensitive) and only its toolbar/modals/constants were extracted. * Fix duplicate React keys in the file-assign place list When a place is assigned to the same day more than once it appeared twice in a day's list, so the place-button key={p.id} collided and React warned about duplicate keys. Key by place id + render index so siblings stay unique. Pre-existing in the old FileManager; behaviour unchanged. * Format the shared package and drop an unused import to satisfy the lint gate The i18n and schema changes added code that wasn't prettier-formatted, and place.schema.ts imported categorySchema without using it. Run prettier over shared and remove the import so 'npm run lint' + 'format:check' pass. * Install all workspaces in the server CI job so SWC's native binary is present The server vitest config transforms via unplugin-swc, which needs @swc/core's platform-specific native binary. A workspace-scoped 'npm ci --workspace server' skips that optional dependency, so vitest failed to load the config on the Linux runner. Use a full 'npm ci'. * Re-resolve dependencies with npm install in the server CI job for SWC Full 'npm ci' still skipped @swc/core's Linux native binary because the committed lockfile was generated on Windows and lacks the Linux optional-dep install metadata. 'npm install' re-resolves and fetches the platform-matching binary, which the server's unplugin-swc transform needs to load vitest.config.ts. * Install @swc/core's Linux binary explicitly in the server CI job Neither npm ci nor npm install fetched @swc/core-linux-x64-gnu on the Linux runner because the lockfile was generated on Windows and lacks the Linux optional-dep metadata. Add a step that installs the matching @swc/core-linux-x64-gnu version (no-save, no-lockfile) so unplugin-swc can load the server's vitest config. * Use legacy-peer-deps when installing the SWC Linux binary in CI The explicit @swc/core-linux-x64-gnu install re-resolved the tree and hit the pre-existing lucide-react/react-19 peer conflict that the lockfile was generated around. Add --legacy-peer-deps so the step matches the project's resolution and installs the binary. * Keep the lockfile when installing the SWC binary so other deps stay pinned Dropping --no-package-lock made npm re-resolve the whole tree and upgrade eslint, whose newer recommended config flagged no-useless-assignment as an error in the server lint step. Keep the lockfile so only @swc/core-linux-x64-gnu is added and every other dependency (incl. eslint) stays at its locked version. * Fix a batch of reported bugs: Atlas regions, planner overlays, imports, Safari modals (#1094) * Start the Journey date picker week on Monday (#1078) The Journey entry date picker started the week on Sunday (firstDow = getDay(), headers Su-first) while every other picker (CustomDateTimePicker, VacayCalendar) starts on Monday. Align it: Monday-first leading offset ((getDay()+6)%7) and Mo-first weekday headers. * Fix Taiwan resolving to CN-TW in the Atlas country search (#1049) natural-earth gives Taiwan ISO_A2='CN-TW' (a subdivision-style value) with ADM0_A3='TWN'. The dynamic A2_TO_A3 augmentation added 'CN-TW'->'TWN', which then overwrote the legitimate TWN->TW entry in the reverse map, so Taiwan's country option resolved to 'CN-TW' — unresolvable by Intl.DisplayNames (no name, broken flag, not searchable). Only augment A2_TO_A3 with real 2-letter codes. * Drop empty leftover dateless days when a trip gets a shorter dated range (#1083) generateDays kept all unused dateless placeholder days after switching to an explicit (shorter) date range, so day_count (COUNT(*) FROM days) stayed inflated. Delete the empty leftovers (no assignments/notes/accommodations) like the dateless path already does, while preserving any that still hold content. Adds TRIP-SVC-017. * Render GPX and route overlays once the Mapbox style has loaded (#1036) The GPX and route geojson effects ran before the map 'load' event had attached their sources, so on the first paint they hit the early return and never re-ran. Add mapReady to their dependencies so they fire again the moment the sources exist. * Convert HEIC trip and journey covers to JPEG before upload (#1085) HEIC/HEIF covers coming straight off an iPhone could not be rendered in the preview or stored as a usable image. Route both cover pickers through normalizeImageFile, the same conversion the journal entry editor already uses, so the file becomes a JPEG before it leaves the browser. * Name GPX routes and tracks after their source file so multiple imports stick (#1054) Unnamed routes and tracks all fell back to the same generic 'GPX Route' / 'GPX Track' label, so the name-based import dedup dropped every one after the first - importing several files (or one file with several tracks) only kept a single place. Derive the default name from the source filename with an index suffix when a file holds more than one geometry, thread the filename down through the controller, and let the import modal take more than one file at a time. Adds PLACE-SVC-037/038. * Namespace the modal backdrop class so content blockers stop hiding it (#1027) Generic class names like .modal-backdrop sit on the cosmetic filter lists that content blockers (1Blocker, EasyList Annoyances) ship, and get hidden with display:none. The shared Modal - used by New Trip and Add Place - carried that class, so Safari users running such a blocker saw the modal silently fail to open with no error and no network request. Rename it to .trek-modal-backdrop. * Highlight GB regions by resolving England/Scotland/Wales/NI to finer admin-1 codes (#1067) A zoom-8 reverse geocode of a UK place only resolves to the constituent country (GB-ENG/SCT/WLS/NIR), but Natural Earth's admin-1 polygons for GB are counties and boroughs (GB-LND, GB-MAN, GB-CON, ...). Those four codes match no polygon, so places in England never highlighted in the Atlas while CH/IT/NL/etc. worked. When a GB lookup lands on a constituent country, re-resolve it at a finer zoom where Nominatim exposes the county/borough code the polygons actually carry. Other countries keep the exact zoom-8 behaviour. Adds ATLAS-UNIT-021. * Surface the real place-search error instead of a generic toast (#1092) When a place search or detail lookup fails, the backend already forwards the upstream reason - including descriptive Google Places API messages such as 'Places API (New) has not been used in project ... or it is disabled'. The planner discarded it and always showed 'Place search failed', so a key that is mis-enabled, unbilled, or pointed at the legacy API instead of Places API (New) looked like an unexplained silent failure. Show the server-provided message when present, and stop the Atlas bucket-list search from swallowing its error without a trace. * Await the async cover normalization in the TripFormModal paste test (#1085) handleCoverSelect now normalizes the pasted file before previewing it, so URL.createObjectURL is called a microtask later. The assertion moves into waitFor; a non-HEIC file still passes through unchanged. * fix(pwa): removed orientation from the manifest (#1058) * fix(journey): raise PhotoLightbox z-index above MobileEntryView (#1101) * feat(transport): add bus, taxi, bicycle, ferry and other transport types (#1105) Closes #718. Adds five new transport reservation types alongside the existing flight/train/car/cruise: bus, taxi, bicycle, ferry and a generic 'transport_other' catch-all. The new types are treated as first-class transports everywhere — the transport modal, day plan, route calculation, map overlays, file grouping and the PDF export — and are translated across all 20 locales. A dedicated 'transport_other' value is used for the catch-all so existing 'other' bookings are not reclassified as transport. * feat(reservations): native booking-confirmation import via KDE KItinerary (#1102) * feat(reservations): native booking-confirmation import via KDE KItinerary Adds a two-step preview → confirm flow for importing booking emails, PDFs, PKPass and HTML confirmations. The server invokes the KDE kitinerary-extractor binary, maps JSON-LD schema.org output to TREK reservation shapes, and persists via the existing createReservation pipeline (accommodations, budget, places, WebSocket broadcasts). - NestJS BookingImportModule: preview + confirm endpoints under /api/trips/:tripId/reservations/import/booking{,/confirm} - KitineraryExtractorService: spawns the binary, filters stderr noise, handles QDateTime (@value) timezone-aware datetimes - kitinerary-mapper: FlightReservation, TrainReservation, BusReservation, BoatReservation, LodgingReservation, FoodEstablishmentReservation, RentalCarReservation, EventReservation → typed preview items - BookingImportService: auto-creates place rows; geocodes venues without coordinates via Nominatim (name+address → address → name fallback); resolves day IDs for accommodation linking - BookingImportModal: drag-and-drop multi-file upload, preview cards with type icons, per-item exclude toggle, confirm step - Shared Zod contracts: BookingImportPreviewItem, PreviewResponse, ConfirmRequest, ConfirmResponse — consumed by controller, service, API client and modal - Dockerfile: node:24-trixie-slim runtime; amd64 downloads KDE static binary + locales; arm64 installs libkitinerary-bin + symlinks to fixed path; ENV KITINERARY_EXTRACTOR_PATH set for both arches - /api/health/features exposes { bookingImport: boolean } so the UI hides the Import button when the binary is absent - i18n keys (English), wiki docs, API.md, README one-liner * i18n: add booking import translations for all 19 non-English locales Adds 17 reservations.import.* keys and undo.importBooking to ar, br, cs, de, es, fr, gr, hu, id, it, ja, ko, nl, pl, ru, tr, uk, zh, zh-TW. * chore: enforce i18n parity * docs(wiki): add KItinerary local setup instructions to dev environment guide * feat(costs): rework Budget into Costs — Splitwise-style, multi-currency, mobile (#1106) * fix(journey): authorize reads of the journey share link GET /api/journeys/:id/share-link now requires journey access (canAccessJourney), matching the create/delete share-link routes and the get_journey_share_link MCP tool. Returns no link when the caller lacks access to the journey. * feat(costs): rework Budget into Costs — Splitwise-style, multi-currency, mobile Renames the Budget addon to "Costs" (UI only) and reworks it into a Tricount/ Splitwise-style cost tracker: multiple payers per expense, equal split across chosen members, settle-up with persisted history + undo, 12 fixed categories, per-expense currency with live FX conversion to a user-set display currency (Settings -> Display), and locale-correct money formatting. Adds a desktop and a dedicated mobile layout. A migration backfills existing budget items (single payer, split members, currency). Closes #551 (per-expense currency). Also switches the app font to self-hosted Poppins (Geist for secondary subtext), replacing the Google Fonts CDN dependency. * fix(costs): neutral dashboard dark palette + liquid glass, full page width, entry-count badge - Dark mode used a warm oklch palette that read brownish; switch to the neutral zinc tokens used by the dashboard (#121215 bg, #f4f4f5 ink) and add a subtle backdrop-blur glass on cards. - Costs now uses the full available page width on desktop instead of a 1280px cap. - Render the expense count next to the Expenses title as a badge. - Adapt budget/journey unit tests to the new payer-based settlement model and the Costs rename (category default 'other', Costs tab/CostsPanel). * fix(costs): drop the entry-count badge, always show row edit/delete actions Removes the count badge next to the Expenses title and makes the per-row edit/delete actions permanently visible (no longer hover-only) on desktop too. * feat(costs): currency-native money formatting, custom select/date, rename addon to Costs - Format every amount in its own currency convention (symbol position, grouping and decimal separators) regardless of app language, via a currency->locale map (EUR -> '12,00 €', USD -> '$12.00', JPY -> '¥12', ...). Previously Intl used the app locale, so EUR showed the symbol in front under an English UI. - Use TREK's CustomSelect (searchable, with symbols) and CustomDatePicker in the add/edit expense modal instead of the native <select>/<input type=date>. - Rename the 'Budget Planner' add-on to 'Costs' in the admin list (display only; id/tables/permissions/MCP stay 'budget') via seed + a migration for existing DBs. * feat(auth): configurable session duration via SESSION_DURATION Adds a SESSION_DURATION env var (ms-style strings: 1h, 7d, 30d, ...) controlling how long a session stays valid before re-login. It drives both the trek_session JWT exp claim and the cookie maxAge from one source, so they never drift. Invalid values warn at startup and fall back to the default (24h — unchanged). The MFA challenge token and MCP OAuth tokens keep their own TTL. Implements the request from discussion #946. Documented in the env-var wiki page, .env.example and docker-compose.yml. * feat: Passkey (WebAuthn) login (#1111) * feat(auth): passkey (WebAuthn) login — server endpoints, schema + admin toggle Add @simplewebauthn/server registration and primary (discoverable) login ceremonies under /api/auth/passkey, a webauthn_credentials + single-use webauthn_challenges schema (migration), the instance-wide passkey_login toggle (default off) enforced before auth by a guard, and require_mfa satisfaction via a verified passkey. RP ID/origin come only from server config (webauthn_rp_id/origins -> APP_URL), never request headers. * feat(auth): passkey enrolment, login button + admin settings UI PasskeysSection in account settings (add/rename/remove with a current-password step-up), a 'Sign in with a passkey' button on the login page, the admin enable + RP-ID/origins controls, and a per-user admin reset action. * i18n(auth): passkey strings across all locales Add login/settings/admin passkey keys to en and all 19 translated locales. * chore: update kitinerary version * Backend/frontend hardening & consistency cleanups (#1113) * refactor(auth): session token validation and password-change consistency * refactor(journey): entry field allow-list and public share-link consistency * refactor(mcp): align tool authorization with the REST permission checks * chore: input validation and sanitisation touch-ups (uploads, pdf, maps, backup, csp) * feat: optimize routes around accommodation, confirm note deletions (#1123) Optimize day routes around the accommodation When a day has an accommodation set, the route optimizer now treats it as the day's home base: it optimizes a loop that leaves the hotel and returns to it, so the stop nearest the hotel comes first. On a transfer day - checking out of one hotel and into another - the route runs from the first hotel to the second instead. The optimizer also gained a 2-opt pass on top of the nearest-neighbor ordering, which removes the crossings the greedy pass used to leave behind. A new display setting ("optimize route from accommodation", on by default) lets you turn the anchoring off. Confirm before deleting notes Deleting a plan note or a collab note now asks for confirmation first. On phones and tablets the edit and delete icons sit close together and were easy to mis-tap, which deleted notes with no way back. * fix: miscellaneous bug fixes (#1139) * fix(share): serve place thumbnails in shared trip links (#1100) Google-sourced place photos are stored as image_url pointing at the JWT-guarded /api/maps/place-photo/:placeId/bytes endpoint, so they 401 for an unauthenticated shared-trip viewer and render as broken images. Rewrite place image_url values in the shared payload to a public, token-scoped proxy (/api/shared/:token/place-photo/:placeId/bytes) and add an unguarded SharedController route that validates the token and that the place belongs to its trip before streaming the cached bytes. Mirrors the existing JourneyPublicController precedent. No client changes needed. * fix(atlas): replace Natural Earth with geoBoundaries for up-to-date regions (#1119) Atlas sourced country and sub-national boundaries from Natural Earth's GitHub `master` at runtime. That data is stale (e.g. it still shows Norway's pre-2020 counties such as Oppland/Hordaland) and depicts some contested territory in unwanted ways (nvkelso/natural-earth-vector#391), so Natural Earth is dropped entirely. - Country borders (admin0) now come from the geoBoundaries CGAZ composite; sub-national regions (admin1) from per-country gbOpen, which carries ISO 3166-2 codes. A new script (server/scripts/build-atlas-geo.mjs) normalizes and quantizes them into committed gzipped bundles under server/assets/atlas, read server-side at runtime (no network at boot, no GitHub CSP allowlist entry). - New GET /addons/atlas/countries/geo serves the country layer; the client fetches it from the API instead of GitHub. - A migration reconciles manually-marked visited_regions against the new bundle (valid code -> keep; region name still matches -> re-code; curated merge crosswalk for renamed reforms; else leave intact), with UNIQUE-safe dedup. bucket_list and visited_countries hold only invariant alpha-2 country codes, so they are untouched. - Attribution added (NOTICE.md + README) per geoBoundaries CC BY 4.0. Closes #1119 * fix(packing): make templates admin-only to create, usable by members Creating a packing-list template was gated only by trip access, so any trip member could create one from the Lists feature, while applying a template silently failed for non-admins because the apply dropdown was populated from the AdminGuard-protected /api/admin/packing-templates endpoint. - save-as-template now returns 403 for non-admins; the Save-as-Template button is hidden unless the user is an admin (both the TripPlanner toolbar and the inline packing header). - add member-accessible GET /api/trips/:tripId/packing/templates so the apply dropdown lists templates for any trip member; client fetches from it instead of the admin endpoint. Closes #1120 Closes #1121 * fix(packing): show bag tracking to non-admin members The global Bag Tracking toggle was only readable via the admin-gated GET /api/admin/bag-tracking, so non-admin trip members got 403 and the weight fields, bag circles, and BAGS sidebar never rendered (#1124). Surface the flag through the already-authenticated GET /api/addons (loaded into the client addon store on app start for every user); the packing hook reads it from the store instead of the admin endpoint. The admin write path stays admin-gated and unchanged. * Fix a batch of reported bugs (#1145) * fix(maps): fall back to OSM/Wikipedia for place photos and normalize non-standard language codes (#1137) * fix(auth): refuse password reset for OIDC/SSO-linked accounts (#1129) * fix(docker): ship server/assets (airports + atlas geo) in the runtime image (#1133, #1119) * fix(unraid): point the template at a PNG icon Unraid can render (#1073) * fix(offline): serve cached file blobs when offline or on network failure (#1046, #1069) * fix(map): centre the selected pin in the visible map area above the bottom panel (#1125) * fix(pdf): render persisted place-photo proxy URLs as images (#1130) * fix(planner): show the selected place category in the edit form (#1134) * fix(dashboard): collapse list-view trip cards to a compact row on mobile (#1132) * Support multi-leg (layover) flights (#1146) * feat(transport): support multi-leg (layover) flights in the booking form A flight booking can now hold an ordered chain of airports (e.g. FRA -> BER -> HND) instead of a single departure/arrival pair. The route is entered as a list of waypoints with a '+ add stop' button; each stop carries its own arrival and departure time plus the airline/flight number of the segment leaving it, while the whole booking keeps one price. Stored without a schema change: the existing reservation_endpoints rows carry the ordered waypoints (from/stop/to by sequence) and a metadata.legs array holds the per-leg detail. Top-level metadata (departure_airport/arrival_airport/airline/ flight_number) mirrors the first and last leg, so a single-leg flight persists exactly as before and legacy readers keep working. * feat(planner): show each flight leg as its own day-plan entry, ordered by time A multi-leg flight now expands into one entry per leg (BER -> FRA, then FRA -> HND), each on its own day with its own times, instead of a single span. Each leg is an addressable slot (reservation id + leg index) so places and notes can be dropped into the layover gap between legs; the per-leg position is persisted in metadata.legs[i].day_positions and survives a reload. Day-plan items are now ordered chronologically: anything with a time (a place's time, a flight leg, a timed note) sorts by that time, and untimed items inherit the time of the item before them so they stay where they were placed. * feat(planner): show the full multi-stop route in the bookings panel The route row now lists every waypoint (FRA -> BER -> HND) by sequence instead of just the first and last airport. * feat(map): draw multi-leg flights as connected legs with a marker per airport Both the Leaflet and Mapbox overlays now render a flight over all its waypoints: one great-circle arc per leg and a marker at every airport, with the label showing the full route and the summed distance. A single-leg flight is unchanged. Also drops the floating stats badge that was drawn on transport arcs. * fix(map): centre a clicked place above the bottom inspector panel Selecting a place panned/flew it to the dead centre of the screen, where it sat behind the detail card. Both overlays now bias the target into the visible area above the bottom panel (Leaflet offsets the pan by the inspector inset; Mapbox passes the padding to flyTo). * feat: show the full multi-stop flight route in PDF and calendar export The PDF day list and the ICS export now render the whole route (FRA → BER → HND) for a multi-leg flight instead of just the first and last airport, falling back to the flat metadata for single-leg flights. The ICS keeps a single event per booking. * feat(import): group connecting flight legs into one multi-leg booking When a booking confirmation contains several flight legs sharing a PNR that connect at the same airport with a short layover (under 24h), they are now imported as a single multi-leg booking (from/stop/to endpoints + metadata.legs) instead of one booking per leg. A round trip (same PNR, multi-day gap) stays two separate bookings, and a single flight is unchanged. * i18n: translate the new flight-route strings into all languages * i18n: translate the Costs page into every language The Budget → Costs rework left the new costs.* strings untranslated in every non-English locale (they fell back to English). Translate them across all supported languages. * Revert "fix(map): centre a clicked place above the bottom inspector panel" This reverts commit0936103f04. * Explore places on the map, planner route fixes, and instance-wide Mapbox (#1147) * feat(maps): add an OSM POI search endpoint (category within a viewport) New /api/maps/pois queries OpenStreetMap via Overpass for places of a category (restaurants, cafes, hotels, sights, …) inside a bounding box. OSM-only by design — it never calls Google, even when a Google key is configured. * feat(map): explore nearby places on the trip map (OSM category pill) A floating, icon-only pill over the planner map lets you toggle a POI category and see those OpenStreetMap places in the current view; clicking a marker opens the add-place form pre-filled (name, address, website, phone). Single-select with a 'search this area' action after the map moves. Renders on both the Leaflet and Mapbox maps, and can be turned off in settings (discussion #841). * fix(planner): anchor timed places when optimising and route transports by location - The day optimiser no longer reshuffles places that have a set time — they stay anchored to their time, like locked places. - The route now uses a transport's departure/arrival location as a waypoint when it has one (e.g. a flight's airport), instead of breaking the route at every booking; transports without a location are ignored for routing but still show their leg's distance/duration under the booking. * feat(admin): instance-wide Mapbox defaults in default user settings Admins can set a shared Mapbox token (plus style, 3D and quality) as instance defaults, so the whole instance can use Mapbox without each user pasting their own key. Users without their own value inherit it via the existing admin-defaults merge; the shared token is stored encrypted (discussion #920). * Reorder whole days and insert a day (#589) (#1148) * feat(days): reorder whole days and insert a day at a position Adds reorderDays + insertDay to the day service and a PUT /days/reorder route (plus an optional position on create). Day rows stay stable so a day's assignments, notes, bookings and accommodations ride along by id; on a dated trip the calendar dates stay pinned to their slots while the content moves across them, and each booking's date is re-stamped onto its day's new date (time-of-day preserved) so day_id stays consistent. Renumbering uses the two-phase write to avoid the UNIQUE(trip_id, day_number) collision, and a move that would invert an accommodation's check-in/out span is rejected. * feat(planner): reorder days from a toolbar popup, and add days A new toolbar button opens a popup listing the days; drag a row by its grip or use the up/down arrows to reorder, and add a day from there. Reorders apply optimistically with rollback and sync over WebSocket; the day headers are left untouched, so the existing place drop-targets are unaffected. * i18n: add day-reorder strings across all languages * Map/planner/dashboard polish and small community features (#1155) * feat(planner): reorder days in a modal instead of a dropdown The day-reorder control opened a small anchored dropdown; move it into the shared Modal (portal, dimmed backdrop, Esc/backdrop close) so it matches the Add activity dialog. Drag handles, up/down arrows and the day badges are unchanged. * feat(map): explore reliability, Mapbox popups + compass, region-biased search POI explore: clamp oversized viewports, query the Overpass mirrors in parallel (first valid response wins) with a per-request timeout and a short-lived cache, and surface a retry when every mirror fails - so it returns results at any zoom instead of timing out. Mapbox renderer: add the place/POI hover popups (name, category, address, photo) the Leaflet map already had, plus a compass pill next to the explore pill that resets the view to north. /api/maps/search: accept an optional locationBias to fix foreign-region bias and expose Google's place types in the result. * feat(dashboard): list-view and mobile polish Use the Archived status label for the filter and show Open dates for trips without dates; drop the unused settings button next to the view toggle. Desktop list view renders the date as a stat-style block separated from the counts. Mobile list rows are stacked (slim cover banner + centred date), trip actions stay visible (touch has no hover), and the hero card's hover lift is disabled on touch; small spacing fix under the sidebar. * feat: small community-requested options Raise the plan-note subtitle limit to 250 characters and add more note icons. Expose is_archived and cover_image on the update_trip MCP tool. Add place coordinates to the PDF export. Allow creating a category from an existing to-do, and add a show/hide toggle on the admin password fields. * test(shared): bump day-note subtitle limit assertion to 250 * test: align specs with the new search param order and archive label Keep lang as the 3rd positional arg of the maps search controller so the existing unit test stays valid, and forward locationBias as the 4th. Add the now-used Popup to the MapViewGL mapbox mock, switch the dashboard archive-filter query to the Archived label, and expect the 4-arg search call. * fix(packing): add more bag colors so sub-bags stop repeating (#1156) The auto-assigned bag palette only had 8 colors, so the 9th bag reused the first one. Double it to 16 (keeping the existing 8 and their order) and keep the server and client lists in sync - both cycle BAG_COLORS[count % length]. * fix(packing): respect per-item quantity in bulk import (#1157) * AirTrail integration: import flights & two-way sync (#214) (#1158) * feat(admin): register AirTrail as an integration addon Off by default; toggle lives in Admin -> Addons with a Plane icon. The per-user connection (URL + API key) follows in integration settings. * feat(integrations): add per-user AirTrail connection Settings -> Integrations gains an AirTrail section: instance URL + Bearer API key (encrypted at rest via apiKeyCrypto), a self-signed-TLS opt-in and a test-connection check. Served by a small Nest controller under /api/integrations/airtrail, gated on the airtrail addon and SSRF-guarded. The key is per-user, so it only ever returns that user's own flights. * feat(transport): import flights from AirTrail Adds an AirTrail Import button next to Manual Transport that lists the user's AirTrail flights and highlights the ones inside the trip dates. Selected flights become reservations linked to their AirTrail origin (external_* columns), deduped against flights already in the trip, then broadcast to every member. The mapping resolves airports, airport-local times and flight metadata; the linkage is what the two-way sync rides on. * feat(transport): badge AirTrail-linked flights as synced Linked reservations show an 'AirTrail synced' badge, or 'no longer synced' once the flight is gone from AirTrail. * feat(transport): keep TREK and AirTrail flights in sync both ways A scheduled poll reconciles each connected owner's flights: field edits (detected by snapshot hash, since AirTrail has no updated_at) flow into the linked reservation and broadcast live; a flight deleted in AirTrail keeps the TREK row but stops syncing. Editing a linked flight in TREK pushes back to AirTrail under the importer's credentials, preserving the existing seat manifest; if the owner disconnected the link detaches so the poll can't revert the local edit. Deleting in TREK never touches AirTrail. * i18n(airtrail): add AirTrail strings across all locales * test(airtrail): cover flight mapping, timezones and snapshot hashing * fix(airtrail): reduce airline/aircraft objects to codes The flight list/get response returns airline and aircraft as joined objects ({icao, iata, name, ...}), not bare codes. Mapping them straight through produced '[object Object]' titles and stored objects in metadata, which crashed reservation rendering. Extract the ICAO/IATA code instead, and title flights by their flight number. * fix(airtrail): clear error on non-JSON responses, tolerate /api in URL A misconfigured instance URL made AirTrail serve its SPA/login HTML, and the raw JSON.parse failure surfaced as 'Unexpected token <'. Surface an actionable message instead, and strip a pasted trailing /api so the base URL still resolves. * feat(transport): sync AirTrail edits on trip open, not just on the poll Add a per-user on-demand sync (POST /integrations/airtrail/sync) triggered when a connected user opens a trip, so AirTrail-side edits appear right away instead of waiting up to a full poll cycle. Lower the background poll from 15 to 5 minutes as a safety net. * fix(transport): refresh imported AirTrail flights without a reload loadTrip doesn't fetch reservations, so a freshly imported flight only appeared after a full page reload — use loadReservations instead. Also show flight dates in the user's locale format (e.g. 13.06.2026) rather than the raw ISO string. * style(settings): align AirTrail connection with the photo-provider layout Match the Immich section: stacked URL/key fields, a ToggleSwitch for self-signed TLS, and a Save / Test-connection row with a status badge. * feat(transport): add a seat field when editing flights The transport editor only offered a seat field for trains; flights had none even though imports store metadata.seat. Show and persist a seat for flights too. * style(transport): match the AirTrail button height to Manual Transport * feat(transport): put the flight seat next to flight number and sync it to AirTrail Move the seat from a standalone row to the per-leg flight details (beside the flight number), stored per leg in metadata.legs[].seat with the first leg mirrored to metadata.seat. On push, set the seat number on the user's own AirTrail seat (the one with a userId), leaving co-passengers untouched; import/poll read that same seat back. * refactor(planner): move the AirTrail trip-open sync into useTripPlanner Page containers must not own state/effects (lint:pages). Same logic, relocated from the page into its data hook. * test(db): pin the region-reconciliation test to its schema version The test re-ran 'the last migration' assuming the reconciliation is last; it no longer is once later migrations are appended. Pin to version 135 and re-run from there (the appended migrations are idempotent). * Various fixes: 2FA autofocus, viewer-timezone times, duplicate place guard (#1159) * fix(auth): autofocus the 2FA code input when the MFA step appears (#767) * fix(notifications): show notification and admin times in the viewer timezone (#1149) SQLite CURRENT_TIMESTAMP is UTC but the string has no Z, so the client parsed it as local time. Normalize in-app notification created_at to ISO-UTC, and stop forcing the admin user table to render in the server timezone. * fix(places): warn before adding a duplicate place (#1152) Manually adding a place did not check the existing pool, so the same POI could land in Unplanned twice. Flag a likely duplicate by Google Place ID, name or near-identical coordinates and require a confirming second click to add anyway. * fix(planner): make route tools reachable in mobile day plan sheet (#1142) * wiki: update dev env * wiki: small precision in dev env * fix(planner): make route tools reachable in mobile day plan sheet On mobile, selecting a day closes the plan sheet immediately, so the route tools footer (Route toggle / Optimize / routing profile) - gated on the selected day - was never reachable. Desktop was unaffected. - Add showRouteToolsWhenExpanded prop to DayPlanSidebar: when set, route tools render on any expanded day with 2+ assigned places - Make handleOptimize accept an explicit dayId (defaulting to selectedDayId, preserving desktop behavior) - Keep the distance/duration pill gated on the selected day, since routeInfo belongs to the selected day's calculated route - Enable the prop on the mobile plan sheet in TripPlannerPage * fix(planner): correct route-tools prop doc and dev-environment wiki - Reword the showRouteToolsWhenExpanded JSDoc to list the controls the footer actually renders (Route toggle / Optimize / travel profile); there is no "Open in Google Maps" action in that block. - Wiki: drop the non-existent server test:parity script, document the real shared i18n:parity checks, and fix the i18n note (the translation layer already lives in @trek/shared, it is not "upcoming"). --------- Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: Maurice <mauriceboe@icloud.com> * feat(places): enrich list-imported places via the Places API (#886) (#1161) * feat(places): enrich list-imported places via the Places API (#886) Google/Naver list imports only carry a name and coordinates, so the places open as bare pins — the Maps tab jumps to coordinates, with no photo, address or open/closed. Add an opt-in "Enrich places via Google" toggle to the list-import dialog, shown only when a Google Maps key is configured. When enabled, after the (fast, unchanged) import the server runs a background pass that re-resolves each place by name — biased to and validated against the imported coordinates so a common-name search cannot overwrite the wrong place — and fills the empty address/website/phone/photo columns plus the resolved google_place_id, pushing each row over the live sync. Opening hours and the proper Maps link then work on demand from the stored id. Enrichment only fills empty fields, runs detached so a long list never blocks the import, and no-ops when no key is configured. * fix(places): use the ToggleSwitch component for the enrich toggle Match the rest of the app — the import-enrichment opt-in used a raw checkbox; swap it for the shared ToggleSwitch (text left, switch right) like the settings toggles. * fix(maps): bound place-photo cache growth (Wikimedia + Google) (#1174) The place-photo cache (uploads/photos/google) grew unbounded: a Wikimedia geosearch path cached full-res originals despite requesting a 400px thumb, the writer applied no size guard, nothing reclaimed orphaned files, and backups archived the whole re-derivable cache verbatim. - Prefer the scaled `thumburl` over the full-res `info.url` in the Commons geosearch fallback. - Downscale any cached image to <=800px JPEG via the existing jimp dep, with a safe fallback to the original bytes on decode failure. - Add sweepOrphans() (orphaned meta rows + stray files) wired into the scheduler (startup + nightly), and removeIfUnreferenced() called on place delete for prompt reclamation. - Exclude the re-derivable photo/trek caches from backups; restores self-heal as the cache dirs are recreated at startup. * fix(sync): remap temp ids, prevent id collisions, surface failed mutations (#1175) Closes three offline BLOCKERs from the PWA audit: - B1: offline edits/deletes of an offline-created entity were lost. The negative temp id was baked into the PUT/DELETE url and never rewritten after the CREATE returned a real id, so dependents 404'd and were dropped. Dependents now carry a {id} placeholder + tempEntityId; flush builds a tempId->realId map and durably rewrites still-queued dependents on CREATE success (survives flush boundaries / reloads). - B2: tempId = -(Date.now()) collided within a millisecond, overwriting an optimistic row. Replaced with a monotonic nextTempId() minter. - B3: any 4xx marked the mutation failed with no rollback and no signal, and the badge ignored failed rows. Terminal failures now roll back the phantom optimistic CREATE; 401/408/425/429 are treated as retryable; failedCount() is surfaced in OfflineBanner (red pill) and OfflineTab. * fix(maps): make offline tiles cover real trips (cap coherence + zoom-clamp) (#1177) Closes BLOCKER B5 — the offline map was blank for most real trips: - The Workbox 'map-tiles' cache held only 1000 entries while the prefetcher budgeted ~3413, so prefetched tiles were evicted on arrival. Both caps are now a coherent 12288 (~180 MB), kept in sync with cross-referencing comments. - prefetchTilesForTrip skipped a trip entirely when its all-zooms estimate exceeded the cap, so region/road-trip bboxes got no tiles. Removed the all-or-nothing guard; prefetchTiles already fills zooms low→high and stops at the budget, so large trips now cache the zooms that fit instead of nothing. * fix(security): stop cross-user offline data leak on shared devices (#1176) Closes BLOCKER B4 — three reinforcing paths could serve one account's cached data to the next user on a shared device: - The Workbox 'api-data' cache keyed trip/user-scoped GETs by URL only (cookie-blind). Changed to NetworkOnly; offline reads come from the per-user IndexedDB cache via the repo layer instead. - IndexedDB had no per-user scoping. The Dexie connection is now scoped per user (trek-offline-u<id>) behind a Proxy so the ~19 importers keep a stable binding; login opens the user DB, logout deletes it and returns to the anonymous DB. - logout() was fire-and-forget and racy: background flush/syncAll could re-seed the DB after the wipe. It is now async and ordered — close an auth gate, unregister sync triggers, disconnect, clear caches, delete the user DB — and flush()/syncAll() bail when the gate is closed. * fix(db): scope, evict, and cap the offline blob cache (H3) (#1178) Blob cache previously leaked forever: clearTripData omitted it, entries had no trip discriminator, and there was no size/count bound, so file blobs survived trip eviction and could starve the map-tile cache for quota. - BlobCacheEntry gains tripId + bytes; Dexie v3 adds a tripId index with a backfill upgrade (legacy rows -> tripId -1, bytes from blob.size) - clearTripData purges the trip's blobs in-transaction - enforceBlobBudget() evicts oldest-by-cachedAt past 200 entries / 100 MB - tripSyncManager threads tripId/bytes into puts and enforces the budget * fix(repo): fall back to Dexie when a network read fails (H2) (#1179) Repos gated reads on raw navigator.onLine and the online branch had no try/catch, so a captive portal or connected-but-no-internet (navigator.onLine lying "true") threw a network error instead of serving the good cached copy — blanking the trip even though Dexie held it. - new onlineThenCache(onlineFn, cacheFn) helper: reads the cache when offline, and on a network-level failure (Axios error with no HTTP response). A genuine HTTP error (4xx/5xx — the server responded) is rethrown so callers still set error state / navigate, not masked by a stale cache. - gates only on navigator.onLine, NOT the connectivity probe: the probe is a coarse global flag and one failed health check would otherwise divert every read to the (possibly empty) cache even when the request would succeed. - every repo list/get read path routed through it (reads only — writes still go through the mutation queue so failures surface) - tests: captive-portal fallback, HTTP-error rethrow, non-Axios rethrow * fix(store): reset and uniformly hydrate trip-scoped slices in loadTrip (H4, H5) (#1180) loadTrip only replaced the first slice group, so budget/reservations/files from a previous trip stayed visible after switching trips (data exposure on a shared screen). Those three also loaded via separate tab-gated effects, so they never hydrated offline for an unopened tab. - resetTrip() clears every trip-scoped slice (keeps global tags/categories) and runs at the top of loadTrip, so a switch can't leak the prior trip's data - loadTrip now hydrates budget/reservations/files through their repos alongside the rest (non-fatal catches), making offline hydration uniform - useTripPlanner drops the redundant loadFiles + reservations/budget effects; tab-gated lazy reloads stay as on-demand refresh - tests: cross-trip no-leak, uniform hydration, resetTrip * fix(sync): re-hydrate active trip store on reconnect/online (H1) (#1181) setRefetchCallback was dead code, so on reconnect the queue flushed and Dexie re-seeded but the open trip's Zustand store was never refreshed — a collaborator's edits made while we were offline didn't appear until navigating away and back. - new tripStore.hydrateActiveTrip(): silent refresh of the active trip's collaborative state (days/places/packing/todo/budget/reservations/files), no resetTrip and no isLoading toggle so there's no splash on reconnect - syncTriggers wires setRefetchCallback to it (WS layer awaits the flush hook first) and re-hydrates open trips after the online-event syncAll; cleared on unregister - websocket exposes getActiveTrips() for the online-event path - tests: refetch wiring + ordering, silent hydrate without reset/splash * fix(server): lengthen idempotency key TTL to survive multi-day offline (H6) (#1182) The nightly cleanup deleted idempotency keys older than 24h. The TREK client replays queued mutations with their X-Idempotency-Key on reconnect, so a device offline longer than a day had its keys GC'd before it returned — the replayed POST was then treated as new and created a duplicate. - raise the TTL to 30 days (DEFAULT_IDEMPOTENCY_TTL_SECONDS), overridable via IDEMPOTENCY_TTL_SECONDS - extract purgeExpiredIdempotencyKeys(now, ttl, db) (mirrors cleanupOldBackups) with an injectable db, and have the cron job call it - tests: 30-day default eviction, 25-day key retained (was dropped at 24h), env override H7 (exactly-once across the lost-response window) is deferred: a correct fix must store the response in the same DB transaction as the entity write. Doing it in the generic interceptor (reserve-before-handler) cannot store the real response body for the crash case, which would break the client's temp->real id remapping on replay (mutationQueue.flush relies on the entity in the body). It needs a per-service change and is tracked separately. * fix(realtime): correct assignment:created echo dedup (H11) (#1183) When X-Idempotency/X-Socket-Id let an own-echo through, the assignment:created dedup had two bugs: it keyed on place id, so (1) a legitimate second assignment of a place already on the day was silently dropped, and (2) the temp-version reconciliation matched place?.id === placeId, letting undefined === undefined collapse place-less rows onto each other. - dedup now keys on assignment id (exact-id duplicate -> no-op) - temp (negative-id) optimistic rows are reconciled only when a real placeId matches, replacing just that row; a sibling temp of another place is untouched - everything else appends, including a genuine 2nd assignment of the same place - tests: 2nd-of-same-place kept, correct temp picked among siblings, place-less rows don't collapse Note: the broader own-echo suppression relies on X-Socket-Id being sent; this fixes the client-side fallback when an echo slips through. * fix(pwa): persist offline storage + Mapbox offline policy (H8, H9) (#1184) H8: prefetched tiles and file blobs could be evicted under storage pressure (worsened by opaque tile responses inflating the quota ~7MB each), blanking the offline map right when a traveler needs it. Request persistent storage at app init so the browser exempts our caches from eviction. We deliberately keep tile requests no-cors (a cors switch would break self-hosted/custom tile providers without CORS headers), so persistence is the safe mitigation rather than de-opaquing responses. H9: Mapbox GL users had no offline map at all — no runtimeCaching matched the Mapbox hosts. Add a StaleWhileRevalidate rule for api.mapbox.com / *.tiles.mapbox.com so visited areas are available offline (best-effort; full pre-download still requires the Leaflet renderer, now documented). - new sync/persistentStorage.ts requestPersistentStorage(), called from main.tsx - vite.config: mapbox-tiles SW cache rule - MapViewAuto / tilePrefetcher comments document the offline-maps policy - tests for the persist helper (granted / already-persisted / absent / rejects) * ci(security): only fail Docker Scout on fixable CVEs Add only-fixed so the scan no longer fails on vulnerabilities with no upstream fix available (e.g. base-image OS packages), and only flags actionable, fixable findings. * build(docker): rebuild gosu with a current Go toolchain Debian's apt gosu ships an old Go stdlib that the image CVE scan flags (1 critical + several high, all in golang/stdlib). Build gosu from source with a current Go toolchain and copy the static binary in instead; the runtime behaviour is unchanged — gosu still drops root to node at startup. * build(deps): bump tsx's esbuild to 0.28.1 (GHSA-gv7w-rqvm-qjhr) The production image's last image-scan finding was esbuild 0.28.0, pulled in transitively by tsx. Pin tsx's esbuild to 0.28.1 (within tsx's ~0.28.0 range) to clear GHSA-gv7w-rqvm-qjhr. Lockfile-only; no runtime change. * feat(auth): add "Remember me" checkbox to extend session lifetime (#1189) Adds a "Remember me" checkbox to the login form (single responsive page, covers mobile + desktop). Unchecked (default) issues the existing SESSION_DURATION JWT with a browser-session cookie (no maxAge); checked issues a longer-lived JWT plus a persistent cookie sized by the new SESSION_DURATION_REMEMBER env var (default 30d). The choice is threaded through the MFA verify leg so it survives the step-up. Register/demo logins keep their current persistent behaviour. * chore(ssrf): include lookup error code in error message * fix(backup): restore from Docker, fail-fast on shadowed /app, bundle encryption key (#1193) (#1197) * fix(backup): restore uploads through symlinked dir and bundle encryption key (#1193) Restoring a backup inside Docker threw ERR_FS_CP_DIR_TO_NON_DIR because /app/server/uploads is a symlink to the mounted /app/uploads volume and cpSync (dereference:false) refuses to overwrite the symlink node with a directory. The DB was swapped before this failing copy, so users saw restored data but missing upload files (trip covers). Resolve the symlink with realpathSync before copying so the merge targets the real directory; no-op on a plain dir, so non-Docker behavior is unchanged. Also bundle the at-rest encryption key (data/.encryption_key) into the backup so a restore onto a different install can decrypt stored secrets (API keys, MFA, SMTP/OIDC). Skipped when ENCRYPTION_KEY is provided via env (the file is not the source of truth then). On restore the key is swapped back if the archive carries one; a restart is required for the in-memory key to take effect. * fix(docker): fail fast when a volume shadows /app (#1193) Mounting an old volume at /app hides the image's node_modules and dist, so startup crashed with a cryptic "Cannot find module 'tsconfig-paths/register'". Add a CMD preflight that detects the missing app files and exits with actionable guidance. Document in the README that only /app/data and /app/uploads should be mounted, never /app. * fix: ssrf test * fix(places): fall back to search when autocomplete details lookup fails (#1192) (#1198) Clicking an auto-suggest dropdown item did a second /maps/details lookup that could fail (details kill-switch off, an overloaded OSM Overpass mirror behind a proxy, or any upstream error), dead-ending on "Place search failed" while the search button stayed reliable. handleSelectSuggestion now treats a missing or coordinate-less details result (or a thrown error) as a miss and falls back to the text-search path the search button uses, applying the first result. The error toast only fires if the fallback also returns nothing. Adds tests for the previously untested suggestion-click path. * fix(planner): scroll long place description/notes on mobile (#1195) (#1199) The place details card (PlaceInspector) clipped long description/notes with no way to scroll. The content area is a flex column whose children (description/notes) had the default flex-shrink: 1, so once the card hit its maxHeight cap they compressed to fit and their overflow:hidden clipped the text instead of overflowing into a scroll region. - Make the content area a bounded scroll region (flex: 1 1 auto, minHeight: 0, overflowY: auto, momentum + overscroll containment). - Pin description/notes with flexShrink: 0 so they keep natural height and the card overflows into the scroll instead of clipping. - Pin header/footer with flexShrink: 0 so they stay fixed while scrolling. - Add wordBreak/overflowWrap to the description div to fix horizontal clip. * Day plan: hotel travel times at start/end + login toggle polish (#1206) * fix(login): use the shared toggle for the stay-signed-in option * feat(planner): show hotel travel times at the start and end of a day * fix(login): give the stay-signed-in toggle an accessible name and fix its test * fix(trips): keep the day-count field empty when cleared and validate it (#1204) (#1207) * docs(readme): refresh dashboard, costs and trip screenshots (#1208) * docs(readme): refresh dashboard, costs and trip screenshots * docs(readme): correct outdated info (React 19, NestJS, 20 languages, Costs rename, passkeys, AirTrail, notifications) * chore: update all dependencies (#1209) * chore: update all dependencies * chore: remove lint errors * fix(client): restore typecheck after dependency bump vitest 4 types vi.fn() as Mock<Procedure | Constructable>, which no longer assigns to the strictly-typed onUpdate prop; type the mock explicitly. TS6 + the new transitive @types/node 25 stopped auto- including node builtin module types, so import('node:buffer') failed; add @types/node as a direct client devDependency and a scoped node type reference in the one test that needs it. * test: fix constructor mocks for vitest 4 Reflect.construct semantics vitest 4 resolves new-invoked mocks via Reflect.construct, which rejects arrow-function implementations (including mockReturnValue sugar) as non-constructable. Convert mapbox-gl and better-sqlite3 mocks that the code instantiates with new to regular function implementations. * fix(planner): only route to multi-day transport endpoints on their pickup/drop-off days (#1210) (#1212) * chore: move to Frankfurter API for exchange rate (#1214) * Restore nest coverage to >=80% after the #1209 dep bump (istanbul provider + branch tests) (#1213) * fix(server): set oxc:false in vitest so the SWC transform survives the Vite 8 bump * fix(server): switch coverage to the istanbul provider (v8 under-reports branches on Vite 8 + Vitest 4) * test(nest): cover controller/service branches to clear the 80% coverage gate * fix(planner): correct transfer-day hotel legs and connect them to transports (#1215) When you change hotels on a day, the morning bookend leg showed the hotel you check into instead of the one you slept in whenever the morning stay didn't end exactly on that day — both bookends collapsed onto the arriving hotel. The morning hotel is now picked by "checked in earlier and still in range" rather than "checks out today", which also fixes the route optimizer's start anchor for the same case. The bookend legs now connect to the first/last located waypoint of the day — a place or a transport endpoint (a car return, a taxi or train arrival) — so the hotel-to-transport drives are included too. * feat(transports): add kitinerary import-from-file button to Transports tab * docs(config): document SESSION_DURATION_REMEMBER across deployment artifacts Add SESSION_DURATION_REMEMBER to docker-compose, .env.example, README env table, Helm chart (values + configmap passthrough), the Unraid template, and the Unraid install guide. Where the base SESSION_DURATION was also absent (README, charts, Unraid) add the pair so the Remember-me variable has context. --------- Co-authored-by: gzor <risenbrowser@web.de> Co-authored-by: ppuassi <34529179+ppuassi@users.noreply.github.com> Co-authored-by: sss3978 <106522699+soma3978@users.noreply.github.com> Co-authored-by: SkyLostTR <onurluerin@gmail.com> Co-authored-by: Julien G. <66769052+jubnl@users.noreply.github.com> Co-authored-by: Dimitris Kafetzis <39215021+Dkafetzis@users.noreply.github.com> Co-authored-by: Ahmet Yılmaz <70577707+sharkpaw@users.noreply.github.com> Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: jufy111 <40817638+jufy111@users.noreply.github.com> Co-authored-by: Larinel <bodink7@gmail.com> Co-authored-by: rossanorbr <48014819+rossanorbr@users.noreply.github.com>
This commit is contained in:
Maurice
@@ -0,0 +1,123 @@
|
||||
/**
|
||||
* Unit test for the Atlas region-code reconciliation migration (#1119).
|
||||
*
|
||||
* After Atlas swapped Natural Earth for geoBoundaries, manually-marked regions
|
||||
* (`visited_regions`) held the old Natural Earth ISO-3166-2 codes. The final migration
|
||||
* reconciles each row against the shipped admin-1 bundle: valid codes are kept, codes
|
||||
* whose region NAME still matches are re-coded, renamed-merge cases use a curated
|
||||
* crosswalk, and anything else is left untouched. We exercise the real migration by
|
||||
* running all migrations, seeding rows, rewinding schema_version by one, and re-running
|
||||
* so only the last (reconciliation) migration fires.
|
||||
*/
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import Database from 'better-sqlite3';
|
||||
import { createTables } from '../../../src/db/schema';
|
||||
import { runMigrations } from '../../../src/db/migrations';
|
||||
import { createUser } from '../../helpers/factories';
|
||||
|
||||
function freshDb() {
|
||||
const db = new Database(':memory:');
|
||||
db.exec('PRAGMA journal_mode = WAL');
|
||||
db.exec('PRAGMA foreign_keys = ON');
|
||||
createTables(db);
|
||||
runMigrations(db);
|
||||
return db;
|
||||
}
|
||||
|
||||
function mark(db: Database.Database, userId: number, code: string, name: string, country = 'NO') {
|
||||
db.prepare(
|
||||
'INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, ?, ?, ?)'
|
||||
).run(userId, code, name, country);
|
||||
}
|
||||
|
||||
// The visited_regions reconciliation (#1119) is pinned at schema version 135.
|
||||
// Migrations added afterwards are appended AFTER it (append-only), so it is no
|
||||
// longer the last migration. Rewind to just before the reconciliation and
|
||||
// re-run: the later migrations are idempotent, so only the reconciliation has
|
||||
// any effect on the seeded rows here.
|
||||
const RECONCILIATION_VERSION = 135;
|
||||
function rerunLastMigration(db: Database.Database) {
|
||||
db.prepare('UPDATE schema_version SET version = ?').run(RECONCILIATION_VERSION - 1);
|
||||
runMigrations(db);
|
||||
}
|
||||
|
||||
describe('Atlas region-code reconciliation migration', () => {
|
||||
it('CROSSWALK-001: remaps a renamed-merge county via the curated crosswalk', () => {
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
mark(db, user.id, 'NO-05', 'Oppland'); // merged into Innlandet, name changed
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const rows = db.prepare('SELECT region_code, region_name FROM visited_regions WHERE user_id = ?').all(user.id);
|
||||
expect(rows).toEqual([{ region_code: 'NO-34', region_name: 'Innlandet' }]);
|
||||
db.close();
|
||||
});
|
||||
|
||||
it('CROSSWALK-002: merges two old counties that map to the same new region (no UNIQUE clash)', () => {
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
mark(db, user.id, 'NO-04', 'Hedmark'); // → Innlandet
|
||||
mark(db, user.id, 'NO-05', 'Oppland'); // → Innlandet
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const rows = db.prepare('SELECT region_code FROM visited_regions WHERE user_id = ?').all(user.id);
|
||||
expect(rows).toEqual([{ region_code: 'NO-34' }]);
|
||||
db.close();
|
||||
});
|
||||
|
||||
it('CROSSWALK-003: leaves a still-valid code untouched', () => {
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
mark(db, user.id, 'NO-03', 'Oslo'); // present in the new bundle
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const rows = db.prepare('SELECT region_code, region_name FROM visited_regions WHERE user_id = ?').all(user.id);
|
||||
expect(rows).toEqual([{ region_code: 'NO-03', region_name: 'Oslo' }]);
|
||||
db.close();
|
||||
});
|
||||
|
||||
it('CROSSWALK-004: re-codes a stale code whose region NAME still matches the bundle', () => {
|
||||
// Not in any crosswalk: a bogus code but a name ("Oslo") that the bundle still carries
|
||||
// for NO → reconciled to the bundle's code for that name (NO-03) by the name-match path.
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
mark(db, user.id, 'NO-99', 'Oslo');
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const rows = db.prepare('SELECT region_code, region_name FROM visited_regions WHERE user_id = ?').all(user.id);
|
||||
expect(rows).toEqual([{ region_code: 'NO-03', region_name: 'Oslo' }]);
|
||||
db.close();
|
||||
});
|
||||
|
||||
it('CROSSWALK-005: leaves an unresolvable row as-is (no code, no name, no crosswalk match)', () => {
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
mark(db, user.id, 'ZZ-99', 'Nowhere', 'ZZ');
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const rows = db.prepare('SELECT region_code, region_name FROM visited_regions WHERE user_id = ?').all(user.id);
|
||||
expect(rows).toEqual([{ region_code: 'ZZ-99', region_name: 'Nowhere' }]);
|
||||
db.close();
|
||||
});
|
||||
|
||||
it('CROSSWALK-006: does not touch bucket_list or visited_countries (no region identifier there)', () => {
|
||||
const db = freshDb();
|
||||
const { user } = createUser(db);
|
||||
db.prepare('INSERT INTO bucket_list (user_id, name, country_code) VALUES (?, ?, ?)').run(user.id, 'Oppland', 'NO');
|
||||
db.prepare('INSERT INTO visited_countries (user_id, country_code) VALUES (?, ?)').run(user.id, 'NO');
|
||||
mark(db, user.id, 'NO-05', 'Oppland'); // ensure the migration actually runs its body
|
||||
|
||||
rerunLastMigration(db);
|
||||
|
||||
const bucket = db.prepare('SELECT name, country_code FROM bucket_list WHERE user_id = ?').all(user.id);
|
||||
expect(bucket).toEqual([{ name: 'Oppland', country_code: 'NO' }]); // free-text name untouched
|
||||
const countries = db.prepare('SELECT country_code FROM visited_countries WHERE user_id = ?').all(user.id);
|
||||
expect(countries).toEqual([{ country_code: 'NO' }]);
|
||||
db.close();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,196 @@
|
||||
/**
|
||||
* Migration hygiene guardrails.
|
||||
*
|
||||
* These tests scan the migration source statically and fail when a NEW
|
||||
* destructive operation (DROP TABLE / DROP COLUMN / TRUNCATE / DELETE FROM /
|
||||
* ALTER ... DROP) is introduced, or when an empty/silent `catch` block creeps
|
||||
* back into the migration runner.
|
||||
*
|
||||
* Migrations 1..N are append-only and immutable once shipped (the live schema
|
||||
* has already applied them; rewriting an applied migration is a breaking
|
||||
* change). The destructive statements that already exist were each reviewed
|
||||
* and are legitimate — almost all are the standard SQLite "table rebuild"
|
||||
* pattern (create *_new, copy rows, DROP old, RENAME), plus a handful of
|
||||
* deliberate, data-preserving cleanups. They are recorded in
|
||||
* ALLOWED_DESTRUCTIVE below with the reason. Anything not on that list is
|
||||
* treated as a regression.
|
||||
*/
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { readFileSync } from 'node:fs';
|
||||
import { fileURLToPath } from 'node:url';
|
||||
import { dirname, resolve } from 'node:path';
|
||||
import { createTestDb } from '../../helpers/test-db';
|
||||
|
||||
const here = dirname(fileURLToPath(import.meta.url));
|
||||
const MIGRATIONS_PATH = resolve(here, '../../../src/db/migrations.ts');
|
||||
const migrationsSource = readFileSync(MIGRATIONS_PATH, 'utf8');
|
||||
|
||||
/**
|
||||
* Strip line and block comments so commented-out SQL (or prose mentioning
|
||||
* "DROP TABLE") is never flagged. String/template contents are preserved —
|
||||
* that is exactly where the real SQL lives.
|
||||
*/
|
||||
function stripComments(src: string): string {
|
||||
return src
|
||||
.replace(/\/\*[\s\S]*?\*\//g, ' ')
|
||||
.replace(/(^|[^:])\/\/[^\n]*/g, '$1');
|
||||
}
|
||||
|
||||
const scannableSource = stripComments(migrationsSource);
|
||||
|
||||
interface DestructiveHit {
|
||||
/** Normalised signature used as the allowlist key, e.g. "DROP TABLE budget_items". */
|
||||
signature: string;
|
||||
/** The raw matched fragment, kept for diagnostics. */
|
||||
fragment: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Detects destructive DDL/DML. For each match we build a normalised signature
|
||||
* of "<OPERATION> <TARGET>" so cosmetic whitespace/quoting changes don't churn
|
||||
* the allowlist, while a genuinely new target (or operation) shows up as a new
|
||||
* signature.
|
||||
*/
|
||||
function findDestructiveStatements(src: string): DestructiveHit[] {
|
||||
const hits: DestructiveHit[] = [];
|
||||
const norm = (s: string) => s.replace(/[`"'\[\]]/g, '').replace(/\s+/g, ' ').trim();
|
||||
|
||||
// DROP TABLE [IF EXISTS] <name>
|
||||
for (const m of src.matchAll(/DROP\s+TABLE\s+(IF\s+EXISTS\s+)?[`"'\[]?([A-Za-z_][\w]*)/gi)) {
|
||||
hits.push({ signature: `DROP TABLE ${m[2]}`, fragment: norm(m[0]) });
|
||||
}
|
||||
// ALTER TABLE <t> DROP COLUMN <c> (and bare ALTER ... DROP <c>)
|
||||
for (const m of src.matchAll(/ALTER\s+TABLE\s+[`"'\[]?([A-Za-z_][\w]*)[`"'\]]?\s+DROP\s+(COLUMN\s+)?[`"'\[]?([A-Za-z_][\w]*)/gi)) {
|
||||
hits.push({ signature: `ALTER TABLE ${m[1]} DROP COLUMN ${m[3]}`, fragment: norm(m[0]) });
|
||||
}
|
||||
// TRUNCATE <t> (not valid SQLite, but guard anyway)
|
||||
for (const m of src.matchAll(/TRUNCATE\s+(TABLE\s+)?[`"'\[]?([A-Za-z_][\w]*)/gi)) {
|
||||
hits.push({ signature: `TRUNCATE ${m[2]}`, fragment: norm(m[0]) });
|
||||
}
|
||||
// DELETE FROM <t>
|
||||
for (const m of src.matchAll(/DELETE\s+FROM\s+[`"'\[]?([A-Za-z_][\w]*)/gi)) {
|
||||
hits.push({ signature: `DELETE FROM ${m[1]}`, fragment: norm(m[0]) });
|
||||
}
|
||||
return hits;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allowlist of destructive statements already present and reviewed as
|
||||
* legitimate. Keyed by normalised signature. NEVER add to this without a
|
||||
* code-review-level justification — that is the whole point of the guard.
|
||||
*
|
||||
* Rebuild = standard SQLite 12-step ALTER emulation: CREATE <t>_new,
|
||||
* INSERT ... SELECT to copy rows, DROP old <t>, ALTER ... RENAME <t>_new TO <t>.
|
||||
* Rows are preserved across the rebuild.
|
||||
*/
|
||||
const ALLOWED_DESTRUCTIVE: Record<string, string> = {
|
||||
// ── table rebuilds (data preserved) ──────────────────────────────────────
|
||||
'DROP TABLE budget_items':
|
||||
'Migration 12: rebuild to drop a stale NOT NULL DEFAULT on persons/days. Rows copied first.',
|
||||
'DROP TABLE oauth_clients':
|
||||
'Make oauth_clients.user_id nullable for anonymous DCR clients. Rebuild, rows copied.',
|
||||
'DROP TABLE idempotency_keys':
|
||||
'Widen PK to (key,user_id,method,path). Rebuild, rows copied (old PK is a subset).',
|
||||
'DROP TABLE day_accommodations':
|
||||
'Make place_id nullable + ON DELETE SET NULL. Rebuild, rows copied.',
|
||||
'DROP TABLE schema_version':
|
||||
'Add surrogate id PK to schema_version. Rebuild, version row copied.',
|
||||
|
||||
// ── photo/journey table rebuilds (data preserved) ────────────────────────
|
||||
'DROP TABLE trip_photos':
|
||||
'trip_photos normalisation + later photo_id FK refactor. Rebuilds, rows copied.',
|
||||
'DROP TABLE trip_album_links':
|
||||
'Normalise trip_album_links to provider+album_id schema. Rebuild, rows copied.',
|
||||
'DROP TABLE journey_photos':
|
||||
'Journey photo provider support + photo_id FK refactor. Rebuilds, rows copied.',
|
||||
'DROP TABLE journey_photos_old':
|
||||
'Migration 121 gallery refactor: drops the temporary *_old backup after backfill.',
|
||||
'DROP TABLE journey_location_trail':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
'DROP TABLE journey_entries':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
'DROP TABLE journey_checkins':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
'DROP TABLE journey_members':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
'DROP TABLE journey_trips':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
'DROP TABLE journeys':
|
||||
'Migration 87 journey rebuild: old data SELECTed into memory and re-inserted into new schema.',
|
||||
|
||||
// ── template/cache scaffolding drops (no user content lost) ──────────────
|
||||
'DROP TABLE packing_template_items':
|
||||
'IF EXISTS drop to recreate the template-items table with a category_id FK. Template scaffolding.',
|
||||
'DROP TABLE notification_preferences':
|
||||
'IF EXISTS drop AFTER migration 71 copied the data into notification_channel_preferences.',
|
||||
|
||||
// ── guarded column drop ──────────────────────────────────────────────────
|
||||
'ALTER TABLE photo_providers DROP COLUMN config':
|
||||
'Drop generated-only config column; guarded by a PRAGMA table_info check that it exists.',
|
||||
|
||||
// ── targeted, bounded DELETEs ────────────────────────────────────────────
|
||||
'DELETE FROM oauth_tokens':
|
||||
'SEC-H6: DELETE ... WHERE audience IS NULL — purge pre-audience-binding tokens that the MCP server now rejects.',
|
||||
'DELETE FROM journey_entries':
|
||||
"Migration 121: DELETE ... WHERE title IN ('Gallery','[Trip Photos]') — remove synthetic wrapper entries replaced by the gallery model.",
|
||||
'DELETE FROM place_regions':
|
||||
'Atlas enclave fix: DELETE ... WHERE place_id IN (places inside specific enclave boxes) — invalidate stale region cache; re-resolved on next request.',
|
||||
'DELETE FROM visited_regions':
|
||||
'Atlas geoBoundaries swap (#1119): DELETE ... WHERE id = ? — after UPDATE OR IGNORE re-codes a manually-marked region to its current code, drop only the single leftover row whose UNIQUE(user_id, region_code) collision caused the update to be skipped (a duplicate of a region the user already has).',
|
||||
};
|
||||
|
||||
describe('migration hygiene — destructive operation guard', () => {
|
||||
it('introduces no destructive migration statement outside the reviewed allowlist', () => {
|
||||
const hits = findDestructiveStatements(scannableSource);
|
||||
const offenders = hits.filter((h) => !(h.signature in ALLOWED_DESTRUCTIVE));
|
||||
|
||||
if (offenders.length > 0) {
|
||||
const detail = offenders
|
||||
.map((o) => ` • ${o.signature} (matched: "${o.fragment}")`)
|
||||
.join('\n');
|
||||
throw new Error(
|
||||
`Found ${offenders.length} destructive migration statement(s) that are not on the ` +
|
||||
`reviewed allowlist in tests/unit/db/migration-hygiene.test.ts.\n` +
|
||||
`Migrations are append-only and destructive DDL/DML risks data loss on upgrade.\n` +
|
||||
`If the statement is genuinely safe (e.g. a SQLite table rebuild that copies rows ` +
|
||||
`first, or a tightly-bounded cache/cleanup DELETE), add its signature to ` +
|
||||
`ALLOWED_DESTRUCTIVE with a justification.\n\nOffending statement(s):\n${detail}`,
|
||||
);
|
||||
}
|
||||
|
||||
expect(offenders).toEqual([]);
|
||||
});
|
||||
|
||||
it('every allowlist entry still corresponds to a real statement (no dead allowlist rows)', () => {
|
||||
const present = new Set(findDestructiveStatements(scannableSource).map((h) => h.signature));
|
||||
const dead = Object.keys(ALLOWED_DESTRUCTIVE).filter((sig) => !present.has(sig));
|
||||
expect(dead, `Allowlist entries no longer found in migrations.ts: ${dead.join(', ')}`).toEqual([]);
|
||||
});
|
||||
});
|
||||
|
||||
describe('migration hygiene — no silently swallowed errors', () => {
|
||||
it('contains no empty catch block (catch must at least log)', () => {
|
||||
// Matches `catch {}` and `catch (e) {}` where the body is only whitespace.
|
||||
const emptyCatch = scannableSource.match(/catch\s*(\([^)]*\))?\s*\{\s*\}/g) ?? [];
|
||||
expect(
|
||||
emptyCatch,
|
||||
`migrations.ts must not swallow errors silently. Give each catch a log line ` +
|
||||
`(e.g. console.warn('[migrations] ...', err)). Found: ${emptyCatch.length}`,
|
||||
).toEqual([]);
|
||||
});
|
||||
});
|
||||
|
||||
describe('migration hygiene — full chain smoke', () => {
|
||||
it('migrates a fresh in-memory database from zero to the latest version', () => {
|
||||
// createTestDb() runs createTables() + the entire runMigrations() chain.
|
||||
// This proves the logging edits in the previously-empty catch blocks do
|
||||
// not change control flow / break the migration runner.
|
||||
const db = createTestDb();
|
||||
try {
|
||||
const row = db.prepare('SELECT version FROM schema_version').get() as { version: number };
|
||||
expect(row.version).toBeGreaterThan(0);
|
||||
} finally {
|
||||
db.close();
|
||||
}
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,58 @@
|
||||
/**
|
||||
* Idempotency key TTL cleanup (H6).
|
||||
*
|
||||
* The TREK client replays queued mutations with their X-Idempotency-Key on
|
||||
* reconnect, so the server must keep keys long enough to cover a realistic
|
||||
* offline window — otherwise a key GC'd before the device returns lets the
|
||||
* replay create a duplicate. The TTL was raised from 24h to 30d (overridable).
|
||||
*/
|
||||
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
|
||||
import { db } from '../../src/db/database';
|
||||
import { purgeExpiredIdempotencyKeys } from '../../src/scheduler';
|
||||
|
||||
const DAY = 24 * 60 * 60;
|
||||
const NOW = 2_000_000_000_000; // fixed ms so the test is deterministic
|
||||
const NOW_SEC = Math.floor(NOW / 1000);
|
||||
|
||||
function insertKey(key: string, ageSeconds: number): void {
|
||||
db.prepare(
|
||||
`INSERT INTO idempotency_keys (key, user_id, method, path, status_code, response_body, created_at)
|
||||
VALUES (?, 1, 'POST', '/x', 200, '{}', ?)`,
|
||||
).run(key, NOW_SEC - ageSeconds);
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
db.pragma('foreign_keys = OFF'); // fixtures reference a user we don't seed here
|
||||
db.prepare('DELETE FROM idempotency_keys').run();
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
db.prepare('DELETE FROM idempotency_keys').run();
|
||||
db.pragma('foreign_keys = ON');
|
||||
delete process.env.IDEMPOTENCY_TTL_SECONDS;
|
||||
});
|
||||
|
||||
describe('purgeExpiredIdempotencyKeys', () => {
|
||||
it('removes keys older than the 30-day default, keeps recent ones', () => {
|
||||
insertKey('old', 31 * DAY);
|
||||
insertKey('fresh', 5 * DAY);
|
||||
|
||||
const removed = purgeExpiredIdempotencyKeys(NOW, undefined, db);
|
||||
|
||||
expect(removed).toBe(1);
|
||||
const keys = db.prepare('SELECT key FROM idempotency_keys').all().map((r: { key: string }) => r.key);
|
||||
expect(keys).toEqual(['fresh']);
|
||||
});
|
||||
|
||||
it('keeps a 25-day-old key that the old 24h TTL would have dropped', () => {
|
||||
insertKey('offline-trip', 25 * DAY);
|
||||
expect(purgeExpiredIdempotencyKeys(NOW, undefined, db)).toBe(0);
|
||||
expect(db.prepare('SELECT COUNT(*) c FROM idempotency_keys').get()).toMatchObject({ c: 1 });
|
||||
});
|
||||
|
||||
it('respects the IDEMPOTENCY_TTL_SECONDS override', () => {
|
||||
process.env.IDEMPOTENCY_TTL_SECONDS = String(DAY);
|
||||
insertKey('twoDays', 2 * DAY);
|
||||
expect(purgeExpiredIdempotencyKeys(NOW, undefined, db)).toBe(1);
|
||||
});
|
||||
});
|
||||
@@ -88,7 +88,7 @@ describe('Tool: create_budget_item', () => {
|
||||
arguments: { tripId: trip.id, name: 'Misc', total_price: 10 },
|
||||
});
|
||||
const data = parseToolResult(result) as any;
|
||||
expect(data.item.category).toBe('Other');
|
||||
expect(data.item.category).toBe('other');
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -71,8 +71,10 @@ beforeEach(() => {
|
||||
isAddonEnabledMock.mockReturnValue(true);
|
||||
|
||||
// Default mock: returns a trip-summary-shaped value from the real in-memory DB
|
||||
// so that the trip title / existence match what tests insert, but budget/packing
|
||||
// are arrays (as prompts.ts expects), not the object shape getTripSummary now returns.
|
||||
// so the trip title / existence match what tests insert. `budget` mirrors the
|
||||
// real getTripSummary object shape ({ items, total, ... }) that prompts.ts reads
|
||||
// via budget.items/budget.total; packing stays an array (the packing prompt
|
||||
// tolerates it).
|
||||
mockGetTripSummary.mockImplementation((tripId: any) => {
|
||||
const trip = testDb.prepare('SELECT * FROM trips WHERE id = ?').get(tripId) as any;
|
||||
if (!trip) return null;
|
||||
@@ -87,8 +89,13 @@ beforeEach(() => {
|
||||
trip,
|
||||
days: [],
|
||||
members,
|
||||
budget: budgetRows, // array shape expected by prompts.ts
|
||||
packing: packingRows, // array shape expected by prompts.ts
|
||||
budget: {
|
||||
items: budgetRows,
|
||||
item_count: budgetRows.length,
|
||||
total: budgetRows.reduce((sum, i) => sum + (i.total_price || 0), 0),
|
||||
currency: trip.currency,
|
||||
},
|
||||
packing: packingRows, // array shape; packing prompt tolerates it
|
||||
reservations: [],
|
||||
collabNotes: [],
|
||||
};
|
||||
|
||||
@@ -134,6 +134,23 @@ describe('authenticate', () => {
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
expect(status).toHaveBeenCalledWith(401);
|
||||
});
|
||||
|
||||
it('AUTH-MW-007: rejects a purpose-scoped mfa_login token even when the user is valid', () => {
|
||||
// The token issued after the password check but before TOTP is signed with
|
||||
// the same secret. It must never authenticate a normal request, otherwise
|
||||
// password alone grants full access and MFA is bypassed.
|
||||
const mockUser = { id: 1, username: 'alice', email: 'alice@example.com', role: 'user', password_version: 0 };
|
||||
vi.mocked(db.prepare).mockReturnValue({ get: vi.fn(() => mockUser), all: vi.fn() } as any);
|
||||
|
||||
const mfaToken = jwt.sign({ id: 1, purpose: 'mfa_login', pv: 0 }, 'test-secret', { algorithm: 'HS256' });
|
||||
const next = vi.fn() as unknown as NextFunction;
|
||||
const { res, status } = makeRes();
|
||||
|
||||
authenticate(makeReq({ headers: { authorization: `Bearer ${mfaToken}` } }), res, next);
|
||||
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
expect(status).toHaveBeenCalledWith(401);
|
||||
});
|
||||
});
|
||||
|
||||
// ── adminOnly ─────────────────────────────────────────────────────────────────
|
||||
|
||||
@@ -0,0 +1,101 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { AccommodationsController } from '../../../src/nest/reservations/accommodations.controller';
|
||||
import type { AccommodationsService } from '../../../src/nest/reservations/accommodations.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { user_id: 1 };
|
||||
const refs = { place_id: 2, start_day_id: 10, end_day_id: 11 };
|
||||
|
||||
function makeService(overrides: Partial<AccommodationsService> = {}): AccommodationsService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
validateRefs: vi.fn().mockReturnValue([]),
|
||||
...overrides,
|
||||
} as unknown as AccommodationsService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
describe('AccommodationsController (parity with the legacy accommodations sub-router)', () => {
|
||||
it('404 when trip not accessible', () => {
|
||||
const svc = makeService({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new AccommodationsController(svc).list(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('GET / lists (no permission gate)', () => {
|
||||
const svc = makeService({ list: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AccommodationsService>);
|
||||
expect(new AccommodationsController(svc).list(user, '5')).toEqual({ accommodations: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('403 without day_edit', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new AccommodationsController(svc).create(user, '5', refs))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
});
|
||||
|
||||
it('400 when refs are missing', () => {
|
||||
expect(thrown(() => new AccommodationsController(makeService()).create(user, '5', { place_id: 2 }))).toEqual({
|
||||
status: 400, body: { error: 'place_id, start_day_id, and end_day_id are required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('404 with the first validateRefs error message', () => {
|
||||
const svc = makeService({ validateRefs: vi.fn().mockReturnValue([{ field: 'place_id', message: 'Place not found' }]) } as Partial<AccommodationsService>);
|
||||
expect(thrown(() => new AccommodationsController(svc).create(user, '5', refs))).toEqual({ status: 404, body: { error: 'Place not found' } });
|
||||
});
|
||||
|
||||
it('creates and emits accommodation:created + reservation:created', () => {
|
||||
const create = vi.fn().mockReturnValue({ id: 9 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ create, broadcast } as Partial<AccommodationsService>);
|
||||
expect(new AccommodationsController(svc).create(user, '5', refs, 'sock')).toEqual({ accommodation: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:created', { accommodation: { id: 9 } }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:created', {}, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when the accommodation is missing', () => {
|
||||
const svc = makeService({ get: vi.fn().mockReturnValue(undefined) } as Partial<AccommodationsService>);
|
||||
expect(thrown(() => new AccommodationsController(svc).update(user, '5', '9', refs))).toEqual({ status: 404, body: { error: 'Accommodation not found' } });
|
||||
});
|
||||
|
||||
it('updates and broadcasts', () => {
|
||||
const get = vi.fn().mockReturnValue({ id: 9 });
|
||||
const update = vi.fn().mockReturnValue({ id: 9, notes: 'x' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ get, update, broadcast } as Partial<AccommodationsService>);
|
||||
expect(new AccommodationsController(svc).update(user, '5', '9', refs, 'sock')).toEqual({ accommodation: { id: 9, notes: 'x' } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:updated', { accommodation: { id: 9, notes: 'x' } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when missing', () => {
|
||||
const svc = makeService({ get: vi.fn().mockReturnValue(undefined) } as Partial<AccommodationsService>);
|
||||
expect(thrown(() => new AccommodationsController(svc).remove(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Accommodation not found' } });
|
||||
});
|
||||
|
||||
it('emits the linked reservation/budget cascade then accommodation:deleted', () => {
|
||||
const get = vi.fn().mockReturnValue({ id: 9 });
|
||||
const remove = vi.fn().mockReturnValue({ linkedReservationId: 4, deletedBudgetItemId: 7 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ get, remove, broadcast } as Partial<AccommodationsService>);
|
||||
expect(new AccommodationsController(svc).remove(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:deleted', { reservationId: 4 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:deleted', { itemId: 7 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:deleted', { accommodationId: 9 }, 'sock');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,26 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { AddonsController } from '../../../src/nest/addons/addons.controller';
|
||||
import type { AddonsService } from '../../../src/nest/addons/addons.service';
|
||||
|
||||
function makeService(overrides: Partial<AddonsService> = {}): AddonsService {
|
||||
return {
|
||||
list: vi.fn().mockReturnValue({ collabFeatures: {}, bagTracking: false, addons: [] }),
|
||||
...overrides,
|
||||
} as unknown as AddonsService;
|
||||
}
|
||||
|
||||
describe('AddonsController (parity with the legacy GET /api/addons route)', () => {
|
||||
it('GET / delegates straight to the service and returns its feed', () => {
|
||||
const feed = {
|
||||
collabFeatures: { comments: true },
|
||||
bagTracking: true,
|
||||
addons: [{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: true }],
|
||||
};
|
||||
const list = vi.fn().mockReturnValue(feed);
|
||||
const svc = makeService({ list } as Partial<AddonsService>);
|
||||
|
||||
expect(new AddonsController(svc).list()).toBe(feed);
|
||||
expect(list).toHaveBeenCalledTimes(1);
|
||||
expect(list).toHaveBeenCalledWith();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,232 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// Three distinct prepare(...).all() reads (addons, photo_providers, photo_provider_fields).
|
||||
// A single shared statement is reused, so .all() is fed result sets in call order.
|
||||
const { dbMock } = vi.hoisted(() => {
|
||||
const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
|
||||
return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
|
||||
});
|
||||
vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { getBagTracking, getCollabFeatures } = vi.hoisted(() => ({
|
||||
getBagTracking: vi.fn(() => ({ enabled: false })),
|
||||
getCollabFeatures: vi.fn(() => ({})),
|
||||
}));
|
||||
vi.mock('../../../src/services/adminService', () => ({ getBagTracking, getCollabFeatures }));
|
||||
|
||||
const { getPhotoProviderConfig } = vi.hoisted(() => ({ getPhotoProviderConfig: vi.fn(() => ({})) }));
|
||||
vi.mock('../../../src/services/memories/helpersService', () => ({ getPhotoProviderConfig }));
|
||||
|
||||
import { AddonsService } from '../../../src/nest/addons/addons.service';
|
||||
|
||||
function svc() {
|
||||
return new AddonsService();
|
||||
}
|
||||
|
||||
// Feed the three reads in order: addons, providers, fields.
|
||||
function feedReads(addons: unknown[], providers: unknown[], fields: unknown[]) {
|
||||
dbMock._stmt.all
|
||||
.mockReturnValueOnce(addons)
|
||||
.mockReturnValueOnce(providers)
|
||||
.mockReturnValueOnce(fields);
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
dbMock._stmt.all.mockReturnValue([]);
|
||||
getCollabFeatures.mockReturnValue({});
|
||||
getBagTracking.mockReturnValue({ enabled: false });
|
||||
getPhotoProviderConfig.mockReturnValue({});
|
||||
});
|
||||
|
||||
describe('AddonsService.list', () => {
|
||||
it('returns the collab features and the bag-tracking flag from the admin service', () => {
|
||||
getCollabFeatures.mockReturnValue({ comments: true });
|
||||
getBagTracking.mockReturnValue({ enabled: true });
|
||||
feedReads([], [], []);
|
||||
|
||||
const res = svc().list();
|
||||
expect(res.collabFeatures).toEqual({ comments: true });
|
||||
expect(res.bagTracking).toBe(true);
|
||||
expect(res.addons).toEqual([]);
|
||||
});
|
||||
|
||||
it('coerces the addon enabled column to a boolean (both 1 and 0)', () => {
|
||||
feedReads(
|
||||
[
|
||||
{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: 1 },
|
||||
{ id: 'vacay', name: 'Vacay', type: 'page', icon: 'sun', enabled: 0 },
|
||||
],
|
||||
[],
|
||||
[],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
expect(res.addons).toEqual([
|
||||
{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: true },
|
||||
{ id: 'vacay', name: 'Vacay', type: 'page', icon: 'sun', enabled: false },
|
||||
]);
|
||||
});
|
||||
|
||||
it('maps a photo provider with no fields to an empty fields array (the || [] fallback)', () => {
|
||||
feedReads(
|
||||
[],
|
||||
[{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
|
||||
[],
|
||||
);
|
||||
getPhotoProviderConfig.mockReturnValue({ baseUrl: 'http://x' });
|
||||
|
||||
const res = svc().list();
|
||||
expect(res.addons).toEqual([
|
||||
{
|
||||
id: 'immich',
|
||||
name: 'Immich',
|
||||
type: 'photo_provider',
|
||||
icon: 'image',
|
||||
enabled: true,
|
||||
config: { baseUrl: 'http://x' },
|
||||
fields: [],
|
||||
},
|
||||
]);
|
||||
expect(getPhotoProviderConfig).toHaveBeenCalledWith('immich');
|
||||
});
|
||||
|
||||
it('coerces a disabled photo provider enabled flag to false', () => {
|
||||
feedReads(
|
||||
[],
|
||||
[{ id: 'synology', name: 'Synology', icon: 'image', enabled: 0, sort_order: 1 }],
|
||||
[],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
expect((res.addons[0] as { enabled: boolean }).enabled).toBe(false);
|
||||
});
|
||||
|
||||
it('groups multiple fields under their provider and keeps insertion order', () => {
|
||||
feedReads(
|
||||
[],
|
||||
[{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
|
||||
[
|
||||
{
|
||||
provider_id: 'immich',
|
||||
field_key: 'url',
|
||||
label: 'URL',
|
||||
input_type: 'text',
|
||||
placeholder: 'https://',
|
||||
hint: 'Base URL',
|
||||
required: 1,
|
||||
secret: 0,
|
||||
settings_key: 'immich_url',
|
||||
payload_key: 'url',
|
||||
sort_order: 0,
|
||||
},
|
||||
// Second field for the SAME provider exercises the `get(...) || []` truthy branch.
|
||||
{
|
||||
provider_id: 'immich',
|
||||
field_key: 'token',
|
||||
label: 'Token',
|
||||
input_type: 'password',
|
||||
placeholder: null,
|
||||
hint: null,
|
||||
required: 0,
|
||||
secret: 1,
|
||||
settings_key: null,
|
||||
payload_key: null,
|
||||
sort_order: 1,
|
||||
},
|
||||
],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
const provider = res.addons[0] as { fields: Array<Record<string, unknown>> };
|
||||
expect(provider.fields).toEqual([
|
||||
{
|
||||
key: 'url',
|
||||
label: 'URL',
|
||||
input_type: 'text',
|
||||
placeholder: 'https://',
|
||||
hint: 'Base URL',
|
||||
required: true,
|
||||
secret: false,
|
||||
settings_key: 'immich_url',
|
||||
payload_key: 'url',
|
||||
sort_order: 0,
|
||||
},
|
||||
{
|
||||
key: 'token',
|
||||
label: 'Token',
|
||||
input_type: 'password',
|
||||
placeholder: '',
|
||||
hint: null,
|
||||
required: false,
|
||||
secret: true,
|
||||
settings_key: null,
|
||||
payload_key: null,
|
||||
sort_order: 1,
|
||||
},
|
||||
]);
|
||||
});
|
||||
|
||||
it('falls back placeholder→"", hint→null, settings/payload keys→null when columns are missing/empty', () => {
|
||||
feedReads(
|
||||
[],
|
||||
[{ id: 'p', name: 'P', icon: 'i', enabled: 1, sort_order: 0 }],
|
||||
[
|
||||
{
|
||||
provider_id: 'p',
|
||||
field_key: 'k',
|
||||
label: 'L',
|
||||
input_type: 'text',
|
||||
// placeholder/hint/settings_key/payload_key omitted entirely (undefined)
|
||||
required: 0,
|
||||
secret: 0,
|
||||
sort_order: 0,
|
||||
},
|
||||
],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
const field = (res.addons[0] as { fields: Array<Record<string, unknown>> }).fields[0];
|
||||
expect(field).toMatchObject({
|
||||
placeholder: '',
|
||||
hint: null,
|
||||
settings_key: null,
|
||||
payload_key: null,
|
||||
});
|
||||
});
|
||||
|
||||
it('keeps fields belonging to other providers out of a provider with none of its own', () => {
|
||||
// A field exists, but for a DIFFERENT provider than the one returned — exercises
|
||||
// the `fieldsByProvider.get(p.id) || []` fallback while the map is non-empty.
|
||||
feedReads(
|
||||
[],
|
||||
[{ id: 'has-none', name: 'X', icon: 'i', enabled: 1, sort_order: 0 }],
|
||||
[
|
||||
{
|
||||
provider_id: 'other',
|
||||
field_key: 'k',
|
||||
label: 'L',
|
||||
input_type: 'text',
|
||||
required: 0,
|
||||
secret: 0,
|
||||
sort_order: 0,
|
||||
},
|
||||
],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
expect((res.addons[0] as { fields: unknown[] }).fields).toEqual([]);
|
||||
});
|
||||
|
||||
it('concatenates regular addons before the photo providers', () => {
|
||||
feedReads(
|
||||
[{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: 1 }],
|
||||
[{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
|
||||
[],
|
||||
);
|
||||
|
||||
const res = svc().list();
|
||||
expect(res.addons.map((a) => (a as { id: string }).id)).toEqual(['atlas', 'immich']);
|
||||
expect((res.addons[1] as { type: string }).type).toBe('photo_provider');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,263 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import { HttpException, NotFoundException } from '@nestjs/common';
|
||||
import type { Request } from 'express';
|
||||
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4'), logInfo: vi.fn() }));
|
||||
vi.mock('../../../src/services/notificationService', () => ({ send: vi.fn().mockResolvedValue(undefined) }));
|
||||
|
||||
import { AdminController } from '../../../src/nest/admin/admin.controller';
|
||||
import type { AdminService } from '../../../src/nest/admin/admin.service';
|
||||
import { writeAudit } from '../../../src/services/auditLog';
|
||||
import { send as sendNotification } from '../../../src/services/notificationService';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'admin', email: 'admin@example.test' } as User;
|
||||
const req = { headers: {} } as Request;
|
||||
|
||||
function svc(o: Partial<AdminService> = {}): AdminService {
|
||||
return { invalidateMcpSessions: vi.fn(), ...o } as unknown as AdminService;
|
||||
}
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
if (err instanceof NotFoundException) return { status: 404, body: err.getResponse() };
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
afterEach(() => { delete process.env.NODE_ENV; });
|
||||
|
||||
describe('AdminController users', () => {
|
||||
it('lists, creates (201 + audit), maps an error', () => {
|
||||
expect(new AdminController(svc({ listUsers: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listUsers()).toEqual({ users: [{ id: 1 }] });
|
||||
expect(thrown(() => new AdminController(svc({ createUser: vi.fn().mockReturnValue({ error: 'Email taken', status: 409 }) } as Partial<AdminService>)).createUser(user, {}, req))).toEqual({ status: 409, body: { error: 'Email taken' } });
|
||||
const c = new AdminController(svc({ createUser: vi.fn().mockReturnValue({ user: { id: 2 }, insertedId: 2, auditDetails: {} }) } as Partial<AdminService>));
|
||||
expect(c.createUser(user, { email: 'a@b.c' }, req)).toEqual({ user: { id: 2 } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.user_create' }));
|
||||
});
|
||||
|
||||
it('update + delete audit and map errors', () => {
|
||||
expect(new AdminController(svc({ updateUser: vi.fn().mockReturnValue({ user: { id: 2 }, previousEmail: 'a@b.c', changed: ['role'] }) } as Partial<AdminService>)).updateUser(user, '2', {}, req)).toEqual({ user: { id: 2 } });
|
||||
expect(thrown(() => new AdminController(svc({ deleteUser: vi.fn().mockReturnValue({ error: 'Cannot delete self', status: 400 }) } as Partial<AdminService>)).deleteUser(user, '1', req))).toEqual({ status: 400, body: { error: 'Cannot delete self' } });
|
||||
expect(new AdminController(svc({ deleteUser: vi.fn().mockReturnValue({ email: 'a@b.c' }) } as Partial<AdminService>)).deleteUser(user, '2', req)).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController permissions + oidc + misc', () => {
|
||||
it('permissions: 400 without an object, else saves + audits', () => {
|
||||
expect(thrown(() => new AdminController(svc()).savePermissions(user, {}, req))).toEqual({ status: 400, body: { error: 'permissions object required' } });
|
||||
const c = new AdminController(svc({ savePermissions: vi.fn().mockReturnValue({ permissions: { x: 1 }, skipped: [] }) } as Partial<AdminService>));
|
||||
expect(c.savePermissions(user, { permissions: { x: 1 } }, req)).toEqual({ success: true, permissions: { x: 1 } });
|
||||
});
|
||||
|
||||
it('permissions: includes skipped when present', () => {
|
||||
const c = new AdminController(svc({ savePermissions: vi.fn().mockReturnValue({ permissions: {}, skipped: ['bad'] }) } as Partial<AdminService>));
|
||||
expect(c.savePermissions(user, { permissions: {} }, req)).toEqual({ success: true, permissions: {}, skipped: ['bad'] });
|
||||
});
|
||||
|
||||
it('oidc update maps error, else audits', () => {
|
||||
expect(thrown(() => new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({ error: 'bad issuer', status: 400 }) } as Partial<AdminService>)).updateOidc(user, {}, req))).toEqual({ status: 400, body: { error: 'bad issuer' } });
|
||||
expect(new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).updateOidc(user, { issuer: 'https://idp' }, req)).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('save-demo-baseline maps error, else returns message', () => {
|
||||
expect(thrown(() => new AdminController(svc({ saveDemoBaseline: vi.fn().mockReturnValue({ error: 'not demo', status: 400 }) } as Partial<AdminService>)).saveDemoBaseline(user, req))).toEqual({ status: 400, body: { error: 'not demo' } });
|
||||
expect(new AdminController(svc({ saveDemoBaseline: vi.fn().mockReturnValue({ message: 'saved' }) } as Partial<AdminService>)).saveDemoBaseline(user, req)).toEqual({ success: true, message: 'saved' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController invites + feature toggles', () => {
|
||||
it('invites: create 201 + audit, delete maps error', () => {
|
||||
const c = new AdminController(svc({ createInvite: vi.fn().mockReturnValue({ invite: { id: 5 }, inviteId: 5, uses: 1, expiresInDays: 7 }) } as Partial<AdminService>));
|
||||
expect(c.createInvite(user, {}, req)).toEqual({ invite: { id: 5 } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.invite_create' }));
|
||||
expect(thrown(() => new AdminController(svc({ deleteInvite: vi.fn().mockReturnValue({ error: 'not found', status: 404 }) } as Partial<AdminService>)).deleteInvite(user, '5', req))).toEqual({ status: 404, body: { error: 'not found' } });
|
||||
});
|
||||
|
||||
it('places-photos: 400 on a non-boolean, else updates + audits', () => {
|
||||
expect(thrown(() => new AdminController(svc()).updatePlacesPhotos(user, { enabled: 'yes' }, req))).toEqual({ status: 400, body: { error: 'enabled must be a boolean' } });
|
||||
expect(new AdminController(svc({ updatePlacesPhotos: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).updatePlacesPhotos(user, { enabled: true }, req)).toEqual({ enabled: true });
|
||||
});
|
||||
|
||||
it('collab-features update invalidates MCP sessions + audits', () => {
|
||||
const invalidateMcpSessions = vi.fn();
|
||||
const c = new AdminController(svc({ updateCollabFeatures: vi.fn().mockReturnValue({ chat: true }), invalidateMcpSessions } as Partial<AdminService>));
|
||||
expect(c.updateCollabFeatures(user, { chat: true }, req)).toEqual({ chat: true });
|
||||
expect(invalidateMcpSessions).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController packing templates', () => {
|
||||
it('get 404, create 201, delete audits', () => {
|
||||
expect(thrown(() => new AdminController(svc({ getPackingTemplate: vi.fn().mockReturnValue({ error: 'not found', status: 404 }) } as Partial<AdminService>)).getPackingTemplate('9'))).toEqual({ status: 404, body: { error: 'not found' } });
|
||||
expect(new AdminController(svc({ createPackingTemplate: vi.fn().mockReturnValue({ id: 3, name: 'Beach' }) } as Partial<AdminService>)).createPackingTemplate(user, { name: 'Beach' })).toEqual({ id: 3, name: 'Beach' });
|
||||
expect(new AdminController(svc({ deletePackingTemplate: vi.fn().mockReturnValue({ name: 'Beach' }) } as Partial<AdminService>)).deletePackingTemplate(user, '3', req)).toEqual({ success: true });
|
||||
expect(new AdminController(svc({ createTemplateItem: vi.fn().mockReturnValue({ id: 7 }) } as Partial<AdminService>)).createTemplateItem('3', '4', { name: 'Towel' })).toEqual({ id: 7 });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController addons + sessions + jwt + defaults', () => {
|
||||
it('addon update audits + invalidates MCP sessions', () => {
|
||||
const invalidateMcpSessions = vi.fn();
|
||||
const c = new AdminController(svc({ updateAddon: vi.fn().mockReturnValue({ addon: { id: 'mcp', enabled: true }, auditDetails: {} }), invalidateMcpSessions } as Partial<AdminService>));
|
||||
expect(c.updateAddon(user, 'mcp', { enabled: true }, req)).toEqual({ addon: { id: 'mcp', enabled: true } });
|
||||
expect(invalidateMcpSessions).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('oauth-sessions revoke audits; rotate-jwt maps error', () => {
|
||||
expect(new AdminController(svc({ revokeOAuthSession: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).revokeOAuthSession(user, '3', req)).toEqual({ success: true });
|
||||
expect(thrown(() => new AdminController(svc({ rotateJwtSecret: vi.fn().mockReturnValue({ error: 'locked', status: 409 }) } as Partial<AdminService>)).rotateJwtSecret(user, req))).toEqual({ status: 409, body: { error: 'locked' } });
|
||||
expect(new AdminController(svc({ rotateJwtSecret: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).rotateJwtSecret(user, req)).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('default-user-settings: 400 on a non-object, else sets + audits', () => {
|
||||
expect(thrown(() => new AdminController(svc()).setDefaultUserSettings(user, [], req))).toEqual({ status: 400, body: { error: 'Object body required' } });
|
||||
const setAdminUserDefaults = vi.fn();
|
||||
const c = new AdminController(svc({ setAdminUserDefaults, getAdminUserDefaults: vi.fn().mockReturnValue({ theme: 'dark' }) } as Partial<AdminService>));
|
||||
expect(c.setDefaultUserSettings(user, { theme: 'dark' }, req)).toEqual({ theme: 'dark' });
|
||||
expect(setAdminUserDefaults).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController error envelope fallbacks', () => {
|
||||
it('ok() defaults to 400 when the error envelope omits a status', () => {
|
||||
expect(thrown(() => new AdminController(svc({ createUser: vi.fn().mockReturnValue({ error: 'boom' }) } as Partial<AdminService>)).createUser(user, {}, req))).toEqual({ status: 400, body: { error: 'boom' } });
|
||||
});
|
||||
|
||||
it('updateOidc defaults to 400 when the service error omits a status', () => {
|
||||
expect(thrown(() => new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({ error: 'nope' }) } as Partial<AdminService>)).updateOidc(user, {}, req))).toEqual({ status: 400, body: { error: 'nope' } });
|
||||
});
|
||||
|
||||
it('updateOidc audits issuer_set=false when no issuer is supplied', () => {
|
||||
expect(new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).updateOidc(user, {}, req)).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.oidc_update', details: { issuer_set: false } }));
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController read-only getters', () => {
|
||||
it('return service values verbatim', () => {
|
||||
expect(new AdminController(svc({ resetUserPasskeys: vi.fn().mockReturnValue({ email: 'a@b.c', deleted: 2 }) } as Partial<AdminService>)).resetUserPasskeys(user, '4', req)).toEqual({ success: true, deleted: 2 });
|
||||
expect(new AdminController(svc({ getStats: vi.fn().mockReturnValue({ users: 3 }) } as Partial<AdminService>)).stats()).toEqual({ users: 3 });
|
||||
expect(new AdminController(svc({ getPermissions: vi.fn().mockReturnValue({ a: 1 }) } as Partial<AdminService>)).permissions()).toEqual({ a: 1 });
|
||||
expect(new AdminController(svc({ getAuditLog: vi.fn().mockReturnValue({ entries: [] }) } as Partial<AdminService>)).auditLog({})).toEqual({ entries: [] });
|
||||
expect(new AdminController(svc({ getOidcSettings: vi.fn().mockReturnValue({ issuer: 'x' }) } as Partial<AdminService>)).getOidc()).toEqual({ issuer: 'x' });
|
||||
expect(new AdminController(svc({ checkVersion: vi.fn().mockResolvedValue({ current: '1' }) } as Partial<AdminService>)).versionCheck()).resolves.toEqual({ current: '1' });
|
||||
expect(new AdminController(svc({ getPreferencesMatrix: vi.fn().mockReturnValue({ rows: [] }) } as Partial<AdminService>)).getNotificationPrefs(user)).toEqual({ rows: [] });
|
||||
expect(new AdminController(svc({ listInvites: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listInvites()).toEqual({ invites: [{ id: 1 }] });
|
||||
expect(new AdminController(svc({ getBagTracking: vi.fn().mockReturnValue({ enabled: false }) } as Partial<AdminService>)).getBagTracking()).toEqual({ enabled: false });
|
||||
expect(new AdminController(svc({ getPlacesPhotos: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesPhotos()).toEqual({ enabled: true });
|
||||
expect(new AdminController(svc({ getPlacesAutocomplete: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesAutocomplete()).toEqual({ enabled: true });
|
||||
expect(new AdminController(svc({ getPlacesDetails: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesDetails()).toEqual({ enabled: true });
|
||||
expect(new AdminController(svc({ getCollabFeatures: vi.fn().mockReturnValue({ chat: false }) } as Partial<AdminService>)).getCollabFeatures()).toEqual({ chat: false });
|
||||
expect(new AdminController(svc({ listPackingTemplates: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listPackingTemplates()).toEqual({ templates: [{ id: 1 }] });
|
||||
expect(new AdminController(svc({ listAddons: vi.fn().mockReturnValue([{ id: 'mcp' }]) } as Partial<AdminService>)).listAddons()).toEqual({ addons: [{ id: 'mcp' }] });
|
||||
expect(new AdminController(svc({ listMcpTokens: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listMcpTokens()).toEqual({ tokens: [{ id: 1 }] });
|
||||
expect(new AdminController(svc({ listOAuthSessions: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listOAuthSessions()).toEqual({ sessions: [{ id: 1 }] });
|
||||
expect(new AdminController(svc({ getAdminUserDefaults: vi.fn().mockReturnValue({ theme: 'dark' }) } as Partial<AdminService>)).getDefaultUserSettings()).toEqual({ theme: 'dark' });
|
||||
});
|
||||
|
||||
it('setNotificationPrefs persists then returns the refreshed matrix', () => {
|
||||
const setAdminPreferences = vi.fn();
|
||||
const c = new AdminController(svc({ setAdminPreferences, getPreferencesMatrix: vi.fn().mockReturnValue({ rows: [1] }) } as Partial<AdminService>));
|
||||
expect(c.setNotificationPrefs(user, { x: 1 })).toEqual({ rows: [1] });
|
||||
expect(setAdminPreferences).toHaveBeenCalledWith(user.id, { x: 1 });
|
||||
});
|
||||
|
||||
it('githubReleases falls back to default paging when no query is given', async () => {
|
||||
const getGithubReleases = vi.fn().mockResolvedValue([{ tag: 'v1' }]);
|
||||
const c = new AdminController(svc({ getGithubReleases } as Partial<AdminService>));
|
||||
await expect(c.githubReleases()).resolves.toEqual([{ tag: 'v1' }]);
|
||||
expect(getGithubReleases).toHaveBeenCalledWith('10', '1');
|
||||
await c.githubReleases('5', '2');
|
||||
expect(getGithubReleases).toHaveBeenLastCalledWith('5', '2');
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController feature toggles + audit', () => {
|
||||
it('bag-tracking updates and audits', () => {
|
||||
const c = new AdminController(svc({ updateBagTracking: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>));
|
||||
expect(c.updateBagTracking(user, { enabled: true }, req)).toEqual({ enabled: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.bag_tracking' }));
|
||||
});
|
||||
|
||||
it('places-autocomplete: 400 on a non-boolean, else updates + audits', () => {
|
||||
expect(thrown(() => new AdminController(svc()).updatePlacesAutocomplete(user, { enabled: 'yes' }, req))).toEqual({ status: 400, body: { error: 'enabled must be a boolean' } });
|
||||
expect(new AdminController(svc({ updatePlacesAutocomplete: vi.fn().mockReturnValue({ enabled: false }) } as Partial<AdminService>)).updatePlacesAutocomplete(user, { enabled: false }, req)).toEqual({ enabled: false });
|
||||
});
|
||||
|
||||
it('places-details: 400 on a non-boolean, else updates + audits', () => {
|
||||
expect(thrown(() => new AdminController(svc()).updatePlacesDetails(user, { enabled: 1 }, req))).toEqual({ status: 400, body: { error: 'enabled must be a boolean' } });
|
||||
expect(new AdminController(svc({ updatePlacesDetails: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).updatePlacesDetails(user, { enabled: true }, req)).toEqual({ enabled: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController packing template sub-routes', () => {
|
||||
it('update/delete templates, categories and items map errors + return success', () => {
|
||||
expect(new AdminController(svc({ updatePackingTemplate: vi.fn().mockReturnValue({ id: 3 }) } as Partial<AdminService>)).updatePackingTemplate('3', {})).toEqual({ id: 3 });
|
||||
expect(new AdminController(svc({ createTemplateCategory: vi.fn().mockReturnValue({ id: 4 }) } as Partial<AdminService>)).createTemplateCategory('3', { name: 'Tops' })).toEqual({ id: 4 });
|
||||
expect(new AdminController(svc({ updateTemplateCategory: vi.fn().mockReturnValue({ id: 4 }) } as Partial<AdminService>)).updateTemplateCategory('3', '4', {})).toEqual({ id: 4 });
|
||||
expect(new AdminController(svc({ deleteTemplateCategory: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteTemplateCategory('3', '4')).toEqual({ success: true });
|
||||
expect(new AdminController(svc({ updateTemplateItem: vi.fn().mockReturnValue({ id: 7 }) } as Partial<AdminService>)).updateTemplateItem('7', {})).toEqual({ id: 7 });
|
||||
expect(new AdminController(svc({ deleteTemplateItem: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteTemplateItem('7')).toEqual({ success: true });
|
||||
expect(thrown(() => new AdminController(svc({ deleteTemplateItem: vi.fn().mockReturnValue({ error: 'gone', status: 404 }) } as Partial<AdminService>)).deleteTemplateItem('9'))).toEqual({ status: 404, body: { error: 'gone' } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController tokens + sessions', () => {
|
||||
it('mcp token + oauth session deletes return success and map errors', () => {
|
||||
expect(new AdminController(svc({ deleteMcpToken: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteMcpToken('2')).toEqual({ success: true });
|
||||
expect(thrown(() => new AdminController(svc({ deleteMcpToken: vi.fn().mockReturnValue({ error: 'no token', status: 404 }) } as Partial<AdminService>)).deleteMcpToken('9'))).toEqual({ status: 404, body: { error: 'no token' } });
|
||||
expect(thrown(() => new AdminController(svc({ revokeOAuthSession: vi.fn().mockReturnValue({ error: 'no session', status: 404 }) } as Partial<AdminService>)).revokeOAuthSession(user, '9', req))).toEqual({ status: 404, body: { error: 'no session' } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController default-user-settings error path', () => {
|
||||
it('400 with an Error message when setAdminUserDefaults throws an Error', () => {
|
||||
const c = new AdminController(svc({ setAdminUserDefaults: vi.fn(() => { throw new Error('bad default'); }) } as Partial<AdminService>));
|
||||
expect(thrown(() => c.setDefaultUserSettings(user, { theme: 'x' }, req))).toEqual({ status: 400, body: { error: 'bad default' } });
|
||||
});
|
||||
|
||||
it('400 stringifies a non-Error throw', () => {
|
||||
const c = new AdminController(svc({ setAdminUserDefaults: vi.fn(() => { throw 'plain string'; }) } as Partial<AdminService>));
|
||||
expect(thrown(() => c.setDefaultUserSettings(user, { theme: 'x' }, req))).toEqual({ status: 400, body: { error: 'plain string' } });
|
||||
});
|
||||
|
||||
it('400 when the body is null', () => {
|
||||
expect(thrown(() => new AdminController(svc()).setDefaultUserSettings(user, null, req))).toEqual({ status: 400, body: { error: 'Object body required' } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminController dev test-notification', () => {
|
||||
it('404 outside development', async () => {
|
||||
delete process.env.NODE_ENV;
|
||||
await expect(new AdminController(svc()).devTestNotification(user, {})).rejects.toBeInstanceOf(NotFoundException);
|
||||
});
|
||||
|
||||
it('sends in development', async () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const res = await new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' });
|
||||
expect(res).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('applies notification defaults when the body is empty', async () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const res = await new AdminController(svc()).devTestNotification(user, {});
|
||||
expect(res).toEqual({ success: true });
|
||||
expect(sendNotification).toHaveBeenCalledWith(expect.objectContaining({ event: 'trip_reminder', scope: 'user', targetId: user.id }));
|
||||
});
|
||||
|
||||
it('maps an Error from the notification service to 400', async () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
(sendNotification as unknown as ReturnType<typeof vi.fn>).mockRejectedValueOnce(new Error('send failed'));
|
||||
await expect(new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' })).rejects.toMatchObject({ response: { error: 'send failed' } });
|
||||
});
|
||||
|
||||
it('stringifies a non-Error notification failure to 400', async () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
(sendNotification as unknown as ReturnType<typeof vi.fn>).mockRejectedValueOnce('weird');
|
||||
await expect(new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' })).rejects.toMatchObject({ response: { error: 'weird' } });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,72 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { AirportsController } from '../../../src/nest/airports/airports.controller';
|
||||
import type { AirportsService } from '../../../src/nest/airports/airports.service';
|
||||
import type { Airport } from '@trek/shared';
|
||||
|
||||
function makeController(svc: Partial<AirportsService>) {
|
||||
return new AirportsController(svc as AirportsService);
|
||||
}
|
||||
|
||||
const BER: Airport = {
|
||||
iata: 'BER', icao: 'EDDB', name: 'Berlin Brandenburg', city: 'Berlin',
|
||||
country: 'DE', lat: 52.36, lng: 13.5, tz: 'Europe/Berlin',
|
||||
};
|
||||
|
||||
/** Run `fn`, expecting an HttpException; return its { status, body }. */
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('AirportsController (parity with the legacy /api/airports route)', () => {
|
||||
describe('GET /api/airports/search', () => {
|
||||
it('returns [] without calling the service when the query is absent', () => {
|
||||
const search = vi.fn();
|
||||
const res = makeController({ search }).search(undefined);
|
||||
expect(res).toEqual([]);
|
||||
expect(search).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('returns [] for an empty query', () => {
|
||||
const search = vi.fn();
|
||||
expect(makeController({ search }).search('')).toEqual([]);
|
||||
expect(search).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('returns [] when the query arrives as an array (Express typeof guard)', () => {
|
||||
const search = vi.fn();
|
||||
expect(makeController({ search }).search(['a', 'b'])).toEqual([]);
|
||||
expect(search).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates a non-empty query to the service and returns its result', () => {
|
||||
const search = vi.fn().mockReturnValue([BER]);
|
||||
const res = makeController({ search }).search('ber');
|
||||
expect(res).toEqual([BER]);
|
||||
expect(search).toHaveBeenCalledWith('ber');
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /api/airports/:iata', () => {
|
||||
it('returns the airport when found', () => {
|
||||
const findByIata = vi.fn().mockReturnValue(BER);
|
||||
expect(makeController({ findByIata }).findByIata('BER')).toEqual(BER);
|
||||
expect(findByIata).toHaveBeenCalledWith('BER');
|
||||
});
|
||||
|
||||
it('404 { error } with the exact legacy message when not found', () => {
|
||||
const findByIata = vi.fn().mockReturnValue(null);
|
||||
expect(thrown(() => makeController({ findByIata }).findByIata('ZZZ'))).toEqual({
|
||||
status: 404,
|
||||
body: { error: 'Airport not found' },
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,95 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { DayAssignmentsController, AssignmentOpsController } from '../../../src/nest/assignments/assignments.controller';
|
||||
import type { AssignmentsService } from '../../../src/nest/assignments/assignments.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { user_id: 1 };
|
||||
|
||||
function svc(o: Partial<AssignmentsService> = {}): AssignmentsService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip), canEdit: vi.fn().mockReturnValue(true), broadcast: vi.fn(),
|
||||
dayExists: vi.fn().mockReturnValue(true), placeExists: vi.fn().mockReturnValue(true), notifyPlaceCreated: vi.fn(),
|
||||
...o,
|
||||
} as unknown as AssignmentsService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
describe('DayAssignmentsController (parity with the legacy day-assignments routes)', () => {
|
||||
it('404 trip, then 404 day on GET', () => {
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).list(user, '5', '3'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ dayExists: vi.fn().mockReturnValue(false) } as Partial<AssignmentsService>)).list(user, '5', '3'))).toEqual({ status: 404, body: { error: 'Day not found' } });
|
||||
});
|
||||
|
||||
it('GET returns assignments (access-only, no permission gate)', () => {
|
||||
const s = svc({ canEdit: vi.fn().mockReturnValue(false), listDayAssignments: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AssignmentsService>);
|
||||
expect(new DayAssignmentsController(s).list(user, '5', '3')).toEqual({ assignments: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
describe('POST', () => {
|
||||
it('403 without day_edit; 404 place not found; then creates + hooks', () => {
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ canEdit: vi.fn().mockReturnValue(false) })).create(user, '5', '3', { place_id: 2 }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ placeExists: vi.fn().mockReturnValue(false) } as Partial<AssignmentsService>)).create(user, '5', '3', { place_id: 2 }))).toEqual({ status: 404, body: { error: 'Place not found' } });
|
||||
const createAssignment = vi.fn().mockReturnValue({ id: 9 }); const broadcast = vi.fn(); const notifyPlaceCreated = vi.fn();
|
||||
const s = svc({ createAssignment, broadcast, notifyPlaceCreated } as Partial<AssignmentsService>);
|
||||
expect(new DayAssignmentsController(s).create(user, '5', '3', { place_id: 2, notes: 'n' }, 'sock')).toEqual({ assignment: { id: 9 } });
|
||||
expect(createAssignment).toHaveBeenCalledWith('3', 2, 'n');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'assignment:created', { assignment: { id: 9 } }, 'sock');
|
||||
expect(notifyPlaceCreated).toHaveBeenCalledWith('5', 2);
|
||||
});
|
||||
});
|
||||
|
||||
it('PUT /reorder 404 day, else reorders + broadcasts', () => {
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ dayExists: vi.fn().mockReturnValue(false) } as Partial<AssignmentsService>)).reorder(user, '5', '3', [1, 2]))).toEqual({ status: 404, body: { error: 'Day not found' } });
|
||||
const reorderAssignments = vi.fn(); const broadcast = vi.fn();
|
||||
expect(new DayAssignmentsController(svc({ reorderAssignments, broadcast } as Partial<AssignmentsService>)).reorder(user, '5', '3', [2, 1], 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'assignment:reordered', { dayId: 3, orderedIds: [2, 1] }, 'sock');
|
||||
});
|
||||
|
||||
it('DELETE /:id 404 when not in day, else success', () => {
|
||||
expect(thrown(() => new DayAssignmentsController(svc({ assignmentExistsInDay: vi.fn().mockReturnValue(false) } as Partial<AssignmentsService>)).remove(user, '5', '3', '9'))).toEqual({ status: 404, body: { error: 'Assignment not found' } });
|
||||
const s = svc({ assignmentExistsInDay: vi.fn().mockReturnValue(true), deleteAssignment: vi.fn() } as Partial<AssignmentsService>);
|
||||
expect(new DayAssignmentsController(s).remove(user, '5', '3', '9')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('AssignmentOpsController (parity with the per-assignment op routes)', () => {
|
||||
it('PUT /:id/move 404 assignment, 404 target day, else moves', () => {
|
||||
expect(thrown(() => new AssignmentOpsController(svc({ getAssignmentForTrip: vi.fn().mockReturnValue(undefined) } as Partial<AssignmentsService>)).move(user, '5', '9', { new_day_id: 4 }))).toEqual({ status: 404, body: { error: 'Assignment not found' } });
|
||||
expect(thrown(() => new AssignmentOpsController(svc({ getAssignmentForTrip: vi.fn().mockReturnValue({ day_id: 3 }), dayExists: vi.fn().mockReturnValue(false) } as Partial<AssignmentsService>)).move(user, '5', '9', { new_day_id: 4 }))).toEqual({ status: 404, body: { error: 'Target day not found' } });
|
||||
const moveAssignment = vi.fn().mockReturnValue({ assignment: { id: 9 } }); const broadcast = vi.fn();
|
||||
const s = svc({ getAssignmentForTrip: vi.fn().mockReturnValue({ day_id: 3 }), moveAssignment, broadcast } as Partial<AssignmentsService>);
|
||||
expect(new AssignmentOpsController(s).move(user, '5', '9', { new_day_id: 4, order_index: 0 }, 'sock')).toEqual({ assignment: { id: 9 } });
|
||||
expect(moveAssignment).toHaveBeenCalledWith('9', 4, 0, 3);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'assignment:moved', { assignment: { id: 9 }, oldDayId: 3, newDayId: 4 }, 'sock');
|
||||
});
|
||||
|
||||
it('GET /:id/participants returns participants (access-only)', () => {
|
||||
const s = svc({ getParticipants: vi.fn().mockReturnValue([{ user_id: 2 }]) } as Partial<AssignmentsService>);
|
||||
expect(new AssignmentOpsController(s).participants(user, '5', '9')).toEqual({ participants: [{ user_id: 2 }] });
|
||||
});
|
||||
|
||||
it('PUT /:id/time 404 missing, else updates', () => {
|
||||
expect(thrown(() => new AssignmentOpsController(svc({ getAssignmentForTrip: vi.fn().mockReturnValue(undefined) } as Partial<AssignmentsService>)).time(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'Assignment not found' } });
|
||||
const updateTime = vi.fn().mockReturnValue({ id: 9 }); const broadcast = vi.fn();
|
||||
const s = svc({ getAssignmentForTrip: vi.fn().mockReturnValue({ id: 9 }), updateTime, broadcast } as Partial<AssignmentsService>);
|
||||
expect(new AssignmentOpsController(s).time(user, '5', '9', { place_time: '10:00' }, 'sock')).toEqual({ assignment: { id: 9 } });
|
||||
expect(updateTime).toHaveBeenCalledWith('9', '10:00', undefined);
|
||||
});
|
||||
|
||||
it('PUT /:id/participants 400 not array, else sets + broadcasts', () => {
|
||||
expect(thrown(() => new AssignmentOpsController(svc()).setParticipants(user, '5', '9', 'no'))).toEqual({ status: 400, body: { error: 'user_ids must be an array' } });
|
||||
const setParticipants = vi.fn().mockReturnValue([{ user_id: 2 }]); const broadcast = vi.fn();
|
||||
expect(new AssignmentOpsController(svc({ setParticipants, broadcast } as Partial<AssignmentsService>)).setParticipants(user, '5', '9', [2], 'sock')).toEqual({ participants: [{ user_id: 2 }] });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'assignment:participants', { assignmentId: 9, participants: [{ user_id: 2 }] }, 'sock');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,138 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Response } from 'express';
|
||||
import { AtlasController } from '../../../src/nest/atlas/atlas.controller';
|
||||
import type { AtlasService } from '../../../src/nest/atlas/atlas.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 8 } as User;
|
||||
|
||||
function makeController(svc: Partial<AtlasService>) {
|
||||
return new AtlasController(svc as AtlasService);
|
||||
}
|
||||
|
||||
function makeRes() {
|
||||
return { setHeader: vi.fn() } as unknown as Response & { setHeader: ReturnType<typeof vi.fn> };
|
||||
}
|
||||
|
||||
async function thrown(fn: () => unknown): Promise<{ status: number; body: unknown }> {
|
||||
try {
|
||||
await fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('AtlasController (parity with the legacy /api/addons/atlas route)', () => {
|
||||
it('GET /stats delegates with the user id', () => {
|
||||
const stats = vi.fn().mockReturnValue({ countries: 3 });
|
||||
expect(makeController({ stats }).stats(user)).toEqual({ countries: 3 });
|
||||
expect(stats).toHaveBeenCalledWith(8);
|
||||
});
|
||||
|
||||
describe('GET /regions/geo', () => {
|
||||
it('returns an empty FeatureCollection without a cache header when no countries given', async () => {
|
||||
const regionGeo = vi.fn();
|
||||
const res = makeRes();
|
||||
const out = await makeController({ regionGeo }).regionGeo(undefined, res);
|
||||
expect(out).toEqual({ type: 'FeatureCollection', features: [] });
|
||||
expect(regionGeo).not.toHaveBeenCalled();
|
||||
expect(res.setHeader).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('caches a non-empty result for a day', async () => {
|
||||
const regionGeo = vi.fn().mockResolvedValue({ type: 'FeatureCollection', features: [{ id: 1 }] });
|
||||
const res = makeRes();
|
||||
const out = await makeController({ regionGeo }).regionGeo('DE,FR', res);
|
||||
expect(out).toEqual({ type: 'FeatureCollection', features: [{ id: 1 }] });
|
||||
expect(regionGeo).toHaveBeenCalledWith(['DE', 'FR']);
|
||||
expect(res.setHeader).toHaveBeenCalledWith('Cache-Control', 'public, max-age=86400');
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /countries/geo delegates to the service', () => {
|
||||
const fc = { type: 'FeatureCollection', features: [{ id: 'NO' }] };
|
||||
const countryGeo = vi.fn().mockReturnValue(fc);
|
||||
expect(makeController({ countryGeo }).countryGeo()).toBe(fc);
|
||||
expect(countryGeo).toHaveBeenCalledWith();
|
||||
});
|
||||
|
||||
describe('country', () => {
|
||||
it('GET /country/:code upper-cases the code', () => {
|
||||
const countryPlaces = vi.fn().mockReturnValue([]);
|
||||
makeController({ countryPlaces }).countryPlaces(user, 'de');
|
||||
expect(countryPlaces).toHaveBeenCalledWith(8, 'DE');
|
||||
});
|
||||
|
||||
it('POST mark returns success and upper-cases', () => {
|
||||
const markCountry = vi.fn();
|
||||
expect(makeController({ markCountry }).markCountry(user, 'de')).toEqual({ success: true });
|
||||
expect(markCountry).toHaveBeenCalledWith(8, 'DE');
|
||||
});
|
||||
|
||||
it('DELETE mark returns success', () => {
|
||||
const unmarkCountry = vi.fn();
|
||||
expect(makeController({ unmarkCountry }).unmarkCountry(user, 'FR')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('region', () => {
|
||||
it('400 when name or country_code is missing', () => {
|
||||
const markRegion = vi.fn();
|
||||
return thrown(() => makeController({ markRegion }).markRegion(user, 'by', undefined, 'DE')).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'name and country_code are required' } }));
|
||||
});
|
||||
|
||||
it('marks a region, upper-casing both codes', () => {
|
||||
const markRegion = vi.fn();
|
||||
expect(makeController({ markRegion }).markRegion(user, 'by', 'Bavaria', 'de')).toEqual({ success: true });
|
||||
expect(markRegion).toHaveBeenCalledWith(8, 'BY', 'Bavaria', 'DE');
|
||||
});
|
||||
});
|
||||
|
||||
describe('bucket list', () => {
|
||||
it('GET wraps the items', () => {
|
||||
const bucketList = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
expect(makeController({ bucketList }).bucketList(user)).toEqual({ items: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('400 on create with a blank name', () => {
|
||||
const createBucketItem = vi.fn();
|
||||
return thrown(() => makeController({ createBucketItem }).createBucketItem(user, { name: ' ' })).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'Name is required' } }));
|
||||
});
|
||||
|
||||
it('201-shape create returns { item }', () => {
|
||||
const createBucketItem = vi.fn().mockReturnValue({ id: 1, name: 'Tokyo' });
|
||||
expect(makeController({ createBucketItem }).createBucketItem(user, { name: 'Tokyo', lat: 35, lng: 139 }))
|
||||
.toEqual({ item: { id: 1, name: 'Tokyo' } });
|
||||
expect(createBucketItem).toHaveBeenCalledWith(8, { name: 'Tokyo', lat: 35, lng: 139, country_code: undefined, notes: undefined, target_date: undefined });
|
||||
});
|
||||
|
||||
it('404 on update of a missing item', () => {
|
||||
const updateBucketItem = vi.fn().mockReturnValue(null);
|
||||
return thrown(() => makeController({ updateBucketItem }).updateBucketItem(user, '9', { name: 'X' })).then((r) =>
|
||||
expect(r).toEqual({ status: 404, body: { error: 'Item not found' } }));
|
||||
});
|
||||
|
||||
it('updates an existing item', () => {
|
||||
const updateBucketItem = vi.fn().mockReturnValue({ id: 1, name: 'Kyoto' });
|
||||
expect(makeController({ updateBucketItem }).updateBucketItem(user, '1', { name: 'Kyoto' }))
|
||||
.toEqual({ item: { id: 1, name: 'Kyoto' } });
|
||||
});
|
||||
|
||||
it('404 on delete of a missing item', () => {
|
||||
const deleteBucketItem = vi.fn().mockReturnValue(false);
|
||||
return thrown(() => makeController({ deleteBucketItem }).deleteBucketItem(user, '9')).then((r) =>
|
||||
expect(r).toEqual({ status: 404, body: { error: 'Item not found' } }));
|
||||
});
|
||||
|
||||
it('deletes an existing item', () => {
|
||||
const deleteBucketItem = vi.fn().mockReturnValue(true);
|
||||
expect(makeController({ deleteBucketItem }).deleteBucketItem(user, '1')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,264 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request } from 'express';
|
||||
|
||||
vi.mock('../../../src/middleware/auth', () => ({ extractToken: vi.fn(), verifyJwtAndLoadUser: vi.fn() }));
|
||||
vi.mock('../../../src/services/authService', () => ({ resolveAuthToggles: vi.fn() }));
|
||||
vi.mock('../../../src/services/cookie', () => ({ setAuthCookie: vi.fn() }));
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
|
||||
vi.mock('../../../src/services/passkeyService', () => ({
|
||||
passkeyRegisterOptions: vi.fn(),
|
||||
passkeyRegisterVerify: vi.fn(),
|
||||
passkeyLoginOptions: vi.fn(),
|
||||
passkeyLoginVerify: vi.fn(),
|
||||
listPasskeys: vi.fn(),
|
||||
renamePasskey: vi.fn(),
|
||||
deletePasskey: vi.fn(),
|
||||
}));
|
||||
|
||||
import { JwtAuthGuard } from '../../../src/nest/auth/jwt-auth.guard';
|
||||
import { CookieAuthGuard } from '../../../src/nest/auth/cookie-auth.guard';
|
||||
import { OptionalJwtGuard } from '../../../src/nest/auth/optional-jwt.guard';
|
||||
import { AdminGuard } from '../../../src/nest/auth/admin.guard';
|
||||
import { PasskeyEnabledGuard } from '../../../src/nest/auth/passkey-enabled.guard';
|
||||
import { PasskeyController } from '../../../src/nest/auth/passkey.controller';
|
||||
import { RateLimitService } from '../../../src/nest/auth/rate-limit.service';
|
||||
import { CurrentUser } from '../../../src/nest/auth/current-user.decorator';
|
||||
import { extractToken, verifyJwtAndLoadUser } from '../../../src/middleware/auth';
|
||||
import { resolveAuthToggles } from '../../../src/services/authService';
|
||||
import { setAuthCookie } from '../../../src/services/cookie';
|
||||
import { writeAudit } from '../../../src/services/auditLog';
|
||||
import * as passkey from '../../../src/services/passkeyService';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function context(req: unknown) {
|
||||
return { switchToHttp: () => ({ getRequest: () => req }) } as never;
|
||||
}
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('JwtAuthGuard', () => {
|
||||
const guard = new JwtAuthGuard();
|
||||
|
||||
it('rejects with the legacy 401 { error, code } when no token is present', () => {
|
||||
vi.mocked(extractToken).mockReturnValue(null);
|
||||
expect(thrown(() => guard.canActivate(context({ headers: {}, cookies: {} })))).toEqual({
|
||||
status: 401,
|
||||
body: { error: 'Access token required', code: 'AUTH_REQUIRED' },
|
||||
});
|
||||
});
|
||||
|
||||
it('rejects an invalid/expired token (verify returns null)', () => {
|
||||
vi.mocked(extractToken).mockReturnValue('tok');
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
|
||||
expect(thrown(() => guard.canActivate(context({ headers: {} })))).toEqual({
|
||||
status: 401,
|
||||
body: { error: 'Invalid or expired token', code: 'AUTH_REQUIRED' },
|
||||
});
|
||||
});
|
||||
|
||||
it('attaches the loaded user and allows a valid token through', () => {
|
||||
const req: Record<string, unknown> = { headers: {} };
|
||||
vi.mocked(extractToken).mockReturnValue('tok');
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
|
||||
expect(guard.canActivate(context(req))).toBe(true);
|
||||
expect(req.user).toBe(user);
|
||||
});
|
||||
});
|
||||
|
||||
describe('CookieAuthGuard', () => {
|
||||
const guard = new CookieAuthGuard();
|
||||
|
||||
it('401s when the trek_session cookie is missing', () => {
|
||||
expect(thrown(() => guard.canActivate(context({ cookies: {} })))).toEqual({
|
||||
status: 401,
|
||||
body: { error: 'Cookie session required for this endpoint', code: 'COOKIE_AUTH_REQUIRED' },
|
||||
});
|
||||
// and when there is no cookies object at all
|
||||
expect(thrown(() => guard.canActivate(context({})))).toEqual({
|
||||
status: 401,
|
||||
body: { error: 'Cookie session required for this endpoint', code: 'COOKIE_AUTH_REQUIRED' },
|
||||
});
|
||||
});
|
||||
|
||||
it('401s when the cookie token fails verification', () => {
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
|
||||
expect(thrown(() => guard.canActivate(context({ cookies: { trek_session: 'tok' } })))).toEqual({
|
||||
status: 401,
|
||||
body: { error: 'Invalid or expired session', code: 'AUTH_REQUIRED' },
|
||||
});
|
||||
});
|
||||
|
||||
it('attaches the user and allows a valid cookie session through', () => {
|
||||
const req: Record<string, unknown> = { cookies: { trek_session: 'tok' } };
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
|
||||
expect(guard.canActivate(context(req))).toBe(true);
|
||||
expect(req.user).toBe(user);
|
||||
});
|
||||
});
|
||||
|
||||
describe('OptionalJwtGuard', () => {
|
||||
const guard = new OptionalJwtGuard();
|
||||
|
||||
it('always allows; sets req.user to null when no token', () => {
|
||||
const req: Record<string, unknown> = { headers: {} };
|
||||
vi.mocked(extractToken).mockReturnValue(null);
|
||||
expect(guard.canActivate(context(req))).toBe(true);
|
||||
expect(req.user).toBeNull();
|
||||
expect(verifyJwtAndLoadUser).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('sets req.user to null when a token verifies to nothing', () => {
|
||||
const req: Record<string, unknown> = { headers: {} };
|
||||
vi.mocked(extractToken).mockReturnValue('tok');
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
|
||||
expect(guard.canActivate(context(req))).toBe(true);
|
||||
expect(req.user).toBeNull();
|
||||
});
|
||||
|
||||
it('populates req.user from a valid token', () => {
|
||||
const req: Record<string, unknown> = { headers: {} };
|
||||
vi.mocked(extractToken).mockReturnValue('tok');
|
||||
vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
|
||||
expect(guard.canActivate(context(req))).toBe(true);
|
||||
expect(req.user).toBe(user);
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminGuard', () => {
|
||||
const guard = new AdminGuard();
|
||||
|
||||
it('403s for anonymous and for a non-admin role', () => {
|
||||
expect(thrown(() => guard.canActivate(context({})))).toEqual({ status: 403, body: { error: 'Admin access required' } });
|
||||
expect(thrown(() => guard.canActivate(context({ user: { role: 'user' } })))).toEqual({ status: 403, body: { error: 'Admin access required' } });
|
||||
});
|
||||
|
||||
it('allows an admin through', () => {
|
||||
expect(guard.canActivate(context({ user: { role: 'admin' } }))).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('PasskeyEnabledGuard', () => {
|
||||
const guard = new PasskeyEnabledGuard();
|
||||
|
||||
it('404s when passkey_login is off', () => {
|
||||
vi.mocked(resolveAuthToggles).mockReturnValue({ passkey_login: false } as ReturnType<typeof resolveAuthToggles>);
|
||||
expect(thrown(() => guard.canActivate())).toEqual({ status: 404, body: { error: 'Passkey login is not enabled' } });
|
||||
});
|
||||
|
||||
it('allows when passkey_login is on', () => {
|
||||
vi.mocked(resolveAuthToggles).mockReturnValue({ passkey_login: true } as ReturnType<typeof resolveAuthToggles>);
|
||||
expect(guard.canActivate()).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('CurrentUser decorator', () => {
|
||||
// Apply the decorator to a throwaway handler so Nest stores the param factory in
|
||||
// route metadata, then invoke that factory exactly as the framework would.
|
||||
function paramFactory(): (data: unknown, ctx: unknown) => User | undefined {
|
||||
class Target { handler(_u: User) {} }
|
||||
(CurrentUser() as ParameterDecorator)(Target.prototype, 'handler', 0);
|
||||
const meta = Reflect.getMetadata('__routeArguments__', Target, 'handler') as Record<string, { factory: (data: unknown, ctx: unknown) => User | undefined }>;
|
||||
return Object.values(meta)[0].factory;
|
||||
}
|
||||
|
||||
it('resolves the authenticated user from the request', () => {
|
||||
expect(paramFactory()(undefined, context({ user }))).toBe(user);
|
||||
});
|
||||
|
||||
it('returns undefined when no user is attached', () => {
|
||||
expect(paramFactory()(undefined, context({}))).toBeUndefined();
|
||||
});
|
||||
});
|
||||
|
||||
describe('PasskeyController', () => {
|
||||
const req = { ip: '9.9.9.9' } as Request;
|
||||
const res = {} as never;
|
||||
function rl(): RateLimitService { return new RateLimitService(); }
|
||||
|
||||
it('register/options maps a service error, else returns the options', async () => {
|
||||
vi.mocked(passkey.passkeyRegisterOptions).mockResolvedValue({ error: 'Incorrect password', status: 401 });
|
||||
expect(await thrownAsync(() => new PasskeyController(rl()).registerOptions(user, { password: 'x' }, req))).toEqual({ status: 401, body: { error: 'Incorrect password' } });
|
||||
vi.mocked(passkey.passkeyRegisterOptions).mockResolvedValue({ options: { challenge: 'c' } as never });
|
||||
expect(await new PasskeyController(rl()).registerOptions(user, { password: 'p' }, req)).toEqual({ challenge: 'c' });
|
||||
});
|
||||
|
||||
it('register/verify maps a service error, else audits and returns the credential', async () => {
|
||||
vi.mocked(passkey.passkeyRegisterVerify).mockResolvedValue({ error: 'Verification failed', status: 400 } as never);
|
||||
expect(await thrownAsync(() => new PasskeyController(rl()).registerVerify(user, {}, req))).toEqual({ status: 400, body: { error: 'Verification failed' } });
|
||||
vi.mocked(passkey.passkeyRegisterVerify).mockResolvedValue({ credential: { id: 'cr' } } as never);
|
||||
expect(await new PasskeyController(rl()).registerVerify(user, {}, req)).toEqual({ success: true, credential: { id: 'cr' } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.passkey_register' }));
|
||||
});
|
||||
|
||||
it('login/options maps a service error, else returns the options', async () => {
|
||||
vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ error: 'Not configured', status: 503 } as never);
|
||||
expect(await thrownAsync(() => new PasskeyController(rl()).loginOptions(req))).toEqual({ status: 503, body: { error: 'Not configured' } });
|
||||
vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ options: { challenge: 'd' } } as never);
|
||||
expect(await new PasskeyController(rl()).loginOptions(req)).toEqual({ challenge: 'd' });
|
||||
});
|
||||
|
||||
it('login/verify audits a failure then maps the error, padding latency', async () => {
|
||||
vi.mocked(passkey.passkeyLoginVerify).mockResolvedValue({ error: 'No match', status: 401, auditAction: 'user.login_fail', auditUserId: null } as never);
|
||||
expect(await thrownAsync(() => new PasskeyController(rl()).loginVerify({}, req, res))).toEqual({ status: 401, body: { error: 'No match' } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login_fail' }));
|
||||
}, 10000);
|
||||
|
||||
it('login/verify sets the session cookie and audits login on success', async () => {
|
||||
vi.mocked(passkey.passkeyLoginVerify).mockResolvedValue({ token: 'tk', user, auditUserId: 1 } as never);
|
||||
expect(await new PasskeyController(rl()).loginVerify({}, req, res)).toEqual({ token: 'tk', user });
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req);
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login', details: { method: 'passkey' } }));
|
||||
}, 10000);
|
||||
|
||||
it('credentials: list, rename (error + success), delete (error + success)', () => {
|
||||
vi.mocked(passkey.listPasskeys).mockReturnValue([{ id: 'a' }]);
|
||||
expect(new PasskeyController(rl()).list(user)).toEqual({ credentials: [{ id: 'a' }] });
|
||||
|
||||
vi.mocked(passkey.renamePasskey).mockReturnValue({ error: 'Not found', status: 404 });
|
||||
expect(thrown(() => new PasskeyController(rl()).rename(user, 'cid', { name: 'x' }))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
vi.mocked(passkey.renamePasskey).mockReturnValue({ success: true });
|
||||
expect(new PasskeyController(rl()).rename(user, 'cid', { name: 'x' })).toEqual({ success: true });
|
||||
|
||||
vi.mocked(passkey.deletePasskey).mockReturnValue({ error: 'Incorrect password', status: 401 });
|
||||
expect(thrown(() => new PasskeyController(rl()).remove(user, 'cid', { password: 'x' }, req))).toEqual({ status: 401, body: { error: 'Incorrect password' } });
|
||||
vi.mocked(passkey.deletePasskey).mockReturnValue({ success: true });
|
||||
expect(new PasskeyController(rl()).remove(user, 'cid', { password: 'p' }, req)).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.passkey_delete' }));
|
||||
});
|
||||
|
||||
it('throttles registration and login ceremonies once the bucket is exhausted', async () => {
|
||||
const s = new RateLimitService();
|
||||
const now = Date.now();
|
||||
for (let i = 0; i < 5; i++) s.check('mfa', '9.9.9.9', 5, 15 * 60 * 1000, now);
|
||||
expect(await thrownAsync(() => new PasskeyController(s).registerOptions(user, {}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
|
||||
const s2 = new RateLimitService();
|
||||
for (let i = 0; i < 10; i++) s2.check('login', '9.9.9.9', 10, 15 * 60 * 1000, now);
|
||||
expect(await thrownAsync(() => new PasskeyController(s2).loginOptions(req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
});
|
||||
|
||||
it('falls back to the "unknown" rate-limit key when req.ip is absent', async () => {
|
||||
vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ options: { challenge: 'z' } } as never);
|
||||
const noIp = {} as Request;
|
||||
expect(await new PasskeyController(rl()).loginOptions(noIp)).toEqual({ challenge: 'z' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,331 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request, Response } from 'express';
|
||||
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
|
||||
vi.mock('../../../src/services/demo', () => ({ isDemoEmail: vi.fn(() => false) }));
|
||||
|
||||
import { AuthPublicController } from '../../../src/nest/auth/auth-public.controller';
|
||||
import { AuthController } from '../../../src/nest/auth/auth.controller';
|
||||
import { RateLimitService } from '../../../src/nest/auth/rate-limit.service';
|
||||
import type { AuthService } from '../../../src/nest/auth/auth.service';
|
||||
import { writeAudit } from '../../../src/services/auditLog';
|
||||
import { isDemoEmail } from '../../../src/services/demo';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;
|
||||
const req = { ip: '9.9.9.9', headers: {} } as Request;
|
||||
const res = {} as Response;
|
||||
|
||||
function asvc(o: Partial<AuthService> = {}): AuthService {
|
||||
return { setAuthCookie: vi.fn(), clearAuthCookie: vi.fn(), getAppUrl: vi.fn(() => 'https://x'), sendPasswordResetEmail: vi.fn(), ...o } as unknown as AuthService;
|
||||
}
|
||||
function rl(): RateLimitService { return new RateLimitService(); }
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
afterEach(() => { delete process.env.DEMO_MODE; });
|
||||
|
||||
describe('RateLimitService', () => {
|
||||
it('allows up to max then blocks within the window; buckets are isolated', () => {
|
||||
const s = rl();
|
||||
expect(s.check('login', 'ip', 2, 1000, 0)).toBe(true);
|
||||
expect(s.check('login', 'ip', 2, 1000, 10)).toBe(true);
|
||||
expect(s.check('login', 'ip', 2, 1000, 20)).toBe(false); // 3rd within window
|
||||
expect(s.check('mfa', 'ip', 2, 1000, 20)).toBe(true); // different bucket
|
||||
expect(s.check('login', 'ip', 2, 1000, 2000)).toBe(true); // window elapsed -> reset
|
||||
});
|
||||
|
||||
it('reset clears a single named bucket, and reset() clears all of them', () => {
|
||||
const s = rl();
|
||||
s.check('login', 'ip', 1, 1000, 0); // login bucket now at its cap
|
||||
s.check('mfa', 'ip', 1, 1000, 0); // mfa bucket now at its cap
|
||||
expect(s.check('login', 'ip', 1, 1000, 0)).toBe(false);
|
||||
s.reset('login'); // only the login bucket
|
||||
expect(s.check('login', 'ip', 1, 1000, 0)).toBe(true);
|
||||
expect(s.check('mfa', 'ip', 1, 1000, 0)).toBe(false); // mfa untouched
|
||||
s.reset(); // everything
|
||||
expect(s.check('mfa', 'ip', 1, 1000, 0)).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('AuthPublicController', () => {
|
||||
it('demo-login maps error, else sets the cookie + returns token/user', () => {
|
||||
expect(thrown(() => new AuthPublicController(asvc({ demoLogin: vi.fn().mockReturnValue({ error: 'Demo disabled', status: 403 }) } as Partial<AuthService>), rl()).demoLogin(req, res))).toEqual({ status: 403, body: { error: 'Demo disabled' } });
|
||||
const setAuthCookie = vi.fn();
|
||||
const c = new AuthPublicController(asvc({ demoLogin: vi.fn().mockReturnValue({ token: 'tk', user }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(c.demoLogin(req, res)).toEqual({ token: 'tk', user });
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req);
|
||||
});
|
||||
|
||||
it('register audits + sets cookie; maps error', () => {
|
||||
expect(thrown(() => new AuthPublicController(asvc({ registerUser: vi.fn().mockReturnValue({ error: 'Email taken', status: 409 }) } as Partial<AuthService>), rl()).register({}, req, res))).toEqual({ status: 409, body: { error: 'Email taken' } });
|
||||
const setAuthCookie = vi.fn();
|
||||
const c = new AuthPublicController(asvc({ registerUser: vi.fn().mockReturnValue({ token: 'tk', user, auditUserId: 1, auditDetails: {} }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(c.register({ email: 'a@b.c', password: 'p' }, req, res)).toEqual({ token: 'tk', user });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.register' }));
|
||||
expect(setAuthCookie).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('invite 429 when rate-limited', () => {
|
||||
const s = rl();
|
||||
s.check('login', '9.9.9.9', 10, 15 * 60 * 1000, Date.now()); // not exhausted yet
|
||||
const c = new AuthPublicController(asvc({ validateInviteToken: vi.fn().mockReturnValue({ valid: true, max_uses: 1, used_count: 0, expires_at: null }) } as Partial<AuthService>), s);
|
||||
expect(c.invite('tok', req)).toEqual({ valid: true, max_uses: 1, used_count: 0, expires_at: null });
|
||||
});
|
||||
|
||||
it('login: mfa branch, success cookie, error mapping', async () => {
|
||||
const setAuthCookie = vi.fn();
|
||||
const mfa = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt' }) } as Partial<AuthService>), rl());
|
||||
expect(await mfa.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
|
||||
const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user, remember: true }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(await ok.login({}, req, res)).toEqual({ token: 'tk', user });
|
||||
// The "remember me" flag from the service rides through to the cookie service.
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req, true);
|
||||
const bad = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ error: 'Bad creds', status: 401, auditAction: 'user.login_fail' }) } as Partial<AuthService>), rl());
|
||||
expect(await thrownAsync(() => bad.login({}, req, res))).toEqual({ status: 401, body: { error: 'Bad creds' } });
|
||||
}, 10000);
|
||||
|
||||
it('forgot-password issues a reset email then returns the generic ok', async () => {
|
||||
const sendPasswordResetEmail = vi.fn().mockResolvedValue({ delivered: true });
|
||||
const c = new AuthPublicController(asvc({ requestPasswordReset: vi.fn().mockReturnValue({ reason: 'issued', tokenForDelivery: 'rt', userEmail: 'a@b.c', userId: 1 }), sendPasswordResetEmail } as Partial<AuthService>), rl());
|
||||
expect(await c.forgotPassword({ email: 'a@b.c' }, req)).toEqual({ ok: true });
|
||||
expect(sendPasswordResetEmail).toHaveBeenCalledWith('a@b.c', 'https://x/reset-password?token=rt', 1);
|
||||
}, 10000);
|
||||
|
||||
it('reset-password: error audits a fail, mfa branch, success', () => {
|
||||
expect(thrown(() => new AuthPublicController(asvc({ resetPassword: vi.fn().mockReturnValue({ error: 'Invalid token', status: 400 }) } as Partial<AuthService>), rl()).resetPassword({}, req))).toEqual({ status: 400, body: { error: 'Invalid token' } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.password_reset_fail' }));
|
||||
expect(new AuthPublicController(asvc({ resetPassword: vi.fn().mockReturnValue({ mfa_required: true }) } as Partial<AuthService>), rl()).resetPassword({}, req)).toEqual({ mfa_required: true });
|
||||
expect(new AuthPublicController(asvc({ resetPassword: vi.fn().mockReturnValue({ userId: 1 }) } as Partial<AuthService>), rl()).resetPassword({}, req)).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('app-config forwards the optional user (present and absent)', () => {
|
||||
const getAppConfig = vi.fn().mockReturnValue({ version: '3' });
|
||||
const c = new AuthPublicController(asvc({ getAppConfig } as Partial<AuthService>), rl());
|
||||
expect(c.appConfig({ user } as unknown as Request)).toEqual({ version: '3' });
|
||||
expect(getAppConfig).toHaveBeenLastCalledWith(user);
|
||||
expect(c.appConfig({} as Request)).toEqual({ version: '3' });
|
||||
expect(getAppConfig).toHaveBeenLastCalledWith(undefined);
|
||||
});
|
||||
|
||||
it('invite maps a service error', () => {
|
||||
const c = new AuthPublicController(asvc({ validateInviteToken: vi.fn().mockReturnValue({ error: 'Expired', status: 410 }) } as Partial<AuthService>), rl());
|
||||
expect(thrown(() => c.invite('tok', req))).toEqual({ status: 410, body: { error: 'Expired' } });
|
||||
});
|
||||
|
||||
it('login takes the mfa-required branch and never sets a cookie', async () => {
|
||||
const setAuthCookie = vi.fn();
|
||||
const c = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt', auditAction: 'user.login_mfa' }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(await c.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
|
||||
expect(setAuthCookie).not.toHaveBeenCalled();
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login_mfa' }));
|
||||
}, 10000);
|
||||
|
||||
it('forgot-password: non-issued reason and a delivery failure both still return ok', async () => {
|
||||
// Non-issued (unknown email / throttled): audits the reason, no email sent.
|
||||
const sendNever = vi.fn();
|
||||
const skip = new AuthPublicController(asvc({ requestPasswordReset: vi.fn().mockReturnValue({ reason: 'not_found', userId: null }), sendPasswordResetEmail: sendNever } as Partial<AuthService>), rl());
|
||||
expect(await skip.forgotPassword({ email: 'x@y.z' }, req)).toEqual({ ok: true });
|
||||
expect(sendNever).not.toHaveBeenCalled();
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.password_reset_request', details: { reason: 'not_found' } }));
|
||||
// Issued but the mailer throws: swallowed, audited as failed, still ok.
|
||||
const boom = vi.fn().mockRejectedValue(new Error('smtp'));
|
||||
const fail = new AuthPublicController(asvc({ requestPasswordReset: vi.fn().mockReturnValue({ reason: 'issued', tokenForDelivery: 'rt', userEmail: 'a@b.c', userId: 1 }), sendPasswordResetEmail: boom } as Partial<AuthService>), rl());
|
||||
expect(await fail.forgotPassword({ email: 'a@b.c' }, req)).toEqual({ ok: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ details: { delivered: 'failed' } }));
|
||||
}, 10000);
|
||||
|
||||
it('forgot-password ignores a non-string email body', async () => {
|
||||
const requestPasswordReset = vi.fn().mockReturnValue({ reason: 'not_found', userId: null });
|
||||
const c = new AuthPublicController(asvc({ requestPasswordReset } as Partial<AuthService>), rl());
|
||||
expect(await c.forgotPassword({ email: 42 } as { email?: unknown }, req)).toEqual({ ok: true });
|
||||
expect(requestPasswordReset).toHaveBeenCalledWith('', expect.any(String));
|
||||
}, 10000);
|
||||
|
||||
it('reset-password 429 once the dedicated reset bucket is exhausted', () => {
|
||||
const s = rl();
|
||||
const now = Date.now();
|
||||
for (let i = 0; i < 5; i++) s.check('reset', '9.9.9.9', 5, 15 * 60 * 1000, now);
|
||||
const c = new AuthPublicController(asvc({ resetPassword: vi.fn() } as Partial<AuthService>), s);
|
||||
expect(thrown(() => c.resetPassword({}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
});
|
||||
|
||||
it('mfa/verify-login maps a service error', () => {
|
||||
const c = new AuthPublicController(asvc({ verifyMfaLogin: vi.fn().mockReturnValue({ error: 'Bad code', status: 401 }) } as Partial<AuthService>), rl());
|
||||
expect(thrown(() => c.verifyMfaLogin({}, req, res))).toEqual({ status: 401, body: { error: 'Bad code' } });
|
||||
});
|
||||
|
||||
it('demo-login + register + invite throw 429 when the login bucket is exhausted', () => {
|
||||
const s = rl();
|
||||
const now = Date.now();
|
||||
for (let i = 0; i < 10; i++) s.check('login', '9.9.9.9', 10, 15 * 60 * 1000, now);
|
||||
const c = new AuthPublicController(asvc({ registerUser: vi.fn(), validateInviteToken: vi.fn() } as Partial<AuthService>), s);
|
||||
expect(thrown(() => c.register({}, req, res))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
expect(thrown(() => c.invite('t', req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
});
|
||||
|
||||
it('mfa/verify-login sets cookie + audits; logout clears cookie', () => {
|
||||
const setAuthCookie = vi.fn();
|
||||
const c = new AuthPublicController(asvc({ verifyMfaLogin: vi.fn().mockReturnValue({ token: 'tk', user, auditUserId: 1 }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(c.verifyMfaLogin({}, req, res)).toEqual({ token: 'tk', user });
|
||||
expect(setAuthCookie).toHaveBeenCalled();
|
||||
const clearAuthCookie = vi.fn();
|
||||
expect(new AuthPublicController(asvc({ clearAuthCookie } as Partial<AuthService>), rl()).logout(req, res)).toEqual({ success: true });
|
||||
expect(clearAuthCookie).toHaveBeenCalledWith(res, req);
|
||||
});
|
||||
});
|
||||
|
||||
describe('AuthController (authenticated)', () => {
|
||||
it('GET /me 404 when missing, else returns the loaded user', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ getCurrentUser: vi.fn().mockReturnValue(undefined) } as Partial<AuthService>), rl()).me(user))).toEqual({ status: 404, body: { error: 'User not found' } });
|
||||
expect(new AuthController(asvc({ getCurrentUser: vi.fn().mockReturnValue({ id: 1 }) } as Partial<AuthService>), rl()).me(user)).toEqual({ user: { id: 1 } });
|
||||
});
|
||||
|
||||
it('change-password maps error, else audits', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ changePassword: vi.fn().mockReturnValue({ error: 'Wrong', status: 400 }) } as Partial<AuthService>), rl()).changePassword(user, {}, req))).toEqual({ status: 400, body: { error: 'Wrong' } });
|
||||
expect(new AuthController(asvc({ changePassword: vi.fn().mockReturnValue({}) } as Partial<AuthService>), rl()).changePassword(user, {}, req)).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.password_change' }));
|
||||
});
|
||||
|
||||
it('avatar 403 in demo mode, 400 without a file, else saves', async () => {
|
||||
process.env.DEMO_MODE = 'true';
|
||||
vi.mocked(isDemoEmail).mockReturnValue(true);
|
||||
expect(await thrownAsync(() => new AuthController(asvc(), rl()).avatar(user, { filename: 'a.jpg' } as Express.Multer.File))).toEqual({ status: 403, body: { error: 'Uploads are disabled in demo mode. Self-host TREK for full functionality.' } });
|
||||
vi.mocked(isDemoEmail).mockReturnValue(false);
|
||||
delete process.env.DEMO_MODE;
|
||||
expect(await thrownAsync(() => new AuthController(asvc(), rl()).avatar(user, undefined))).toEqual({ status: 400, body: { error: 'No image uploaded' } });
|
||||
const saveAvatar = vi.fn().mockResolvedValue({ avatar: '/a.jpg' });
|
||||
expect(await new AuthController(asvc({ saveAvatar } as Partial<AuthService>), rl()).avatar(user, { filename: 'a.jpg' } as Express.Multer.File)).toEqual({ avatar: '/a.jpg' });
|
||||
});
|
||||
|
||||
it('mfa/setup awaits the QR promise, maps a generation failure to 500', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const ok = new AuthController(asvc({ setupMfa: vi.fn().mockReturnValue({ secret: 's', otpauth_url: 'o', qrPromise: Promise.resolve('<svg>') }) } as Partial<AuthService>), rl());
|
||||
expect(await ok.mfaSetup(user)).toEqual({ secret: 's', otpauth_url: 'o', qr_svg: '<svg>' });
|
||||
const fail = new AuthController(asvc({ setupMfa: vi.fn().mockReturnValue({ secret: 's', otpauth_url: 'o', qrPromise: Promise.reject(new Error('x')) }) } as Partial<AuthService>), rl());
|
||||
expect(await thrownAsync(() => fail.mfaSetup(user))).toEqual({ status: 500, body: { error: 'Could not generate QR code' } });
|
||||
});
|
||||
|
||||
it('mfa/enable audits + returns backup codes; mcp-tokens create 201', () => {
|
||||
const enable = new AuthController(asvc({ enableMfa: vi.fn().mockReturnValue({ mfa_enabled: true, backup_codes: ['a', 'b'] }) } as Partial<AuthService>), rl());
|
||||
expect(enable.mfaEnable(user, { code: '123456' }, req)).toEqual({ success: true, mfa_enabled: true, backup_codes: ['a', 'b'] });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.mfa_enable' }));
|
||||
const tok = new AuthController(asvc({ createMcpToken: vi.fn().mockReturnValue({ token: 'mcp_x' }) } as Partial<AuthService>), rl());
|
||||
expect(tok.createMcpToken(user, { name: 'CLI' }, req)).toEqual({ token: 'mcp_x' });
|
||||
});
|
||||
|
||||
it('resource-token 503 when unavailable, else returns the token payload', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ createResourceToken: vi.fn().mockReturnValue(null) } as Partial<AuthService>), rl()).resourceToken(user, {}))).toEqual({ status: 503, body: { error: 'Service unavailable' } });
|
||||
expect(new AuthController(asvc({ createResourceToken: vi.fn().mockReturnValue({ token: 'rt' }) } as Partial<AuthService>), rl()).resourceToken(user, { purpose: 'download' })).toEqual({ token: 'rt' });
|
||||
});
|
||||
|
||||
it('rate-limited account ops throw 429 once the bucket is exhausted', () => {
|
||||
const s = rl();
|
||||
const now = Date.now();
|
||||
// exhaust the shared 'login' bucket for this ip (max 5)
|
||||
for (let i = 0; i < 5; i++) s.check('login', '9.9.9.9', 5, 15 * 60 * 1000, now);
|
||||
const c = new AuthController(asvc({ changePassword: vi.fn() } as Partial<AuthService>), s);
|
||||
expect(thrown(() => c.changePassword(user, {}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
|
||||
});
|
||||
|
||||
it('change-password refreshes this device cookie when the service returns a token', () => {
|
||||
const setAuthCookie = vi.fn();
|
||||
const c = new AuthController(asvc({ changePassword: vi.fn().mockReturnValue({ token: 'tk2' }), setAuthCookie } as Partial<AuthService>), rl());
|
||||
expect(c.changePassword(user, {}, req, res)).toEqual({ success: true });
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk2', req);
|
||||
});
|
||||
|
||||
it('delete-account maps error, else audits and succeeds', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ deleteAccount: vi.fn().mockReturnValue({ error: 'Last admin', status: 403 }) } as Partial<AuthService>), rl()).deleteAccount(user, req))).toEqual({ status: 403, body: { error: 'Last admin' } });
|
||||
expect(new AuthController(asvc({ deleteAccount: vi.fn().mockReturnValue({}) } as Partial<AuthService>), rl()).deleteAccount(user, req)).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.account_delete' }));
|
||||
});
|
||||
|
||||
it('maps-key + api-keys pass straight through to the service', () => {
|
||||
const updateMapsKey = vi.fn().mockReturnValue({ success: true });
|
||||
expect(new AuthController(asvc({ updateMapsKey } as Partial<AuthService>), rl()).mapsKey(user, { maps_api_key: 'k' })).toEqual({ success: true });
|
||||
expect(updateMapsKey).toHaveBeenCalledWith(1, 'k');
|
||||
const updateApiKeys = vi.fn().mockReturnValue({ ok: 1 });
|
||||
expect(new AuthController(asvc({ updateApiKeys } as Partial<AuthService>), rl()).apiKeys(user, { a: 1 })).toEqual({ ok: 1 });
|
||||
});
|
||||
|
||||
it('update-settings + get-settings map errors, else return their payloads', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ updateSettings: vi.fn().mockReturnValue({ error: 'Bad', status: 400 }) } as Partial<AuthService>), rl()).updateSettings(user, {}))).toEqual({ status: 400, body: { error: 'Bad' } });
|
||||
expect(new AuthController(asvc({ updateSettings: vi.fn().mockReturnValue({ success: true, user: { id: 1 } }) } as Partial<AuthService>), rl()).updateSettings(user, {})).toEqual({ success: true, user: { id: 1 } });
|
||||
expect(thrown(() => new AuthController(asvc({ getSettings: vi.fn().mockReturnValue({ error: 'Nope', status: 404 }) } as Partial<AuthService>), rl()).getSettings(user))).toEqual({ status: 404, body: { error: 'Nope' } });
|
||||
expect(new AuthController(asvc({ getSettings: vi.fn().mockReturnValue({ settings: { theme: 'dark' } }) } as Partial<AuthService>), rl()).getSettings(user)).toEqual({ settings: { theme: 'dark' } });
|
||||
});
|
||||
|
||||
it('delete-avatar + users + travel-stats delegate to the service', async () => {
|
||||
const deleteAvatar = vi.fn().mockResolvedValue({ removed: true });
|
||||
expect(await new AuthController(asvc({ deleteAvatar } as Partial<AuthService>), rl()).deleteAvatar(user)).toEqual({ removed: true });
|
||||
const listUsers = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
expect(new AuthController(asvc({ listUsers } as Partial<AuthService>), rl()).users(user)).toEqual({ users: [{ id: 1 }] });
|
||||
expect(listUsers).toHaveBeenCalledWith(1);
|
||||
const getTravelStats = vi.fn().mockReturnValue({ countries: 3 });
|
||||
expect(new AuthController(asvc({ getTravelStats } as Partial<AuthService>), rl()).travelStats(user)).toEqual({ countries: 3 });
|
||||
});
|
||||
|
||||
it('validate-keys maps error, else returns the maps/weather payload', async () => {
|
||||
expect(await thrownAsync(() => new AuthController(asvc({ validateKeys: vi.fn().mockResolvedValue({ error: 'fail', status: 502 }) } as Partial<AuthService>), rl()).validateKeys(user))).toEqual({ status: 502, body: { error: 'fail' } });
|
||||
const ok = new AuthController(asvc({ validateKeys: vi.fn().mockResolvedValue({ maps: true, weather: false, maps_details: { ok: 1 } }) } as Partial<AuthService>), rl());
|
||||
expect(await ok.validateKeys(user)).toEqual({ maps: true, weather: false, maps_details: { ok: 1 } });
|
||||
});
|
||||
|
||||
it('app-settings get maps error, else returns data; put maps error, else audits', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ getAppSettings: vi.fn().mockReturnValue({ error: 'denied', status: 403 }) } as Partial<AuthService>), rl()).getAppSettings(user))).toEqual({ status: 403, body: { error: 'denied' } });
|
||||
expect(new AuthController(asvc({ getAppSettings: vi.fn().mockReturnValue({ data: { x: 1 } }) } as Partial<AuthService>), rl()).getAppSettings(user)).toEqual({ x: 1 });
|
||||
expect(thrown(() => new AuthController(asvc({ updateAppSettings: vi.fn().mockReturnValue({ error: 'bad', status: 400 }) } as Partial<AuthService>), rl()).updateAppSettings(user, {}, req))).toEqual({ status: 400, body: { error: 'bad' } });
|
||||
expect(new AuthController(asvc({ updateAppSettings: vi.fn().mockReturnValue({ auditSummary: 's', auditDebugDetails: 'd' }) } as Partial<AuthService>), rl()).updateAppSettings(user, {}, req)).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'settings.app_update' }));
|
||||
});
|
||||
|
||||
it('mfa/setup maps a service error before ever awaiting the QR promise', async () => {
|
||||
const c = new AuthController(asvc({ setupMfa: vi.fn().mockReturnValue({ error: 'already on', status: 409 }) } as Partial<AuthService>), rl());
|
||||
expect(await thrownAsync(() => c.mfaSetup(user))).toEqual({ status: 409, body: { error: 'already on' } });
|
||||
});
|
||||
|
||||
it('mfa/enable + mfa/disable map errors', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ enableMfa: vi.fn().mockReturnValue({ error: 'Invalid code', status: 400 }) } as Partial<AuthService>), rl()).mfaEnable(user, { code: 'x' }, req))).toEqual({ status: 400, body: { error: 'Invalid code' } });
|
||||
expect(thrown(() => new AuthController(asvc({ disableMfa: vi.fn().mockReturnValue({ error: 'Wrong', status: 401 }) } as Partial<AuthService>), rl()).mfaDisable(user, {}, req))).toEqual({ status: 401, body: { error: 'Wrong' } });
|
||||
const ok = new AuthController(asvc({ disableMfa: vi.fn().mockReturnValue({ mfa_enabled: false }) } as Partial<AuthService>), rl());
|
||||
expect(ok.mfaDisable(user, {}, req)).toEqual({ success: true, mfa_enabled: false });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.mfa_disable' }));
|
||||
});
|
||||
|
||||
it('mcp-tokens list + create error + delete error/success', () => {
|
||||
expect(new AuthController(asvc({ listMcpTokens: vi.fn().mockReturnValue([{ id: 't' }]) } as Partial<AuthService>), rl()).listMcpTokens(user)).toEqual({ tokens: [{ id: 't' }] });
|
||||
expect(thrown(() => new AuthController(asvc({ createMcpToken: vi.fn().mockReturnValue({ error: 'Name taken', status: 409 }) } as Partial<AuthService>), rl()).createMcpToken(user, { name: 'x' }, req))).toEqual({ status: 409, body: { error: 'Name taken' } });
|
||||
expect(thrown(() => new AuthController(asvc({ deleteMcpToken: vi.fn().mockReturnValue({ error: 'Not found', status: 404 }) } as Partial<AuthService>), rl()).deleteMcpToken(user, 'tid'))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
expect(new AuthController(asvc({ deleteMcpToken: vi.fn().mockReturnValue({}) } as Partial<AuthService>), rl()).deleteMcpToken(user, 'tid')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('ws-token maps error, else returns the token', () => {
|
||||
expect(thrown(() => new AuthController(asvc({ createWsToken: vi.fn().mockReturnValue({ error: 'down', status: 503 }) } as Partial<AuthService>), rl()).wsToken(user))).toEqual({ status: 503, body: { error: 'down' } });
|
||||
expect(new AuthController(asvc({ createWsToken: vi.fn().mockReturnValue({ token: 'ws' }) } as Partial<AuthService>), rl()).wsToken(user)).toEqual({ token: 'ws' });
|
||||
});
|
||||
|
||||
it('avatar saves when not in demo mode (env present but email is not a demo email)', async () => {
|
||||
process.env.DEMO_MODE = 'true';
|
||||
vi.mocked(isDemoEmail).mockReturnValue(false);
|
||||
const saveAvatar = vi.fn().mockResolvedValue({ avatar: '/b.png' });
|
||||
expect(await new AuthController(asvc({ saveAvatar } as Partial<AuthService>), rl()).avatar(user, { filename: 'b.png' } as Express.Multer.File)).toEqual({ avatar: '/b.png' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,232 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request, Response } from 'express';
|
||||
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
|
||||
// The controller imports the tmp-dir + size cap at module load. The thin
|
||||
// BackupService wrapper forwards every call straight into this module, so the
|
||||
// mock also stubs the delegated functions for the wrapper tests below.
|
||||
vi.mock('../../../src/services/backupService', () => ({
|
||||
getUploadTmpDir: () => '/tmp',
|
||||
MAX_BACKUP_UPLOAD_SIZE: 1024,
|
||||
BACKUP_RATE_WINDOW: 3600000,
|
||||
listBackups: vi.fn().mockReturnValue([{ filename: 'svc.zip' }]),
|
||||
createBackup: vi.fn().mockResolvedValue({ filename: 'svc.zip', size: 5 }),
|
||||
restoreFromZip: vi.fn().mockResolvedValue({ success: true }),
|
||||
getAutoSettings: vi.fn().mockReturnValue({ settings: { enabled: false }, timezone: 'UTC' }),
|
||||
updateAutoSettings: vi.fn().mockReturnValue({ enabled: true, interval: 'daily', keep_days: 7 }),
|
||||
deleteBackup: vi.fn(),
|
||||
isValidBackupFilename: vi.fn().mockReturnValue(true),
|
||||
backupFilePath: vi.fn().mockReturnValue('/data/backups/svc.zip'),
|
||||
backupFileExists: vi.fn().mockReturnValue(true),
|
||||
checkRateLimit: vi.fn().mockReturnValue(true),
|
||||
}));
|
||||
|
||||
import { BackupController } from '../../../src/nest/backup/backup.controller';
|
||||
import { BackupService as RealBackupService } from '../../../src/nest/backup/backup.service';
|
||||
import { AdminGuard } from '../../../src/nest/auth/admin.guard';
|
||||
import type { BackupService } from '../../../src/nest/backup/backup.service';
|
||||
import { writeAudit } from '../../../src/services/auditLog';
|
||||
import * as backupSvc from '../../../src/services/backupService';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'admin', email: 'a@example.test' } as User;
|
||||
const req = { ip: '1.2.3.4', headers: {} } as Request;
|
||||
|
||||
function svc(o: Partial<BackupService> = {}): BackupService {
|
||||
return {
|
||||
listBackups: vi.fn().mockReturnValue([]),
|
||||
createBackup: vi.fn(),
|
||||
restoreFromZip: vi.fn(),
|
||||
getAutoSettings: vi.fn(),
|
||||
updateAutoSettings: vi.fn(),
|
||||
deleteBackup: vi.fn(),
|
||||
isValidBackupFilename: vi.fn().mockReturnValue(true),
|
||||
backupFilePath: vi.fn().mockReturnValue('/b/x.zip'),
|
||||
backupFileExists: vi.fn().mockReturnValue(true),
|
||||
checkRateLimit: vi.fn().mockReturnValue(true),
|
||||
rateWindow: 3600000,
|
||||
...o,
|
||||
} as unknown as BackupService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
afterEach(() => { delete process.env.NODE_ENV; });
|
||||
|
||||
describe('AdminGuard (used by BackupController)', () => {
|
||||
function ctx(role?: string) {
|
||||
return { switchToHttp: () => ({ getRequest: () => ({ user: role ? { role } : undefined }) }) } as never;
|
||||
}
|
||||
it('403 for a non-admin, passes for an admin', () => {
|
||||
expect(thrown(() => new AdminGuard().canActivate(ctx('user')))).toEqual({ status: 403, body: { error: 'Admin access required' } });
|
||||
expect(new AdminGuard().canActivate(ctx('admin'))).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('BackupController', () => {
|
||||
it('GET /list returns backups, 500 on error', () => {
|
||||
expect(new BackupController(svc({ listBackups: vi.fn().mockReturnValue([{ filename: 'a.zip' }]) } as Partial<BackupService>)).list()).toEqual({ backups: [{ filename: 'a.zip' }] });
|
||||
expect(thrown(() => new BackupController(svc({ listBackups: vi.fn(() => { throw new Error('io'); }) } as Partial<BackupService>)).list())).toEqual({ status: 500, body: { error: 'Error loading backups' } });
|
||||
});
|
||||
|
||||
it('POST /create 429 when rate-limited, else creates + audits', async () => {
|
||||
expect(await thrownAsync(() => new BackupController(svc({ checkRateLimit: vi.fn().mockReturnValue(false) })).create(user, req))).toEqual({ status: 429, body: { error: 'Too many backup requests. Please try again later.' } });
|
||||
const createBackup = vi.fn().mockResolvedValue({ filename: 'b.zip', size: 10 });
|
||||
const res = await new BackupController(svc({ createBackup } as Partial<BackupService>)).create(user, req);
|
||||
expect(res).toEqual({ success: true, backup: { filename: 'b.zip', size: 10 } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.create', resource: 'b.zip' }));
|
||||
});
|
||||
|
||||
it('GET /download 400 invalid / 404 missing, else res.download', () => {
|
||||
const res = { download: vi.fn() } as unknown as Response;
|
||||
expect(thrown(() => new BackupController(svc({ isValidBackupFilename: vi.fn().mockReturnValue(false) })).download('x', res))).toEqual({ status: 400, body: { error: 'Invalid filename' } });
|
||||
expect(thrown(() => new BackupController(svc({ backupFileExists: vi.fn().mockReturnValue(false) })).download('x.zip', res))).toEqual({ status: 404, body: { error: 'Backup not found' } });
|
||||
new BackupController(svc()).download('x.zip', res);
|
||||
expect(res.download).toHaveBeenCalledWith('/b/x.zip', 'x.zip');
|
||||
});
|
||||
|
||||
it('POST /restore maps the service status, else audits', async () => {
|
||||
expect(await thrownAsync(() => new BackupController(svc({ isValidBackupFilename: vi.fn().mockReturnValue(false) })).restore(user, 'x', req))).toEqual({ status: 400, body: { error: 'Invalid filename' } });
|
||||
expect(await thrownAsync(() => new BackupController(svc({ backupFileExists: vi.fn().mockReturnValue(false) })).restore(user, 'x.zip', req))).toEqual({ status: 404, body: { error: 'Backup not found' } });
|
||||
expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, status: 422, error: 'bad zip' }) } as Partial<BackupService>)).restore(user, 'x.zip', req))).toEqual({ status: 422, body: { error: 'bad zip' } });
|
||||
const res = await new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: true }) } as Partial<BackupService>)).restore(user, 'x.zip', req);
|
||||
expect(res).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.restore', resource: 'x.zip' }));
|
||||
});
|
||||
|
||||
it('POST /restore falls back to status 400 when the service omits one', async () => {
|
||||
expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, error: 'nope' }) } as Partial<BackupService>)).restore(user, 'x.zip', req))).toEqual({ status: 400, body: { error: 'nope' } });
|
||||
});
|
||||
|
||||
it('POST /upload-restore 400 without a file, cleans up the tmp file', async () => {
|
||||
expect(await thrownAsync(() => new BackupController(svc()).uploadRestore(user, undefined, req))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
});
|
||||
|
||||
it('POST /upload-restore success audits + reports', async () => {
|
||||
const file = { path: '/tmp/does-not-exist-xyz.zip', originalname: 'up.zip' } as Express.Multer.File;
|
||||
const res = await new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: true }) } as Partial<BackupService>)).uploadRestore(user, file, req);
|
||||
expect(res).toEqual({ success: true });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.upload_restore', resource: 'up.zip' }));
|
||||
});
|
||||
|
||||
it('POST /upload-restore maps a failed restore status', async () => {
|
||||
const file = { path: '/tmp/does-not-exist-xyz.zip', originalname: 'up.zip' } as Express.Multer.File;
|
||||
expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, status: 422, error: 'bad' }) } as Partial<BackupService>)).uploadRestore(user, file, req))).toEqual({ status: 422, body: { error: 'bad' } });
|
||||
});
|
||||
|
||||
it('POST /upload-restore falls back to a default name and maps unexpected errors to 500', async () => {
|
||||
const file = { path: '/tmp/does-not-exist-xyz.zip', originalname: '' } as Express.Multer.File;
|
||||
expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockRejectedValue(new Error('boom')) } as Partial<BackupService>)).uploadRestore(user, file, req))).toEqual({ status: 500, body: { error: 'Error restoring backup' } });
|
||||
const ok = { path: '/tmp/does-not-exist-xyz.zip', originalname: '' } as Express.Multer.File;
|
||||
await new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: true }) } as Partial<BackupService>)).uploadRestore(user, ok, req);
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.upload_restore', resource: 'upload.zip' }));
|
||||
});
|
||||
|
||||
it('maps unexpected service errors to 500 (create, restore, auto-settings)', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
expect(await thrownAsync(() => new BackupController(svc({ createBackup: vi.fn().mockRejectedValue(new Error('disk')) } as Partial<BackupService>)).create(user, req))).toEqual({ status: 500, body: { error: 'Error creating backup' } });
|
||||
expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockRejectedValue(new Error('boom')) } as Partial<BackupService>)).restore(user, 'x.zip', req))).toEqual({ status: 500, body: { error: 'Error restoring backup' } });
|
||||
expect(thrown(() => new BackupController(svc({ getAutoSettings: vi.fn(() => { throw new Error('io'); }) } as Partial<BackupService>)).autoSettings())).toEqual({ status: 500, body: { error: 'Could not load backup settings' } });
|
||||
});
|
||||
|
||||
it('PUT /auto-settings maps errors to 500 (with a dev-only detail)', () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
process.env.NODE_ENV = 'development';
|
||||
const r = thrown(() => new BackupController(svc({ updateAutoSettings: vi.fn(() => { throw new Error('parse fail'); }) } as Partial<BackupService>)).updateAutoSettings(user, {}, req));
|
||||
expect(r.status).toBe(500);
|
||||
expect(r.body).toEqual({ error: 'Could not save auto-backup settings', detail: 'parse fail' });
|
||||
});
|
||||
|
||||
it('PUT /auto-settings hides the detail in production and stringifies non-Error throws', () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
process.env.NODE_ENV = 'production';
|
||||
const r = thrown(() => new BackupController(svc({ updateAutoSettings: vi.fn(() => { throw 'plain string'; }) } as Partial<BackupService>)).updateAutoSettings(user, {}, req));
|
||||
expect(r.status).toBe(500);
|
||||
expect(r.body).toEqual({ error: 'Could not save auto-backup settings', detail: undefined });
|
||||
});
|
||||
|
||||
it('PUT /auto-settings tolerates a missing body', () => {
|
||||
const updateAutoSettings = vi.fn().mockReturnValue({ enabled: false, interval: 'weekly', keep_days: 30 });
|
||||
new BackupController(svc({ updateAutoSettings } as Partial<BackupService>)).updateAutoSettings(user, undefined as unknown as Record<string, unknown>, req);
|
||||
expect(updateAutoSettings).toHaveBeenCalledWith({});
|
||||
});
|
||||
|
||||
it('GET/PUT /auto-settings', () => {
|
||||
expect(new BackupController(svc({ getAutoSettings: vi.fn().mockReturnValue({ settings: { enabled: true }, timezone: 'UTC' }) } as Partial<BackupService>)).autoSettings()).toEqual({ settings: { enabled: true }, timezone: 'UTC' });
|
||||
const res = new BackupController(svc({ updateAutoSettings: vi.fn().mockReturnValue({ enabled: true, interval: 'daily', keep_days: 7 }) } as Partial<BackupService>)).updateAutoSettings(user, { enabled: true }, req);
|
||||
expect(res).toEqual({ settings: { enabled: true, interval: 'daily', keep_days: 7 } });
|
||||
expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.auto_settings' }));
|
||||
});
|
||||
|
||||
it('DELETE /:filename 400/404, else deletes + audits', () => {
|
||||
expect(thrown(() => new BackupController(svc({ isValidBackupFilename: vi.fn().mockReturnValue(false) })).remove(user, 'x', req))).toEqual({ status: 400, body: { error: 'Invalid filename' } });
|
||||
expect(thrown(() => new BackupController(svc({ backupFileExists: vi.fn().mockReturnValue(false) })).remove(user, 'x.zip', req))).toEqual({ status: 404, body: { error: 'Backup not found' } });
|
||||
const deleteBackup = vi.fn();
|
||||
expect(new BackupController(svc({ deleteBackup } as Partial<BackupService>)).remove(user, 'x.zip', req)).toEqual({ success: true });
|
||||
expect(deleteBackup).toHaveBeenCalledWith('x.zip');
|
||||
});
|
||||
});
|
||||
|
||||
describe('BackupService (wrapper)', () => {
|
||||
const wrapper = new RealBackupService();
|
||||
|
||||
it('forwards every call straight to the legacy backup service', async () => {
|
||||
expect(wrapper.listBackups()).toEqual([{ filename: 'svc.zip' }]);
|
||||
expect(backupSvc.listBackups).toHaveBeenCalled();
|
||||
|
||||
await expect(wrapper.createBackup()).resolves.toEqual({ filename: 'svc.zip', size: 5 });
|
||||
expect(backupSvc.createBackup).toHaveBeenCalled();
|
||||
|
||||
await expect(wrapper.restoreFromZip('/tmp/a.zip')).resolves.toEqual({ success: true });
|
||||
expect(backupSvc.restoreFromZip).toHaveBeenCalledWith('/tmp/a.zip');
|
||||
|
||||
expect(wrapper.getAutoSettings()).toEqual({ settings: { enabled: false }, timezone: 'UTC' });
|
||||
expect(backupSvc.getAutoSettings).toHaveBeenCalled();
|
||||
|
||||
expect(wrapper.updateAutoSettings({ enabled: true })).toEqual({ enabled: true, interval: 'daily', keep_days: 7 });
|
||||
expect(backupSvc.updateAutoSettings).toHaveBeenCalledWith({ enabled: true });
|
||||
|
||||
wrapper.deleteBackup('svc.zip');
|
||||
expect(backupSvc.deleteBackup).toHaveBeenCalledWith('svc.zip');
|
||||
|
||||
expect(wrapper.isValidBackupFilename('svc.zip')).toBe(true);
|
||||
expect(backupSvc.isValidBackupFilename).toHaveBeenCalledWith('svc.zip');
|
||||
|
||||
expect(wrapper.backupFilePath('svc.zip')).toBe('/data/backups/svc.zip');
|
||||
expect(backupSvc.backupFilePath).toHaveBeenCalledWith('svc.zip');
|
||||
|
||||
expect(wrapper.backupFileExists('svc.zip')).toBe(true);
|
||||
expect(backupSvc.backupFileExists).toHaveBeenCalledWith('svc.zip');
|
||||
|
||||
expect(wrapper.checkRateLimit('ip', 3, 1000)).toBe(true);
|
||||
expect(backupSvc.checkRateLimit).toHaveBeenCalledWith('ip', 3, 1000);
|
||||
});
|
||||
|
||||
it('exposes the legacy rate window', () => {
|
||||
expect(wrapper.rateWindow).toBe(backupSvc.BACKUP_RATE_WINDOW);
|
||||
});
|
||||
});
|
||||
|
||||
describe('BackupModule', () => {
|
||||
it('wires the controller and service together', async () => {
|
||||
const { BackupModule } = await import('../../../src/nest/backup/backup.module');
|
||||
expect(new BackupModule()).toBeInstanceOf(BackupModule);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,248 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { BudgetController } from '../../../src/nest/budget/budget.controller';
|
||||
import type { BudgetService } from '../../../src/nest/budget/budget.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { id: 5, user_id: 1 };
|
||||
|
||||
function makeService(overrides: Partial<BudgetService> = {}): BudgetService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
syncReservationPrice: vi.fn(),
|
||||
...overrides,
|
||||
} as unknown as BudgetService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('BudgetController (parity with the legacy /api/trips/:tripId/budget route)', () => {
|
||||
it('404 when the trip is not accessible', () => {
|
||||
const svc = makeService({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new BudgetController(svc).list(user, '5'))).toEqual({
|
||||
status: 404, body: { error: 'Trip not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('GET / returns items', () => {
|
||||
const svc = makeService({ list: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).list(user, '5')).toEqual({ items: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('GET /summary/per-person + /settlement delegate', () => {
|
||||
const settlement = vi.fn().mockReturnValue({ transfers: [] });
|
||||
const svc = makeService({
|
||||
perPersonSummary: vi.fn().mockReturnValue([{ userId: 1, owes: 10 }]),
|
||||
settlement,
|
||||
} as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).perPerson(user, '5')).toEqual({ summary: [{ userId: 1, owes: 10 }] });
|
||||
expect(new BudgetController(svc).settlement(user, '5')).toEqual({ transfers: [] });
|
||||
expect(settlement).toHaveBeenLastCalledWith('5', undefined, 'EUR');
|
||||
});
|
||||
|
||||
it('GET /settlement forwards the base query and the trip currency', () => {
|
||||
const settlement = vi.fn().mockReturnValue({ transfers: [] });
|
||||
const svc = makeService({
|
||||
verifyTripAccess: vi.fn().mockReturnValue({ id: 5, user_id: 1, currency: 'USD' }),
|
||||
settlement,
|
||||
} as Partial<BudgetService>);
|
||||
new BudgetController(svc).settlement(user, '5', 'GBP');
|
||||
expect(settlement).toHaveBeenCalledWith('5', 'GBP', 'USD');
|
||||
});
|
||||
|
||||
describe('settlements ledger', () => {
|
||||
it('GET /settlements lists', () => {
|
||||
const svc = makeService({ listSettlements: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).listSettlements(user, '5')).toEqual({ settlements: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('POST /settlements 403 without budget_edit', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2, amount: 10 }))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
|
||||
it('POST /settlements 400 when a field is missing', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2 }))).toEqual({
|
||||
status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
|
||||
});
|
||||
expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, amount: 5 }))).toEqual({
|
||||
status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
|
||||
});
|
||||
expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { to_user_id: 2, amount: 5 }))).toEqual({
|
||||
status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('POST /settlements creates and broadcasts (amount 0 is allowed)', () => {
|
||||
const createSettlement = vi.fn().mockReturnValue({ id: 3, amount: 0 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ createSettlement, broadcast } as Partial<BudgetService>);
|
||||
const res = new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2, amount: 0 }, 'sock');
|
||||
expect(res).toEqual({ settlement: { id: 3, amount: 0 } });
|
||||
expect(createSettlement).toHaveBeenCalledWith('5', { from_user_id: 1, to_user_id: 2, amount: 0 }, user.id);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:settlement-created', { settlement: { id: 3, amount: 0 } }, 'sock');
|
||||
});
|
||||
|
||||
it('DELETE /settlements/:id 404 when missing', () => {
|
||||
const svc = makeService({ deleteSettlement: vi.fn().mockReturnValue(false) } as Partial<BudgetService>);
|
||||
expect(thrown(() => new BudgetController(svc).deleteSettlement(user, '5', '7'))).toEqual({
|
||||
status: 404, body: { error: 'Settlement not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('DELETE /settlements/:id success broadcasts the numeric id', () => {
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ deleteSettlement: vi.fn().mockReturnValue(true), broadcast } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).deleteSettlement(user, '5', '7', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:settlement-deleted', { settlementId: 7 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('403 without budget_edit', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new BudgetController(svc).create(user, '5', { name: 'Hotel' }))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 when name missing', () => {
|
||||
expect(thrown(() => new BudgetController(makeService()).create(user, '5', {}))).toEqual({
|
||||
status: 400, body: { error: 'Name is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('creates and broadcasts', () => {
|
||||
const create = vi.fn().mockReturnValue({ id: 9, name: 'Hotel' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ create, broadcast } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).create(user, '5', { name: 'Hotel', total_price: 200 }, 'sock')).toEqual({ item: { id: 9, name: 'Hotel' } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:created', { item: { id: 9, name: 'Hotel' } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when item missing', () => {
|
||||
const svc = makeService({ update: vi.fn().mockReturnValue(null) } as Partial<BudgetService>);
|
||||
expect(thrown(() => new BudgetController(svc).update(user, '5', '9', { name: 'X' }))).toEqual({
|
||||
status: 404, body: { error: 'Budget item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('syncs the reservation price when a linked item changes total_price', () => {
|
||||
const update = vi.fn().mockReturnValue({ id: 9, reservation_id: 42, total_price: 250 });
|
||||
const syncReservationPrice = vi.fn();
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ update, syncReservationPrice, broadcast } as Partial<BudgetService>);
|
||||
new BudgetController(svc).update(user, '5', '9', { total_price: 250 }, 'sock');
|
||||
expect(syncReservationPrice).toHaveBeenCalledWith('5', 42, 250, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:updated', { item: { id: 9, reservation_id: 42, total_price: 250 } }, 'sock');
|
||||
});
|
||||
|
||||
it('does not sync when the item has no linked reservation', () => {
|
||||
const update = vi.fn().mockReturnValue({ id: 9, reservation_id: null, total_price: 250 });
|
||||
const syncReservationPrice = vi.fn();
|
||||
const svc = makeService({ update, syncReservationPrice } as Partial<BudgetService>);
|
||||
new BudgetController(svc).update(user, '5', '9', { total_price: 250 });
|
||||
expect(syncReservationPrice).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id/members', () => {
|
||||
it('400 when user_ids is not an array', () => {
|
||||
expect(thrown(() => new BudgetController(makeService()).updateMembers(user, '5', '9', 'nope'))).toEqual({
|
||||
status: 400, body: { error: 'user_ids must be an array' },
|
||||
});
|
||||
});
|
||||
|
||||
it('404 when the item is missing', () => {
|
||||
const svc = makeService({ updateMembers: vi.fn().mockReturnValue(null) } as Partial<BudgetService>);
|
||||
expect(thrown(() => new BudgetController(svc).updateMembers(user, '5', '9', [2, 3]))).toEqual({
|
||||
status: 404, body: { error: 'Budget item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('updates members and broadcasts persons count', () => {
|
||||
const updateMembers = vi.fn().mockReturnValue({ members: [{ user_id: 2 }], item: { persons: 1 } });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ updateMembers, broadcast } as Partial<BudgetService>);
|
||||
const res = new BudgetController(svc).updateMembers(user, '5', '9', [2], 'sock');
|
||||
expect(res).toEqual({ members: [{ user_id: 2 }], item: { persons: 1 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:members-updated', { itemId: 9, members: [{ user_id: 2 }], persons: 1 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id/payers', () => {
|
||||
it('400 when payers is not an array', () => {
|
||||
expect(thrown(() => new BudgetController(makeService()).setPayers(user, '5', '9', 'nope'))).toEqual({
|
||||
status: 400, body: { error: 'payers must be an array' },
|
||||
});
|
||||
});
|
||||
|
||||
it('404 when the item is missing', () => {
|
||||
const svc = makeService({ setPayers: vi.fn().mockReturnValue(null) } as Partial<BudgetService>);
|
||||
expect(thrown(() => new BudgetController(svc).setPayers(user, '5', '9', [{ user_id: 2, amount: 10 }]))).toEqual({
|
||||
status: 404, body: { error: 'Budget item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('sets payers and broadcasts budget:updated', () => {
|
||||
const setPayers = vi.fn().mockReturnValue({ id: 9, payers: [{ user_id: 2, amount: 10 }] });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ setPayers, broadcast } as Partial<BudgetService>);
|
||||
const res = new BudgetController(svc).setPayers(user, '5', '9', [{ user_id: 2, amount: 10 }], 'sock');
|
||||
expect(res).toEqual({ item: { id: 9, payers: [{ user_id: 2, amount: 10 }] } });
|
||||
expect(setPayers).toHaveBeenCalledWith('9', '5', [{ user_id: 2, amount: 10 }]);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:updated', { item: { id: 9, payers: [{ user_id: 2, amount: 10 }] } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('PUT /:id/members/:userId/paid toggles + broadcasts normalised paid flag', () => {
|
||||
const toggleMemberPaid = vi.fn().mockReturnValue({ user_id: 2, paid: 1 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ toggleMemberPaid, broadcast } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).toggleMemberPaid(user, '5', '9', '2', true, 'sock')).toEqual({ member: { user_id: 2, paid: 1 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:member-paid-updated', { itemId: 9, userId: 2, paid: 1 }, 'sock');
|
||||
});
|
||||
|
||||
it('PUT /:id/members/:userId/paid broadcasts paid: 0 when toggled off', () => {
|
||||
const toggleMemberPaid = vi.fn().mockReturnValue({ user_id: 2, paid: 0 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ toggleMemberPaid, broadcast } as Partial<BudgetService>);
|
||||
new BudgetController(svc).toggleMemberPaid(user, '5', '9', '2', false, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:member-paid-updated', { itemId: 9, userId: 2, paid: 0 }, 'sock');
|
||||
});
|
||||
|
||||
it('DELETE /:id 404 when missing, success otherwise', () => {
|
||||
const missing = makeService({ remove: vi.fn().mockReturnValue(false) } as Partial<BudgetService>);
|
||||
expect(thrown(() => new BudgetController(missing).remove(user, '5', '9'))).toEqual({
|
||||
status: 404, body: { error: 'Budget item not found' },
|
||||
});
|
||||
const ok = makeService({ remove: vi.fn().mockReturnValue(true), broadcast: vi.fn() } as Partial<BudgetService>);
|
||||
expect(new BudgetController(ok).remove(user, '5', '9')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('PUT /reorder/items + /reorder/categories broadcast budget:reordered', () => {
|
||||
const reorderItems = vi.fn(); const reorderCategories = vi.fn(); const broadcast = vi.fn();
|
||||
const svc = makeService({ reorderItems, reorderCategories, broadcast } as Partial<BudgetService>);
|
||||
expect(new BudgetController(svc).reorderItems(user, '5', [3, 1], 'sock')).toEqual({ success: true });
|
||||
expect(reorderItems).toHaveBeenCalledWith('5', [3, 1]);
|
||||
expect(new BudgetController(svc).reorderCategories(user, '5', ['food', 'fun'], 'sock')).toEqual({ success: true });
|
||||
expect(reorderCategories).toHaveBeenCalledWith('5', ['food', 'fun']);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,165 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// Mock the data + side-effect dependencies the wrapper reaches into directly.
|
||||
const { dbMock } = vi.hoisted(() => {
|
||||
const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
|
||||
return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
|
||||
});
|
||||
vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast }));
|
||||
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { getRates } = vi.hoisted(() => ({ getRates: vi.fn() }));
|
||||
vi.mock('../../../src/services/exchangeRateService', () => ({ getRates }));
|
||||
|
||||
const { budget } = vi.hoisted(() => ({
|
||||
budget: {
|
||||
verifyTripAccess: vi.fn(),
|
||||
listBudgetItems: vi.fn(),
|
||||
getPerPersonSummary: vi.fn(),
|
||||
calculateSettlement: vi.fn(),
|
||||
createBudgetItem: vi.fn(),
|
||||
updateBudgetItem: vi.fn(),
|
||||
deleteBudgetItem: vi.fn(),
|
||||
updateMembers: vi.fn(),
|
||||
toggleMemberPaid: vi.fn(),
|
||||
setItemPayers: vi.fn(),
|
||||
listSettlements: vi.fn(),
|
||||
createSettlement: vi.fn(),
|
||||
deleteSettlement: vi.fn(),
|
||||
reorderBudgetItems: vi.fn(),
|
||||
reorderBudgetCategories: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/budgetService', () => budget);
|
||||
|
||||
import { BudgetService } from '../../../src/nest/budget/budget.service';
|
||||
|
||||
function svc() {
|
||||
return new BudgetService();
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
describe('BudgetService', () => {
|
||||
it('verifyTripAccess delegates to the legacy service', () => {
|
||||
budget.verifyTripAccess.mockReturnValue({ id: 5, user_id: 2 });
|
||||
expect(svc().verifyTripAccess('5', 2)).toEqual({ id: 5, user_id: 2 });
|
||||
expect(budget.verifyTripAccess).toHaveBeenCalledWith('5', 2);
|
||||
});
|
||||
|
||||
it('canEdit forwards the ownership flag when the user owns the trip', () => {
|
||||
checkPermission.mockReturnValue(true);
|
||||
expect(svc().canEdit({ user_id: 1 } as never, { id: 1, role: 'user' } as never)).toBe(true);
|
||||
expect(checkPermission).toHaveBeenCalledWith('budget_edit', 'user', 1, 1, false);
|
||||
});
|
||||
|
||||
it('canEdit marks the user as a guest when they do not own the trip', () => {
|
||||
checkPermission.mockReturnValue(false);
|
||||
expect(svc().canEdit({ user_id: 2 } as never, { id: 1, role: 'user' } as never)).toBe(false);
|
||||
expect(checkPermission).toHaveBeenCalledWith('budget_edit', 'user', 2, 1, true);
|
||||
});
|
||||
|
||||
it('broadcast forwards to the websocket helper', () => {
|
||||
svc().broadcast('5', 'budget:created', { item: { id: 1 } }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:created', { item: { id: 1 } }, 'sock');
|
||||
});
|
||||
|
||||
it('list / perPersonSummary delegate', () => {
|
||||
budget.listBudgetItems.mockReturnValue([{ id: 1 }]);
|
||||
expect(svc().list('5')).toEqual([{ id: 1 }]);
|
||||
budget.getPerPersonSummary.mockReturnValue([{ userId: 1 }]);
|
||||
expect(svc().perPersonSummary('5')).toEqual([{ userId: 1 }]);
|
||||
});
|
||||
|
||||
describe('settlement', () => {
|
||||
it('upper-cases the explicit base and forwards the rates', async () => {
|
||||
getRates.mockResolvedValue({ USD: 1.1 });
|
||||
budget.calculateSettlement.mockReturnValue({ transfers: [] });
|
||||
await svc().settlement('5', 'usd', 'EUR');
|
||||
expect(getRates).toHaveBeenCalledWith('USD');
|
||||
expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'USD', rates: { USD: 1.1 }, tripCurrency: 'EUR' });
|
||||
});
|
||||
|
||||
it('falls back to the trip currency when no base is given', async () => {
|
||||
getRates.mockResolvedValue(null);
|
||||
await svc().settlement('5', undefined, 'gbp');
|
||||
expect(getRates).toHaveBeenCalledWith('GBP');
|
||||
expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'GBP', rates: null, tripCurrency: 'gbp' });
|
||||
});
|
||||
|
||||
it('falls back to EUR when neither base nor trip currency is present', async () => {
|
||||
getRates.mockResolvedValue(null);
|
||||
await svc().settlement('5', undefined, '');
|
||||
expect(getRates).toHaveBeenCalledWith('EUR');
|
||||
expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'EUR', rates: null, tripCurrency: '' });
|
||||
});
|
||||
});
|
||||
|
||||
it('create / update / remove / members / paid / payers delegate', () => {
|
||||
svc().create('5', { name: 'Hotel' } as never);
|
||||
expect(budget.createBudgetItem).toHaveBeenCalledWith('5', { name: 'Hotel' });
|
||||
svc().update('9', '5', { name: 'X' });
|
||||
expect(budget.updateBudgetItem).toHaveBeenCalledWith('9', '5', { name: 'X' });
|
||||
svc().remove('9', '5');
|
||||
expect(budget.deleteBudgetItem).toHaveBeenCalledWith('9', '5');
|
||||
svc().updateMembers('9', '5', [2, 3]);
|
||||
expect(budget.updateMembers).toHaveBeenCalledWith('9', '5', [2, 3]);
|
||||
svc().toggleMemberPaid('9', '5', '2', true);
|
||||
expect(budget.toggleMemberPaid).toHaveBeenCalledWith('9', '5', '2', true);
|
||||
svc().setPayers('9', '5', [{ user_id: 2, amount: 10 }]);
|
||||
expect(budget.setItemPayers).toHaveBeenCalledWith('9', '5', [{ user_id: 2, amount: 10 }]);
|
||||
});
|
||||
|
||||
it('settlement ledger + reorder delegate', () => {
|
||||
svc().listSettlements('5');
|
||||
expect(budget.listSettlements).toHaveBeenCalledWith('5');
|
||||
svc().createSettlement('5', { from_user_id: 1, to_user_id: 2, amount: 10 }, 3);
|
||||
expect(budget.createSettlement).toHaveBeenCalledWith('5', { from_user_id: 1, to_user_id: 2, amount: 10 }, 3);
|
||||
svc().deleteSettlement('7', '5');
|
||||
expect(budget.deleteSettlement).toHaveBeenCalledWith('7', '5');
|
||||
svc().reorderItems('5', [3, 1]);
|
||||
expect(budget.reorderBudgetItems).toHaveBeenCalledWith('5', [3, 1]);
|
||||
svc().reorderCategories('5', ['food', 'fun']);
|
||||
expect(budget.reorderBudgetCategories).toHaveBeenCalledWith('5', ['food', 'fun']);
|
||||
});
|
||||
|
||||
describe('syncReservationPrice', () => {
|
||||
it('returns early when the reservation is not found', () => {
|
||||
dbMock._stmt.get.mockReturnValueOnce(undefined);
|
||||
svc().syncReservationPrice('5', 42, 250, 'sock');
|
||||
expect(dbMock._stmt.run).not.toHaveBeenCalled();
|
||||
expect(broadcast).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('merges into existing metadata and broadcasts reservation:updated', () => {
|
||||
dbMock._stmt.get
|
||||
.mockReturnValueOnce({ id: 42, metadata: '{"vendor":"ACME"}' }) // lookup
|
||||
.mockReturnValueOnce({ id: 42, metadata: '{"vendor":"ACME","price":"250"}' }); // reload
|
||||
svc().syncReservationPrice('5', 42, 250, 'sock');
|
||||
const writtenMeta = JSON.parse(dbMock._stmt.run.mock.calls[0][0] as string);
|
||||
expect(writtenMeta).toEqual({ vendor: 'ACME', price: '250' });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:updated', { reservation: { id: 42, metadata: '{"vendor":"ACME","price":"250"}' } }, 'sock');
|
||||
});
|
||||
|
||||
it('starts from an empty object when the reservation has no metadata', () => {
|
||||
dbMock._stmt.get.mockReturnValueOnce({ id: 42, metadata: null }).mockReturnValueOnce({ id: 42 });
|
||||
svc().syncReservationPrice('5', 42, 99, undefined);
|
||||
const writtenMeta = JSON.parse(dbMock._stmt.run.mock.calls[0][0] as string);
|
||||
expect(writtenMeta).toEqual({ price: '99' });
|
||||
});
|
||||
|
||||
it('swallows errors so a sync failure never breaks the budget update', () => {
|
||||
dbMock.prepare.mockImplementationOnce(() => { throw new Error('db gone'); });
|
||||
expect(() => svc().syncReservationPrice('5', 42, 250, 'sock')).not.toThrow();
|
||||
expect(broadcast).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,84 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { CategoriesController } from '../../../src/nest/categories/categories.controller';
|
||||
import type { CategoriesService } from '../../../src/nest/categories/categories.service';
|
||||
import type { User } from '../../../src/types';
|
||||
import type { Category } from '@trek/shared';
|
||||
|
||||
const admin = { id: 1, role: 'admin' } as User;
|
||||
|
||||
function makeController(svc: Partial<CategoriesService>) {
|
||||
return new CategoriesController(svc as CategoriesService);
|
||||
}
|
||||
|
||||
const cat: Category = { id: 1, name: 'Food', color: '#fff', icon: '🍔' };
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('CategoriesController (parity with the legacy /api/categories route)', () => {
|
||||
it('GET / returns the category list wrapped in { categories }', () => {
|
||||
const list = vi.fn().mockReturnValue([cat]);
|
||||
expect(makeController({ list }).list()).toEqual({ categories: [cat] });
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('400 when name is missing', () => {
|
||||
const create = vi.fn();
|
||||
expect(thrown(() => makeController({ create }).create(admin, undefined))).toEqual({
|
||||
status: 400, body: { error: 'Category name is required' },
|
||||
});
|
||||
expect(create).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('creates and returns { category }', () => {
|
||||
const create = vi.fn().mockReturnValue(cat);
|
||||
expect(makeController({ create }).create(admin, 'Food', '#fff', '🍔')).toEqual({ category: cat });
|
||||
expect(create).toHaveBeenCalledWith(1, 'Food', '#fff', '🍔');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when the category does not exist', () => {
|
||||
const getById = vi.fn().mockReturnValue(undefined);
|
||||
const update = vi.fn();
|
||||
expect(thrown(() => makeController({ getById, update }).update('9', 'X'))).toEqual({
|
||||
status: 404, body: { error: 'Category not found' },
|
||||
});
|
||||
expect(update).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('updates and returns { category }', () => {
|
||||
const getById = vi.fn().mockReturnValue(cat);
|
||||
const update = vi.fn().mockReturnValue({ ...cat, name: 'Drinks' });
|
||||
expect(makeController({ getById, update }).update('1', 'Drinks')).toEqual({ category: { ...cat, name: 'Drinks' } });
|
||||
expect(update).toHaveBeenCalledWith('1', 'Drinks', undefined, undefined);
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when the category does not exist', () => {
|
||||
const getById = vi.fn().mockReturnValue(undefined);
|
||||
const remove = vi.fn();
|
||||
expect(thrown(() => makeController({ getById, remove }).remove('9'))).toEqual({
|
||||
status: 404, body: { error: 'Category not found' },
|
||||
});
|
||||
expect(remove).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('deletes and returns { success: true }', () => {
|
||||
const getById = vi.fn().mockReturnValue(cat);
|
||||
const remove = vi.fn();
|
||||
expect(makeController({ getById, remove }).remove('1')).toEqual({ success: true });
|
||||
expect(remove).toHaveBeenCalledWith('1');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,174 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
|
||||
import { CollabController } from '../../../src/nest/collab/collab.controller';
|
||||
import type { CollabService } from '../../../src/nest/collab/collab.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function svc(o: Partial<CollabService> = {}): CollabService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue({ user_id: 1 }),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
canUploadFiles: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
notifyCollab: vi.fn(),
|
||||
...o,
|
||||
} as unknown as CollabService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('CollabController (parity with the legacy /api/trips/:tripId/collab route)', () => {
|
||||
describe('notes', () => {
|
||||
it('GET 404 without access, else lists', () => {
|
||||
expect(thrown(() => new CollabController(svc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).listNotes(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const s = svc({ listNotes: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<CollabService>);
|
||||
expect(new CollabController(s).listNotes(user, '5')).toEqual({ notes: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('POST 403 without collab_edit, 400 without title, else creates + broadcasts + notifies', () => {
|
||||
expect(thrown(() => new CollabController(svc({ canEdit: vi.fn().mockReturnValue(false) })).createNote(user, '5', { title: 'T' }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new CollabController(svc()).createNote(user, '5', {}))).toEqual({ status: 400, body: { error: 'Title is required' } });
|
||||
const createNote = vi.fn().mockReturnValue({ id: 9 });
|
||||
const broadcast = vi.fn();
|
||||
const notifyCollab = vi.fn();
|
||||
const s = svc({ createNote, broadcast, notifyCollab } as Partial<CollabService>);
|
||||
expect(new CollabController(s).createNote(user, '5', { title: 'T', content: 'c' }, 'sock')).toEqual({ note: { id: 9 } });
|
||||
expect(createNote).toHaveBeenCalledWith('5', 1, { title: 'T', content: 'c', category: undefined, color: undefined, website: undefined });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:note:created', { note: { id: 9 } }, 'sock');
|
||||
expect(notifyCollab).toHaveBeenCalledWith('5', user);
|
||||
});
|
||||
|
||||
it('PUT 404 when missing, else updates + broadcasts', () => {
|
||||
expect(thrown(() => new CollabController(svc({ updateNote: vi.fn().mockReturnValue(null) } as Partial<CollabService>)).updateNote(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'Note not found' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ updateNote: vi.fn().mockReturnValue({ id: 9 }), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).updateNote(user, '5', '9', { title: 'b' }, 'sock')).toEqual({ note: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:note:updated', { note: { id: 9 } }, 'sock');
|
||||
});
|
||||
|
||||
it('DELETE 404 when missing, else success + broadcasts', () => {
|
||||
expect(thrown(() => new CollabController(svc({ deleteNote: vi.fn().mockReturnValue(false) } as Partial<CollabService>)).deleteNote(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Note not found' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ deleteNote: vi.fn().mockReturnValue(true), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).deleteNote(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:note:deleted', { noteId: 9 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('note files', () => {
|
||||
const file = { filename: 'a.pdf' } as Express.Multer.File;
|
||||
it('403 without file_upload, 400 without file, 404 unknown note, else returns result', () => {
|
||||
expect(thrown(() => new CollabController(svc({ canUploadFiles: vi.fn().mockReturnValue(false) })).addNoteFile(user, '5', '9', file))).toEqual({ status: 403, body: { error: 'No permission to upload files' } });
|
||||
expect(thrown(() => new CollabController(svc()).addNoteFile(user, '5', '9', undefined))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
expect(thrown(() => new CollabController(svc({ addNoteFile: vi.fn().mockReturnValue(null) } as Partial<CollabService>)).addNoteFile(user, '5', '9', file))).toEqual({ status: 404, body: { error: 'Note not found' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ addNoteFile: vi.fn().mockReturnValue({ file: { id: 3 } }), getFormattedNoteById: vi.fn().mockReturnValue({ id: 9 }), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).addNoteFile(user, '5', '9', file, 'sock')).toEqual({ file: { id: 3 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:note:updated', { note: { id: 9 } }, 'sock');
|
||||
});
|
||||
|
||||
it('DELETE file 404 when missing, else success', () => {
|
||||
expect(thrown(() => new CollabController(svc({ deleteNoteFile: vi.fn().mockReturnValue(false) } as Partial<CollabService>)).deleteNoteFile(user, '5', '9', '3'))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
const s = svc({ deleteNoteFile: vi.fn().mockReturnValue(true), getFormattedNoteById: vi.fn().mockReturnValue({ id: 9 }), broadcast: vi.fn() } as Partial<CollabService>);
|
||||
expect(new CollabController(s).deleteNoteFile(user, '5', '9', '3')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('polls', () => {
|
||||
it('POST 400 without question / <2 options, else creates', () => {
|
||||
expect(thrown(() => new CollabController(svc()).createPoll(user, '5', {}))).toEqual({ status: 400, body: { error: 'Question is required' } });
|
||||
expect(thrown(() => new CollabController(svc()).createPoll(user, '5', { question: 'q', options: ['only'] }))).toEqual({ status: 400, body: { error: 'At least 2 options are required' } });
|
||||
const s = svc({ createPoll: vi.fn().mockReturnValue({ id: 7 }), broadcast: vi.fn() } as Partial<CollabService>);
|
||||
expect(new CollabController(s).createPoll(user, '5', { question: 'q', options: ['a', 'b'] })).toEqual({ poll: { id: 7 } });
|
||||
});
|
||||
|
||||
it('vote maps not_found/closed/invalid_index, else broadcasts the poll', () => {
|
||||
expect(thrown(() => new CollabController(svc({ votePoll: vi.fn().mockReturnValue({ error: 'not_found' }) } as Partial<CollabService>)).votePoll(user, '5', '7', 0))).toEqual({ status: 404, body: { error: 'Poll not found' } });
|
||||
expect(thrown(() => new CollabController(svc({ votePoll: vi.fn().mockReturnValue({ error: 'closed' }) } as Partial<CollabService>)).votePoll(user, '5', '7', 0))).toEqual({ status: 400, body: { error: 'Poll is closed' } });
|
||||
expect(thrown(() => new CollabController(svc({ votePoll: vi.fn().mockReturnValue({ error: 'invalid_index' }) } as Partial<CollabService>)).votePoll(user, '5', '7', 9))).toEqual({ status: 400, body: { error: 'Invalid option index' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ votePoll: vi.fn().mockReturnValue({ poll: { id: 7 } }), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).votePoll(user, '5', '7', 0, 'sock')).toEqual({ poll: { id: 7 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:poll:voted', { poll: { id: 7 } }, 'sock');
|
||||
});
|
||||
|
||||
it('close 404 when missing, else broadcasts', () => {
|
||||
expect(thrown(() => new CollabController(svc({ closePoll: vi.fn().mockReturnValue(null) } as Partial<CollabService>)).closePoll(user, '5', '7'))).toEqual({ status: 404, body: { error: 'Poll not found' } });
|
||||
const s = svc({ closePoll: vi.fn().mockReturnValue({ id: 7 }), broadcast: vi.fn() } as Partial<CollabService>);
|
||||
expect(new CollabController(s).closePoll(user, '5', '7')).toEqual({ poll: { id: 7 } });
|
||||
});
|
||||
|
||||
it('delete 404 when missing, else success', () => {
|
||||
expect(thrown(() => new CollabController(svc({ deletePoll: vi.fn().mockReturnValue(false) } as Partial<CollabService>)).deletePoll(user, '5', '7'))).toEqual({ status: 404, body: { error: 'Poll not found' } });
|
||||
const s = svc({ deletePoll: vi.fn().mockReturnValue(true), broadcast: vi.fn() } as Partial<CollabService>);
|
||||
expect(new CollabController(s).deletePoll(user, '5', '7')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('messages', () => {
|
||||
it('POST 400 over 5000 chars (before access), 400 empty, 400 reply_not_found, else creates + notifies', () => {
|
||||
expect(thrown(() => new CollabController(svc()).createMessage(user, '5', { text: 'x'.repeat(5001) }))).toEqual({ status: 400, body: { error: 'text must be 5000 characters or less' } });
|
||||
expect(thrown(() => new CollabController(svc()).createMessage(user, '5', { text: ' ' }))).toEqual({ status: 400, body: { error: 'Message text is required' } });
|
||||
expect(thrown(() => new CollabController(svc({ createMessage: vi.fn().mockReturnValue({ error: 'reply_not_found' }) } as Partial<CollabService>)).createMessage(user, '5', { text: 'hi', reply_to: 99 }))).toEqual({ status: 400, body: { error: 'Reply target message not found' } });
|
||||
const broadcast = vi.fn();
|
||||
const notifyCollab = vi.fn();
|
||||
const s = svc({ createMessage: vi.fn().mockReturnValue({ message: { id: 3 } }), broadcast, notifyCollab } as Partial<CollabService>);
|
||||
expect(new CollabController(s).createMessage(user, '5', { text: 'hello' }, 'sock')).toEqual({ message: { id: 3 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:message:created', { message: { id: 3 } }, 'sock');
|
||||
expect(notifyCollab).toHaveBeenCalledWith('5', user, 'hello');
|
||||
});
|
||||
|
||||
it('react 400 without emoji, 404 unknown, else broadcasts reactions', () => {
|
||||
expect(thrown(() => new CollabController(svc()).react(user, '5', '3', ''))).toEqual({ status: 400, body: { error: 'Emoji is required' } });
|
||||
expect(thrown(() => new CollabController(svc({ reactMessage: vi.fn().mockReturnValue({ found: false, reactions: [] }) } as Partial<CollabService>)).react(user, '5', '3', '👍'))).toEqual({ status: 404, body: { error: 'Message not found' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ reactMessage: vi.fn().mockReturnValue({ found: true, reactions: [{ emoji: '👍', count: 1 }] }), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).react(user, '5', '3', '👍', 'sock')).toEqual({ reactions: [{ emoji: '👍', count: 1 }] });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:message:reacted', { messageId: 3, reactions: [{ emoji: '👍', count: 1 }] }, 'sock');
|
||||
});
|
||||
|
||||
it('delete maps not_found (404) / not_owner (403), else success with username', () => {
|
||||
expect(thrown(() => new CollabController(svc({ deleteMessage: vi.fn().mockReturnValue({ error: 'not_found' }) } as Partial<CollabService>)).deleteMessage(user, '5', '3'))).toEqual({ status: 404, body: { error: 'Message not found' } });
|
||||
expect(thrown(() => new CollabController(svc({ deleteMessage: vi.fn().mockReturnValue({ error: 'not_owner' }) } as Partial<CollabService>)).deleteMessage(user, '5', '3'))).toEqual({ status: 403, body: { error: 'You can only delete your own messages' } });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ deleteMessage: vi.fn().mockReturnValue({ username: 'bob' }), broadcast } as Partial<CollabService>);
|
||||
expect(new CollabController(s).deleteMessage(user, '5', '3', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'collab:message:deleted', { messageId: 3, username: 'bob' }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('link preview', () => {
|
||||
it('400 without url, maps an error result to 400, else returns the preview', async () => {
|
||||
expect(await thrownAsync(() => new CollabController(svc()).linkPreview(user, '5', undefined))).toEqual({ status: 400, body: { error: 'URL is required' } });
|
||||
expect(await thrownAsync(() => new CollabController(svc({ linkPreview: vi.fn().mockResolvedValue({ error: 'bad url' }) } as Partial<CollabService>)).linkPreview(user, '5', 'http://x'))).toEqual({ status: 400, body: { error: 'bad url' } });
|
||||
const s = svc({ linkPreview: vi.fn().mockResolvedValue({ title: 'T', description: null, image: null, url: 'http://x' }) } as Partial<CollabService>);
|
||||
expect(await new CollabController(s).linkPreview(user, '5', 'http://x')).toEqual({ title: 'T', description: null, image: null, url: 'http://x' });
|
||||
});
|
||||
|
||||
it('falls back to a null preview when the service throws', async () => {
|
||||
const s = svc({ linkPreview: vi.fn().mockRejectedValue(new Error('network')) } as Partial<CollabService>);
|
||||
expect(await new CollabController(s).linkPreview(user, '5', 'http://x')).toEqual({ title: null, description: null, image: null, url: 'http://x' });
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,9 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { ConfigController } from '../../../src/nest/config/config.controller';
|
||||
import { DEFAULT_LANGUAGE } from '../../../src/config';
|
||||
|
||||
describe('ConfigController (parity with the legacy /api/config route)', () => {
|
||||
it('returns the server default language, like the legacy public route', () => {
|
||||
expect(new ConfigController().getConfig()).toEqual({ defaultLanguage: DEFAULT_LANGUAGE });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,36 @@
|
||||
/**
|
||||
* DatabaseService — the shared better-sqlite3 provider (F3). Exercises every
|
||||
* helper against the real connection so the typed query surface is covered.
|
||||
*/
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
|
||||
describe('DatabaseService (typed query helpers)', () => {
|
||||
const svc = new DatabaseService();
|
||||
|
||||
it('exposes the shared connection', () => {
|
||||
expect(typeof svc.connection.prepare).toBe('function');
|
||||
});
|
||||
|
||||
it('prepare + get + all return rows from the live connection', () => {
|
||||
expect(svc.prepare('SELECT 1 AS one').get()).toEqual({ one: 1 });
|
||||
expect(svc.get('SELECT 2 AS two')).toEqual({ two: 2 });
|
||||
expect(svc.all('SELECT 3 AS three')).toEqual([{ three: 3 }]);
|
||||
});
|
||||
|
||||
it('run + transaction operate on a scratch table', () => {
|
||||
svc.run('CREATE TEMP TABLE IF NOT EXISTS _dbsvc_test (n INTEGER)');
|
||||
svc.run('DELETE FROM _dbsvc_test');
|
||||
|
||||
const info = svc.run('INSERT INTO _dbsvc_test (n) VALUES (?)', 41);
|
||||
expect(info.changes).toBe(1);
|
||||
|
||||
const total = svc.transaction((conn) => {
|
||||
conn.prepare('INSERT INTO _dbsvc_test (n) VALUES (?)').run(1);
|
||||
return conn.prepare('SELECT SUM(n) AS s FROM _dbsvc_test').get() as { s: number };
|
||||
});
|
||||
expect(total.s).toBe(42);
|
||||
|
||||
svc.run('DROP TABLE _dbsvc_test');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,164 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { DaysController } from '../../../src/nest/days/days.controller';
|
||||
import { DayNotesController } from '../../../src/nest/days/day-notes.controller';
|
||||
import { DayReorderError } from '../../../src/services/dayService';
|
||||
import type { DaysService } from '../../../src/nest/days/days.service';
|
||||
import type { DayNotesService } from '../../../src/nest/days/day-notes.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { user_id: 1 };
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
function daysSvc(o: Partial<DaysService> = {}): DaysService {
|
||||
return { verifyTripAccess: vi.fn().mockReturnValue(trip), canEdit: vi.fn().mockReturnValue(true), broadcast: vi.fn(), ...o } as unknown as DaysService;
|
||||
}
|
||||
function notesSvc(o: Partial<DayNotesService> = {}): DayNotesService {
|
||||
return { verifyTripAccess: vi.fn().mockReturnValue(trip), canEdit: vi.fn().mockReturnValue(true), broadcast: vi.fn(), ...o } as unknown as DayNotesService;
|
||||
}
|
||||
|
||||
describe('DaysController (parity with the legacy /api/trips/:tripId/days route)', () => {
|
||||
it('404 when trip not accessible', () => {
|
||||
const svc = daysSvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new DaysController(svc).list(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('GET / returns the list service result verbatim (the { days } envelope)', () => {
|
||||
const svc = daysSvc({ list: vi.fn().mockReturnValue({ days: [{ id: 1 }] }) } as Partial<DaysService>);
|
||||
expect(new DaysController(svc).list(user, '5')).toEqual({ days: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('POST / 403 without day_edit, then creates + broadcasts', () => {
|
||||
expect(thrown(() => new DaysController(daysSvc({ canEdit: vi.fn().mockReturnValue(false) })).create(user, '5', {}))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
const create = vi.fn().mockReturnValue({ id: 9 }); const broadcast = vi.fn();
|
||||
expect(new DaysController(daysSvc({ create, broadcast } as Partial<DaysService>)).create(user, '5', { date: '2026-07-01' }, 'sock')).toEqual({ day: { id: 9 } });
|
||||
expect(create).toHaveBeenCalledWith('5', '2026-07-01', undefined);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'day:created', { day: { id: 9 } }, 'sock');
|
||||
});
|
||||
|
||||
it('POST / 404 when the trip is not accessible', () => {
|
||||
const svc = daysSvc({ verifyTripAccess: vi.fn().mockReturnValue(null) });
|
||||
expect(thrown(() => new DaysController(svc).create(user, '5', {}))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('POST / with a position inserts + broadcasts day:reordered', () => {
|
||||
const insert = vi.fn().mockReturnValue({ id: 12 }); const create = vi.fn(); const broadcast = vi.fn();
|
||||
const svc = daysSvc({ insert, create, broadcast } as Partial<DaysService>);
|
||||
expect(new DaysController(svc).create(user, '5', { position: 0 }, 'sock')).toEqual({ day: { id: 12 } });
|
||||
expect(insert).toHaveBeenCalledWith('5', 0);
|
||||
expect(create).not.toHaveBeenCalled();
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'day:reordered', { day: { id: 12 } }, 'sock');
|
||||
});
|
||||
|
||||
describe('PUT /reorder', () => {
|
||||
it('404 when the trip is not accessible', () => {
|
||||
const svc = daysSvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] }))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('403 without day_edit', () => {
|
||||
const svc = daysSvc({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
});
|
||||
|
||||
it('400 when orderedIds is missing', () => {
|
||||
expect(thrown(() => new DaysController(daysSvc()).reorder(user, '5', {}))).toEqual({ status: 400, body: { error: 'orderedIds must be an array' } });
|
||||
});
|
||||
|
||||
it('400 when orderedIds is not an array', () => {
|
||||
expect(thrown(() => new DaysController(daysSvc()).reorder(user, '5', { orderedIds: 'nope' as never }))).toEqual({ status: 400, body: { error: 'orderedIds must be an array' } });
|
||||
});
|
||||
|
||||
it('maps a DayReorderError to 400 with its message', () => {
|
||||
const reorder = vi.fn(() => { throw new DayReorderError('orderedIds must be a permutation of the trip day ids.'); });
|
||||
const svc = daysSvc({ reorder } as Partial<DaysService>);
|
||||
expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [9] }))).toEqual({
|
||||
status: 400, body: { error: 'orderedIds must be a permutation of the trip day ids.' },
|
||||
});
|
||||
});
|
||||
|
||||
it('rethrows a non-DayReorderError unchanged', () => {
|
||||
const boom = new Error('db is down');
|
||||
const reorder = vi.fn(() => { throw boom; });
|
||||
const svc = daysSvc({ reorder } as Partial<DaysService>);
|
||||
expect(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] })).toThrow(boom);
|
||||
});
|
||||
|
||||
it('reorders and broadcasts day:reordered', () => {
|
||||
const reorder = vi.fn(); const broadcast = vi.fn();
|
||||
const svc = daysSvc({ reorder, broadcast } as Partial<DaysService>);
|
||||
expect(new DaysController(svc).reorder(user, '5', { orderedIds: [2, 1] }, 'sock')).toEqual({ success: true });
|
||||
expect(reorder).toHaveBeenCalledWith('5', [2, 1]);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'day:reordered', { orderedIds: [2, 1] }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('PUT /:id 404 when the day is missing, else updates', () => {
|
||||
expect(thrown(() => new DaysController(daysSvc({ getDay: vi.fn().mockReturnValue(undefined) } as Partial<DaysService>)).update(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'Day not found' } });
|
||||
const update = vi.fn().mockReturnValue({ id: 9, title: 'T' });
|
||||
const svc = daysSvc({ getDay: vi.fn().mockReturnValue({ id: 9 }), update } as Partial<DaysService>);
|
||||
expect(new DaysController(svc).update(user, '5', '9', { title: 'T' })).toEqual({ day: { id: 9, title: 'T' } });
|
||||
});
|
||||
|
||||
it('DELETE /:id 404 when missing, else success', () => {
|
||||
expect(thrown(() => new DaysController(daysSvc({ getDay: vi.fn().mockReturnValue(undefined) } as Partial<DaysService>)).remove(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Day not found' } });
|
||||
const svc = daysSvc({ getDay: vi.fn().mockReturnValue({ id: 9 }), remove: vi.fn() } as Partial<DaysService>);
|
||||
expect(new DaysController(svc).remove(user, '5', '9')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('DayNotesController (parity with the legacy /api/.../days/:dayId/notes route)', () => {
|
||||
it('400 on an over-long text BEFORE the trip-access check (middleware order)', () => {
|
||||
const verifyTripAccess = vi.fn().mockReturnValue(undefined); // would 404 if reached
|
||||
const svc = notesSvc({ verifyTripAccess });
|
||||
expect(thrown(() => new DayNotesController(svc).create(user, '5', '3', { text: 'x'.repeat(501) }))).toEqual({
|
||||
status: 400, body: { error: 'text must be 500 characters or less' },
|
||||
});
|
||||
expect(verifyTripAccess).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 on an over-long time', () => {
|
||||
expect(thrown(() => new DayNotesController(notesSvc()).create(user, '5', '3', { text: 'ok', time: 'y'.repeat(151) }))).toEqual({
|
||||
status: 400, body: { error: 'time must be 150 characters or less' },
|
||||
});
|
||||
});
|
||||
|
||||
it('404 trip, 403 permission, 404 day, 400 empty text, then creates', () => {
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).create(user, '5', '3', { text: 'ok' }))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ canEdit: vi.fn().mockReturnValue(false) })).create(user, '5', '3', { text: 'ok' }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ dayExists: vi.fn().mockReturnValue(false) } as Partial<DayNotesService>)).create(user, '5', '3', { text: 'ok' }))).toEqual({ status: 404, body: { error: 'Day not found' } });
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ dayExists: vi.fn().mockReturnValue(true) } as Partial<DayNotesService>)).create(user, '5', '3', { text: ' ' }))).toEqual({ status: 400, body: { error: 'Text required' } });
|
||||
const create = vi.fn().mockReturnValue({ id: 7 }); const broadcast = vi.fn();
|
||||
const svc = notesSvc({ dayExists: vi.fn().mockReturnValue(true), create, broadcast } as Partial<DayNotesService>);
|
||||
expect(new DayNotesController(svc).create(user, '5', '3', { text: 'Lunch', time: '12:00' }, 'sock')).toEqual({ note: { id: 7 } });
|
||||
expect(create).toHaveBeenCalledWith('3', '5', 'Lunch', '12:00', undefined, undefined);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'dayNote:created', { dayId: 3, note: { id: 7 } }, 'sock');
|
||||
});
|
||||
|
||||
it('GET / returns notes; PUT/DELETE 404 when the note is missing', () => {
|
||||
const svc = notesSvc({ list: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<DayNotesService>);
|
||||
expect(new DayNotesController(svc).list(user, '5', '3')).toEqual({ notes: [{ id: 1 }] });
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ getNote: vi.fn().mockReturnValue(undefined) } as Partial<DayNotesService>)).update(user, '5', '3', '9', { text: 'x' }))).toEqual({ status: 404, body: { error: 'Note not found' } });
|
||||
expect(thrown(() => new DayNotesController(notesSvc({ getNote: vi.fn().mockReturnValue(undefined) } as Partial<DayNotesService>)).remove(user, '5', '3', '9'))).toEqual({ status: 404, body: { error: 'Note not found' } });
|
||||
});
|
||||
|
||||
it('PUT/DELETE update + delete a note with broadcasts', () => {
|
||||
const update = vi.fn().mockReturnValue({ id: 9 }); const broadcast = vi.fn();
|
||||
const u = notesSvc({ getNote: vi.fn().mockReturnValue({ id: 9 }), update, broadcast } as Partial<DayNotesService>);
|
||||
expect(new DayNotesController(u).update(user, '5', '3', '9', { text: 'x' }, 'sock')).toEqual({ note: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'dayNote:updated', { dayId: 3, note: { id: 9 } }, 'sock');
|
||||
const remove = vi.fn(); const b2 = vi.fn();
|
||||
const d = notesSvc({ getNote: vi.fn().mockReturnValue({ id: 9 }), remove, broadcast: b2 } as Partial<DayNotesService>);
|
||||
expect(new DayNotesController(d).remove(user, '5', '3', '9', 'sock')).toEqual({ success: true });
|
||||
expect(b2).toHaveBeenCalledWith('5', 'dayNote:deleted', { noteId: 9, dayId: 3 }, 'sock');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,120 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { MulterError } from 'multer';
|
||||
import { TrekExceptionFilter } from '../../../src/nest/common/trek-exception.filter';
|
||||
|
||||
function mockHost() {
|
||||
const res = { status: vi.fn().mockReturnThis(), json: vi.fn().mockReturnThis() };
|
||||
const host = { switchToHttp: () => ({ getResponse: () => res }) } as never;
|
||||
return { res, host };
|
||||
}
|
||||
|
||||
describe('TrekExceptionFilter', () => {
|
||||
const filter = new TrekExceptionFilter();
|
||||
|
||||
it('passes through { error, code } bodies (auth guards) unchanged', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ error: 'Access token required', code: 'AUTH_REQUIRED' }, 401), host);
|
||||
expect(res.status).toHaveBeenCalledWith(401);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Access token required', code: 'AUTH_REQUIRED' });
|
||||
});
|
||||
|
||||
it('normalises a string HttpException to { error }', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException('Bad thing', 400), host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Bad thing' });
|
||||
});
|
||||
|
||||
it('maps unknown errors to 500 { error: Internal server error }', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new Error('boom'), host);
|
||||
expect(res.status).toHaveBeenCalledWith(500);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
|
||||
});
|
||||
|
||||
it('maps a multer LIMIT_FILE_SIZE error to 413 with the multer message', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new MulterError('LIMIT_FILE_SIZE', 'avatar'), host);
|
||||
expect(res.status).toHaveBeenCalledWith(413);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'File too large' });
|
||||
});
|
||||
|
||||
it('maps any other multer error to 400 with the multer message', () => {
|
||||
const { res, host } = mockHost();
|
||||
const err = new MulterError('LIMIT_UNEXPECTED_FILE', 'avatar');
|
||||
filter.catch(err, host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: err.message });
|
||||
});
|
||||
|
||||
it('normalises a Nest-shaped { statusCode, message, error } body to { error }', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ statusCode: 400, message: 'Validation failed', error: 'Bad Request' }, 400), host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Validation failed' });
|
||||
});
|
||||
|
||||
it('joins an array message into a single string', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ message: ['too short', 'required'] }, 400), host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'too short, required' });
|
||||
});
|
||||
|
||||
it('falls back to obj.error when an object body has no message', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ statusCode: 400, error: 'Bad Request' }, 400), host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Bad Request' });
|
||||
});
|
||||
|
||||
it("uses 'Error' when an object body carries neither message nor error", () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ statusCode: 400 }, 400), host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Error' });
|
||||
});
|
||||
|
||||
it('hides 5xx object-body details behind Internal server error', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException({ message: 'secret stack detail' }, 503), host);
|
||||
expect(res.status).toHaveBeenCalledWith(503);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
|
||||
});
|
||||
|
||||
it('maps a plain error with statusCode to that status (4xx exposes message)', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch({ statusCode: 400, message: 'Only images are allowed' }, host);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Only images are allowed' });
|
||||
});
|
||||
|
||||
it('honours a plain error status field when statusCode is absent', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch({ status: 404, message: 'Not here' }, host);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Not here' });
|
||||
});
|
||||
|
||||
it("uses 'Error' for a 4xx plain error with no message", () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch({ statusCode: 422 }, host);
|
||||
expect(res.status).toHaveBeenCalledWith(422);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Error' });
|
||||
});
|
||||
|
||||
it('hides a 5xx string-body HttpException behind Internal server error', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(new HttpException('database exploded', 500), host);
|
||||
expect(res.status).toHaveBeenCalledWith(500);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
|
||||
});
|
||||
|
||||
it('treats a null exception as a 500', () => {
|
||||
const { res, host } = mockHost();
|
||||
filter.catch(null, host);
|
||||
expect(res.status).toHaveBeenCalledWith(500);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,254 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request, Response } from 'express';
|
||||
import os from 'os';
|
||||
import path from 'path';
|
||||
import fs from 'fs';
|
||||
|
||||
vi.mock('../../../src/services/demo', () => ({ isDemoEmail: vi.fn(() => false) }));
|
||||
|
||||
import { FilesController } from '../../../src/nest/files/files.controller';
|
||||
import { FilesDownloadController } from '../../../src/nest/files/files-download.controller';
|
||||
import { PhotosController } from '../../../src/nest/photos/photos.controller';
|
||||
import type { FilesService } from '../../../src/nest/files/files.service';
|
||||
import type { PhotosService } from '../../../src/nest/photos/photos.service';
|
||||
import { isDemoEmail } from '../../../src/services/demo';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function fsvc(o: Partial<FilesService> = {}): FilesService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue({ user_id: 1 }),
|
||||
can: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
...o,
|
||||
} as unknown as FilesService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
afterEach(() => { delete process.env.DEMO_MODE; });
|
||||
|
||||
describe('FilesController (parity with the legacy /api/trips/:tripId/files route)', () => {
|
||||
it('GET / 404 without access, else lists with the trash flag', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).list(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const listFiles = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
expect(new FilesController(fsvc({ listFiles } as Partial<FilesService>)).list(user, '5', 'true')).toEqual({ files: [{ id: 1 }] });
|
||||
expect(listFiles).toHaveBeenCalledWith('5', true);
|
||||
});
|
||||
|
||||
describe('POST / (upload)', () => {
|
||||
const file = { filename: 'a.pdf' } as Express.Multer.File;
|
||||
it('403 in demo mode for a demo email', () => {
|
||||
process.env.DEMO_MODE = 'true';
|
||||
vi.mocked(isDemoEmail).mockReturnValue(true);
|
||||
expect(thrown(() => new FilesController(fsvc()).upload(user, '5', file, {}))).toEqual({ status: 403, body: { error: 'Uploads are disabled in demo mode. Self-host TREK for full functionality.' } });
|
||||
});
|
||||
it('403 without file_upload, 400 without a file, else creates + broadcasts', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ can: vi.fn().mockReturnValue(false) })).upload(user, '5', file, {}))).toEqual({ status: 403, body: { error: 'No permission to upload files' } });
|
||||
expect(thrown(() => new FilesController(fsvc()).upload(user, '5', undefined, {}))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
const createFile = vi.fn().mockReturnValue({ id: 9 });
|
||||
const broadcast = vi.fn();
|
||||
const s = fsvc({ createFile, broadcast } as Partial<FilesService>);
|
||||
expect(new FilesController(s).upload(user, '5', file, { description: 'd' }, 'sock')).toEqual({ file: { id: 9 } });
|
||||
expect(createFile).toHaveBeenCalledWith('5', file, 1, { place_id: undefined, description: 'd', reservation_id: undefined });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'file:created', { file: { id: 9 } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('PUT /:id 403 without file_edit, 404 unknown, else updates + broadcasts', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ can: vi.fn().mockReturnValue(false) })).update(user, '5', '9', {}))).toEqual({ status: 403, body: { error: 'No permission to edit files' } });
|
||||
expect(thrown(() => new FilesController(fsvc({ getFileById: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).update(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
const updateFile = vi.fn().mockReturnValue({ id: 9 });
|
||||
const s = fsvc({ getFileById: vi.fn().mockReturnValue({ id: 9, description: 'x' }), updateFile, broadcast: vi.fn() } as Partial<FilesService>);
|
||||
expect(new FilesController(s).update(user, '5', '9', { description: 'new' })).toEqual({ file: { id: 9 } });
|
||||
});
|
||||
|
||||
it('PATCH /:id/star 403/404, else toggles', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ can: vi.fn().mockReturnValue(false) })).star(user, '5', '9'))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new FilesController(fsvc({ getFileById: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).star(user, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
const toggleStarred = vi.fn().mockReturnValue({ id: 9, starred: 1 });
|
||||
const s = fsvc({ getFileById: vi.fn().mockReturnValue({ id: 9, starred: 0 }), toggleStarred, broadcast: vi.fn() } as Partial<FilesService>);
|
||||
expect(new FilesController(s).star(user, '5', '9')).toEqual({ file: { id: 9, starred: 1 } });
|
||||
expect(toggleStarred).toHaveBeenCalledWith('9', 0);
|
||||
});
|
||||
|
||||
it('DELETE /:id soft-delete 403/404, else success', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ can: vi.fn().mockReturnValue(false) })).remove(user, '5', '9'))).toEqual({ status: 403, body: { error: 'No permission to delete files' } });
|
||||
expect(thrown(() => new FilesController(fsvc({ getFileById: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).remove(user, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
const softDeleteFile = vi.fn();
|
||||
const broadcast = vi.fn();
|
||||
const s = fsvc({ getFileById: vi.fn().mockReturnValue({ id: 9 }), softDeleteFile, broadcast } as Partial<FilesService>);
|
||||
expect(new FilesController(s).remove(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'file:deleted', { fileId: 9 }, 'sock');
|
||||
});
|
||||
|
||||
it('POST /:id/restore 404 not in trash, else restores', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ getDeletedFile: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).restore(user, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found in trash' } });
|
||||
const restoreFile = vi.fn().mockReturnValue({ id: 9 });
|
||||
const s = fsvc({ getDeletedFile: vi.fn().mockReturnValue({ id: 9 }), restoreFile, broadcast: vi.fn() } as Partial<FilesService>);
|
||||
expect(new FilesController(s).restore(user, '5', '9')).toEqual({ file: { id: 9 } });
|
||||
});
|
||||
|
||||
it('DELETE /:id/permanent 404 not in trash, else deletes', async () => {
|
||||
await expect(new FilesController(fsvc({ getDeletedFile: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).permanent(user, '5', '9')).rejects.toBeInstanceOf(HttpException);
|
||||
const permanentDeleteFile = vi.fn().mockResolvedValue(undefined);
|
||||
const s = fsvc({ getDeletedFile: vi.fn().mockReturnValue({ id: 9 }), permanentDeleteFile, broadcast: vi.fn() } as Partial<FilesService>);
|
||||
expect(await new FilesController(s).permanent(user, '5', '9')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('DELETE /trash/empty 403, else returns the count', async () => {
|
||||
await expect(new FilesController(fsvc({ can: vi.fn().mockReturnValue(false) })).emptyTrash(user, '5')).rejects.toBeInstanceOf(HttpException);
|
||||
const s = fsvc({ emptyTrash: vi.fn().mockResolvedValue(3) } as Partial<FilesService>);
|
||||
expect(await new FilesController(s).emptyTrash(user, '5')).toEqual({ success: true, deleted: 3 });
|
||||
});
|
||||
|
||||
it('POST /:id/link 404 unknown file, else links', () => {
|
||||
expect(thrown(() => new FilesController(fsvc({ getFileById: vi.fn().mockReturnValue(undefined) } as Partial<FilesService>)).link(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
const createFileLink = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
const s = fsvc({ getFileById: vi.fn().mockReturnValue({ id: 9 }), createFileLink } as Partial<FilesService>);
|
||||
expect(new FilesController(s).link(user, '5', '9', { reservation_id: 2 })).toEqual({ success: true, links: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('DELETE /:id/link/:linkId removes the link; GET /:id/links lists', () => {
|
||||
const deleteFileLink = vi.fn();
|
||||
expect(new FilesController(fsvc({ deleteFileLink } as Partial<FilesService>)).unlink(user, '5', '9', '3')).toEqual({ success: true });
|
||||
expect(deleteFileLink).toHaveBeenCalledWith('3', '9');
|
||||
const s = fsvc({ getFileLinks: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<FilesService>);
|
||||
expect(new FilesController(s).links(user, '5', '9')).toEqual({ links: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('the trash + link routes all reject without file_delete / file_edit', async () => {
|
||||
const denied = () => fsvc({ can: vi.fn().mockReturnValue(false) });
|
||||
await expect(new FilesController(denied()).permanent(user, '5', '9')).rejects.toMatchObject({ status: 403 });
|
||||
expect(thrown(() => new FilesController(denied()).restore(user, '5', '9'))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new FilesController(denied()).link(user, '5', '9', {}))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new FilesController(denied()).unlink(user, '5', '9', '3'))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
});
|
||||
|
||||
it('GET /:id/links 404 without trip access', () => {
|
||||
const s = fsvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new FilesController(s).links(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('FilesDownloadController', () => {
|
||||
function dsvc(o: Partial<FilesService> = {}): FilesService {
|
||||
return {
|
||||
authenticateDownload: vi.fn().mockReturnValue({ userId: 1 }),
|
||||
verifyTripAccess: vi.fn().mockReturnValue({ user_id: 1 }),
|
||||
getFileById: vi.fn().mockReturnValue({ filename: 'x.pdf', original_name: 'x.pdf' }),
|
||||
resolveFilePath: vi.fn().mockReturnValue({ resolved: 'C:/nope/x.pdf', safe: true }),
|
||||
...o,
|
||||
} as unknown as FilesService;
|
||||
}
|
||||
const req = { headers: {}, query: {} } as Request;
|
||||
const res = { setHeader: vi.fn(), sendFile: vi.fn() } as unknown as Response;
|
||||
|
||||
it('maps the auth error from authenticateDownload', () => {
|
||||
const s = dsvc({ authenticateDownload: vi.fn().mockReturnValue({ error: 'Authentication required', status: 401 }) });
|
||||
expect(thrown(() => new FilesDownloadController(s).download(req, res, '5', '9'))).toEqual({ status: 401, body: { error: 'Authentication required' } });
|
||||
});
|
||||
it('404 without trip access, 404 unknown file, 403 on an unsafe path', () => {
|
||||
expect(thrown(() => new FilesDownloadController(dsvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).download(req, res, '5', '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new FilesDownloadController(dsvc({ getFileById: vi.fn().mockReturnValue(undefined) })).download(req, res, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
expect(thrown(() => new FilesDownloadController(dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: '/x', safe: false }) })).download(req, res, '5', '9'))).toEqual({ status: 403, body: { error: 'Forbidden' } });
|
||||
});
|
||||
|
||||
it('404 when the safe path is gone from disk', () => {
|
||||
const missing = path.join(os.tmpdir(), `trek-no-such-${Date.now()}.pdf`);
|
||||
const s = dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: missing, safe: true }) });
|
||||
expect(thrown(() => new FilesDownloadController(s).download(req, res, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
|
||||
});
|
||||
|
||||
it('streams a regular file via sendFile with an explicit root', () => {
|
||||
const real = path.join(os.tmpdir(), `trek-dl-${Date.now()}.pdf`);
|
||||
fs.writeFileSync(real, 'x');
|
||||
try {
|
||||
const sendFile = vi.fn();
|
||||
const localRes = { setHeader: vi.fn(), sendFile } as unknown as Response;
|
||||
const s = dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }) });
|
||||
new FilesDownloadController(s).download(req, localRes, '5', '9');
|
||||
expect(sendFile).toHaveBeenCalledWith(path.basename(real), { root: path.dirname(real) });
|
||||
expect(localRes.setHeader).not.toHaveBeenCalled();
|
||||
} finally {
|
||||
fs.unlinkSync(real);
|
||||
}
|
||||
});
|
||||
|
||||
it('serves a .pkpass inline with the Wallet MIME type and the original name', () => {
|
||||
const real = path.join(os.tmpdir(), `trek-pass-${Date.now()}.pkpass`);
|
||||
fs.writeFileSync(real, 'x');
|
||||
try {
|
||||
const setHeader = vi.fn();
|
||||
const localRes = { setHeader, sendFile: vi.fn() } as unknown as Response;
|
||||
const s = dsvc({
|
||||
getFileById: vi.fn().mockReturnValue({ filename: 'pass.pkpass', original_name: 'BoardingPass.pkpass' }),
|
||||
resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }),
|
||||
});
|
||||
new FilesDownloadController(s).download(req, localRes, '5', '9');
|
||||
expect(setHeader).toHaveBeenCalledWith('Content-Type', 'application/vnd.apple.pkpass');
|
||||
expect(setHeader).toHaveBeenCalledWith('Content-Disposition', 'inline; filename="BoardingPass.pkpass"');
|
||||
} finally {
|
||||
fs.unlinkSync(real);
|
||||
}
|
||||
});
|
||||
|
||||
it('falls back to the resolved basename when a .pkpass has no original name', () => {
|
||||
const real = path.join(os.tmpdir(), `trek-pass-${Date.now()}.pkpass`);
|
||||
fs.writeFileSync(real, 'x');
|
||||
try {
|
||||
const setHeader = vi.fn();
|
||||
const localRes = { setHeader, sendFile: vi.fn() } as unknown as Response;
|
||||
const s = dsvc({
|
||||
getFileById: vi.fn().mockReturnValue({ filename: 'pass.pkpass', original_name: null }),
|
||||
resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }),
|
||||
});
|
||||
new FilesDownloadController(s).download(req, localRes, '5', '9');
|
||||
expect(setHeader).toHaveBeenCalledWith('Content-Disposition', `inline; filename="${path.basename(real)}"`);
|
||||
} finally {
|
||||
fs.unlinkSync(real);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
describe('PhotosController', () => {
|
||||
const user2 = { id: 1 } as User;
|
||||
function psvc(o: Partial<PhotosService> = {}): PhotosService {
|
||||
return { canAccess: vi.fn().mockReturnValue(true), stream: vi.fn().mockResolvedValue(undefined), info: vi.fn(), ...o } as unknown as PhotosService;
|
||||
}
|
||||
const res = { status: vi.fn().mockReturnThis(), json: vi.fn() } as unknown as Response;
|
||||
|
||||
it('400 on a non-finite id, 403 without access', async () => {
|
||||
await expect(new PhotosController(psvc()).thumbnail(user2, 'abc', res)).rejects.toMatchObject({ status: 400 });
|
||||
await expect(new PhotosController(psvc({ canAccess: vi.fn().mockReturnValue(false) })).original(user2, '5', res)).rejects.toMatchObject({ status: 403 });
|
||||
});
|
||||
|
||||
it('streams thumbnail/original', async () => {
|
||||
const stream = vi.fn().mockResolvedValue(undefined);
|
||||
const c = new PhotosController(psvc({ stream }));
|
||||
await c.thumbnail(user2, '5', res);
|
||||
expect(stream).toHaveBeenCalledWith(res, 1, 5, 'thumbnail');
|
||||
await c.original(user2, '5', res);
|
||||
expect(stream).toHaveBeenCalledWith(res, 1, 5, 'original');
|
||||
});
|
||||
|
||||
it('info writes the data, maps a service error', async () => {
|
||||
const okRes = { status: vi.fn().mockReturnThis(), json: vi.fn() } as unknown as Response;
|
||||
await new PhotosController(psvc({ info: vi.fn().mockResolvedValue({ data: { id: '5' } }) })).info(user2, '5', okRes);
|
||||
expect(okRes.json).toHaveBeenCalledWith({ id: '5' });
|
||||
const errRes = { status: vi.fn().mockReturnThis(), json: vi.fn() } as unknown as Response;
|
||||
await new PhotosController(psvc({ info: vi.fn().mockResolvedValue({ error: { status: 404, message: 'Photo not found' } }) })).info(user2, '5', errRes);
|
||||
expect(errRes.status).toHaveBeenCalledWith(404);
|
||||
expect(errRes.json).toHaveBeenCalledWith({ error: 'Photo not found' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,134 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import type { Request } from 'express';
|
||||
|
||||
// Mock the side-effect dependencies the wrapper reaches into directly.
|
||||
const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast }));
|
||||
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { svc } = vi.hoisted(() => ({
|
||||
svc: {
|
||||
verifyTripAccess: vi.fn(),
|
||||
authenticateDownload: vi.fn(),
|
||||
resolveFilePath: vi.fn(),
|
||||
listFiles: vi.fn(),
|
||||
getFileById: vi.fn(),
|
||||
getDeletedFile: vi.fn(),
|
||||
createFile: vi.fn(),
|
||||
updateFile: vi.fn(),
|
||||
toggleStarred: vi.fn(),
|
||||
softDeleteFile: vi.fn(),
|
||||
restoreFile: vi.fn(),
|
||||
permanentDeleteFile: vi.fn(),
|
||||
emptyTrash: vi.fn(),
|
||||
createFileLink: vi.fn(),
|
||||
deleteFileLink: vi.fn(),
|
||||
getFileLinks: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/fileService', () => svc);
|
||||
|
||||
import { FilesService } from '../../../src/nest/files/files.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
function service() {
|
||||
return new FilesService();
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('FilesService (thin wrapper around the legacy fileService)', () => {
|
||||
it('verifyTripAccess delegates to the legacy service', () => {
|
||||
svc.verifyTripAccess.mockReturnValue({ id: 5, user_id: 2 });
|
||||
expect(service().verifyTripAccess('5', 2)).toEqual({ id: 5, user_id: 2 });
|
||||
expect(svc.verifyTripAccess).toHaveBeenCalledWith('5', 2);
|
||||
});
|
||||
|
||||
it('can forwards the ownership flag when the user owns the trip', () => {
|
||||
checkPermission.mockReturnValue(true);
|
||||
const user = { id: 1, role: 'user' } as User;
|
||||
expect(service().can('file_edit', { user_id: 1 } as never, user)).toBe(true);
|
||||
expect(checkPermission).toHaveBeenCalledWith('file_edit', 'user', 1, 1, false);
|
||||
});
|
||||
|
||||
it('can marks the user as a guest when they do not own the trip', () => {
|
||||
checkPermission.mockReturnValue(false);
|
||||
const user = { id: 1, role: 'user' } as User;
|
||||
expect(service().can('file_upload', { user_id: 2 } as never, user)).toBe(false);
|
||||
expect(checkPermission).toHaveBeenCalledWith('file_upload', 'user', 2, 1, true);
|
||||
});
|
||||
|
||||
it('broadcast forwards to the websocket helper', () => {
|
||||
service().broadcast('5', 'file:created', { file: { id: 1 } }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'file:created', { file: { id: 1 } }, 'sock');
|
||||
});
|
||||
|
||||
it('authenticateDownload / resolveFilePath delegate', () => {
|
||||
const req = { headers: {} } as Request;
|
||||
svc.authenticateDownload.mockReturnValue({ userId: 7 });
|
||||
expect(service().authenticateDownload(req)).toEqual({ userId: 7 });
|
||||
expect(svc.authenticateDownload).toHaveBeenCalledWith(req);
|
||||
|
||||
svc.resolveFilePath.mockReturnValue({ resolved: '/a/b.pdf', safe: true });
|
||||
expect(service().resolveFilePath('b.pdf')).toEqual({ resolved: '/a/b.pdf', safe: true });
|
||||
expect(svc.resolveFilePath).toHaveBeenCalledWith('b.pdf');
|
||||
});
|
||||
|
||||
it('the read helpers delegate', () => {
|
||||
svc.listFiles.mockReturnValue([{ id: 1 }]);
|
||||
expect(service().listFiles('5', true)).toEqual([{ id: 1 }]);
|
||||
expect(svc.listFiles).toHaveBeenCalledWith('5', true);
|
||||
|
||||
svc.getFileById.mockReturnValue({ id: 9 });
|
||||
expect(service().getFileById('9', '5')).toEqual({ id: 9 });
|
||||
expect(svc.getFileById).toHaveBeenCalledWith('9', '5');
|
||||
|
||||
svc.getDeletedFile.mockReturnValue({ id: 9 });
|
||||
expect(service().getDeletedFile('9', '5')).toEqual({ id: 9 });
|
||||
expect(svc.getDeletedFile).toHaveBeenCalledWith('9', '5');
|
||||
|
||||
svc.getFileLinks.mockReturnValue([{ id: 1 }]);
|
||||
expect(service().getFileLinks('9')).toEqual([{ id: 1 }]);
|
||||
expect(svc.getFileLinks).toHaveBeenCalledWith('9');
|
||||
});
|
||||
|
||||
it('the mutating helpers delegate', () => {
|
||||
const file = { filename: 'a.pdf' } as Express.Multer.File;
|
||||
svc.createFile.mockReturnValue({ id: 9 });
|
||||
expect(service().createFile('5', file, 1, { description: 'd' })).toEqual({ id: 9 });
|
||||
expect(svc.createFile).toHaveBeenCalledWith('5', file, 1, { description: 'd' });
|
||||
|
||||
svc.updateFile.mockReturnValue({ id: 9 });
|
||||
const current = { id: 9 } as never;
|
||||
expect(service().updateFile('9', current, { description: 'x' })).toEqual({ id: 9 });
|
||||
expect(svc.updateFile).toHaveBeenCalledWith('9', current, { description: 'x' });
|
||||
|
||||
svc.toggleStarred.mockReturnValue({ id: 9, starred: 1 });
|
||||
expect(service().toggleStarred('9', 0)).toEqual({ id: 9, starred: 1 });
|
||||
expect(svc.toggleStarred).toHaveBeenCalledWith('9', 0);
|
||||
|
||||
service().softDeleteFile('9');
|
||||
expect(svc.softDeleteFile).toHaveBeenCalledWith('9');
|
||||
|
||||
svc.restoreFile.mockReturnValue({ id: 9 });
|
||||
expect(service().restoreFile('9')).toEqual({ id: 9 });
|
||||
expect(svc.restoreFile).toHaveBeenCalledWith('9');
|
||||
|
||||
const trashed = { id: 9 } as never;
|
||||
service().permanentDeleteFile(trashed);
|
||||
expect(svc.permanentDeleteFile).toHaveBeenCalledWith(trashed);
|
||||
|
||||
svc.emptyTrash.mockReturnValue(3);
|
||||
expect(service().emptyTrash('5')).toBe(3);
|
||||
expect(svc.emptyTrash).toHaveBeenCalledWith('5');
|
||||
|
||||
svc.createFileLink.mockReturnValue([{ id: 1 }]);
|
||||
expect(service().createFileLink('9', { reservation_id: 2 })).toEqual([{ id: 1 }]);
|
||||
expect(svc.createFileLink).toHaveBeenCalledWith('9', { reservation_id: 2 });
|
||||
|
||||
service().deleteFileLink('3', '9');
|
||||
expect(svc.deleteFileLink).toHaveBeenCalledWith('3', '9');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,65 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HealthController } from '../../../src/nest/health/health.controller';
|
||||
import { HealthService } from '../../../src/nest/health/health.service';
|
||||
import { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function makeService(overrides: Partial<HealthService> = {}): HealthService {
|
||||
return {
|
||||
info: vi.fn().mockReturnValue({ runtime: 'nestjs', diInjected: true, userCount: 0 }),
|
||||
...overrides,
|
||||
} as unknown as HealthService;
|
||||
}
|
||||
|
||||
describe('HealthController (foundation smoke endpoints under /api/_nest)', () => {
|
||||
it('GET /health merges ok:true with the service info', () => {
|
||||
const svc = makeService({
|
||||
info: vi.fn().mockReturnValue({ runtime: 'nestjs', diInjected: true, userCount: 7 }),
|
||||
});
|
||||
expect(new HealthController(svc).getHealth()).toEqual({
|
||||
ok: true,
|
||||
runtime: 'nestjs',
|
||||
diInjected: true,
|
||||
userCount: 7,
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /me returns the authenticated user as-is', () => {
|
||||
const svc = makeService();
|
||||
expect(new HealthController(svc).me(user)).toBe(user);
|
||||
});
|
||||
|
||||
it('POST /echo wraps the validated body', () => {
|
||||
const svc = makeService();
|
||||
expect(new HealthController(svc).echo({ name: 'Maurice' })).toEqual({
|
||||
youSent: { name: 'Maurice' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('HealthService.info (shared SQLite connection proof)', () => {
|
||||
function makeDb(get: () => unknown): DatabaseService {
|
||||
return { get: vi.fn(get) } as unknown as DatabaseService;
|
||||
}
|
||||
|
||||
it('returns the real user count when the row resolves', () => {
|
||||
const service = new HealthService(makeDb(() => ({ n: 42 })));
|
||||
expect(service.info()).toEqual({
|
||||
runtime: 'nestjs',
|
||||
diInjected: true,
|
||||
userCount: 42,
|
||||
});
|
||||
});
|
||||
|
||||
it('falls back to null when the row is undefined', () => {
|
||||
const service = new HealthService(makeDb(() => undefined));
|
||||
expect(service.info().userCount).toBeNull();
|
||||
});
|
||||
|
||||
it('falls back to null when the count column is null', () => {
|
||||
const service = new HealthService(makeDb(() => ({ n: null })));
|
||||
expect(service.info().userCount).toBeNull();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,25 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { Test } from '@nestjs/testing';
|
||||
import { HealthController } from '../../../src/nest/health/health.controller';
|
||||
import { HealthService } from '../../../src/nest/health/health.service';
|
||||
import { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
|
||||
describe('Nest dependency injection (vitest + swc)', () => {
|
||||
it('injects HealthService + DatabaseService into HealthController by type', async () => {
|
||||
const moduleRef = await Test.createTestingModule({
|
||||
controllers: [HealthController],
|
||||
providers: [
|
||||
HealthService,
|
||||
{ provide: DatabaseService, useValue: { get: () => ({ n: 7 }) } },
|
||||
],
|
||||
}).compile();
|
||||
|
||||
const controller = moduleRef.get(HealthController);
|
||||
expect(controller.getHealth()).toEqual({
|
||||
ok: true,
|
||||
runtime: 'nestjs',
|
||||
diInjected: true,
|
||||
userCount: 7,
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,197 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { CallHandler, ExecutionContext } from '@nestjs/common';
|
||||
import { of, lastValueFrom } from 'rxjs';
|
||||
import { IdempotencyInterceptor } from '../../../src/nest/common/idempotency.interceptor';
|
||||
import type { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
|
||||
type ReqShape = {
|
||||
method: string;
|
||||
headers: Record<string, string>;
|
||||
path?: string;
|
||||
user?: { id: number };
|
||||
};
|
||||
|
||||
function makeRes() {
|
||||
const res = {
|
||||
statusCode: 200,
|
||||
status: vi.fn((code: number) => {
|
||||
res.statusCode = code;
|
||||
return res;
|
||||
}),
|
||||
json: vi.fn((body: unknown) => body),
|
||||
};
|
||||
return res;
|
||||
}
|
||||
|
||||
function ctx(req: ReqShape, res: ReturnType<typeof makeRes>): ExecutionContext {
|
||||
return {
|
||||
switchToHttp: () => ({ getRequest: () => req, getResponse: () => res }),
|
||||
} as unknown as ExecutionContext;
|
||||
}
|
||||
|
||||
function handler(result: unknown): CallHandler & { handle: ReturnType<typeof vi.fn> } {
|
||||
return { handle: vi.fn(() => of(result)) };
|
||||
}
|
||||
|
||||
function makeDb(overrides: Partial<DatabaseService> = {}): DatabaseService {
|
||||
return { get: vi.fn(), run: vi.fn(), ...overrides } as unknown as DatabaseService;
|
||||
}
|
||||
|
||||
describe('IdempotencyInterceptor (parity with the legacy applyIdempotency middleware)', () => {
|
||||
it('passes a GET through without touching the store', async () => {
|
||||
const db = makeDb();
|
||||
const h = handler('weather');
|
||||
const out = await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(ctx({ method: 'GET', headers: {} }, makeRes()), h),
|
||||
);
|
||||
expect(out).toBe('weather');
|
||||
expect(h.handle).toHaveBeenCalled();
|
||||
expect(db.get).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('passes a mutating request without a key through', async () => {
|
||||
const db = makeDb();
|
||||
const h = handler('done');
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(ctx({ method: 'POST', headers: {}, user: { id: 1 } }, makeRes()), h),
|
||||
);
|
||||
expect(h.handle).toHaveBeenCalled();
|
||||
expect(db.get).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('passes through when there is no authenticated user', async () => {
|
||||
const db = makeDb();
|
||||
const h = handler('done');
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' } }, makeRes()), h),
|
||||
);
|
||||
expect(h.handle).toHaveBeenCalled();
|
||||
expect(db.get).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('rejects an over-long key with the exact legacy 400 body', () => {
|
||||
const db = makeDb();
|
||||
const h = handler('done');
|
||||
const run = () =>
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'x'.repeat(129) }, user: { id: 1 } }, makeRes()),
|
||||
h,
|
||||
);
|
||||
expect(run).toThrow(HttpException);
|
||||
try {
|
||||
run();
|
||||
} catch (err) {
|
||||
const e = err as HttpException;
|
||||
expect(e.getStatus()).toBe(400);
|
||||
expect(e.getResponse()).toEqual({ error: 'X-Idempotency-Key exceeds maximum length of 128 characters' });
|
||||
}
|
||||
expect(h.handle).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('replays a cached response and skips the handler', async () => {
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue({ status_code: 201, response_body: '{"id":5}' }) });
|
||||
const res = makeRes();
|
||||
const h = handler('should-not-run');
|
||||
const out = await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
expect(res.status).toHaveBeenCalledWith(201);
|
||||
expect(out).toEqual({ id: 5 });
|
||||
expect(h.handle).not.toHaveBeenCalled();
|
||||
expect(db.get).toHaveBeenCalledWith(
|
||||
expect.stringContaining('idempotency_keys'),
|
||||
'k', 1, 'POST', '/api/categories',
|
||||
);
|
||||
});
|
||||
|
||||
it('captures a successful JSON response under the key', async () => {
|
||||
const run = vi.fn();
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
|
||||
const res = makeRes();
|
||||
const h = handler({ created: true });
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
// Simulate Nest serialising the handler result through the wrapped res.json.
|
||||
res.statusCode = 201;
|
||||
res.json({ created: true });
|
||||
expect(run).toHaveBeenCalledTimes(1);
|
||||
expect(run).toHaveBeenCalledWith(
|
||||
expect.stringContaining('INSERT OR IGNORE INTO idempotency_keys'),
|
||||
'k', 1, 'POST', '/api/categories', 201, '{"created":true}', expect.any(Number),
|
||||
);
|
||||
});
|
||||
|
||||
it('does not cache a non-2xx response', async () => {
|
||||
const run = vi.fn();
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
|
||||
const res = makeRes();
|
||||
const h = handler({ error: 'bad' });
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
res.statusCode = 400;
|
||||
res.json({ error: 'bad' });
|
||||
expect(run).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('does not cache a body that exceeds the 256 KiB cap', async () => {
|
||||
const run = vi.fn();
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
|
||||
const res = makeRes();
|
||||
const big = { blob: 'x'.repeat(300 * 1024) };
|
||||
const h = handler(big);
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
res.statusCode = 200;
|
||||
res.json(big);
|
||||
expect(run).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('swallows a storage failure so the response still succeeds', async () => {
|
||||
const run = vi.fn(() => {
|
||||
throw new Error('db is locked');
|
||||
});
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
|
||||
const res = makeRes();
|
||||
const h = handler({ ok: true });
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
res.statusCode = 201;
|
||||
const returned = res.json({ ok: true });
|
||||
expect(run).toHaveBeenCalledTimes(1);
|
||||
expect(returned).toEqual({ ok: true });
|
||||
});
|
||||
|
||||
it('treats a PATCH as a mutating method', async () => {
|
||||
const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run: vi.fn() });
|
||||
const res = makeRes();
|
||||
const h = handler('done');
|
||||
await lastValueFrom(
|
||||
new IdempotencyInterceptor(db).intercept(
|
||||
ctx({ method: 'PATCH', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories/1', user: { id: 1 } }, res),
|
||||
h,
|
||||
),
|
||||
);
|
||||
expect(db.get).toHaveBeenCalled();
|
||||
expect(h.handle).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,340 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Response } from 'express';
|
||||
import path from 'node:path';
|
||||
import fs from 'node:fs';
|
||||
|
||||
import { JourneyController } from '../../../src/nest/journey/journey.controller';
|
||||
import { JourneyPublicController } from '../../../src/nest/journey/journey-public.controller';
|
||||
import { JourneyAddonGuard } from '../../../src/nest/journey/journey-addon.guard';
|
||||
import type { JourneyService } from '../../../src/nest/journey/journey.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function svc(o: Partial<JourneyService> = {}): JourneyService {
|
||||
return { journeyAddonEnabled: vi.fn().mockReturnValue(true), ...o } as unknown as JourneyService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('JourneyAddonGuard', () => {
|
||||
it('404 when the addon is disabled, passes when enabled', () => {
|
||||
expect(thrown(() => new JourneyAddonGuard(svc({ journeyAddonEnabled: vi.fn().mockReturnValue(false) })).canActivate())).toEqual({ status: 404, body: { error: 'Journey addon is not enabled' } });
|
||||
expect(new JourneyAddonGuard(svc()).canActivate()).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('JourneyController', () => {
|
||||
it('GET / lists; POST / 400 without title, else creates', () => {
|
||||
expect(new JourneyController(svc({ listJourneys: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<JourneyService>)).list(user)).toEqual({ journeys: [{ id: 1 }] });
|
||||
expect(thrown(() => new JourneyController(svc()).create(user, { title: ' ' }))).toEqual({ status: 400, body: { error: 'Title is required' } });
|
||||
const createJourney = vi.fn().mockReturnValue({ id: 9 });
|
||||
expect(new JourneyController(svc({ createJourney } as Partial<JourneyService>)).create(user, { title: ' Trip ', trip_ids: [1, '2'] })).toEqual({ id: 9 });
|
||||
expect(createJourney).toHaveBeenCalledWith(1, { title: 'Trip', subtitle: undefined, trip_ids: [1, 2] });
|
||||
});
|
||||
|
||||
it('GET /suggestions + /available-trips', () => {
|
||||
expect(new JourneyController(svc({ getSuggestions: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<JourneyService>)).suggestions(user)).toEqual({ trips: [{ id: 1 }] });
|
||||
expect(new JourneyController(svc({ listUserTrips: vi.fn().mockReturnValue([{ id: 2 }]) } as Partial<JourneyService>)).availableTrips(user)).toEqual({ trips: [{ id: 2 }] });
|
||||
});
|
||||
|
||||
it('PATCH/DELETE entries map 404', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ updateEntry: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).updateEntry(user, '3', {}))).toEqual({ status: 404, body: { error: 'Entry not found' } });
|
||||
expect(new JourneyController(svc({ updateEntry: vi.fn().mockReturnValue({ id: 3 }) } as Partial<JourneyService>)).updateEntry(user, '3', { title: 'x' })).toEqual({ id: 3 });
|
||||
expect(thrown(() => new JourneyController(svc({ deleteEntry: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).deleteEntry(user, '3'))).toEqual({ status: 404, body: { error: 'Entry not found' } });
|
||||
expect(new JourneyController(svc({ deleteEntry: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).deleteEntry(user, '3')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('provider-photos: batch, single 400/403, success', () => {
|
||||
const batch = svc({ addProviderPhoto: vi.fn().mockReturnValue({ id: 1 }) } as Partial<JourneyService>);
|
||||
expect(new JourneyController(batch).providerPhotos(user, '3', { provider: 'immich', asset_ids: ['a', 'b'] })).toEqual({ photos: [{ id: 1 }, { id: 1 }], added: 2 });
|
||||
expect(thrown(() => new JourneyController(svc()).providerPhotos(user, '3', { provider: 'immich' }))).toEqual({ status: 400, body: { error: 'provider and asset_id required' } });
|
||||
expect(thrown(() => new JourneyController(svc({ addProviderPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).providerPhotos(user, '3', { provider: 'immich', asset_id: 'a' }))).toEqual({ status: 403, body: { error: 'Not allowed or duplicate' } });
|
||||
});
|
||||
|
||||
it('link-photo: 400 without id (accepts legacy photo_id), 403, success', () => {
|
||||
expect(thrown(() => new JourneyController(svc()).linkPhoto(user, '3', {}))).toEqual({ status: 400, body: { error: 'journey_photo_id required' } });
|
||||
const linkPhotoToEntry = vi.fn().mockReturnValue({ id: 5 });
|
||||
const c = new JourneyController(svc({ linkPhotoToEntry } as Partial<JourneyService>));
|
||||
expect(c.linkPhoto(user, '3', { photo_id: 5 })).toEqual({ id: 5 });
|
||||
expect(linkPhotoToEntry).toHaveBeenCalledWith(3, 5, 1);
|
||||
// accepts the canonical journey_photo_id, 403 when the service refuses
|
||||
expect(thrown(() => new JourneyController(svc({ linkPhotoToEntry: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).linkPhoto(user, '3', { journey_photo_id: 9 }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
});
|
||||
|
||||
it('unlink photo (204) maps 404; delete photo 404 then unlinks file', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ unlinkPhotoFromEntry: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).unlinkPhoto(user, '3', '7'))).toEqual({ status: 404, body: { error: 'Not found or not allowed' } });
|
||||
expect(new JourneyController(svc({ unlinkPhotoFromEntry: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).unlinkPhoto(user, '3', '7')).toBeUndefined();
|
||||
expect(thrown(() => new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).deletePhoto(user, '7'))).toEqual({ status: 404, body: { error: 'Photo not found' } });
|
||||
expect(new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue({ id: 7, file_path: null }) } as Partial<JourneyService>)).deletePhoto(user, '7')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('gallery upload 400 no files / 403 not allowed, else returns photos', () => {
|
||||
expect(thrown(() => new JourneyController(svc()).uploadGalleryPhotos(user, '3', undefined))).toEqual({ status: 400, body: { error: 'No files uploaded' } });
|
||||
expect(thrown(() => new JourneyController(svc({ uploadGalleryPhotos: vi.fn().mockReturnValue([]) } as Partial<JourneyService>)).uploadGalleryPhotos(user, '3', [{ filename: 'a.jpg' } as Express.Multer.File]))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(new JourneyController(svc({ uploadGalleryPhotos: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<JourneyService>)).uploadGalleryPhotos(user, '3', [{ filename: 'a.jpg' } as Express.Multer.File])).toEqual({ photos: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('GET/PATCH/DELETE /:id map 404', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ getJourneyFull: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).get(user, '9'))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
expect(new JourneyController(svc({ getJourneyFull: vi.fn().mockReturnValue({ id: 9 }) } as Partial<JourneyService>)).get(user, '9')).toEqual({ id: 9 });
|
||||
expect(thrown(() => new JourneyController(svc({ updateJourney: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).update(user, '9', {}))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
expect(thrown(() => new JourneyController(svc({ deleteJourney: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).remove(user, '9'))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
});
|
||||
|
||||
it('trips: POST 400 without trip_id / 403, DELETE 403', () => {
|
||||
expect(thrown(() => new JourneyController(svc()).addTrip(user, '9', {}))).toEqual({ status: 400, body: { error: 'trip_id required' } });
|
||||
expect(thrown(() => new JourneyController(svc({ addTripToJourney: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).addTrip(user, '9', { trip_id: 2 }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(new JourneyController(svc({ addTripToJourney: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).addTrip(user, '9', { trip_id: 2 })).toEqual({ success: true });
|
||||
expect(thrown(() => new JourneyController(svc({ removeTripFromJourney: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).removeTrip(user, '9', '2'))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
});
|
||||
|
||||
it('entries under journey: list 404, create 400/404, reorder 400/403', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ listEntries: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).listEntries(user, '9'))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
expect(new JourneyController(svc({ listEntries: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<JourneyService>)).listEntries(user, '9')).toEqual({ entries: [{ id: 1 }] });
|
||||
expect(thrown(() => new JourneyController(svc()).createEntry(user, '9', {}))).toEqual({ status: 400, body: { error: 'entry_date is required' } });
|
||||
expect(thrown(() => new JourneyController(svc({ createEntry: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).createEntry(user, '9', { entry_date: '2026-01-01' }))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
expect(thrown(() => new JourneyController(svc()).reorderEntries(user, '9', { orderedIds: 'no' }))).toEqual({ status: 400, body: { error: 'orderedIds must be an array of numbers' } });
|
||||
expect(thrown(() => new JourneyController(svc({ reorderEntries: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).reorderEntries(user, '9', { orderedIds: [1, 2] }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
});
|
||||
|
||||
it('contributors: add 400/403, update 403, remove 403', () => {
|
||||
expect(thrown(() => new JourneyController(svc()).addContributor(user, '9', {}))).toEqual({ status: 400, body: { error: 'user_id required' } });
|
||||
expect(thrown(() => new JourneyController(svc({ addContributor: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).addContributor(user, '9', { user_id: 2 }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(new JourneyController(svc({ addContributor: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).addContributor(user, '9', { user_id: 2 })).toEqual({ success: true });
|
||||
expect(thrown(() => new JourneyController(svc({ updateContributorRole: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).updateContributor(user, '9', '2', { role: 'editor' }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(thrown(() => new JourneyController(svc({ removeContributor: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).removeContributor(user, '9', '2'))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
});
|
||||
|
||||
it('preferences 403, share-link get/set/delete', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ updateJourneyPreferences: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).preferences(user, '9', {}))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(new JourneyController(svc({ getJourneyShareLink: vi.fn().mockReturnValue({ token: 'abc' }) } as Partial<JourneyService>)).getShareLink(user, '9')).toEqual({ link: { token: 'abc' } });
|
||||
expect(thrown(() => new JourneyController(svc({ createOrUpdateJourneyShareLink: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).setShareLink(user, '9', {}))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
expect(new JourneyController(svc({ createOrUpdateJourneyShareLink: vi.fn().mockReturnValue({ token: 'abc' }) } as Partial<JourneyService>)).setShareLink(user, '9', { share_timeline: true })).toEqual({ token: 'abc' });
|
||||
expect(thrown(() => new JourneyController(svc({ deleteJourneyShareLink: vi.fn().mockReturnValue(false) } as Partial<JourneyService>)).deleteShareLink(user, '9'))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
});
|
||||
|
||||
it('entry photo upload mirrors to Immich only when opted in', async () => {
|
||||
const addPhoto = vi.fn().mockReturnValue({ id: 5 });
|
||||
const uploadToImmich = vi.fn().mockResolvedValue('immich-1');
|
||||
const setPhotoProvider = vi.fn();
|
||||
const s = svc({ addPhoto, immichAutoUploadEnabled: vi.fn().mockReturnValue(true), uploadToImmich, setPhotoProvider } as Partial<JourneyService>);
|
||||
const res = await new JourneyController(s).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], {});
|
||||
expect(setPhotoProvider).toHaveBeenCalledWith(5, 'immich', 'immich-1', 1);
|
||||
expect(res).toEqual({ photos: [{ id: 5, provider: 'immich', asset_id: 'immich-1', owner_id: 1 }] });
|
||||
|
||||
const noOptIn = svc({ addPhoto: vi.fn().mockReturnValue({ id: 6 }), immichAutoUploadEnabled: vi.fn().mockReturnValue(false), uploadToImmich } as Partial<JourneyService>);
|
||||
await new JourneyController(noOptIn).uploadEntryPhotos(user, '3', [{ filename: 'b.jpg', originalname: 'b.jpg' } as Express.Multer.File], {});
|
||||
expect(uploadToImmich).toHaveBeenCalledTimes(1); // only the opted-in upload above
|
||||
});
|
||||
|
||||
it('entry photo upload: 400 no files, 403 when nothing added, swallows immich errors and empty ids', async () => {
|
||||
expect(await thrownAsync(() => new JourneyController(svc()).uploadEntryPhotos(user, '3', undefined, {}))).toEqual({ status: 400, body: { error: 'No files uploaded' } });
|
||||
expect(await thrownAsync(() => new JourneyController(svc({ addPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], {}))).toEqual({ status: 403, body: { error: 'Not allowed' } });
|
||||
|
||||
// opted in but the immich upload throws → best-effort, the local photo still wins
|
||||
const setPhotoProvider = vi.fn();
|
||||
const blowsUp = svc({ addPhoto: vi.fn().mockReturnValue({ id: 8 }), immichAutoUploadEnabled: vi.fn().mockReturnValue(true), uploadToImmich: vi.fn().mockRejectedValue(new Error('immich down')), setPhotoProvider } as Partial<JourneyService>);
|
||||
expect(await new JourneyController(blowsUp).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], { caption: 'c' })).toEqual({ photos: [{ id: 8 }] });
|
||||
expect(setPhotoProvider).not.toHaveBeenCalled();
|
||||
|
||||
// opted in but immich returns a falsy id → no provider stamping
|
||||
const noId = svc({ addPhoto: vi.fn().mockReturnValue({ id: 9 }), immichAutoUploadEnabled: vi.fn().mockReturnValue(true), uploadToImmich: vi.fn().mockResolvedValue(''), setPhotoProvider } as Partial<JourneyService>);
|
||||
expect(await new JourneyController(noId).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], {})).toEqual({ photos: [{ id: 9 }] });
|
||||
});
|
||||
|
||||
it('provider-photos batch passes the passphrase through when present', () => {
|
||||
const addProviderPhoto = vi.fn().mockReturnValue({ id: 1 });
|
||||
new JourneyController(svc({ addProviderPhoto } as Partial<JourneyService>)).providerPhotos(user, '3', { provider: 'immich', asset_ids: ['a'], caption: 'cap', passphrase: 'secret' });
|
||||
expect(addProviderPhoto).toHaveBeenCalledWith(3, 1, 'immich', 'a', 'cap', 'secret');
|
||||
// single-photo success path
|
||||
expect(new JourneyController(svc({ addProviderPhoto: vi.fn().mockReturnValue({ id: 2 }) } as Partial<JourneyService>)).providerPhotos(user, '3', { provider: 'immich', asset_id: 'a' })).toEqual({ id: 2 });
|
||||
});
|
||||
|
||||
it('PATCH photos: 404 then returns the updated photo', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ updatePhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).updatePhoto(user, '7', { caption: 'x' }))).toEqual({ status: 404, body: { error: 'Photo not found' } });
|
||||
expect(new JourneyController(svc({ updatePhoto: vi.fn().mockReturnValue({ id: 7 }) } as Partial<JourneyService>)).updatePhoto(user, '7', { caption: 'x' })).toEqual({ id: 7 });
|
||||
});
|
||||
|
||||
it('DELETE photo unlinks the file when a path exists', () => {
|
||||
const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => undefined);
|
||||
try {
|
||||
expect(new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue({ id: 7, file_path: 'journey/a.jpg' }) } as Partial<JourneyService>)).deletePhoto(user, '7')).toEqual({ success: true });
|
||||
expect(unlinkSpy).toHaveBeenCalledTimes(1);
|
||||
// a vanished file is swallowed
|
||||
unlinkSpy.mockImplementationOnce(() => { throw new Error('ENOENT'); });
|
||||
expect(new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue({ id: 8, file_path: 'journey/b.jpg' }) } as Partial<JourneyService>)).deletePhoto(user, '8')).toEqual({ success: true });
|
||||
} finally {
|
||||
unlinkSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
|
||||
it('gallery provider-photos: batch (with passphrase), single 400/403, success', () => {
|
||||
const addProviderPhotoToGallery = vi.fn().mockReturnValue({ id: 1 });
|
||||
const batch = new JourneyController(svc({ addProviderPhotoToGallery } as Partial<JourneyService>));
|
||||
expect(batch.galleryProviderPhotos(user, '9', { provider: 'immich', asset_ids: ['a', 'b'], passphrase: 'pw' })).toEqual({ photos: [{ id: 1 }, { id: 1 }], added: 2 });
|
||||
expect(addProviderPhotoToGallery).toHaveBeenCalledWith(9, 1, 'immich', 'a', undefined, 'pw');
|
||||
expect(thrown(() => new JourneyController(svc()).galleryProviderPhotos(user, '9', { provider: 'immich' }))).toEqual({ status: 400, body: { error: 'provider and asset_id required' } });
|
||||
expect(thrown(() => new JourneyController(svc({ addProviderPhotoToGallery: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).galleryProviderPhotos(user, '9', { provider: 'immich', asset_id: 'a' }))).toEqual({ status: 403, body: { error: 'Not allowed or duplicate' } });
|
||||
expect(new JourneyController(svc({ addProviderPhotoToGallery: vi.fn().mockReturnValue({ id: 3 }) } as Partial<JourneyService>)).galleryProviderPhotos(user, '9', { provider: 'immich', asset_id: 'a' })).toEqual({ id: 3 });
|
||||
});
|
||||
|
||||
it('DELETE gallery photo: 404, then unlinks the file when present', () => {
|
||||
expect(thrown(() => new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '7'))).toEqual({ status: 404, body: { error: 'Photo not found or not allowed' } });
|
||||
// no file_path → nothing to unlink, returns void
|
||||
expect(new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 7, file_path: null }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '7')).toBeUndefined();
|
||||
const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => undefined);
|
||||
try {
|
||||
new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 8, file_path: 'journey/g.jpg' }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '8');
|
||||
expect(unlinkSpy).toHaveBeenCalledTimes(1);
|
||||
unlinkSpy.mockImplementationOnce(() => { throw new Error('ENOENT'); });
|
||||
expect(new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 9, file_path: 'journey/h.jpg' }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '9')).toBeUndefined();
|
||||
} finally {
|
||||
unlinkSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
|
||||
it('PATCH /:id returns the updated journey on success', () => {
|
||||
expect(new JourneyController(svc({ updateJourney: vi.fn().mockReturnValue({ id: 9 }) } as Partial<JourneyService>)).update(user, '9', { title: 'x' })).toEqual({ id: 9 });
|
||||
});
|
||||
|
||||
it('cover upload: 400 without file, 404 when the journey is gone, else returns the journey', () => {
|
||||
expect(thrown(() => new JourneyController(svc()).cover(user, '9', undefined))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
expect(thrown(() => new JourneyController(svc({ updateJourney: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).cover(user, '9', { filename: 'c.jpg' } as Express.Multer.File))).toEqual({ status: 404, body: { error: 'Journey not found' } });
|
||||
const updateJourney = vi.fn().mockReturnValue({ id: 9, cover_image: 'journey/c.jpg' });
|
||||
expect(new JourneyController(svc({ updateJourney } as Partial<JourneyService>)).cover(user, '9', { filename: 'c.jpg' } as Express.Multer.File)).toEqual({ id: 9, cover_image: 'journey/c.jpg' });
|
||||
expect(updateJourney).toHaveBeenCalledWith(9, 1, { cover_image: 'journey/c.jpg' });
|
||||
});
|
||||
|
||||
it('DELETE /:id and trips/contributors success paths', () => {
|
||||
expect(new JourneyController(svc({ deleteJourney: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).remove(user, '9')).toEqual({ success: true });
|
||||
expect(new JourneyController(svc({ removeTripFromJourney: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).removeTrip(user, '9', '2')).toEqual({ success: true });
|
||||
expect(new JourneyController(svc({ updateContributorRole: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).updateContributor(user, '9', '2', { role: 'editor' })).toEqual({ success: true });
|
||||
expect(new JourneyController(svc({ removeContributor: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).removeContributor(user, '9', '2')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('addContributor defaults the role to viewer when omitted', () => {
|
||||
const addContributor = vi.fn().mockReturnValue(true);
|
||||
new JourneyController(svc({ addContributor } as Partial<JourneyService>)).addContributor(user, '9', { user_id: 2 });
|
||||
expect(addContributor).toHaveBeenCalledWith(9, 1, 2, 'viewer');
|
||||
});
|
||||
|
||||
it('createEntry returns the entry when the journey exists', () => {
|
||||
expect(new JourneyController(svc({ createEntry: vi.fn().mockReturnValue({ id: 4 }) } as Partial<JourneyService>)).createEntry(user, '9', { entry_date: '2026-01-01' })).toEqual({ id: 4 });
|
||||
});
|
||||
|
||||
it('reorderEntries succeeds for a numeric array', () => {
|
||||
expect(new JourneyController(svc({ reorderEntries: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).reorderEntries(user, '9', { orderedIds: [3, 1, 2] })).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('preferences returns the result on success', () => {
|
||||
expect(new JourneyController(svc({ updateJourneyPreferences: vi.fn().mockReturnValue({ ok: true }) } as Partial<JourneyService>)).preferences(user, '9', { theme: 'dark' })).toEqual({ ok: true });
|
||||
});
|
||||
|
||||
it('deleteShareLink returns success when removed', () => {
|
||||
expect(new JourneyController(svc({ deleteJourneyShareLink: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).deleteShareLink(user, '9')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('JourneyPublicController', () => {
|
||||
it('GET /:token 404 / json', () => {
|
||||
expect(thrown(() => new JourneyPublicController(svc({ getPublicJourney: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).get('tok'))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
expect(new JourneyPublicController(svc({ getPublicJourney: vi.fn().mockReturnValue({ id: 1 }) } as Partial<JourneyService>)).get('tok')).toEqual({ id: 1 });
|
||||
});
|
||||
|
||||
it('photo proxy 404 on invalid token, else streams', async () => {
|
||||
expect(await thrownAsync(() => new JourneyPublicController(svc({ validateShareTokenForPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).photo('tok', '7', 'thumbnail', {} as Response))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
const streamPhoto = vi.fn().mockResolvedValue(undefined);
|
||||
const s = svc({ validateShareTokenForPhoto: vi.fn().mockReturnValue({ ownerId: 2 }), streamPhoto } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(s).photo('tok', '7', 'original', {} as Response);
|
||||
expect(streamPhoto).toHaveBeenCalledWith({}, 2, 7, 'original');
|
||||
});
|
||||
|
||||
it('legacy photo proxy: 404 invalid token, immich path streams', async () => {
|
||||
expect(await thrownAsync(() => new JourneyPublicController(svc({ validateShareTokenForAsset: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).legacyPhoto('tok', 'immich', 'a1', '2', 'thumbnail', {} as Response))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
const streamImmichAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }), streamImmichAsset } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(s).legacyPhoto('tok', 'immich', 'a1', '2', 'original', {} as Response);
|
||||
expect(streamImmichAsset).toHaveBeenCalledWith({}, 5, 'a1', 'original', 5);
|
||||
});
|
||||
|
||||
it('photo proxy streams thumbnails too', async () => {
|
||||
const streamPhoto = vi.fn().mockResolvedValue(undefined);
|
||||
const s = svc({ validateShareTokenForPhoto: vi.fn().mockReturnValue({ ownerId: 3 }), streamPhoto } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(s).photo('tok', '7', 'thumbnail', {} as Response);
|
||||
expect(streamPhoto).toHaveBeenCalledWith({}, 3, 7, 'thumbnail');
|
||||
});
|
||||
|
||||
it('legacy photo proxy: synology streams, and a failure becomes a 404 json', async () => {
|
||||
const streamSynologyAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }), streamSynologyAsset } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(s).legacyPhoto('tok', 'synology', 'a1', '2', 'thumbnail', {} as Response);
|
||||
expect(streamSynologyAsset).toHaveBeenCalledWith({}, 5, 5, 'a1', 'thumbnail');
|
||||
|
||||
const status = vi.fn().mockReturnThis();
|
||||
const json = vi.fn();
|
||||
const res = { status, json } as unknown as Response;
|
||||
const failing = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 0 }), streamSynologyAsset: vi.fn().mockRejectedValue(new Error('no synology')) } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(failing).legacyPhoto('tok', 'synology', 'a1', '6', 'original', res);
|
||||
expect(status).toHaveBeenCalledWith(404);
|
||||
expect(json).toHaveBeenCalledWith({ error: 'Provider not supported' });
|
||||
});
|
||||
|
||||
it('legacy photo proxy: falls back to the path ownerId when the token has none', async () => {
|
||||
const streamImmichAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 0 }), streamImmichAsset } as Partial<JourneyService>);
|
||||
await new JourneyPublicController(s).legacyPhoto('tok', 'immich', 'a1', '8', 'original', {} as Response);
|
||||
expect(streamImmichAsset).toHaveBeenCalledWith({}, 8, 'a1', 'original', 8);
|
||||
});
|
||||
|
||||
it('legacy photo proxy: local provider 404s when the resolved file does not exist', async () => {
|
||||
const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(false);
|
||||
try {
|
||||
const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }) } as Partial<JourneyService>);
|
||||
expect(await thrownAsync(() => new JourneyPublicController(s).legacyPhoto('tok', 'local', 'gone.jpg', '2', 'thumbnail', {} as Response))).toEqual({ status: 404, body: { error: 'Not found' } });
|
||||
} finally {
|
||||
existsSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
|
||||
it('legacy photo proxy: local provider cannot escape uploads/journey via a traversal asset id', async () => {
|
||||
// Pretend any path exists so we can inspect exactly what would be served.
|
||||
const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(true);
|
||||
try {
|
||||
const sendFile = vi.fn();
|
||||
const res = { set: vi.fn(), sendFile } as unknown as Response;
|
||||
const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }) } as Partial<JourneyService>);
|
||||
|
||||
// Express decodes %2F in a single path param to '/', so the handler sees this.
|
||||
await new JourneyPublicController(s).legacyPhoto('tok', 'local', '../../files/secret.pdf', '2', 'original', res);
|
||||
|
||||
expect(sendFile).toHaveBeenCalledTimes(1);
|
||||
const served = sendFile.mock.calls[0][0] as string;
|
||||
// basename() collapses the traversal: the served file stays inside
|
||||
// uploads/journey and never reaches the sibling /uploads/files dir.
|
||||
expect(path.basename(served)).toBe('secret.pdf');
|
||||
expect(served).toMatch(/[\\/]journey[\\/]secret\.pdf$/);
|
||||
expect(served).not.toMatch(/[\\/]files[\\/]/);
|
||||
} finally {
|
||||
existsSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,359 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Response } from 'express';
|
||||
|
||||
const { createReadStream } = vi.hoisted(() => ({ createReadStream: vi.fn() }));
|
||||
vi.mock('node:fs', () => ({ createReadStream }));
|
||||
|
||||
import { MapsController } from '../../../src/nest/maps/maps.controller';
|
||||
import type { MapsService } from '../../../src/nest/maps/maps.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 3 } as User;
|
||||
|
||||
function makeController(svc: Partial<MapsService>) {
|
||||
return new MapsController(svc as MapsService);
|
||||
}
|
||||
|
||||
/** Run an async handler, expecting an HttpException; return its { status, body }. */
|
||||
async function thrown(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try {
|
||||
await fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
function withError(status: number, message: string): Error {
|
||||
return Object.assign(new Error(message), { status });
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
describe('MapsController (parity with the legacy /api/maps route)', () => {
|
||||
describe('POST /search', () => {
|
||||
it('400 when query is missing', async () => {
|
||||
expect(await thrown(() => makeController({}).search(user, undefined))).toEqual({
|
||||
status: 400, body: { error: 'Search query is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('returns the service result', async () => {
|
||||
const search = vi.fn().mockResolvedValue({ places: [], source: 'osm' });
|
||||
const res = await makeController({ search }).search(user, 'berlin', 'de');
|
||||
expect(res).toEqual({ places: [], source: 'osm' });
|
||||
expect(search).toHaveBeenCalledWith(3, 'berlin', 'de', undefined);
|
||||
});
|
||||
|
||||
it('400 on a malformed locationBias (non-finite lat/lng)', async () => {
|
||||
const search = vi.fn();
|
||||
const bad = { lat: NaN, lng: 2 };
|
||||
expect(await thrown(() => makeController({ search }).search(user, 'x', 'de', bad))).toEqual({
|
||||
status: 400, body: { error: 'Invalid locationBias: lat and lng must be finite numbers' },
|
||||
});
|
||||
expect(search).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('forwards a valid locationBias to the service', async () => {
|
||||
const search = vi.fn().mockResolvedValue({ places: [], source: 'osm' });
|
||||
const bias = { lat: 1, lng: 2, radius: 5000 };
|
||||
await makeController({ search }).search(user, 'x', 'de', bias);
|
||||
expect(search).toHaveBeenCalledWith(3, 'x', 'de', bias);
|
||||
});
|
||||
|
||||
it('maps a service error to its status + message', async () => {
|
||||
const search = vi.fn().mockRejectedValue(withError(429, 'Rate limited'));
|
||||
expect(await thrown(() => makeController({ search }).search(user, 'x'))).toEqual({
|
||||
status: 429, body: { error: 'Rate limited' },
|
||||
});
|
||||
});
|
||||
|
||||
it('defaults a non-Error rejection to 500 + the fallback message', async () => {
|
||||
const search = vi.fn().mockRejectedValue('boom');
|
||||
expect(await thrown(() => makeController({ search }).search(user, 'x'))).toEqual({
|
||||
status: 500, body: { error: 'Search error' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /pois', () => {
|
||||
it('400 when category is missing', async () => {
|
||||
const pois = vi.fn();
|
||||
expect(await thrown(() => makeController({ pois }).pois(undefined, '1', '2', '3', '4'))).toEqual({
|
||||
status: 400, body: { error: 'A category is required' },
|
||||
});
|
||||
expect(pois).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 when the bbox has a non-finite value', async () => {
|
||||
const pois = vi.fn();
|
||||
expect(await thrown(() => makeController({ pois }).pois('cafe', 'x', '2', '3', '4'))).toEqual({
|
||||
status: 400, body: { error: 'A valid bbox (south, west, north, east) is required' },
|
||||
});
|
||||
expect(pois).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates a valid request with a parsed numeric bbox', async () => {
|
||||
const pois = vi.fn().mockResolvedValue({ places: [] });
|
||||
const res = await makeController({ pois }).pois('cafe', '1', '2', '3', '4');
|
||||
expect(res).toEqual({ places: [] });
|
||||
expect(pois).toHaveBeenCalledWith('cafe', { south: 1, west: 2, north: 3, east: 4 });
|
||||
});
|
||||
|
||||
it('maps a service error, defaulting to 500', async () => {
|
||||
const pois = vi.fn().mockRejectedValue(new Error('Overpass down'));
|
||||
expect(await thrown(() => makeController({ pois }).pois('cafe', '1', '2', '3', '4'))).toEqual({
|
||||
status: 500, body: { error: 'Overpass down' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /autocomplete', () => {
|
||||
it('returns the disabled envelope when the kill-switch is off', async () => {
|
||||
const autocomplete = vi.fn();
|
||||
const res = await makeController({ autocompleteDisabled: () => true, autocomplete }).autocomplete(user, 'be');
|
||||
expect(res).toEqual({ suggestions: [], source: 'disabled' });
|
||||
expect(autocomplete).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 when input is missing or not a string', async () => {
|
||||
const c = makeController({ autocompleteDisabled: () => false });
|
||||
expect(await thrown(() => c.autocomplete(user, undefined))).toEqual({ status: 400, body: { error: 'Input is required' } });
|
||||
expect(await thrown(() => c.autocomplete(user, 123 as unknown as string))).toEqual({ status: 400, body: { error: 'Input is required' } });
|
||||
});
|
||||
|
||||
it('400 when input is too long', async () => {
|
||||
const c = makeController({ autocompleteDisabled: () => false });
|
||||
expect(await thrown(() => c.autocomplete(user, 'x'.repeat(201)))).toEqual({
|
||||
status: 400, body: { error: 'Input too long (max 200 chars)' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 on a malformed locationBias', async () => {
|
||||
const c = makeController({ autocompleteDisabled: () => false });
|
||||
const bad = { low: { lat: 1, lng: NaN }, high: { lat: 2, lng: 3 } };
|
||||
expect(await thrown(() => c.autocomplete(user, 'be', undefined, bad))).toEqual({
|
||||
status: 400, body: { error: 'Invalid locationBias: low and high must have finite lat and lng' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 when locationBias is missing the high corner', async () => {
|
||||
const c = makeController({ autocompleteDisabled: () => false });
|
||||
const bad = { low: { lat: 1, lng: 2 } } as never;
|
||||
expect(await thrown(() => c.autocomplete(user, 'be', undefined, bad))).toEqual({
|
||||
status: 400, body: { error: 'Invalid locationBias: low and high must have finite lat and lng' },
|
||||
});
|
||||
});
|
||||
|
||||
it('delegates a valid request', async () => {
|
||||
const autocomplete = vi.fn().mockResolvedValue({ suggestions: [], source: 'osm' });
|
||||
const bias = { low: { lat: 1, lng: 2 }, high: { lat: 3, lng: 4 } };
|
||||
await makeController({ autocompleteDisabled: () => false, autocomplete }).autocomplete(user, 'be', 'en', bias);
|
||||
expect(autocomplete).toHaveBeenCalledWith(3, 'be', 'en', bias);
|
||||
});
|
||||
|
||||
it('maps a service error', async () => {
|
||||
const autocomplete = vi.fn().mockRejectedValue(withError(503, 'Upstream down'));
|
||||
const c = makeController({ autocompleteDisabled: () => false, autocomplete });
|
||||
expect(await thrown(() => c.autocomplete(user, 'be'))).toEqual({
|
||||
status: 503, body: { error: 'Upstream down' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /details/:placeId', () => {
|
||||
it('returns the disabled envelope when off', async () => {
|
||||
const res = await makeController({ detailsDisabled: () => true }).details(user, 'p1');
|
||||
expect(res).toEqual({ place: null, disabled: true });
|
||||
});
|
||||
|
||||
it('uses the expanded lookup when expand is set', async () => {
|
||||
const detailsExpanded = vi.fn().mockResolvedValue({ place: { id: 'p1' } });
|
||||
const details = vi.fn();
|
||||
await makeController({ detailsDisabled: () => false, detailsExpanded, details })
|
||||
.details(user, 'p1', 'full', 'de', '1');
|
||||
expect(detailsExpanded).toHaveBeenCalledWith(3, 'p1', 'de', true);
|
||||
expect(details).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('uses the plain lookup without expand', async () => {
|
||||
const details = vi.fn().mockResolvedValue({ place: { id: 'p1' } });
|
||||
await makeController({ detailsDisabled: () => false, details }).details(user, 'p1', undefined, 'de');
|
||||
expect(details).toHaveBeenCalledWith(3, 'p1', 'de');
|
||||
});
|
||||
|
||||
it('maps a service error', async () => {
|
||||
const details = vi.fn().mockRejectedValue(withError(404, 'Not found'));
|
||||
expect(await thrown(() => makeController({ detailsDisabled: () => false, details }).details(user, 'p1'))).toEqual({
|
||||
status: 404, body: { error: 'Not found' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /place-photo/:placeId', () => {
|
||||
it('returns { photoUrl: null } when photos are disabled (non-coords)', async () => {
|
||||
const photo = vi.fn();
|
||||
const res = await makeController({ photosDisabled: () => true, photo }).placePhoto(user, 'p1', '1', '2');
|
||||
expect(res).toEqual({ photoUrl: null });
|
||||
expect(photo).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('bypasses the kill-switch for coords: ids', async () => {
|
||||
const photo = vi.fn().mockResolvedValue({ photoUrl: 'u', attribution: null });
|
||||
await makeController({ photosDisabled: () => true, photo }).placePhoto(user, 'coords:1,2', '1', '2', 'Spot');
|
||||
expect(photo).toHaveBeenCalledWith(3, 'coords:1,2', 1, 2, 'Spot');
|
||||
});
|
||||
|
||||
it('maps a 4xx service error', async () => {
|
||||
const photo = vi.fn().mockRejectedValue(withError(404, 'No photo available'));
|
||||
expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1', '1', '2'))).toEqual({
|
||||
status: 404, body: { error: 'No photo available' },
|
||||
});
|
||||
});
|
||||
|
||||
it('logs and maps a 5xx service error', async () => {
|
||||
const photo = vi.fn().mockRejectedValue(withError(502, 'Upstream failed'));
|
||||
expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1', '1', '2'))).toEqual({
|
||||
status: 502, body: { error: 'Upstream failed' },
|
||||
});
|
||||
expect(console.error).toHaveBeenCalledWith('Place photo error:', expect.any(Error));
|
||||
});
|
||||
|
||||
it('defaults a status-less error to 500 and parses NaN coords', async () => {
|
||||
const photo = vi.fn().mockRejectedValue(new Error('Error fetching photo'));
|
||||
expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1'))).toEqual({
|
||||
status: 500, body: { error: 'Error fetching photo' },
|
||||
});
|
||||
const [, , lat, lng] = photo.mock.calls[0];
|
||||
expect(Number.isNaN(lat)).toBe(true);
|
||||
expect(Number.isNaN(lng)).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /place-photo/:placeId/bytes', () => {
|
||||
function makeRes() {
|
||||
const res = {
|
||||
statusCode: 200,
|
||||
headersSent: false,
|
||||
status: vi.fn(function (this: unknown, c: number) { (res as { statusCode: number }).statusCode = c; return res; }),
|
||||
json: vi.fn(),
|
||||
set: vi.fn(),
|
||||
type: vi.fn(),
|
||||
};
|
||||
return res as unknown as Response & { status: ReturnType<typeof vi.fn>; json: ReturnType<typeof vi.fn>; set: ReturnType<typeof vi.fn>; type: ReturnType<typeof vi.fn> };
|
||||
}
|
||||
|
||||
beforeEach(() => createReadStream.mockReset());
|
||||
|
||||
it('404 when the photo is not cached', () => {
|
||||
const res = makeRes();
|
||||
makeController({ photoBytesPath: () => null }).placePhotoBytes('p1', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not cached' });
|
||||
expect(createReadStream).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('streams the cached file with image/jpeg + an immutable cache header on a hit', () => {
|
||||
const stream = { on: vi.fn().mockReturnThis(), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = makeRes();
|
||||
makeController({ photoBytesPath: () => '/cache/p1.jpg' }).placePhotoBytes('p1', res);
|
||||
expect(res.set).toHaveBeenCalledWith('Cache-Control', 'public, max-age=2592000, immutable');
|
||||
expect(res.type).toHaveBeenCalledWith('image/jpeg');
|
||||
expect(createReadStream).toHaveBeenCalledWith('/cache/p1.jpg');
|
||||
expect(stream.pipe).toHaveBeenCalledWith(res);
|
||||
});
|
||||
|
||||
it('falls back to 404 when the read stream errors', () => {
|
||||
let onError: () => void = () => {};
|
||||
const stream = { on: vi.fn((ev: string, cb: () => void) => { if (ev === 'error') onError = cb; return stream; }), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = makeRes();
|
||||
makeController({ photoBytesPath: () => '/cache/p1.jpg' }).placePhotoBytes('p1', res);
|
||||
onError();
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not cached' });
|
||||
});
|
||||
|
||||
it('does not re-send a 404 when the stream errors after headers were flushed', () => {
|
||||
let onError: () => void = () => {};
|
||||
const stream = { on: vi.fn((ev: string, cb: () => void) => { if (ev === 'error') onError = cb; return stream; }), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = makeRes();
|
||||
(res as { headersSent: boolean }).headersSent = true;
|
||||
makeController({ photoBytesPath: () => '/cache/p1.jpg' }).placePhotoBytes('p1', res);
|
||||
onError();
|
||||
expect(res.status).not.toHaveBeenCalled();
|
||||
expect(res.json).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /reverse', () => {
|
||||
it('400 when lat/lng missing', async () => {
|
||||
expect(await thrown(() => makeController({}).reverse(undefined, '2'))).toEqual({
|
||||
status: 400, body: { error: 'lat and lng required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('returns the reverse result', async () => {
|
||||
const reverse = vi.fn().mockResolvedValue({ name: 'Spot', address: 'Street 1' });
|
||||
expect(await makeController({ reverse }).reverse('1', '2', 'de')).toEqual({ name: 'Spot', address: 'Street 1' });
|
||||
});
|
||||
|
||||
it('swallows a failure into an empty result (no error)', async () => {
|
||||
const reverse = vi.fn().mockRejectedValue(new Error('boom'));
|
||||
expect(await makeController({ reverse }).reverse('1', '2')).toEqual({ name: null, address: null });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /resolve-url', () => {
|
||||
it('400 when url missing or not a string', async () => {
|
||||
expect(await thrown(() => makeController({}).resolveUrl(undefined))).toEqual({ status: 400, body: { error: 'URL is required' } });
|
||||
});
|
||||
|
||||
it('returns the resolved coordinates', async () => {
|
||||
const resolveUrl = vi.fn().mockResolvedValue({ lat: 1, lng: 2, name: null, address: null });
|
||||
expect(await makeController({ resolveUrl }).resolveUrl('https://maps.app.goo.gl/x')).toEqual({ lat: 1, lng: 2, name: null, address: null });
|
||||
});
|
||||
|
||||
it('400 when url is not a string', async () => {
|
||||
expect(await thrown(() => makeController({}).resolveUrl(42 as unknown as string))).toEqual({
|
||||
status: 400, body: { error: 'URL is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('maps a service error, defaulting to 400', async () => {
|
||||
const resolveUrl = vi.fn().mockRejectedValue(new Error('Failed to resolve URL'));
|
||||
expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
|
||||
status: 400, body: { error: 'Failed to resolve URL' },
|
||||
});
|
||||
});
|
||||
|
||||
it('honours an explicit status on the thrown error', async () => {
|
||||
const resolveUrl = vi.fn().mockRejectedValue(withError(422, 'Unsupported link'));
|
||||
expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
|
||||
status: 422, body: { error: 'Unsupported link' },
|
||||
});
|
||||
});
|
||||
|
||||
it('falls back to the default message when a non-Error is thrown', async () => {
|
||||
const resolveUrl = vi.fn().mockRejectedValue('nope');
|
||||
expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
|
||||
status: 400, body: { error: 'Failed to resolve URL' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /reverse', () => {
|
||||
it('forwards lang through to the service', async () => {
|
||||
const reverse = vi.fn().mockResolvedValue({ name: null, address: null });
|
||||
await makeController({ reverse }).reverse('1', '2', 'fr');
|
||||
expect(reverse).toHaveBeenCalledWith('1', '2', 'fr');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,131 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
const { maps } = vi.hoisted(() => ({
|
||||
maps: {
|
||||
searchPlaces: vi.fn(),
|
||||
autocompletePlaces: vi.fn(),
|
||||
getPlaceDetails: vi.fn(),
|
||||
getPlaceDetailsExpanded: vi.fn(),
|
||||
getPlacePhoto: vi.fn(),
|
||||
reverseGeocode: vi.fn(),
|
||||
resolveGoogleMapsUrl: vi.fn(),
|
||||
searchOverpassPois: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/mapsService', () => maps);
|
||||
|
||||
const { serveFilePath } = vi.hoisted(() => ({ serveFilePath: vi.fn() }));
|
||||
vi.mock('../../../src/services/placePhotoCache', () => ({ serveFilePath }));
|
||||
|
||||
import { MapsService } from '../../../src/nest/maps/maps.service';
|
||||
import type { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
|
||||
/** A DatabaseService stub whose get() returns the row the test wants. */
|
||||
function makeDb(row?: { value: string }) {
|
||||
const get = vi.fn(() => row);
|
||||
const db = { get } as unknown as DatabaseService;
|
||||
return { db, get };
|
||||
}
|
||||
|
||||
function svc(row?: { value: string }) {
|
||||
return new MapsService(makeDb(row).db);
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('MapsService', () => {
|
||||
describe('kill-switch settings reads', () => {
|
||||
it('reports a switch disabled when the stored value is exactly "false"', () => {
|
||||
expect(svc({ value: 'false' }).autocompleteDisabled()).toBe(true);
|
||||
expect(svc({ value: 'false' }).detailsDisabled()).toBe(true);
|
||||
expect(svc({ value: 'false' }).photosDisabled()).toBe(true);
|
||||
});
|
||||
|
||||
it('reports enabled when the value is "true"', () => {
|
||||
expect(svc({ value: 'true' }).autocompleteDisabled()).toBe(false);
|
||||
expect(svc({ value: 'true' }).detailsDisabled()).toBe(false);
|
||||
expect(svc({ value: 'true' }).photosDisabled()).toBe(false);
|
||||
});
|
||||
|
||||
it('reports enabled when the setting row is absent', () => {
|
||||
expect(svc(undefined).autocompleteDisabled()).toBe(false);
|
||||
expect(svc(undefined).detailsDisabled()).toBe(false);
|
||||
expect(svc(undefined).photosDisabled()).toBe(false);
|
||||
});
|
||||
|
||||
it('queries the matching app_settings key', () => {
|
||||
const { db, get } = makeDb({ value: 'true' });
|
||||
const s = new MapsService(db);
|
||||
s.autocompleteDisabled();
|
||||
expect(get).toHaveBeenCalledWith(expect.stringContaining('app_settings'), 'places_autocomplete_enabled');
|
||||
s.detailsDisabled();
|
||||
expect(get).toHaveBeenCalledWith(expect.any(String), 'places_details_enabled');
|
||||
s.photosDisabled();
|
||||
expect(get).toHaveBeenCalledWith(expect.any(String), 'places_photos_enabled');
|
||||
});
|
||||
});
|
||||
|
||||
describe('delegation to the legacy maps service', () => {
|
||||
it('search forwards userId, query, lang and bias', () => {
|
||||
maps.searchPlaces.mockResolvedValue({ places: [], source: 'osm' });
|
||||
const bias = { lat: 1, lng: 2, radius: 5 };
|
||||
svc().search(3, 'berlin', 'de', bias);
|
||||
expect(maps.searchPlaces).toHaveBeenCalledWith(3, 'berlin', 'de', bias);
|
||||
});
|
||||
|
||||
it('search works without optional args', () => {
|
||||
svc().search(3, 'berlin');
|
||||
expect(maps.searchPlaces).toHaveBeenCalledWith(3, 'berlin', undefined, undefined);
|
||||
});
|
||||
|
||||
it('autocomplete forwards through', () => {
|
||||
const bias = { low: { lat: 1, lng: 2 }, high: { lat: 3, lng: 4 } };
|
||||
svc().autocomplete(3, 'be', 'en', bias);
|
||||
expect(maps.autocompletePlaces).toHaveBeenCalledWith(3, 'be', 'en', bias);
|
||||
});
|
||||
|
||||
it('details forwards through', () => {
|
||||
svc().details(3, 'p1', 'de');
|
||||
expect(maps.getPlaceDetails).toHaveBeenCalledWith(3, 'p1', 'de');
|
||||
});
|
||||
|
||||
it('detailsExpanded forwards refresh through', () => {
|
||||
svc().detailsExpanded(3, 'p1', 'de', true);
|
||||
expect(maps.getPlaceDetailsExpanded).toHaveBeenCalledWith(3, 'p1', 'de', true);
|
||||
});
|
||||
|
||||
it('photo forwards coords and name through', () => {
|
||||
svc().photo(3, 'p1', 1.5, 2.5, 'Spot');
|
||||
expect(maps.getPlacePhoto).toHaveBeenCalledWith(3, 'p1', 1.5, 2.5, 'Spot');
|
||||
});
|
||||
|
||||
it('reverse forwards through', () => {
|
||||
svc().reverse('1', '2', 'de');
|
||||
expect(maps.reverseGeocode).toHaveBeenCalledWith('1', '2', 'de');
|
||||
});
|
||||
|
||||
it('resolveUrl forwards through', () => {
|
||||
svc().resolveUrl('https://maps.app.goo.gl/x');
|
||||
expect(maps.resolveGoogleMapsUrl).toHaveBeenCalledWith('https://maps.app.goo.gl/x');
|
||||
});
|
||||
|
||||
it('pois forwards category and bbox through', () => {
|
||||
const bbox = { south: 1, west: 2, north: 3, east: 4 };
|
||||
svc().pois('cafe', bbox);
|
||||
expect(maps.searchOverpassPois).toHaveBeenCalledWith('cafe', bbox);
|
||||
});
|
||||
});
|
||||
|
||||
describe('photoBytesPath', () => {
|
||||
it('returns the cached file path from placePhotoCache', () => {
|
||||
serveFilePath.mockReturnValue('/cache/p1.jpg');
|
||||
expect(svc().photoBytesPath('p1')).toBe('/cache/p1.jpg');
|
||||
expect(serveFilePath).toHaveBeenCalledWith('p1');
|
||||
});
|
||||
|
||||
it('returns null when nothing is cached', () => {
|
||||
serveFilePath.mockReturnValue(null);
|
||||
expect(svc().photoBytesPath('p1')).toBeNull();
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,748 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import type { Response } from 'express';
|
||||
import type { Request } from 'express';
|
||||
import { UnifiedMemoriesController } from '../../../src/nest/memories/unified.controller';
|
||||
import { ImmichMemoriesController } from '../../../src/nest/memories/immich.controller';
|
||||
import { SynologyMemoriesController } from '../../../src/nest/memories/synology.controller';
|
||||
import type { MemoriesService } from '../../../src/nest/memories/memories.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const { getClientIp } = vi.hoisted(() => ({ getClientIp: vi.fn(() => '1.2.3.4') }));
|
||||
vi.mock('../../../src/services/auditLog', () => ({ getClientIp }));
|
||||
|
||||
const user = { id: 7, role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function makeService(overrides: Partial<MemoriesService> = {}): MemoriesService {
|
||||
return { ...overrides } as unknown as MemoriesService;
|
||||
}
|
||||
|
||||
type MockRes = Response & {
|
||||
status: ReturnType<typeof vi.fn>;
|
||||
json: ReturnType<typeof vi.fn>;
|
||||
statusCode: number;
|
||||
};
|
||||
|
||||
function makeRes(): MockRes {
|
||||
const res = {
|
||||
statusCode: 200,
|
||||
status: vi.fn(function (this: unknown, c: number) {
|
||||
(res as { statusCode: number }).statusCode = c;
|
||||
return res;
|
||||
}),
|
||||
json: vi.fn(function () {
|
||||
return res;
|
||||
}),
|
||||
};
|
||||
return res as unknown as MockRes;
|
||||
}
|
||||
|
||||
// ─────────────────────────────────────────────────────────────────────────────
|
||||
describe('UnifiedMemoriesController (parity with /api/integrations/memories/unified)', () => {
|
||||
describe('GET /trips/:tripId/photos', () => {
|
||||
it('returns the photos on success', () => {
|
||||
const svc = makeService({ listTripPhotos: vi.fn().mockReturnValue({ data: [{ id: 1 }] }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).listPhotos(user, '5', res);
|
||||
expect(svc.listTripPhotos).toHaveBeenCalledWith('5', 7);
|
||||
expect(res.json).toHaveBeenCalledWith({ photos: [{ id: 1 }] });
|
||||
expect(res.status).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('maps the error envelope to its status + message', () => {
|
||||
const svc = makeService({ listTripPhotos: vi.fn().mockReturnValue({ error: { status: 404, message: 'Trip not found' } }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).listPhotos(user, '5', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Trip not found' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /trips/:tripId/photos', () => {
|
||||
it('defaults shared to true and selections to [] when both are absent', async () => {
|
||||
const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 3 } });
|
||||
const svc = makeService({ addTripPhotos });
|
||||
const res = makeRes();
|
||||
await new UnifiedMemoriesController(svc).addPhotos(user, '5', {}, 'sock', res);
|
||||
expect(addTripPhotos).toHaveBeenCalledWith('5', 7, true, [], 'sock');
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true, added: 3 });
|
||||
});
|
||||
|
||||
it('coerces a falsy shared flag and forwards an array of selections', async () => {
|
||||
const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 0 } });
|
||||
const svc = makeService({ addTripPhotos });
|
||||
const selections = [{ provider: 'immich', asset_ids: ['a'] }];
|
||||
await new UnifiedMemoriesController(svc).addPhotos(user, '5', { shared: 0, selections }, 'sock', makeRes());
|
||||
expect(addTripPhotos).toHaveBeenCalledWith('5', 7, false, selections, 'sock');
|
||||
});
|
||||
|
||||
it('ignores a non-array selections payload', async () => {
|
||||
const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 0 } });
|
||||
const svc = makeService({ addTripPhotos });
|
||||
await new UnifiedMemoriesController(svc).addPhotos(user, '5', { selections: 'nope', shared: true }, 'sock', makeRes());
|
||||
expect(addTripPhotos).toHaveBeenCalledWith('5', 7, true, [], 'sock');
|
||||
});
|
||||
|
||||
it('maps the error envelope', async () => {
|
||||
const svc = makeService({ addTripPhotos: vi.fn().mockResolvedValue({ error: { status: 403, message: 'No access' } }) });
|
||||
const res = makeRes();
|
||||
await new UnifiedMemoriesController(svc).addPhotos(user, '5', {}, 'sock', res);
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'No access' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /trips/:tripId/photos/sharing', () => {
|
||||
it('coerces photo_id to a number and forwards shared', async () => {
|
||||
const setTripPhotoSharing = vi.fn().mockResolvedValue({ data: {} });
|
||||
const svc = makeService({ setTripPhotoSharing });
|
||||
const res = makeRes();
|
||||
await new UnifiedMemoriesController(svc).setSharing(user, '5', { photo_id: '9', shared: true }, res);
|
||||
expect(setTripPhotoSharing).toHaveBeenCalledWith('5', 7, 9, true);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true });
|
||||
});
|
||||
|
||||
it('maps the error envelope', async () => {
|
||||
const svc = makeService({ setTripPhotoSharing: vi.fn().mockResolvedValue({ error: { status: 404, message: 'Photo not found' } }) });
|
||||
const res = makeRes();
|
||||
await new UnifiedMemoriesController(svc).setSharing(user, '5', { photo_id: '9', shared: false }, res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not found' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /trips/:tripId/photos', () => {
|
||||
it('removes the photo on success', () => {
|
||||
const removeTripPhoto = vi.fn().mockReturnValue({ data: {} });
|
||||
const svc = makeService({ removeTripPhoto });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).removePhoto(user, '5', { photo_id: 11 }, res);
|
||||
expect(removeTripPhoto).toHaveBeenCalledWith('5', 7, 11);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true });
|
||||
});
|
||||
|
||||
it('maps the error envelope', () => {
|
||||
const svc = makeService({ removeTripPhoto: vi.fn().mockReturnValue({ error: { status: 404, message: 'Photo not found' } }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).removePhoto(user, '5', { photo_id: 11 }, res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not found' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /trips/:tripId/album-links', () => {
|
||||
it('returns the links on success', () => {
|
||||
const svc = makeService({ listTripAlbumLinks: vi.fn().mockReturnValue({ data: [{ id: 'l1' }] }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).listAlbumLinks(user, '5', res);
|
||||
expect(res.json).toHaveBeenCalledWith({ links: [{ id: 'l1' }] });
|
||||
});
|
||||
|
||||
it('maps the error envelope', () => {
|
||||
const svc = makeService({ listTripAlbumLinks: vi.fn().mockReturnValue({ error: { status: 404, message: 'Trip not found' } }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).listAlbumLinks(user, '5', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Trip not found' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /trips/:tripId/album-links', () => {
|
||||
it('forwards a coerced passphrase when present', () => {
|
||||
const createTripAlbumLink = vi.fn().mockReturnValue({ data: {} });
|
||||
const svc = makeService({ createTripAlbumLink });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).createAlbumLink(
|
||||
user,
|
||||
'5',
|
||||
{ provider: 'synologyphotos', album_id: 'a1', album_name: 'Trip', passphrase: 123 },
|
||||
res,
|
||||
);
|
||||
expect(createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'synologyphotos', 'a1', 'Trip', '123');
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true });
|
||||
});
|
||||
|
||||
it('passes undefined when the passphrase is absent or empty', () => {
|
||||
const createTripAlbumLink = vi.fn().mockReturnValue({ data: {} });
|
||||
const svc = makeService({ createTripAlbumLink });
|
||||
new UnifiedMemoriesController(svc).createAlbumLink(user, '5', { provider: 'immich', album_id: 'a1', album_name: 'Trip', passphrase: '' }, makeRes());
|
||||
expect(createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'immich', 'a1', 'Trip', undefined);
|
||||
});
|
||||
|
||||
it('maps the error envelope', () => {
|
||||
const svc = makeService({ createTripAlbumLink: vi.fn().mockReturnValue({ error: { status: 400, message: 'Invalid provider' } }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).createAlbumLink(user, '5', {}, res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Invalid provider' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /trips/:tripId/album-links/:linkId', () => {
|
||||
it('removes the link on success', () => {
|
||||
const removeAlbumLink = vi.fn().mockReturnValue({ data: {} });
|
||||
const svc = makeService({ removeAlbumLink });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).removeAlbumLink(user, '5', 'l1', res);
|
||||
expect(removeAlbumLink).toHaveBeenCalledWith('5', 'l1', 7);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true });
|
||||
});
|
||||
|
||||
it('maps the error envelope', () => {
|
||||
const svc = makeService({ removeAlbumLink: vi.fn().mockReturnValue({ error: { status: 404, message: 'Link not found' } }) });
|
||||
const res = makeRes();
|
||||
new UnifiedMemoriesController(svc).removeAlbumLink(user, '5', 'l1', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Link not found' });
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
// ─────────────────────────────────────────────────────────────────────────────
|
||||
describe('ImmichMemoriesController (parity with /api/integrations/memories/immich)', () => {
|
||||
describe('GET /settings', () => {
|
||||
it('delegates to the service', () => {
|
||||
const immichGetConnectionSettings = vi.fn().mockReturnValue({ immich_url: 'u' });
|
||||
const svc = makeService({ immichGetConnectionSettings });
|
||||
expect(new ImmichMemoriesController(svc).getSettings(user)).toEqual({ immich_url: 'u' });
|
||||
expect(immichGetConnectionSettings).toHaveBeenCalledWith(7);
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /settings', () => {
|
||||
const req = {} as Request;
|
||||
|
||||
it('400 when the save fails', async () => {
|
||||
const svc = makeService({ immichSaveSettings: vi.fn().mockResolvedValue({ success: false, error: 'Bad URL' }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).putSettings(user, { immich_url: 'x', immich_api_key: 'k' }, req, res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Bad URL' });
|
||||
});
|
||||
|
||||
it('applies auto_upload when it is a boolean and returns success', async () => {
|
||||
const immichSaveSettings = vi.fn().mockResolvedValue({ success: true });
|
||||
const immichSetAutoUpload = vi.fn();
|
||||
const svc = makeService({ immichSaveSettings, immichSetAutoUpload });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).putSettings(user, { immich_url: 'x', immich_api_key: 'k', auto_upload: true }, req, res);
|
||||
expect(immichSaveSettings).toHaveBeenCalledWith(7, 'x', 'k', '1.2.3.4');
|
||||
expect(immichSetAutoUpload).toHaveBeenCalledWith(7, true);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true });
|
||||
});
|
||||
|
||||
it('skips auto_upload when it is not a boolean', async () => {
|
||||
const immichSaveSettings = vi.fn().mockResolvedValue({ success: true });
|
||||
const immichSetAutoUpload = vi.fn();
|
||||
const svc = makeService({ immichSaveSettings, immichSetAutoUpload });
|
||||
await new ImmichMemoriesController(svc).putSettings(user, { auto_upload: 'yes' as unknown as boolean }, req, makeRes());
|
||||
expect(immichSetAutoUpload).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('returns the warning when the save carries one', async () => {
|
||||
const svc = makeService({ immichSaveSettings: vi.fn().mockResolvedValue({ success: true, warning: 'Unverified TLS' }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).putSettings(user, {}, req, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true, warning: 'Unverified TLS' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /status', () => {
|
||||
it('delegates to the service', async () => {
|
||||
const svc = makeService({ immichGetConnectionStatus: vi.fn().mockResolvedValue({ connected: true }) });
|
||||
await expect(new ImmichMemoriesController(svc).getStatus(user)).resolves.toEqual({ connected: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /test', () => {
|
||||
it('short-circuits to a 200 envelope when url is missing', async () => {
|
||||
const immichTestConnection = vi.fn();
|
||||
const svc = makeService({ immichTestConnection });
|
||||
expect(await new ImmichMemoriesController(svc).test({ immich_api_key: 'k' })).toEqual({ connected: false, error: 'URL and API key required' });
|
||||
expect(immichTestConnection).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('short-circuits when the api key is missing', async () => {
|
||||
const immichTestConnection = vi.fn();
|
||||
const svc = makeService({ immichTestConnection });
|
||||
expect(await new ImmichMemoriesController(svc).test({ immich_url: 'u' })).toEqual({ connected: false, error: 'URL and API key required' });
|
||||
expect(immichTestConnection).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates when both are present', async () => {
|
||||
const immichTestConnection = vi.fn().mockResolvedValue({ connected: true });
|
||||
const svc = makeService({ immichTestConnection });
|
||||
expect(await new ImmichMemoriesController(svc).test({ immich_url: 'u', immich_api_key: 'k' })).toEqual({ connected: true });
|
||||
expect(immichTestConnection).toHaveBeenCalledWith('u', 'k');
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /browse', () => {
|
||||
it('returns the buckets on success', async () => {
|
||||
const svc = makeService({ immichBrowseTimeline: vi.fn().mockResolvedValue({ buckets: [{ id: 'b' }] }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).browse(user, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ buckets: [{ id: 'b' }] });
|
||||
});
|
||||
|
||||
it('maps the error with its status', async () => {
|
||||
const svc = makeService({ immichBrowseTimeline: vi.fn().mockResolvedValue({ error: 'Not connected', status: 412 }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).browse(user, res);
|
||||
expect(res.status).toHaveBeenCalledWith(412);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Not connected' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /search', () => {
|
||||
it('clamps page to >=1 and size to <=200 and defaults both', async () => {
|
||||
const immichSearchPhotos = vi.fn().mockResolvedValue({ assets: [{ id: 'a' }], hasMore: true });
|
||||
const svc = makeService({ immichSearchPhotos });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).search(user, { from: 'f', to: 't' }, res);
|
||||
expect(immichSearchPhotos).toHaveBeenCalledWith(7, 'f', 't', 1, 50);
|
||||
expect(res.json).toHaveBeenCalledWith({ assets: [{ id: 'a' }], hasMore: true });
|
||||
});
|
||||
|
||||
it('floors a sub-1 page to 1 and caps an oversized size at 200', async () => {
|
||||
const immichSearchPhotos = vi.fn().mockResolvedValue({});
|
||||
const svc = makeService({ immichSearchPhotos });
|
||||
await new ImmichMemoriesController(svc).search(user, { page: 0, size: 9999 }, makeRes());
|
||||
expect(immichSearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 1, 200);
|
||||
});
|
||||
|
||||
it('honours an explicit page and size within range', async () => {
|
||||
const immichSearchPhotos = vi.fn().mockResolvedValue({});
|
||||
const svc = makeService({ immichSearchPhotos });
|
||||
await new ImmichMemoriesController(svc).search(user, { page: 3, size: 25 }, makeRes());
|
||||
expect(immichSearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 3, 25);
|
||||
});
|
||||
|
||||
it('defaults assets to [] and hasMore to false when omitted', async () => {
|
||||
const svc = makeService({ immichSearchPhotos: vi.fn().mockResolvedValue({}) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).search(user, {}, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ assets: [], hasMore: false });
|
||||
});
|
||||
|
||||
it('maps the error envelope', async () => {
|
||||
const svc = makeService({ immichSearchPhotos: vi.fn().mockResolvedValue({ error: 'down', status: 502 }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).search(user, {}, res);
|
||||
expect(res.status).toHaveBeenCalledWith(502);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'down' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /assets/:tripId/:assetId/:ownerId/info', () => {
|
||||
it('400 on an invalid asset id', async () => {
|
||||
const immichIsValidAssetId = vi.fn().mockReturnValue(false);
|
||||
const svc = makeService({ immichIsValidAssetId });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetInfo(user, '5', 'bad', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Invalid asset ID' });
|
||||
});
|
||||
|
||||
it('403 when access is denied', async () => {
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(false),
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
|
||||
expect(svc.canAccessUserPhoto).toHaveBeenCalledWith(7, 2, '5', 'a', 'immich');
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Forbidden' });
|
||||
});
|
||||
|
||||
it('maps a service error after the guards pass', async () => {
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(true),
|
||||
immichGetAssetInfo: vi.fn().mockResolvedValue({ error: 'Asset gone', status: 404 }),
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Asset gone' });
|
||||
});
|
||||
|
||||
it('returns the asset data on success', async () => {
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(true),
|
||||
immichGetAssetInfo: vi.fn().mockResolvedValue({ data: { id: 'a', takenAt: 't' } }),
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
|
||||
expect(res.json).toHaveBeenCalledWith({ id: 'a', takenAt: 't' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /assets/.../thumbnail + /original', () => {
|
||||
it('thumbnail: 400 on invalid id', async () => {
|
||||
const svc = makeService({ immichIsValidAssetId: vi.fn().mockReturnValue(false) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'bad', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
});
|
||||
|
||||
it('thumbnail: 403 when access denied', async () => {
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(false),
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'a', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
});
|
||||
|
||||
it('thumbnail: streams with kind=thumbnail when allowed', async () => {
|
||||
const immichStreamAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(true),
|
||||
immichStreamAsset,
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'a', '2', res);
|
||||
expect(immichStreamAsset).toHaveBeenCalledWith(res, 7, 'a', 'thumbnail', 2);
|
||||
});
|
||||
|
||||
it('original: 400 on invalid id', async () => {
|
||||
const svc = makeService({ immichIsValidAssetId: vi.fn().mockReturnValue(false) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'bad', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
});
|
||||
|
||||
it('original: 403 when access denied', async () => {
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(false),
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'a', '2', res);
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
});
|
||||
|
||||
it('original: streams with kind=original when allowed', async () => {
|
||||
const immichStreamAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const svc = makeService({
|
||||
immichIsValidAssetId: vi.fn().mockReturnValue(true),
|
||||
canAccessUserPhoto: vi.fn().mockReturnValue(true),
|
||||
immichStreamAsset,
|
||||
});
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'a', '2', res);
|
||||
expect(immichStreamAsset).toHaveBeenCalledWith(res, 7, 'a', 'original', 2);
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /albums + /albums/:albumId/photos', () => {
|
||||
it('albums: returns the list on success', async () => {
|
||||
const svc = makeService({ immichListAlbums: vi.fn().mockResolvedValue({ albums: [{ id: 'a' }] }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).albums(user, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ albums: [{ id: 'a' }] });
|
||||
});
|
||||
|
||||
it('albums: maps the error envelope', async () => {
|
||||
const svc = makeService({ immichListAlbums: vi.fn().mockResolvedValue({ error: 'nope', status: 500 }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).albums(user, res);
|
||||
expect(res.status).toHaveBeenCalledWith(500);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'nope' });
|
||||
});
|
||||
|
||||
it('albumPhotos: returns the assets on success', async () => {
|
||||
const svc = makeService({ immichGetAlbumPhotos: vi.fn().mockResolvedValue({ assets: [{ id: 'p' }] }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).albumPhotos(user, 'al1', res);
|
||||
expect(svc.immichGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1');
|
||||
expect(res.json).toHaveBeenCalledWith({ assets: [{ id: 'p' }] });
|
||||
});
|
||||
|
||||
it('albumPhotos: maps the error envelope', async () => {
|
||||
const svc = makeService({ immichGetAlbumPhotos: vi.fn().mockResolvedValue({ error: 'gone', status: 404 }) });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).albumPhotos(user, 'al1', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'gone' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /trips/:tripId/album-links/:linkId/sync', () => {
|
||||
it('maps the error envelope without broadcasting', async () => {
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ error: 'Link gone', status: 404 }), broadcast });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Link gone' });
|
||||
expect(broadcast).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('broadcasts when at least one asset was added', async () => {
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ added: 2, total: 10 }), broadcast });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true, added: 2, total: 10 });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 7 }, 'sock');
|
||||
});
|
||||
|
||||
it('does not broadcast when nothing was added', async () => {
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ added: 0, total: 10 }), broadcast });
|
||||
const res = makeRes();
|
||||
await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
|
||||
expect(res.json).toHaveBeenCalledWith({ success: true, added: 0, total: 10 });
|
||||
expect(broadcast).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
// ─────────────────────────────────────────────────────────────────────────────
|
||||
describe('SynologyMemoriesController (parity with /api/integrations/memories/synologyphotos)', () => {
|
||||
describe('GET /settings + /status', () => {
|
||||
it('settings: returns the data on success', async () => {
|
||||
const svc = makeService({ synologyGetSettings: vi.fn().mockResolvedValue({ success: true, data: { synology_url: 'u' } }) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).getSettings(user, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ synology_url: 'u' });
|
||||
});
|
||||
|
||||
it('settings: maps the error envelope', async () => {
|
||||
const svc = makeService({ synologyGetSettings: vi.fn().mockResolvedValue({ success: false, error: { status: 500, message: 'DB error' } }) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).getSettings(user, res);
|
||||
expect(res.status).toHaveBeenCalledWith(500);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'DB error' });
|
||||
});
|
||||
|
||||
it('status: delegates', async () => {
|
||||
const svc = makeService({ synologyGetStatus: vi.fn().mockResolvedValue({ success: true, data: { connected: true } }) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).getStatus(user, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ connected: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /settings', () => {
|
||||
it('400 when the url is missing', async () => {
|
||||
const synologyUpdateSettings = vi.fn();
|
||||
const svc = makeService({ synologyUpdateSettings });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).putSettings(user, { synology_username: 'admin' }, res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'URL and username are required' });
|
||||
expect(synologyUpdateSettings).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 when the username is missing', async () => {
|
||||
const synologyUpdateSettings = vi.fn();
|
||||
const svc = makeService({ synologyUpdateSettings });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).putSettings(user, { synology_url: 'http://nas' }, res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(synologyUpdateSettings).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates with trimmed values and the boolean skip-ssl flag (true keyword)', async () => {
|
||||
const synologyUpdateSettings = vi.fn().mockResolvedValue({ success: true, data: {} });
|
||||
const svc = makeService({ synologyUpdateSettings });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(
|
||||
svc,
|
||||
).putSettings(user, { synology_url: ' http://nas ', synology_username: ' admin ', synology_password: ' pw ', synology_skip_ssl: 'true' }, res);
|
||||
expect(synologyUpdateSettings).toHaveBeenCalledWith(7, 'http://nas', 'admin', 'pw', true);
|
||||
expect(res.json).toHaveBeenCalledWith({});
|
||||
});
|
||||
|
||||
it('treats a literal-true skip-ssl flag as true and other values as false', async () => {
|
||||
const synologyUpdateSettings = vi.fn().mockResolvedValue({ success: true, data: {} });
|
||||
const svc = makeService({ synologyUpdateSettings });
|
||||
await new SynologyMemoriesController(svc).putSettings(user, { synology_url: 'u', synology_username: 'a', synology_skip_ssl: true }, makeRes());
|
||||
expect(synologyUpdateSettings).toHaveBeenCalledWith(7, 'u', 'a', '', true);
|
||||
|
||||
const svc2 = makeService({ synologyUpdateSettings: vi.fn().mockResolvedValue({ success: true, data: {} }) });
|
||||
await new SynologyMemoriesController(svc2).putSettings(user, { synology_url: 'u', synology_username: 'a', synology_skip_ssl: 'no' }, makeRes());
|
||||
expect(svc2.synologyUpdateSettings).toHaveBeenCalledWith(7, 'u', 'a', '', false);
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /test', () => {
|
||||
it('reports a single missing field with "is required"', async () => {
|
||||
const synologyTestConnection = vi.fn();
|
||||
const svc = makeService({ synologyTestConnection });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).test(user, { synology_url: 'u', synology_username: 'a' }, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ connected: false, error: 'Password is required' });
|
||||
expect(synologyTestConnection).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('reports multiple missing fields with "are required"', async () => {
|
||||
const svc = makeService({ synologyTestConnection: vi.fn() });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).test(user, {}, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ connected: false, error: 'URL, Username, Password are required' });
|
||||
});
|
||||
|
||||
it('delegates when every field is present (otp + skip-ssl forwarded)', async () => {
|
||||
const synologyTestConnection = vi.fn().mockResolvedValue({ success: true, data: { connected: true } });
|
||||
const svc = makeService({ synologyTestConnection });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(
|
||||
svc,
|
||||
).test(user, { synology_url: 'u', synology_username: 'a', synology_password: 'p', synology_otp: '123', synology_skip_ssl: true }, res);
|
||||
expect(synologyTestConnection).toHaveBeenCalledWith(7, 'u', 'a', 'p', '123', true);
|
||||
expect(res.json).toHaveBeenCalledWith({ connected: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /albums + /albums/:albumId/photos', () => {
|
||||
it('albums: delegates', async () => {
|
||||
const svc = makeService({ synologyListAlbums: vi.fn().mockResolvedValue({ success: true, data: { albums: [] } }) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).albums(user, res);
|
||||
expect(res.json).toHaveBeenCalledWith({ albums: [] });
|
||||
});
|
||||
|
||||
it('albumPhotos: forwards a coerced passphrase when present', async () => {
|
||||
const synologyGetAlbumPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologyGetAlbumPhotos });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).albumPhotos(user, 'al1', 'secret', res);
|
||||
expect(synologyGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1', 'secret');
|
||||
expect(res.json).toHaveBeenCalledWith({ assets: [] });
|
||||
});
|
||||
|
||||
it('albumPhotos: passes undefined when the passphrase query is absent', async () => {
|
||||
const synologyGetAlbumPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologyGetAlbumPhotos });
|
||||
await new SynologyMemoriesController(svc).albumPhotos(user, 'al1', undefined, makeRes());
|
||||
expect(synologyGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1', undefined);
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /trips/:tripId/album-links/:linkId/sync', () => {
|
||||
it('delegates and unwraps the success envelope', async () => {
|
||||
const synologySyncAlbumLink = vi.fn().mockResolvedValue({ success: true, data: { added: 1, total: 2 } });
|
||||
const svc = makeService({ synologySyncAlbumLink });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
|
||||
expect(synologySyncAlbumLink).toHaveBeenCalledWith(7, '5', 'l1', 'sock');
|
||||
expect(res.json).toHaveBeenCalledWith({ added: 1, total: 2 });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /search', () => {
|
||||
it('uses the default offset/limit when nothing is provided', async () => {
|
||||
const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologySearchPhotos });
|
||||
await new SynologyMemoriesController(svc).search(user, {}, makeRes());
|
||||
expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 0, 100);
|
||||
});
|
||||
|
||||
it('forwards from/to and uses size as the limit when size > 0', async () => {
|
||||
const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologySearchPhotos });
|
||||
await new SynologyMemoriesController(svc).search(user, { from: '2024-01-01', to: '2024-02-01', size: 30 }, makeRes());
|
||||
expect(synologySearchPhotos).toHaveBeenCalledWith(7, '2024-01-01', '2024-02-01', 0, 30);
|
||||
});
|
||||
|
||||
it('derives the offset from a 1-based page using the limit', async () => {
|
||||
const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologySearchPhotos });
|
||||
await new SynologyMemoriesController(svc).search(user, { page: 3, limit: 20 }, makeRes());
|
||||
// page-1 = 2, offset = 2 * 20 = 40
|
||||
expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 40, 20);
|
||||
});
|
||||
|
||||
it('keeps the explicit offset when page resolves to <= 0', async () => {
|
||||
const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologySearchPhotos });
|
||||
await new SynologyMemoriesController(svc).search(user, { page: 1, offset: 5, limit: 10 }, makeRes());
|
||||
expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 5, 10);
|
||||
});
|
||||
|
||||
it('falls back to defaults when numeric fields are non-finite', async () => {
|
||||
const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
|
||||
const svc = makeService({ synologySearchPhotos });
|
||||
await new SynologyMemoriesController(svc).search(user, { offset: 'x', limit: 'y', page: 'z', size: 'q' }, makeRes());
|
||||
expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 0, 100);
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /assets/:tripId/:photoId/:ownerId/info', () => {
|
||||
it('403 when access is denied', async () => {
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(false) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', undefined, res);
|
||||
expect(svc.canAccessUserPhoto).toHaveBeenCalledWith(7, 2, '5', 'p1', 'synologyphotos');
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: "You don't have access to this photo" });
|
||||
});
|
||||
|
||||
it('delegates with the coerced passphrase when access is granted', async () => {
|
||||
const synologyGetAssetInfo = vi.fn().mockResolvedValue({ success: true, data: { id: 'p1' } });
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyGetAssetInfo });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', 'secret', res);
|
||||
expect(synologyGetAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, 'secret');
|
||||
expect(res.json).toHaveBeenCalledWith({ id: 'p1' });
|
||||
});
|
||||
|
||||
it('passes undefined passphrase when the query is absent', async () => {
|
||||
const synologyGetAssetInfo = vi.fn().mockResolvedValue({ success: true, data: { id: 'p1' } });
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyGetAssetInfo });
|
||||
await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', undefined, makeRes());
|
||||
expect(synologyGetAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, undefined);
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /assets/:tripId/:photoId/:ownerId/:kind', () => {
|
||||
it('400 on an invalid kind', async () => {
|
||||
const synologyStreamAsset = vi.fn();
|
||||
const svc = makeService({ synologyStreamAsset });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'preview', undefined, undefined, res);
|
||||
expect(res.status).toHaveBeenCalledWith(400);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Invalid asset kind' });
|
||||
expect(synologyStreamAsset).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('403 when access is denied for a valid kind', async () => {
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(false) });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', undefined, undefined, res);
|
||||
expect(res.status).toHaveBeenCalledWith(403);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: "You don't have access to this photo" });
|
||||
});
|
||||
|
||||
it('streams a thumbnail, defaulting size to "sm" when omitted', async () => {
|
||||
const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', undefined, undefined, res);
|
||||
expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', undefined);
|
||||
});
|
||||
|
||||
it('keeps a whitelisted size and forwards the passphrase for an original', async () => {
|
||||
const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'original', 'xl', 'secret', res);
|
||||
expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'original', 'xl', 'secret');
|
||||
});
|
||||
|
||||
it('coerces a non-whitelisted size back to "sm"', async () => {
|
||||
const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
|
||||
const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
|
||||
const res = makeRes();
|
||||
await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', 'huge', undefined, res);
|
||||
expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', undefined);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,195 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// The MemoriesService is a thin pass-through over the legacy services/memories/*
|
||||
// helpers. Mock each legacy module so we can assert the wrapper forwards every
|
||||
// argument unchanged (and exercise the optional-param call sites).
|
||||
|
||||
const unified = vi.hoisted(() => ({
|
||||
listTripPhotos: vi.fn(() => ({ data: [] })),
|
||||
listTripAlbumLinks: vi.fn(() => ({ data: [] })),
|
||||
createTripAlbumLink: vi.fn(() => ({ data: {} })),
|
||||
removeAlbumLink: vi.fn(() => ({ data: {} })),
|
||||
addTripPhotos: vi.fn(async () => ({ data: { added: 0 } })),
|
||||
removeTripPhoto: vi.fn(() => ({ data: {} })),
|
||||
setTripPhotoSharing: vi.fn(async () => ({ data: {} })),
|
||||
}));
|
||||
vi.mock('../../../src/services/memories/unifiedService', () => unified);
|
||||
|
||||
const immich = vi.hoisted(() => ({
|
||||
getConnectionSettings: vi.fn(() => ({})),
|
||||
saveImmichSettings: vi.fn(async () => ({ success: true })),
|
||||
setImmichAutoUpload: vi.fn(),
|
||||
testConnection: vi.fn(async () => ({ connected: true })),
|
||||
getConnectionStatus: vi.fn(async () => ({ connected: true })),
|
||||
browseTimeline: vi.fn(async () => ({ buckets: [] })),
|
||||
searchPhotos: vi.fn(async () => ({ assets: [] })),
|
||||
streamImmichAsset: vi.fn(async () => undefined),
|
||||
listAlbums: vi.fn(async () => ({ albums: [] })),
|
||||
getAlbumPhotos: vi.fn(async () => ({ assets: [] })),
|
||||
syncAlbumAssets: vi.fn(async () => ({ added: 0, total: 0 })),
|
||||
getAssetInfo: vi.fn(async () => ({ data: {} })),
|
||||
isValidAssetId: vi.fn(() => true),
|
||||
}));
|
||||
vi.mock('../../../src/services/memories/immichService', () => immich);
|
||||
|
||||
const synology = vi.hoisted(() => ({
|
||||
getSynologySettings: vi.fn(async () => ({ success: true, data: {} })),
|
||||
updateSynologySettings: vi.fn(async () => ({ success: true, data: {} })),
|
||||
getSynologyStatus: vi.fn(async () => ({ success: true, data: {} })),
|
||||
testSynologyConnection: vi.fn(async () => ({ success: true, data: {} })),
|
||||
listSynologyAlbums: vi.fn(async () => ({ success: true, data: {} })),
|
||||
getSynologyAlbumPhotos: vi.fn(async () => ({ success: true, data: {} })),
|
||||
syncSynologyAlbumLink: vi.fn(async () => ({ success: true, data: {} })),
|
||||
searchSynologyPhotos: vi.fn(async () => ({ success: true, data: {} })),
|
||||
getSynologyAssetInfo: vi.fn(async () => ({ success: true, data: {} })),
|
||||
streamSynologyAsset: vi.fn(async () => undefined),
|
||||
}));
|
||||
vi.mock('../../../src/services/memories/synologyService', () => synology);
|
||||
|
||||
const helpers = vi.hoisted(() => ({ canAccessUserPhoto: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/memories/helpersService', () => helpers);
|
||||
|
||||
const ws = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ws);
|
||||
|
||||
import { MemoriesService } from '../../../src/nest/memories/memories.service';
|
||||
|
||||
const res = {} as import('express').Response;
|
||||
|
||||
describe('MemoriesService (delegation wrapper over services/memories/*)', () => {
|
||||
let svc: MemoriesService;
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
svc = new MemoriesService();
|
||||
});
|
||||
|
||||
it('access check + broadcast forward verbatim', () => {
|
||||
helpers.canAccessUserPhoto.mockReturnValue(false);
|
||||
expect(svc.canAccessUserPhoto(1, 2, '5', 'a', 'immich')).toBe(false);
|
||||
expect(helpers.canAccessUserPhoto).toHaveBeenCalledWith(1, 2, '5', 'a', 'immich');
|
||||
|
||||
svc.broadcast('5', 'memories:updated', { userId: 1 }, 'sock');
|
||||
expect(ws.broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 1 }, 'sock');
|
||||
});
|
||||
|
||||
it('broadcast forwards an absent socket id as undefined', () => {
|
||||
svc.broadcast('5', 'memories:updated', { userId: 1 });
|
||||
expect(ws.broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 1 }, undefined);
|
||||
});
|
||||
|
||||
it('unified methods delegate', async () => {
|
||||
svc.listTripPhotos('5', 7);
|
||||
expect(unified.listTripPhotos).toHaveBeenCalledWith('5', 7);
|
||||
|
||||
const selections = [{ provider: 'immich', asset_ids: ['a'] }];
|
||||
await svc.addTripPhotos('5', 7, true, selections, 'sock');
|
||||
expect(unified.addTripPhotos).toHaveBeenCalledWith('5', 7, true, selections, 'sock');
|
||||
|
||||
await svc.setTripPhotoSharing('5', 7, 9, false);
|
||||
expect(unified.setTripPhotoSharing).toHaveBeenCalledWith('5', 7, 9, false);
|
||||
|
||||
svc.removeTripPhoto('5', 7, 9);
|
||||
expect(unified.removeTripPhoto).toHaveBeenCalledWith('5', 7, 9);
|
||||
|
||||
svc.listTripAlbumLinks('5', 7);
|
||||
expect(unified.listTripAlbumLinks).toHaveBeenCalledWith('5', 7);
|
||||
|
||||
svc.removeAlbumLink('5', 'l1', 7);
|
||||
expect(unified.removeAlbumLink).toHaveBeenCalledWith('5', 'l1', 7);
|
||||
});
|
||||
|
||||
it('createTripAlbumLink forwards a passphrase when present and omits it when absent', () => {
|
||||
svc.createTripAlbumLink('5', 7, 'immich', 'a1', 'Trip', 'secret');
|
||||
expect(unified.createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'immich', 'a1', 'Trip', 'secret');
|
||||
|
||||
svc.createTripAlbumLink('5', 7, 'immich', 'a1', 'Trip');
|
||||
expect(unified.createTripAlbumLink).toHaveBeenLastCalledWith('5', 7, 'immich', 'a1', 'Trip', undefined);
|
||||
});
|
||||
|
||||
it('immich methods delegate', async () => {
|
||||
svc.immichGetConnectionSettings(7);
|
||||
expect(immich.getConnectionSettings).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.immichSaveSettings(7, 'u', 'k', '1.2.3.4');
|
||||
expect(immich.saveImmichSettings).toHaveBeenCalledWith(7, 'u', 'k', '1.2.3.4');
|
||||
|
||||
svc.immichSetAutoUpload(7, true);
|
||||
expect(immich.setImmichAutoUpload).toHaveBeenCalledWith(7, true);
|
||||
|
||||
await svc.immichGetConnectionStatus(7);
|
||||
expect(immich.getConnectionStatus).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.immichTestConnection('u', 'k');
|
||||
expect(immich.testConnection).toHaveBeenCalledWith('u', 'k');
|
||||
|
||||
await svc.immichBrowseTimeline(7);
|
||||
expect(immich.browseTimeline).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.immichSearchPhotos(7, 'f', 't', 2, 50);
|
||||
expect(immich.searchPhotos).toHaveBeenCalledWith(7, 'f', 't', 2, 50);
|
||||
|
||||
expect(svc.immichIsValidAssetId('abc')).toBe(true);
|
||||
expect(immich.isValidAssetId).toHaveBeenCalledWith('abc');
|
||||
|
||||
await svc.immichGetAssetInfo(7, 'a', 2);
|
||||
expect(immich.getAssetInfo).toHaveBeenCalledWith(7, 'a', 2);
|
||||
|
||||
await svc.immichStreamAsset(res, 7, 'a', 'thumbnail', 2);
|
||||
expect(immich.streamImmichAsset).toHaveBeenCalledWith(res, 7, 'a', 'thumbnail', 2);
|
||||
|
||||
await svc.immichListAlbums(7);
|
||||
expect(immich.listAlbums).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.immichGetAlbumPhotos(7, 'al1');
|
||||
expect(immich.getAlbumPhotos).toHaveBeenCalledWith(7, 'al1');
|
||||
|
||||
await svc.immichSyncAlbumAssets('5', 'l1', 7, 'sock');
|
||||
expect(immich.syncAlbumAssets).toHaveBeenCalledWith('5', 'l1', 7, 'sock');
|
||||
});
|
||||
|
||||
it('synology methods delegate', async () => {
|
||||
await svc.synologyGetSettings(7);
|
||||
expect(synology.getSynologySettings).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.synologyUpdateSettings(7, 'u', 'a', 'p', true);
|
||||
expect(synology.updateSynologySettings).toHaveBeenCalledWith(7, 'u', 'a', 'p', true);
|
||||
|
||||
await svc.synologyGetStatus(7);
|
||||
expect(synology.getSynologyStatus).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.synologyTestConnection(7, 'u', 'a', 'p', '123', false);
|
||||
expect(synology.testSynologyConnection).toHaveBeenCalledWith(7, 'u', 'a', 'p', '123', false);
|
||||
|
||||
await svc.synologyListAlbums(7);
|
||||
expect(synology.listSynologyAlbums).toHaveBeenCalledWith(7);
|
||||
|
||||
await svc.synologySyncAlbumLink(7, '5', 'l1', 'sock');
|
||||
expect(synology.syncSynologyAlbumLink).toHaveBeenCalledWith(7, '5', 'l1', 'sock');
|
||||
|
||||
await svc.synologySearchPhotos(7, 'f', 't', 0, 100);
|
||||
expect(synology.searchSynologyPhotos).toHaveBeenCalledWith(7, 'f', 't', 0, 100);
|
||||
});
|
||||
|
||||
it('synology album-photos forwards a passphrase when present and omits it when absent', async () => {
|
||||
await svc.synologyGetAlbumPhotos(7, 'al1', 'secret');
|
||||
expect(synology.getSynologyAlbumPhotos).toHaveBeenCalledWith(7, 'al1', 'secret');
|
||||
|
||||
await svc.synologyGetAlbumPhotos(7, 'al1');
|
||||
expect(synology.getSynologyAlbumPhotos).toHaveBeenLastCalledWith(7, 'al1', undefined);
|
||||
});
|
||||
|
||||
it('synology asset-info + stream forward a passphrase when present and omit it when absent', async () => {
|
||||
await svc.synologyGetAssetInfo(7, 'p1', 2, 'secret');
|
||||
expect(synology.getSynologyAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, 'secret');
|
||||
|
||||
await svc.synologyGetAssetInfo(7, 'p1', 2);
|
||||
expect(synology.getSynologyAssetInfo).toHaveBeenLastCalledWith(7, 'p1', 2, undefined);
|
||||
|
||||
await svc.synologyStreamAsset(res, 7, 2, 'p1', 'thumbnail', 'sm', 'secret');
|
||||
expect(synology.streamSynologyAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', 'secret');
|
||||
|
||||
await svc.synologyStreamAsset(res, 7, 2, 'p1', 'original', 'xl');
|
||||
expect(synology.streamSynologyAsset).toHaveBeenLastCalledWith(res, 7, 2, 'p1', 'original', 'xl', undefined);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,183 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { NotificationsController } from '../../../src/nest/notifications/notifications.controller';
|
||||
import type { NotificationsService } from '../../../src/nest/notifications/notifications.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const MASKED = '••••••••';
|
||||
const user = { id: 4, role: 'user', email: 'u@example.test' } as User;
|
||||
const admin = { id: 1, role: 'admin', email: 'admin@example.test' } as User;
|
||||
|
||||
function makeController(svc: Partial<NotificationsService>) {
|
||||
return new NotificationsController(svc as NotificationsService);
|
||||
}
|
||||
|
||||
async function thrown(fn: () => unknown): Promise<{ status: number; body: unknown }> {
|
||||
try {
|
||||
await fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('NotificationsController (parity with the legacy /api/notifications route)', () => {
|
||||
describe('preferences', () => {
|
||||
it('GET returns the matrix for the user', () => {
|
||||
const getPreferences = vi.fn().mockReturnValue({ preferences: {} });
|
||||
expect(makeController({ getPreferences }).getPreferences(user)).toEqual({ preferences: {} });
|
||||
expect(getPreferences).toHaveBeenCalledWith(4, 'user');
|
||||
});
|
||||
|
||||
it('PUT saves then returns the refreshed matrix', () => {
|
||||
const setPreferences = vi.fn();
|
||||
const getPreferences = vi.fn().mockReturnValue({ preferences: { a: { inapp: true } } });
|
||||
const body = { a: { inapp: true } };
|
||||
expect(makeController({ setPreferences, getPreferences }).setPreferences(user, body)).toEqual({ preferences: { a: { inapp: true } } });
|
||||
expect(setPreferences).toHaveBeenCalledWith(4, body);
|
||||
});
|
||||
});
|
||||
|
||||
describe('test-smtp', () => {
|
||||
it('403 { error: Admin only } for a non-admin (distinct from AdminGuard wording)', async () => {
|
||||
const testSmtp = vi.fn();
|
||||
expect(await thrown(() => makeController({ testSmtp }).testSmtp(user))).toEqual({
|
||||
status: 403, body: { error: 'Admin only' },
|
||||
});
|
||||
expect(testSmtp).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('falls back to the admin\'s own email when none given', async () => {
|
||||
const testSmtp = vi.fn().mockResolvedValue({ success: true });
|
||||
await makeController({ testSmtp }).testSmtp(admin);
|
||||
expect(testSmtp).toHaveBeenCalledWith('admin@example.test');
|
||||
});
|
||||
});
|
||||
|
||||
describe('test-webhook', () => {
|
||||
it('uses the provided url', async () => {
|
||||
const testWebhook = vi.fn().mockResolvedValue({ success: true });
|
||||
await makeController({ testWebhook }).testWebhook(user, 'https://hooks.example/x');
|
||||
expect(testWebhook).toHaveBeenCalledWith('https://hooks.example/x');
|
||||
});
|
||||
|
||||
it('falls back to the saved user url when the masked placeholder is sent', async () => {
|
||||
const testWebhook = vi.fn().mockResolvedValue({ success: true });
|
||||
const userWebhookUrl = vi.fn().mockReturnValue('https://saved.example/u');
|
||||
await makeController({ testWebhook, userWebhookUrl }).testWebhook(user, MASKED);
|
||||
expect(userWebhookUrl).toHaveBeenCalledWith(4);
|
||||
expect(testWebhook).toHaveBeenCalledWith('https://saved.example/u');
|
||||
});
|
||||
|
||||
it('400 when no url is configured', async () => {
|
||||
const userWebhookUrl = vi.fn().mockReturnValue(null);
|
||||
expect(await thrown(() => makeController({ userWebhookUrl }).testWebhook(user, undefined))).toEqual({
|
||||
status: 400, body: { error: 'No webhook URL configured' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 on an invalid url', async () => {
|
||||
expect(await thrown(() => makeController({}).testWebhook(user, 'not a url'))).toEqual({
|
||||
status: 400, body: { error: 'Invalid URL' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('test-ntfy', () => {
|
||||
it('400 when no topic can be resolved', async () => {
|
||||
const userNtfyConfig = vi.fn().mockReturnValue(null);
|
||||
const adminNtfyConfig = vi.fn().mockReturnValue({ server: null, token: null });
|
||||
expect(await thrown(() => makeController({ userNtfyConfig, adminNtfyConfig }).testNtfy(user))).toEqual({
|
||||
status: 400, body: { error: 'No ntfy topic configured' },
|
||||
});
|
||||
});
|
||||
|
||||
it('resolves topic/server/token with fallbacks and reuses a saved token for the placeholder', async () => {
|
||||
const testNtfy = vi.fn().mockResolvedValue({ success: true });
|
||||
const userNtfyConfig = vi.fn().mockReturnValue({ topic: 'saved-topic', server: 'https://ntfy.me', token: 'saved-token' });
|
||||
const adminNtfyConfig = vi.fn().mockReturnValue({ server: null, token: null });
|
||||
await makeController({ testNtfy, userNtfyConfig, adminNtfyConfig }).testNtfy(user, undefined, undefined, MASKED);
|
||||
expect(testNtfy).toHaveBeenCalledWith({ topic: 'saved-topic', server: 'https://ntfy.me', token: 'saved-token' });
|
||||
});
|
||||
});
|
||||
|
||||
describe('in-app list + counts', () => {
|
||||
it('clamps limit to 50 and defaults offset/unread', () => {
|
||||
const listInApp = vi.fn().mockReturnValue({ notifications: [], total: 0, unread_count: 0 });
|
||||
makeController({ listInApp }).listInApp(user, '100', '5', 'true');
|
||||
expect(listInApp).toHaveBeenCalledWith(4, { limit: 50, offset: 5, unreadOnly: true });
|
||||
});
|
||||
|
||||
it('defaults limit to 20 when absent/non-numeric', () => {
|
||||
const listInApp = vi.fn().mockReturnValue({ notifications: [], total: 0, unread_count: 0 });
|
||||
makeController({ listInApp }).listInApp(user, undefined, undefined, undefined);
|
||||
expect(listInApp).toHaveBeenCalledWith(4, { limit: 20, offset: 0, unreadOnly: false });
|
||||
});
|
||||
|
||||
it('GET unread-count wraps the number', () => {
|
||||
const unreadCount = vi.fn().mockReturnValue(7);
|
||||
expect(makeController({ unreadCount }).unreadCount(user)).toEqual({ count: 7 });
|
||||
});
|
||||
});
|
||||
|
||||
describe('bulk + single mutations', () => {
|
||||
it('read-all returns success + count', () => {
|
||||
const markAllRead = vi.fn().mockReturnValue(3);
|
||||
expect(makeController({ markAllRead }).readAll(user)).toEqual({ success: true, count: 3 });
|
||||
});
|
||||
|
||||
it('delete-all returns success + count', () => {
|
||||
const deleteAll = vi.fn().mockReturnValue(5);
|
||||
expect(makeController({ deleteAll }).deleteAll(user)).toEqual({ success: true, count: 5 });
|
||||
});
|
||||
|
||||
it('400 on a non-numeric id', () => {
|
||||
const markRead = vi.fn();
|
||||
return thrown(() => makeController({ markRead }).markRead(user, 'abc')).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'Invalid id' } }));
|
||||
});
|
||||
|
||||
it('404 when mark-read finds nothing', async () => {
|
||||
const markRead = vi.fn().mockReturnValue(false);
|
||||
expect(await thrown(() => makeController({ markRead }).markRead(user, '9'))).toEqual({
|
||||
status: 404, body: { error: 'Not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('mark-read success', () => {
|
||||
const markRead = vi.fn().mockReturnValue(true);
|
||||
expect(makeController({ markRead }).markRead(user, '5')).toEqual({ success: true });
|
||||
expect(markRead).toHaveBeenCalledWith(5, 4);
|
||||
});
|
||||
|
||||
it('delete single success', () => {
|
||||
const deleteOne = vi.fn().mockReturnValue(true);
|
||||
expect(makeController({ deleteOne }).deleteOne(user, '5')).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('respond', () => {
|
||||
it('400 on an invalid response value', async () => {
|
||||
expect(await thrown(() => makeController({}).respond(user, '5', 'maybe'))).toEqual({
|
||||
status: 400, body: { error: 'response must be "positive" or "negative"' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 with the service error when the response fails', async () => {
|
||||
const respond = vi.fn().mockResolvedValue({ success: false, error: 'Already responded' });
|
||||
expect(await thrown(() => makeController({ respond }).respond(user, '5', 'positive'))).toEqual({
|
||||
status: 400, body: { error: 'Already responded' },
|
||||
});
|
||||
});
|
||||
|
||||
it('returns success + the updated notification', async () => {
|
||||
const respond = vi.fn().mockResolvedValue({ success: true, notification: { id: 5, response: 'positive' } });
|
||||
expect(await makeController({ respond }).respond(user, '5', 'positive')).toEqual({
|
||||
success: true, notification: { id: 5, response: 'positive' },
|
||||
});
|
||||
expect(respond).toHaveBeenCalledWith(5, 4, 'positive');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,426 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request, Response } from 'express';
|
||||
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4'), logWarn: vi.fn() }));
|
||||
|
||||
import { getClientIp } from '../../../src/services/auditLog';
|
||||
const getClientIpMock = vi.mocked(getClientIp);
|
||||
|
||||
import { OauthPublicController } from '../../../src/nest/oauth/oauth-public.controller';
|
||||
import { OauthApiController } from '../../../src/nest/oauth/oauth-api.controller';
|
||||
import { RateLimitService } from '../../../src/nest/auth/rate-limit.service';
|
||||
import type { OauthService } from '../../../src/nest/oauth/oauth.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
function osvc(o: Partial<OauthService> = {}): OauthService {
|
||||
return { mcpEnabled: vi.fn().mockReturnValue(true), mcpSafeUrl: vi.fn().mockReturnValue('https://app'), ...o } as unknown as OauthService;
|
||||
}
|
||||
function rl(): RateLimitService { return new RateLimitService(); }
|
||||
function makeRes() {
|
||||
const res = {
|
||||
statusCode: 200, headers: {} as Record<string, string>, body: undefined as unknown, ended: false,
|
||||
status: vi.fn((c: number) => { res.statusCode = c; return res; }),
|
||||
json: vi.fn((b: unknown) => { res.body = b; return res; }),
|
||||
set: vi.fn((k: string, v: string) => { res.headers[k] = v; return res; }),
|
||||
end: vi.fn(() => { res.ended = true; return res; }),
|
||||
};
|
||||
return res as unknown as Response & { statusCode: number; headers: Record<string, string>; body: unknown; ended: boolean };
|
||||
}
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
const user = { id: 1, email: 'u@example.test' } as User;
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('OauthPublicController /token', () => {
|
||||
function reqWith(body: Record<string, string>): Request { return { ip: '7.7.7.7', body } as Request; }
|
||||
|
||||
it('404 (empty) when MCP is disabled', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).token(reqWith({}), res);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.ended).toBe(true);
|
||||
});
|
||||
|
||||
it('sets no-store headers + 401 without client_id', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token(reqWith({}), res);
|
||||
expect(res.headers['Cache-Control']).toBe('no-store');
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'client_id is required' });
|
||||
});
|
||||
|
||||
it('authorization_code: invalid_grant on a bad code, success issues tokens', () => {
|
||||
const bad = makeRes();
|
||||
new OauthPublicController(osvc({ consumeAuthCode: vi.fn().mockReturnValue(null) }), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), bad);
|
||||
expect(bad.statusCode).toBe(400);
|
||||
expect(bad.body).toEqual({ error: 'invalid_grant', error_description: 'Authorization grant is invalid.' });
|
||||
|
||||
const ok = makeRes();
|
||||
const svc = osvc({
|
||||
consumeAuthCode: vi.fn().mockReturnValue({ clientId: 'c', redirectUri: 'u', userId: 1, scopes: ['s'], codeChallenge: 'cc', resource: null }),
|
||||
authenticateClient: vi.fn().mockReturnValue({ id: 'c' }),
|
||||
verifyPKCE: vi.fn().mockReturnValue(true),
|
||||
issueTokens: vi.fn().mockReturnValue({ access_token: 'at', token_type: 'Bearer' }),
|
||||
});
|
||||
new OauthPublicController(svc, rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), ok);
|
||||
expect(ok.body).toEqual({ access_token: 'at', token_type: 'Bearer' });
|
||||
});
|
||||
|
||||
it('authorization_code: maps client_id / redirect_uri / resource mismatches + pkce + client auth', () => {
|
||||
const base = { grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' };
|
||||
const mk = (pending: Record<string, unknown>, extra: Partial<OauthService> = {}, body = base) => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ consumeAuthCode: vi.fn().mockReturnValue(pending), authenticateClient: vi.fn().mockReturnValue({ id: 'c' }), verifyPKCE: vi.fn().mockReturnValue(true), ...extra }), rl()).token(reqWith(body), res);
|
||||
return res;
|
||||
};
|
||||
expect(mk({ clientId: 'OTHER', redirectUri: 'u', userId: 1 }).statusCode).toBe(400); // client_id mismatch
|
||||
expect(mk({ clientId: 'c', redirectUri: 'OTHER', userId: 1 }).statusCode).toBe(400); // redirect_uri mismatch
|
||||
expect(mk({ clientId: 'c', redirectUri: 'u', userId: 1, resource: 'https://a' }, {}, { ...base, resource: 'https://b' }).statusCode).toBe(400); // resource mismatch
|
||||
expect(mk({ clientId: 'c', redirectUri: 'u', userId: 1 }, { authenticateClient: vi.fn().mockReturnValue(null) }).statusCode).toBe(401); // bad client secret
|
||||
expect(mk({ clientId: 'c', redirectUri: 'u', userId: 1, codeChallenge: 'cc' }, { verifyPKCE: vi.fn().mockReturnValue(false) }).statusCode).toBe(400); // pkce fail
|
||||
});
|
||||
|
||||
it('authorization_code: 400 when code/redirect/verifier missing', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c' }), res);
|
||||
expect(res.statusCode).toBe(400);
|
||||
expect(res.body).toEqual({ error: 'invalid_request', error_description: 'code, redirect_uri, and code_verifier are required' });
|
||||
});
|
||||
|
||||
it('refresh_token: 400 without a refresh_token, maps a service error, success', () => {
|
||||
const miss = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token(reqWith({ grant_type: 'refresh_token', client_id: 'c' }), miss);
|
||||
expect(miss.statusCode).toBe(400);
|
||||
const err = makeRes();
|
||||
new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_grant', status: 400 }) }), rl()).token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), err);
|
||||
expect(err.body).toEqual({ error: 'invalid_grant', error_description: 'Refresh token is invalid or expired' });
|
||||
const ok = makeRes();
|
||||
new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ tokens: { access_token: 'new' } }) }), rl()).token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), ok);
|
||||
expect(ok.body).toEqual({ access_token: 'new' });
|
||||
});
|
||||
|
||||
it('client_credentials: 401 without secret, invalid_scope for a disallowed scope', () => {
|
||||
const noSecret = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c' }), noSecret);
|
||||
expect(noSecret.statusCode).toBe(401);
|
||||
const badScope = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a"]' }) }), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', scope: 'a zzz' }), badScope);
|
||||
expect(badScope.statusCode).toBe(400);
|
||||
expect(badScope.body).toEqual({ error: 'invalid_scope', error_description: 'Scopes not allowed for this client: zzz' });
|
||||
});
|
||||
|
||||
it('client_credentials: unauthorized_client for a public client, else issues a token', () => {
|
||||
const pub = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue({ is_public: true, user_id: null, allows_client_credentials: false, allowed_scopes: '[]' }) }), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), pub);
|
||||
expect(pub.statusCode).toBe(400);
|
||||
expect(pub.body).toEqual({ error: 'unauthorized_client', error_description: 'This client is not authorized for the client_credentials grant' });
|
||||
|
||||
const ok = makeRes();
|
||||
new OauthPublicController(osvc({
|
||||
authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a","b"]' }),
|
||||
issueClientCredentialsToken: vi.fn().mockReturnValue({ access_token: 'cc_at' }),
|
||||
}), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), ok);
|
||||
expect(ok.body).toEqual({ access_token: 'cc_at' });
|
||||
});
|
||||
|
||||
it('unsupported grant -> 400', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token(reqWith({ grant_type: 'password', client_id: 'c' }), res);
|
||||
expect(res.statusCode).toBe(400);
|
||||
expect(res.body).toEqual({ error: 'unsupported_grant_type', error_description: 'Unsupported grant_type: password' });
|
||||
});
|
||||
|
||||
it('429 when the token bucket is exhausted (per ip|client)', () => {
|
||||
const s = rl();
|
||||
for (let i = 0; i < 30; i++) s.check('oauth_token', '7.7.7.7|c', 30, 60000, Date.now());
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), s).token(reqWith({ client_id: 'c' }), res);
|
||||
expect(res.statusCode).toBe(429);
|
||||
});
|
||||
|
||||
it('falls back to {} when the body is not an object', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).token({ ip: '7.7.7.7', body: 'not-an-object' } as unknown as Request, res);
|
||||
// no client_id in the {} fallback -> 401
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'client_id is required' });
|
||||
});
|
||||
|
||||
it('authorization_code: invalid client secret writes an audit + 401', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({
|
||||
consumeAuthCode: vi.fn().mockReturnValue({ clientId: 'c', redirectUri: 'u', userId: 1, scopes: ['s'], codeChallenge: 'cc', resource: null }),
|
||||
authenticateClient: vi.fn().mockReturnValue(null),
|
||||
}), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
|
||||
});
|
||||
|
||||
it('refresh_token: invalid_client maps to its specific 401 message', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_client', status: 401 }) }), rl())
|
||||
.token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
|
||||
});
|
||||
|
||||
it('refresh_token: defaults the status to 400 when the service omits it', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_grant' }) }), rl())
|
||||
.token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
|
||||
expect(res.statusCode).toBe(400);
|
||||
});
|
||||
|
||||
it('client_credentials: 401 when the client cannot be authenticated', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
|
||||
.token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
|
||||
});
|
||||
|
||||
it('client_credentials: honours a valid requested scope subset', () => {
|
||||
const res = makeRes();
|
||||
const issueClientCredentialsToken = vi.fn().mockReturnValue({ access_token: 'cc_at' });
|
||||
new OauthPublicController(osvc({
|
||||
authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a","b"]' }),
|
||||
issueClientCredentialsToken,
|
||||
}), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', scope: 'a' }), res);
|
||||
expect(res.body).toEqual({ access_token: 'cc_at' });
|
||||
expect(issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['a'], expect.any(String));
|
||||
});
|
||||
|
||||
it('client_credentials: derives the audience from an explicit resource', () => {
|
||||
const res = makeRes();
|
||||
const issueClientCredentialsToken = vi.fn().mockReturnValue({ access_token: 'cc_at' });
|
||||
new OauthPublicController(osvc({
|
||||
authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a"]' }),
|
||||
issueClientCredentialsToken,
|
||||
}), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', resource: 'https://aud/' }), res);
|
||||
// trailing slashes are trimmed, not the mcpSafeUrl fallback
|
||||
expect(issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['a'], 'https://aud');
|
||||
});
|
||||
|
||||
it('logs a dash for a missing ip on the authorization_code client-auth failure', () => {
|
||||
getClientIpMock.mockReturnValueOnce(undefined);
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({
|
||||
consumeAuthCode: vi.fn().mockReturnValue({ clientId: 'c', redirectUri: 'u', userId: 1, scopes: ['s'], codeChallenge: 'cc', resource: null }),
|
||||
authenticateClient: vi.fn().mockReturnValue(null),
|
||||
}), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
|
||||
it('logs a dash for a missing ip on the refresh invalid_client failure', () => {
|
||||
getClientIpMock.mockReturnValueOnce(undefined);
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_client', status: 401 }) }), rl())
|
||||
.token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
|
||||
it('logs a dash for a missing ip on the client_credentials auth failure', () => {
|
||||
getClientIpMock.mockReturnValueOnce(undefined);
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
|
||||
.token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
});
|
||||
|
||||
describe('OauthPublicController /userinfo + /revoke', () => {
|
||||
it('userinfo: 401 challenge without a Bearer, returns claims with a valid token', () => {
|
||||
const r1 = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).userinfo(undefined, r1);
|
||||
expect(r1.statusCode).toBe(401);
|
||||
expect(r1.headers['WWW-Authenticate']).toBe('Bearer realm="TREK MCP"');
|
||||
const r2 = makeRes();
|
||||
new OauthPublicController(osvc({ getUserByAccessToken: vi.fn().mockReturnValue({ user: { id: 1, email: 'a@b.c', username: 'u' } }) }), rl()).userinfo('Bearer tok', r2);
|
||||
expect(r2.body).toEqual({ sub: '1', email: 'a@b.c', email_verified: true, preferred_username: 'u' });
|
||||
});
|
||||
|
||||
it('userinfo: 404 empty when MCP is disabled', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).userinfo('Bearer tok', res);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.ended).toBe(true);
|
||||
});
|
||||
|
||||
it('userinfo: 401 with the error challenge when the token is unknown', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ getUserByAccessToken: vi.fn().mockReturnValue(null) }), rl()).userinfo('Bearer tok', res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.headers['WWW-Authenticate']).toBe('Bearer realm="TREK MCP", error="invalid_token"');
|
||||
expect(res.body).toEqual({ error: 'invalid_token' });
|
||||
});
|
||||
|
||||
it('revoke: 400 without token/client, always 200 once authenticated', () => {
|
||||
const r1 = makeRes();
|
||||
new OauthPublicController(osvc(), rl()).revoke({ ip: '1', body: { client_id: 'c' } } as Request, r1);
|
||||
expect(r1.statusCode).toBe(400);
|
||||
const r2 = makeRes();
|
||||
const revokeToken = vi.fn();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue({ id: 'c' }), revokeToken }), rl()).revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, r2);
|
||||
expect(r2.statusCode).toBe(200);
|
||||
expect(r2.body).toEqual({});
|
||||
expect(revokeToken).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('revoke: 404 empty when MCP is disabled', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).revoke({ ip: '1', body: {} } as Request, res);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.ended).toBe(true);
|
||||
});
|
||||
|
||||
it('revoke: 429 when the per-ip bucket is exhausted', () => {
|
||||
const s = rl();
|
||||
for (let i = 0; i < 10; i++) s.check('oauth_revoke', '1', 10, 60000, Date.now());
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc(), s).revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
|
||||
expect(res.statusCode).toBe(429);
|
||||
});
|
||||
|
||||
it('revoke: falls back to a default ip key and {} body when both are missing', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue({ id: 'c' }), revokeToken: vi.fn() }), rl())
|
||||
.revoke({ body: undefined } as unknown as Request, res);
|
||||
// body fell back to {} -> token/client missing -> 400
|
||||
expect(res.statusCode).toBe(400);
|
||||
});
|
||||
|
||||
it('revoke: 401 when the client credentials are invalid', () => {
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
|
||||
.revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
|
||||
});
|
||||
|
||||
it('revoke: logs a dash for a missing ip on the invalid-client failure', () => {
|
||||
getClientIpMock.mockReturnValueOnce(undefined);
|
||||
const res = makeRes();
|
||||
new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
|
||||
.revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
});
|
||||
|
||||
describe('OauthApiController', () => {
|
||||
const req = { ip: '1.2.3.4', user: undefined as unknown } as Request;
|
||||
function makeRes2() { const r = { statusCode: 200, ended: false, status: vi.fn((c: number) => { r.statusCode = c; return r; }), end: vi.fn(() => { r.ended = true; }) }; return r as unknown as Response & { statusCode: number; ended: boolean }; }
|
||||
|
||||
it('validate: 404 empty when MCP off, loginRequired when anonymous + valid', () => {
|
||||
const off = makeRes2();
|
||||
new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).validate({ ...req } as Request, {}, off);
|
||||
expect(off.statusCode).toBe(404);
|
||||
expect(off.ended).toBe(true);
|
||||
const anon = makeRes2();
|
||||
const r = new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true }) }), rl()).validate({ ...req, user: undefined } as Request, {}, anon);
|
||||
expect(r).toEqual({ valid: true, loginRequired: true });
|
||||
});
|
||||
|
||||
it('authorize: denied returns a redirect with access_denied, approved issues a code', () => {
|
||||
const denied = new OauthApiController(osvc(), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: false }, req);
|
||||
expect((denied as { redirect: string }).redirect).toContain('error=access_denied');
|
||||
const svc = osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true, scopes: ['s'], resource: null }), saveConsent: vi.fn(), createAuthCode: vi.fn().mockReturnValue('the_code') });
|
||||
const ok = new OauthApiController(svc, rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req);
|
||||
expect((ok as { redirect: string }).redirect).toContain('code=the_code');
|
||||
});
|
||||
|
||||
it('clients/sessions: 403 when MCP off, else CRUD', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).listClients(user))).toEqual({ status: 403, body: { error: 'MCP is not enabled' } });
|
||||
expect(new OauthApiController(osvc({ listOAuthClients: vi.fn().mockReturnValue([{ id: 'c1' }]) }), rl()).listClients(user)).toEqual({ clients: [{ id: 'c1' }] });
|
||||
expect(new OauthApiController(osvc({ createOAuthClient: vi.fn().mockReturnValue({ client_id: 'c1', client_secret: 's' }) }), rl()).createClient(user, { name: 'CLI', allowed_scopes: ['a'] }, req)).toEqual({ client_id: 'c1', client_secret: 's' });
|
||||
expect(new OauthApiController(osvc({ deleteOAuthClient: vi.fn().mockReturnValue({}) }), rl()).deleteClient(user, 'c1', req)).toEqual({ success: true });
|
||||
expect(new OauthApiController(osvc({ listOAuthSessions: vi.fn().mockReturnValue([{ id: 1 }]) }), rl()).listSessions(user)).toEqual({ sessions: [{ id: 1 }] });
|
||||
expect(new OauthApiController(osvc({ revokeSession: vi.fn().mockReturnValue({}) }), rl()).revokeSession(user, '1', req)).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('rotate maps a service error, else returns the new secret', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ rotateOAuthClientSecret: vi.fn().mockReturnValue({ error: 'not_found', status: 404 }) }), rl()).rotateClient(user, 'c1', req))).toEqual({ status: 404, body: { error: 'not_found' } });
|
||||
expect(new OauthApiController(osvc({ rotateOAuthClientSecret: vi.fn().mockReturnValue({ client_secret: 'new' }) }), rl()).rotateClient(user, 'c1', req)).toEqual({ client_secret: 'new' });
|
||||
});
|
||||
|
||||
it('validate: anonymous + invalid returns a generic error; create maps a service error', () => {
|
||||
const res = makeRes2();
|
||||
const anon = new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: false, error: 'x' }) }), rl()).validate({ ...req, user: undefined } as Request, {}, res);
|
||||
expect(anon).toEqual({ valid: false, error: 'invalid_request', error_description: 'Invalid authorization request' });
|
||||
expect(thrown(() => new OauthApiController(osvc({ createOAuthClient: vi.fn().mockReturnValue({ error: 'invalid_redirect_uri', status: 400 }) }), rl()).createClient(user, { name: 'X', allowed_scopes: ['a'] }, req))).toEqual({ status: 400, body: { error: 'invalid_redirect_uri' } });
|
||||
});
|
||||
|
||||
it('authorize: 400 when re-validation fails, 503 when the auth code cannot be issued', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: false, error: 'invalid_scope', error_description: 'bad' }) }), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req))).toEqual({ status: 400, body: { error: 'invalid_scope', error_description: 'bad' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true, scopes: ['s'], resource: null }), saveConsent: vi.fn(), createAuthCode: vi.fn().mockReturnValue(null) }), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req))).toEqual({ status: 503, body: { error: 'server_error', error_description: 'Authorization server is temporarily unavailable' } });
|
||||
});
|
||||
|
||||
it('validate: 429 when the per-ip bucket is exhausted', () => {
|
||||
const s = rl();
|
||||
for (let i = 0; i < 30; i++) s.check('oauth_validate', '1.2.3.4', 30, 60000, Date.now());
|
||||
const res = makeRes2();
|
||||
expect(thrown(() => new OauthApiController(osvc(), s).validate({ ...req } as Request, {}, res))).toEqual({
|
||||
status: 429,
|
||||
body: { error: 'too_many_requests', error_description: 'Too many attempts. Please try again later.' },
|
||||
});
|
||||
});
|
||||
|
||||
it('validate: falls back to the "unknown" rate-limit key when req.ip is absent', () => {
|
||||
const res = makeRes2();
|
||||
const out = new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true }) }), rl())
|
||||
.validate({ user: undefined } as unknown as Request, {}, res);
|
||||
expect(out).toEqual({ valid: true, loginRequired: true });
|
||||
});
|
||||
|
||||
it('validate: forwards the resource + returns the raw result for a logged-in user', () => {
|
||||
const res = makeRes2();
|
||||
const validateAuthorizeRequest = vi.fn().mockReturnValue({ valid: true, scopes: ['s'] });
|
||||
const out = new OauthApiController(osvc({ validateAuthorizeRequest }), rl())
|
||||
.validate({ ...req, user: { id: 9 } } as unknown as Request, { resource: 'https://r' }, res);
|
||||
expect(out).toEqual({ valid: true, scopes: ['s'] });
|
||||
expect(validateAuthorizeRequest).toHaveBeenCalledWith(expect.objectContaining({ resource: 'https://r' }), 9);
|
||||
});
|
||||
|
||||
it('authorize: 403 when MCP is disabled', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl())
|
||||
.authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: false }, req)))
|
||||
.toEqual({ status: 403, body: { error: 'MCP is not enabled' } });
|
||||
});
|
||||
|
||||
it('authorize: carries the state through both the denied and approved redirects', () => {
|
||||
const denied = new OauthApiController(osvc(), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', state: 'xyz', code_challenge: 'cc', code_challenge_method: 'S256', approved: false }, req);
|
||||
expect((denied as { redirect: string }).redirect).toContain('state=xyz');
|
||||
|
||||
const svc = osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true, scopes: ['s'], resource: 'https://aud' }), saveConsent: vi.fn(), createAuthCode: vi.fn().mockReturnValue('the_code') });
|
||||
const ok = new OauthApiController(svc, rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', state: 'xyz', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req);
|
||||
expect((ok as { redirect: string }).redirect).toContain('code=the_code');
|
||||
expect((ok as { redirect: string }).redirect).toContain('state=xyz');
|
||||
});
|
||||
|
||||
it('client/session errors default the status to 400 when the service omits it', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ createOAuthClient: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).createClient(user, { name: 'X', allowed_scopes: ['a'] }, req)))
|
||||
.toEqual({ status: 400, body: { error: 'bad' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ rotateOAuthClientSecret: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).rotateClient(user, 'c1', req)))
|
||||
.toEqual({ status: 400, body: { error: 'bad' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ deleteOAuthClient: vi.fn().mockReturnValue({ error: 'not_found', status: 404 }) }), rl()).deleteClient(user, 'c1', req)))
|
||||
.toEqual({ status: 404, body: { error: 'not_found' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ deleteOAuthClient: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).deleteClient(user, 'c1', req)))
|
||||
.toEqual({ status: 400, body: { error: 'bad' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ revokeSession: vi.fn().mockReturnValue({ error: 'not_found', status: 404 }) }), rl()).revokeSession(user, '1', req)))
|
||||
.toEqual({ status: 404, body: { error: 'not_found' } });
|
||||
expect(thrown(() => new OauthApiController(osvc({ revokeSession: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).revokeSession(user, '1', req)))
|
||||
.toEqual({ status: 400, body: { error: 'bad' } });
|
||||
});
|
||||
|
||||
it('sessions: 403 when MCP is off on the list', () => {
|
||||
expect(thrown(() => new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).listSessions(user)))
|
||||
.toEqual({ status: 403, body: { error: 'MCP is not enabled' } });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,172 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// The Nest service is a thin wrapper that forwards to the legacy oauthService
|
||||
// plus the addon/notification helpers. Mock those and assert the delegation.
|
||||
const { oauth } = vi.hoisted(() => ({
|
||||
oauth: {
|
||||
consumeAuthCode: vi.fn(),
|
||||
authenticateClient: vi.fn(),
|
||||
verifyPKCE: vi.fn(),
|
||||
issueTokens: vi.fn(),
|
||||
issueClientCredentialsToken: vi.fn(),
|
||||
refreshTokens: vi.fn(),
|
||||
revokeToken: vi.fn(),
|
||||
getUserByAccessToken: vi.fn(),
|
||||
validateAuthorizeRequest: vi.fn(),
|
||||
saveConsent: vi.fn(),
|
||||
createAuthCode: vi.fn(),
|
||||
listOAuthClients: vi.fn(),
|
||||
createOAuthClient: vi.fn(),
|
||||
rotateOAuthClientSecret: vi.fn(),
|
||||
deleteOAuthClient: vi.fn(),
|
||||
listOAuthSessions: vi.fn(),
|
||||
revokeSession: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/oauthService', () => oauth);
|
||||
|
||||
const { isAddonEnabled } = vi.hoisted(() => ({ isAddonEnabled: vi.fn() }));
|
||||
vi.mock('../../../src/services/adminService', () => ({ isAddonEnabled }));
|
||||
|
||||
const { getMcpSafeUrl } = vi.hoisted(() => ({ getMcpSafeUrl: vi.fn() }));
|
||||
vi.mock('../../../src/services/notifications', () => ({ getMcpSafeUrl }));
|
||||
|
||||
import { OauthService } from '../../../src/nest/oauth/oauth.service';
|
||||
import { ADDON_IDS } from '../../../src/addons';
|
||||
|
||||
function svc() { return new OauthService(); }
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('OauthService', () => {
|
||||
it('mcpEnabled checks the MCP addon flag', () => {
|
||||
isAddonEnabled.mockReturnValue(true);
|
||||
expect(svc().mcpEnabled()).toBe(true);
|
||||
expect(isAddonEnabled).toHaveBeenCalledWith(ADDON_IDS.MCP);
|
||||
isAddonEnabled.mockReturnValue(false);
|
||||
expect(svc().mcpEnabled()).toBe(false);
|
||||
});
|
||||
|
||||
it('mcpSafeUrl forwards to the notifications helper', () => {
|
||||
getMcpSafeUrl.mockReturnValue('https://safe');
|
||||
expect(svc().mcpSafeUrl()).toBe('https://safe');
|
||||
expect(getMcpSafeUrl).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('consumeAuthCode delegates', () => {
|
||||
oauth.consumeAuthCode.mockReturnValue({ clientId: 'c' });
|
||||
expect(svc().consumeAuthCode('code')).toEqual({ clientId: 'c' });
|
||||
expect(oauth.consumeAuthCode).toHaveBeenCalledWith('code');
|
||||
});
|
||||
|
||||
it('authenticateClient delegates with both args', () => {
|
||||
oauth.authenticateClient.mockReturnValue({ id: 'c' });
|
||||
expect(svc().authenticateClient('c', 'secret')).toEqual({ id: 'c' });
|
||||
expect(oauth.authenticateClient).toHaveBeenCalledWith('c', 'secret');
|
||||
});
|
||||
|
||||
it('verifyPKCE delegates', () => {
|
||||
oauth.verifyPKCE.mockReturnValue(true);
|
||||
expect(svc().verifyPKCE('v', 'ch')).toBe(true);
|
||||
expect(oauth.verifyPKCE).toHaveBeenCalledWith('v', 'ch');
|
||||
});
|
||||
|
||||
it('issueTokens forwards the full argument list', () => {
|
||||
oauth.issueTokens.mockReturnValue({ access_token: 'at' });
|
||||
expect(svc().issueTokens('c', 1, ['s'], null, 'aud')).toEqual({ access_token: 'at' });
|
||||
expect(oauth.issueTokens).toHaveBeenCalledWith('c', 1, ['s'], null, 'aud');
|
||||
});
|
||||
|
||||
it('issueClientCredentialsToken forwards the full argument list', () => {
|
||||
oauth.issueClientCredentialsToken.mockReturnValue({ access_token: 'cc' });
|
||||
expect(svc().issueClientCredentialsToken('c', 1, ['s'], 'aud')).toEqual({ access_token: 'cc' });
|
||||
expect(oauth.issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['s'], 'aud');
|
||||
});
|
||||
|
||||
it('refreshTokens forwards the full argument list', () => {
|
||||
oauth.refreshTokens.mockReturnValue({ tokens: { access_token: 'new' } });
|
||||
expect(svc().refreshTokens('rt', 'c', 's', '1.2.3.4')).toEqual({ tokens: { access_token: 'new' } });
|
||||
expect(oauth.refreshTokens).toHaveBeenCalledWith('rt', 'c', 's', '1.2.3.4');
|
||||
});
|
||||
|
||||
it('revokeToken forwards the full argument list', () => {
|
||||
svc().revokeToken('t', 'c', undefined, '1.2.3.4');
|
||||
expect(oauth.revokeToken).toHaveBeenCalledWith('t', 'c', undefined, '1.2.3.4');
|
||||
});
|
||||
|
||||
it('getUserByAccessToken delegates', () => {
|
||||
oauth.getUserByAccessToken.mockReturnValue({ user: { id: 1 } });
|
||||
expect(svc().getUserByAccessToken('tok')).toEqual({ user: { id: 1 } });
|
||||
expect(oauth.getUserByAccessToken).toHaveBeenCalledWith('tok');
|
||||
});
|
||||
|
||||
it('validateAuthorizeRequest delegates with the user id', () => {
|
||||
oauth.validateAuthorizeRequest.mockReturnValue({ valid: true });
|
||||
const params = { response_type: 'code' } as never;
|
||||
expect(svc().validateAuthorizeRequest(params, 5)).toEqual({ valid: true });
|
||||
expect(oauth.validateAuthorizeRequest).toHaveBeenCalledWith(params, 5);
|
||||
});
|
||||
|
||||
it('saveConsent forwards the full argument list', () => {
|
||||
svc().saveConsent('c', 1, ['s'], '1.2.3.4');
|
||||
expect(oauth.saveConsent).toHaveBeenCalledWith('c', 1, ['s'], '1.2.3.4');
|
||||
});
|
||||
|
||||
it('createAuthCode forwards the params object', () => {
|
||||
oauth.createAuthCode.mockReturnValue('the_code');
|
||||
const p = { clientId: 'c', userId: 1, redirectUri: 'u', scopes: ['s'], resource: null, codeChallenge: 'cc', codeChallengeMethod: 'S256' } as const;
|
||||
expect(svc().createAuthCode(p)).toBe('the_code');
|
||||
expect(oauth.createAuthCode).toHaveBeenCalledWith(p);
|
||||
});
|
||||
|
||||
it('listOAuthClients delegates', () => {
|
||||
oauth.listOAuthClients.mockReturnValue([{ id: 'c1' }]);
|
||||
expect(svc().listOAuthClients(1)).toEqual([{ id: 'c1' }]);
|
||||
expect(oauth.listOAuthClients).toHaveBeenCalledWith(1);
|
||||
});
|
||||
|
||||
it('createOAuthClient forwards the full argument list', () => {
|
||||
oauth.createOAuthClient.mockReturnValue({ client_id: 'c1' });
|
||||
expect(svc().createOAuthClient(1, 'CLI', ['https://cb'], ['a'], '1.2.3.4', { allowsClientCredentials: true })).toEqual({ client_id: 'c1' });
|
||||
expect(oauth.createOAuthClient).toHaveBeenCalledWith(1, 'CLI', ['https://cb'], ['a'], '1.2.3.4', { allowsClientCredentials: true });
|
||||
});
|
||||
|
||||
it('rotateOAuthClientSecret delegates', () => {
|
||||
oauth.rotateOAuthClientSecret.mockReturnValue({ client_secret: 'new' });
|
||||
expect(svc().rotateOAuthClientSecret(1, 'c1', '1.2.3.4')).toEqual({ client_secret: 'new' });
|
||||
expect(oauth.rotateOAuthClientSecret).toHaveBeenCalledWith(1, 'c1', '1.2.3.4');
|
||||
});
|
||||
|
||||
it('deleteOAuthClient delegates', () => {
|
||||
oauth.deleteOAuthClient.mockReturnValue({});
|
||||
expect(svc().deleteOAuthClient(1, 'c1', '1.2.3.4')).toEqual({});
|
||||
expect(oauth.deleteOAuthClient).toHaveBeenCalledWith(1, 'c1', '1.2.3.4');
|
||||
});
|
||||
|
||||
it('listOAuthSessions delegates', () => {
|
||||
oauth.listOAuthSessions.mockReturnValue([{ id: 1 }]);
|
||||
expect(svc().listOAuthSessions(1)).toEqual([{ id: 1 }]);
|
||||
expect(oauth.listOAuthSessions).toHaveBeenCalledWith(1);
|
||||
});
|
||||
|
||||
it('revokeSession delegates', () => {
|
||||
oauth.revokeSession.mockReturnValue({});
|
||||
expect(svc().revokeSession(1, 7, '1.2.3.4')).toEqual({});
|
||||
expect(oauth.revokeSession).toHaveBeenCalledWith(1, 7, '1.2.3.4');
|
||||
});
|
||||
});
|
||||
|
||||
describe('OauthModule', () => {
|
||||
it('wires the public + api controllers and the providers', async () => {
|
||||
const { OauthModule } = await import('../../../src/nest/oauth/oauth.module');
|
||||
const { OauthPublicController } = await import('../../../src/nest/oauth/oauth-public.controller');
|
||||
const { OauthApiController } = await import('../../../src/nest/oauth/oauth-api.controller');
|
||||
const { OauthService: Svc } = await import('../../../src/nest/oauth/oauth.service');
|
||||
const { RateLimitService } = await import('../../../src/nest/auth/rate-limit.service');
|
||||
|
||||
const controllers = Reflect.getMetadata('controllers', OauthModule);
|
||||
const providers = Reflect.getMetadata('providers', OauthModule);
|
||||
expect(controllers).toEqual([OauthPublicController, OauthApiController]);
|
||||
expect(providers).toEqual([Svc, RateLimitService]);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,346 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import type { Request, Response } from 'express';
|
||||
|
||||
import { OidcController } from '../../../src/nest/oidc/oidc.controller';
|
||||
import type { OidcService } from '../../../src/nest/oidc/oidc.service';
|
||||
|
||||
function svc(o: Partial<OidcService> = {}): OidcService {
|
||||
return {
|
||||
oidcLoginEnabled: vi.fn().mockReturnValue(true),
|
||||
getOidcConfig: vi.fn().mockReturnValue({ issuer: 'https://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }),
|
||||
getAppUrl: vi.fn().mockReturnValue('https://app'),
|
||||
discover: vi.fn().mockResolvedValue({ authorization_endpoint: 'https://idp/auth', userinfo_endpoint: 'https://idp/ui', issuer: 'https://idp' }),
|
||||
createState: vi.fn().mockReturnValue({ state: 'st', codeChallenge: 'cc' }),
|
||||
consumeState: vi.fn().mockReturnValue({ redirectUri: 'https://app/api/auth/oidc/callback', codeVerifier: 'cv', inviteToken: undefined }),
|
||||
exchangeCodeForToken: vi.fn(),
|
||||
verifyIdToken: vi.fn(),
|
||||
getUserInfo: vi.fn(),
|
||||
findOrCreateUser: vi.fn(),
|
||||
touchLastLogin: vi.fn(),
|
||||
generateToken: vi.fn().mockReturnValue('jwt'),
|
||||
createAuthCode: vi.fn().mockReturnValue('ac'),
|
||||
consumeAuthCode: vi.fn(),
|
||||
frontendUrl: vi.fn((p: string) => 'https://app' + p),
|
||||
setAuthCookie: vi.fn(),
|
||||
...o,
|
||||
} as unknown as OidcService;
|
||||
}
|
||||
|
||||
function makeRes() {
|
||||
const res = {
|
||||
statusCode: 200,
|
||||
redirectedTo: '' as string,
|
||||
body: undefined as unknown,
|
||||
status: vi.fn((c: number) => { res.statusCode = c; return res; }),
|
||||
json: vi.fn((b: unknown) => { res.body = b; return res; }),
|
||||
redirect: vi.fn((u: string) => { res.redirectedTo = u; }),
|
||||
cookie: vi.fn(),
|
||||
clearCookie: vi.fn(),
|
||||
};
|
||||
return res as unknown as Response & { statusCode: number; redirectedTo: string; body: unknown };
|
||||
}
|
||||
|
||||
const req = { query: {}, headers: {} } as Request;
|
||||
// Callback request carrying the state-binding cookie a real browser would send
|
||||
// after going through /login.
|
||||
const reqCb = (state = 's') => ({ query: {}, headers: {}, cookies: { trek_oidc_state: state } } as unknown as Request);
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
afterEach(() => { delete process.env.NODE_ENV; });
|
||||
|
||||
describe('OidcController /login', () => {
|
||||
it('403 when SSO is disabled', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ oidcLoginEnabled: vi.fn().mockReturnValue(false) })).login(req, res);
|
||||
expect(res.statusCode).toBe(403);
|
||||
expect(res.body).toEqual({ error: 'SSO login is disabled.' });
|
||||
});
|
||||
|
||||
it('400 when not configured', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue(null) })).login(req, res);
|
||||
expect(res.statusCode).toBe(400);
|
||||
expect(res.body).toEqual({ error: 'OIDC not configured' });
|
||||
});
|
||||
|
||||
it('redirects to the provider authorize endpoint with PKCE params', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc()).login(req, res);
|
||||
expect(res.redirect).toHaveBeenCalled();
|
||||
expect(res.redirectedTo).toContain('https://idp/auth?');
|
||||
expect(res.redirectedTo).toContain('code_challenge=cc');
|
||||
expect(res.redirectedTo).toContain('code_challenge_method=S256');
|
||||
});
|
||||
|
||||
it('400 when a non-HTTPS issuer is used in production', async () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).login(req, res);
|
||||
expect(res.statusCode).toBe(400);
|
||||
expect(res.body).toEqual({ error: 'OIDC issuer must use HTTPS in production' });
|
||||
});
|
||||
|
||||
it('allows a non-HTTPS issuer outside production', async () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).login(req, res);
|
||||
expect(res.redirect).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('500 when APP_URL is not configured', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getAppUrl: vi.fn().mockReturnValue('') })).login(req, res);
|
||||
expect(res.statusCode).toBe(500);
|
||||
expect(res.body).toEqual({ error: 'APP_URL is not configured. OIDC cannot be used.' });
|
||||
});
|
||||
|
||||
it('passes the invite token from the query into createState', async () => {
|
||||
const res = makeRes();
|
||||
const createState = vi.fn().mockReturnValue({ state: 'st', codeChallenge: 'cc' });
|
||||
const reqInvite = { query: { invite: 'tok123' }, headers: {} } as unknown as Request;
|
||||
await new OidcController(svc({ createState })).login(reqInvite, res);
|
||||
expect(createState).toHaveBeenCalledWith('https://app/api/auth/oidc/callback', 'tok123');
|
||||
});
|
||||
|
||||
it('trims a trailing slash off APP_URL when building the redirect uri', async () => {
|
||||
const res = makeRes();
|
||||
const createState = vi.fn().mockReturnValue({ state: 'st', codeChallenge: 'cc' });
|
||||
await new OidcController(svc({ getAppUrl: vi.fn().mockReturnValue('https://app///'), createState })).login(req, res);
|
||||
expect(createState).toHaveBeenCalledWith('https://app/api/auth/oidc/callback', undefined);
|
||||
});
|
||||
|
||||
it('500 when discovery throws', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ discover: vi.fn().mockRejectedValue(new Error('boom')) })).login(req, res);
|
||||
expect(res.statusCode).toBe(500);
|
||||
expect(res.body).toEqual({ error: 'OIDC login failed' });
|
||||
});
|
||||
|
||||
it('500 logs a non-Error rejection without crashing', async () => {
|
||||
const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ discover: vi.fn().mockRejectedValue('plain string') })).login(req, res);
|
||||
expect(res.statusCode).toBe(500);
|
||||
expect(spy).toHaveBeenCalledWith('[OIDC] Login error:', 'plain string');
|
||||
});
|
||||
});
|
||||
|
||||
describe('OidcController /callback', () => {
|
||||
it('redirects with sso_disabled when SSO is off', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ oidcLoginEnabled: vi.fn().mockReturnValue(false) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=sso_disabled');
|
||||
});
|
||||
|
||||
it('redirects with the provider error', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc()).callback(undefined, undefined, 'access_denied', reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=access_denied');
|
||||
});
|
||||
|
||||
it('redirects missing_params / invalid_state', async () => {
|
||||
const r1 = makeRes();
|
||||
await new OidcController(svc()).callback(undefined, 's', undefined, reqCb('s'), r1);
|
||||
expect(r1.redirectedTo).toBe('https://app/login?oidc_error=missing_params');
|
||||
const r2 = makeRes();
|
||||
await new OidcController(svc({ consumeState: vi.fn().mockReturnValue(null) })).callback('c', 's', undefined, reqCb('s'), r2);
|
||||
expect(r2.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
|
||||
});
|
||||
|
||||
it('rejects a missing id_token, then completes with an auth code on success', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const noId = makeRes();
|
||||
await new OidcController(svc({ exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at' }) })).callback('c', 's', undefined, reqCb('s'), noId);
|
||||
expect(noId.redirectedTo).toBe('https://app/login?oidc_error=no_id_token');
|
||||
|
||||
const ok = makeRes();
|
||||
const c = new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
|
||||
}));
|
||||
await c.callback('c', 's', undefined, reqCb('s'), ok);
|
||||
expect(ok.redirectedTo).toBe('https://app/login?oidc_code=ac');
|
||||
});
|
||||
|
||||
it('rejects a callback whose state cookie does not match the query state', async () => {
|
||||
const res = makeRes();
|
||||
// Browser presents a different (or no) state cookie than the callback URL —
|
||||
// an attacker-initiated flow replayed in the victim's browser.
|
||||
await new OidcController(svc()).callback('c', 's', undefined, reqCb('attacker-state'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
|
||||
});
|
||||
|
||||
it('rejects a userinfo subject mismatch', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
const c = new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'OTHER' }),
|
||||
}));
|
||||
await c.callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=subject_mismatch');
|
||||
});
|
||||
|
||||
it('redirects invalid_state when there is no bound state cookie at all', async () => {
|
||||
const res = makeRes();
|
||||
const reqNoCookie = { query: {}, headers: {}, cookies: {} } as unknown as Request;
|
||||
await new OidcController(svc()).callback('c', 's', undefined, reqNoCookie, res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
|
||||
});
|
||||
|
||||
it('tolerates a request with no cookies object', async () => {
|
||||
const res = makeRes();
|
||||
const reqNoCookies = { query: {}, headers: {} } as unknown as Request;
|
||||
await new OidcController(svc()).callback('c', 's', undefined, reqNoCookies, res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
|
||||
});
|
||||
|
||||
it('redirects not_configured when the config disappears mid-flow', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue(null) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=not_configured');
|
||||
});
|
||||
|
||||
it('redirects issuer_not_https when a non-HTTPS issuer is used in production', async () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=issuer_not_https');
|
||||
});
|
||||
|
||||
it('redirects token_failed when the token exchange is not ok', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: false, _status: 401 }) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=token_failed');
|
||||
});
|
||||
|
||||
it('redirects token_failed when the access token is missing', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true }) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=token_failed');
|
||||
});
|
||||
|
||||
it('redirects id_token_invalid when verification fails with a reason', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: false, error: 'bad_signature' }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=id_token_invalid');
|
||||
});
|
||||
|
||||
it('redirects id_token_invalid when verification fails without an error field', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: false }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=id_token_invalid');
|
||||
});
|
||||
|
||||
it('falls back to config.issuer when the discovery doc has no issuer', async () => {
|
||||
const verifyIdToken = vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } });
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
discover: vi.fn().mockResolvedValue({ authorization_endpoint: 'https://idp/auth', userinfo_endpoint: 'https://idp/ui' }),
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken,
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
// doc.issuer absent → (doc.issuer ?? '') is '' → falls back to config.issuer
|
||||
expect(verifyIdToken).toHaveBeenCalledWith('it', expect.anything(), 'c', 'https://idp');
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
|
||||
});
|
||||
|
||||
it('strips trailing slashes off the discovery doc issuer before verifying', async () => {
|
||||
const verifyIdToken = vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } });
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
discover: vi.fn().mockResolvedValue({ authorization_endpoint: 'https://idp/auth', userinfo_endpoint: 'https://idp/ui', issuer: 'https://idp/' }),
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken,
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(verifyIdToken).toHaveBeenCalledWith('it', expect.anything(), 'c', 'https://idp');
|
||||
});
|
||||
|
||||
it('redirects no_email when the userinfo has no email', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ sub: 'u1' }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=no_email');
|
||||
});
|
||||
|
||||
it('accepts when userinfo omits sub (no cross-check to run)', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
|
||||
});
|
||||
|
||||
it('accepts when the id_token claims have a non-string sub (cross-check skipped)', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 12345 } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'something-else' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
|
||||
});
|
||||
|
||||
it('surfaces a findOrCreateUser provisioning error', async () => {
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({
|
||||
exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
|
||||
verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
|
||||
getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
|
||||
findOrCreateUser: vi.fn().mockReturnValue({ error: 'registration_disabled' }),
|
||||
})).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=registration_disabled');
|
||||
});
|
||||
|
||||
it('redirects server_error when the flow throws', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const res = makeRes();
|
||||
await new OidcController(svc({ discover: vi.fn().mockRejectedValue(new Error('network down')) })).callback('c', 's', undefined, reqCb('s'), res);
|
||||
expect(res.redirectedTo).toBe('https://app/login?oidc_error=server_error');
|
||||
});
|
||||
});
|
||||
|
||||
describe('OidcController /exchange', () => {
|
||||
it('400 without a code, 400 on an invalid code, else sets the cookie + returns the token', () => {
|
||||
const r1 = makeRes();
|
||||
new OidcController(svc()).exchange(undefined, req, r1);
|
||||
expect(r1.statusCode).toBe(400);
|
||||
expect(r1.body).toEqual({ error: 'Code required' });
|
||||
|
||||
const r2 = makeRes();
|
||||
new OidcController(svc({ consumeAuthCode: vi.fn().mockReturnValue({ error: 'invalid_code' }) })).exchange('x', req, r2);
|
||||
expect(r2.statusCode).toBe(400);
|
||||
expect(r2.body).toEqual({ error: 'invalid_code' });
|
||||
|
||||
const r3 = makeRes();
|
||||
const setAuthCookie = vi.fn();
|
||||
new OidcController(svc({ consumeAuthCode: vi.fn().mockReturnValue({ token: 'jwt' }), setAuthCookie })).exchange('x', req, r3);
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(r3, 'jwt', req);
|
||||
expect(r3.body).toEqual({ token: 'jwt' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,158 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import type { Request, Response } from 'express';
|
||||
|
||||
// The Nest service is a thin pass-through to the legacy OIDC helpers plus a few
|
||||
// adjacent service modules. Mock each one and assert the wrapper forwards every
|
||||
// argument and returns whatever the legacy function hands back.
|
||||
const { oidc } = vi.hoisted(() => ({
|
||||
oidc: {
|
||||
getOidcConfig: vi.fn(),
|
||||
discover: vi.fn(),
|
||||
createState: vi.fn(),
|
||||
consumeState: vi.fn(),
|
||||
exchangeCodeForToken: vi.fn(),
|
||||
verifyIdToken: vi.fn(),
|
||||
getUserInfo: vi.fn(),
|
||||
findOrCreateUser: vi.fn(),
|
||||
touchLastLogin: vi.fn(),
|
||||
generateToken: vi.fn(),
|
||||
createAuthCode: vi.fn(),
|
||||
consumeAuthCode: vi.fn(),
|
||||
frontendUrl: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/oidcService', () => oidc);
|
||||
|
||||
const { getAppUrl } = vi.hoisted(() => ({ getAppUrl: vi.fn() }));
|
||||
vi.mock('../../../src/services/notifications', () => ({ getAppUrl }));
|
||||
|
||||
const { resolveAuthToggles } = vi.hoisted(() => ({ resolveAuthToggles: vi.fn() }));
|
||||
vi.mock('../../../src/services/authService', () => ({ resolveAuthToggles }));
|
||||
|
||||
const { setAuthCookie } = vi.hoisted(() => ({ setAuthCookie: vi.fn() }));
|
||||
vi.mock('../../../src/services/cookie', () => ({ setAuthCookie }));
|
||||
|
||||
import { OidcService } from '../../../src/nest/oidc/oidc.service';
|
||||
|
||||
let s: OidcService;
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
s = new OidcService();
|
||||
});
|
||||
|
||||
describe('OidcService', () => {
|
||||
it('oidcLoginEnabled reads the resolved auth toggle', () => {
|
||||
resolveAuthToggles.mockReturnValue({ oidc_login: true });
|
||||
expect(s.oidcLoginEnabled()).toBe(true);
|
||||
resolveAuthToggles.mockReturnValue({ oidc_login: false });
|
||||
expect(s.oidcLoginEnabled()).toBe(false);
|
||||
});
|
||||
|
||||
it('getOidcConfig delegates to the legacy helper', () => {
|
||||
const cfg = { issuer: 'https://idp' };
|
||||
oidc.getOidcConfig.mockReturnValue(cfg);
|
||||
expect(s.getOidcConfig()).toBe(cfg);
|
||||
});
|
||||
|
||||
it('getAppUrl delegates to notifications.getAppUrl', () => {
|
||||
getAppUrl.mockReturnValue('https://app');
|
||||
expect(s.getAppUrl()).toBe('https://app');
|
||||
});
|
||||
|
||||
it('discover forwards the issuer and discovery url', () => {
|
||||
const doc = { authorization_endpoint: 'https://idp/auth' };
|
||||
oidc.discover.mockReturnValue(doc);
|
||||
expect(s.discover('https://idp', 'https://idp/.well-known')).toBe(doc);
|
||||
expect(oidc.discover).toHaveBeenCalledWith('https://idp', 'https://idp/.well-known');
|
||||
});
|
||||
|
||||
it('discover works without a discovery url', () => {
|
||||
oidc.discover.mockReturnValue('doc');
|
||||
expect(s.discover('https://idp')).toBe('doc');
|
||||
expect(oidc.discover).toHaveBeenCalledWith('https://idp', undefined);
|
||||
});
|
||||
|
||||
it('createState forwards the redirect uri and invite token', () => {
|
||||
const st = { state: 'st', codeChallenge: 'cc' };
|
||||
oidc.createState.mockReturnValue(st);
|
||||
expect(s.createState('https://app/cb', 'inv')).toBe(st);
|
||||
expect(oidc.createState).toHaveBeenCalledWith('https://app/cb', 'inv');
|
||||
});
|
||||
|
||||
it('createState works without an invite token', () => {
|
||||
oidc.createState.mockReturnValue({ state: 'st', codeChallenge: 'cc' });
|
||||
s.createState('https://app/cb');
|
||||
expect(oidc.createState).toHaveBeenCalledWith('https://app/cb', undefined);
|
||||
});
|
||||
|
||||
it('consumeState forwards the state', () => {
|
||||
oidc.consumeState.mockReturnValue({ redirectUri: 'r', codeVerifier: 'v' });
|
||||
expect(s.consumeState('st')).toEqual({ redirectUri: 'r', codeVerifier: 'v' });
|
||||
expect(oidc.consumeState).toHaveBeenCalledWith('st');
|
||||
});
|
||||
|
||||
it('exchangeCodeForToken spreads all arguments through', () => {
|
||||
oidc.exchangeCodeForToken.mockReturnValue({ _ok: true });
|
||||
const doc = { token_endpoint: 'https://idp/token' } as never;
|
||||
expect(s.exchangeCodeForToken(doc, 'code', 'redir', 'cid', 'secret', 'verifier')).toEqual({ _ok: true });
|
||||
expect(oidc.exchangeCodeForToken).toHaveBeenCalledWith(doc, 'code', 'redir', 'cid', 'secret', 'verifier');
|
||||
});
|
||||
|
||||
it('verifyIdToken spreads all arguments through', () => {
|
||||
oidc.verifyIdToken.mockReturnValue({ ok: true });
|
||||
const doc = { issuer: 'https://idp' } as never;
|
||||
expect(s.verifyIdToken('id_token', doc, 'cid', 'https://idp')).toEqual({ ok: true });
|
||||
expect(oidc.verifyIdToken).toHaveBeenCalledWith('id_token', doc, 'cid', 'https://idp');
|
||||
});
|
||||
|
||||
it('getUserInfo forwards the endpoint and access token', () => {
|
||||
oidc.getUserInfo.mockReturnValue({ email: 'a@b.c' });
|
||||
expect(s.getUserInfo('https://idp/ui', 'at')).toEqual({ email: 'a@b.c' });
|
||||
expect(oidc.getUserInfo).toHaveBeenCalledWith('https://idp/ui', 'at');
|
||||
});
|
||||
|
||||
it('findOrCreateUser spreads all arguments through', () => {
|
||||
const result = { user: { id: 1 } };
|
||||
oidc.findOrCreateUser.mockReturnValue(result);
|
||||
const info = { email: 'a@b.c' } as never;
|
||||
const cfg = { issuer: 'https://idp' } as never;
|
||||
expect(s.findOrCreateUser(info, cfg, 'inv')).toBe(result);
|
||||
expect(oidc.findOrCreateUser).toHaveBeenCalledWith(info, cfg, 'inv');
|
||||
});
|
||||
|
||||
it('touchLastLogin forwards the user id', () => {
|
||||
s.touchLastLogin(42);
|
||||
expect(oidc.touchLastLogin).toHaveBeenCalledWith(42);
|
||||
});
|
||||
|
||||
it('generateToken forwards the user', () => {
|
||||
oidc.generateToken.mockReturnValue('jwt');
|
||||
expect(s.generateToken({ id: 7 })).toBe('jwt');
|
||||
expect(oidc.generateToken).toHaveBeenCalledWith({ id: 7 });
|
||||
});
|
||||
|
||||
it('createAuthCode forwards the token', () => {
|
||||
oidc.createAuthCode.mockReturnValue('ac');
|
||||
expect(s.createAuthCode('jwt')).toBe('ac');
|
||||
expect(oidc.createAuthCode).toHaveBeenCalledWith('jwt');
|
||||
});
|
||||
|
||||
it('consumeAuthCode forwards the code', () => {
|
||||
oidc.consumeAuthCode.mockReturnValue({ token: 'jwt' });
|
||||
expect(s.consumeAuthCode('ac')).toEqual({ token: 'jwt' });
|
||||
expect(oidc.consumeAuthCode).toHaveBeenCalledWith('ac');
|
||||
});
|
||||
|
||||
it('frontendUrl forwards the path', () => {
|
||||
oidc.frontendUrl.mockReturnValue('https://app/login');
|
||||
expect(s.frontendUrl('/login')).toBe('https://app/login');
|
||||
expect(oidc.frontendUrl).toHaveBeenCalledWith('/login');
|
||||
});
|
||||
|
||||
it('setAuthCookie forwards res, token and req to the cookie helper', () => {
|
||||
const res = {} as Response;
|
||||
const req = {} as Request;
|
||||
s.setAuthCookie(res, 'jwt', req);
|
||||
expect(setAuthCookie).toHaveBeenCalledWith(res, 'jwt', req);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,346 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { PackingController } from '../../../src/nest/packing/packing.controller';
|
||||
import type { PackingService } from '../../../src/nest/packing/packing.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const admin = { id: 1, role: 'admin', email: 'a@example.test' } as User;
|
||||
const trip = { id: 5, user_id: 1 };
|
||||
|
||||
/** Service mock with trip access granted + edit allowed by default. */
|
||||
function makeService(overrides: Partial<PackingService> = {}): PackingService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
notifyTagged: vi.fn(),
|
||||
...overrides,
|
||||
} as unknown as PackingService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('PackingController (parity with the legacy /api/trips/:tripId/packing route)', () => {
|
||||
it('404 when the trip is not accessible', () => {
|
||||
const svc = makeService({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new PackingController(svc).list(user, '5'))).toEqual({
|
||||
status: 404, body: { error: 'Trip not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('GET / returns items for an accessible trip', () => {
|
||||
const svc = makeService({ listItems: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).list(user, '5')).toEqual({ items: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
describe('POST / (create)', () => {
|
||||
it('403 without packing_edit permission', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new PackingController(svc).create(user, '5', { name: 'Socks' }))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 when name missing', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new PackingController(svc).create(user, '5', {}))).toEqual({
|
||||
status: 400, body: { error: 'Item name is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('creates an item and broadcasts', () => {
|
||||
const createItem = vi.fn().mockReturnValue({ id: 9, name: 'Socks' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ createItem, broadcast } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).create(user, '5', { name: 'Socks' }, 'sock')).toEqual({ item: { id: 9, name: 'Socks' } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:created', { item: { id: 9, name: 'Socks' } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('GET / lists items for the trip (success path)', () => {
|
||||
const listItems = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }]);
|
||||
const svc = makeService({ listItems } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).list(user, '5')).toEqual({ items: [{ id: 1 }, { id: 2 }] });
|
||||
expect(listItems).toHaveBeenCalledWith('5');
|
||||
});
|
||||
|
||||
describe('POST /import', () => {
|
||||
it('400 when items is not a non-empty array (empty array)', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new PackingController(svc).importItems(user, '5', []))).toEqual({
|
||||
status: 400, body: { error: 'items must be a non-empty array' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 when items is not an array at all (non-array branch)', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new PackingController(svc).importItems(user, '5', 'nope'))).toEqual({
|
||||
status: 400, body: { error: 'items must be a non-empty array' },
|
||||
});
|
||||
});
|
||||
|
||||
it('403 without packing_edit permission', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new PackingController(svc).importItems(user, '5', [{ name: 'a' }]))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
|
||||
it('imports and broadcasts per item', () => {
|
||||
const bulkImport = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }]);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ bulkImport, broadcast } as Partial<PackingService>);
|
||||
const res = new PackingController(svc).importItems(user, '5', [{ name: 'a' }, { name: 'b' }], 'sock');
|
||||
expect(res).toEqual({ items: [{ id: 1 }, { id: 2 }], count: 2 });
|
||||
expect(broadcast).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id (update)', () => {
|
||||
it('404 when the item is missing', () => {
|
||||
const svc = makeService({ updateItem: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).update(user, '5', '9', { name: 'X' }))).toEqual({
|
||||
status: 404, body: { error: 'Item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('updates, forwards changed keys, and broadcasts', () => {
|
||||
const updateItem = vi.fn().mockReturnValue({ id: 9, name: 'X' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ updateItem, broadcast } as Partial<PackingService>);
|
||||
new PackingController(svc).update(user, '5', '9', { name: 'X', checked: true }, 'sock');
|
||||
expect(updateItem).toHaveBeenCalledWith('5', '9', expect.objectContaining({ name: 'X', checked: true }), ['name', 'checked']);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:updated', { item: { id: 9, name: 'X' } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /reorder', () => {
|
||||
it('reorders the items and reports success', () => {
|
||||
const reorderItems = vi.fn();
|
||||
const svc = makeService({ reorderItems } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).reorder(user, '5', [3, 1, 2])).toEqual({ success: true });
|
||||
expect(reorderItems).toHaveBeenCalledWith('5', [3, 1, 2]);
|
||||
});
|
||||
|
||||
it('403 without packing_edit permission', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new PackingController(svc).reorder(user, '5', [1]))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id (remove)', () => {
|
||||
it('404 when the item is missing', () => {
|
||||
const svc = makeService({ deleteItem: vi.fn().mockReturnValue(false) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).remove(user, '5', '9'))).toEqual({
|
||||
status: 404, body: { error: 'Item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('deletes the item and broadcasts', () => {
|
||||
const deleteItem = vi.fn().mockReturnValue(true);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ deleteItem, broadcast } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).remove(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:deleted', { itemId: 9 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('bags', () => {
|
||||
it('GET /bags lists bags for the trip', () => {
|
||||
const listBags = vi.fn().mockReturnValue([{ id: 3, name: 'Carry-on' }]);
|
||||
const svc = makeService({ listBags } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).listBags(user, '5')).toEqual({ bags: [{ id: 3, name: 'Carry-on' }] });
|
||||
});
|
||||
|
||||
it('400 on bag create with blank name', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new PackingController(svc).createBag(user, '5', { name: ' ' }))).toEqual({
|
||||
status: 400, body: { error: 'Name is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 on bag create with no name at all (optional-chain short-circuit)', () => {
|
||||
const svc = makeService();
|
||||
expect(thrown(() => new PackingController(svc).createBag(user, '5', {}))).toEqual({
|
||||
status: 400, body: { error: 'Name is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('creates a bag and broadcasts', () => {
|
||||
const createBag = vi.fn().mockReturnValue({ id: 3, name: 'Carry-on' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ createBag, broadcast } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).createBag(user, '5', { name: 'Carry-on', color: '#fff' }, 'sock')).toEqual({
|
||||
bag: { id: 3, name: 'Carry-on' },
|
||||
});
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-created', { bag: { id: 3, name: 'Carry-on' } }, 'sock');
|
||||
});
|
||||
|
||||
it('404 on bag update when missing', () => {
|
||||
const svc = makeService({ updateBag: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).updateBag(user, '5', '3', { name: 'X' }))).toEqual({
|
||||
status: 404, body: { error: 'Bag not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('updates a bag, forwards changed keys and broadcasts', () => {
|
||||
const updateBag = vi.fn().mockReturnValue({ id: 3, name: 'X' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ updateBag, broadcast } as Partial<PackingService>);
|
||||
new PackingController(svc).updateBag(user, '5', '3', { name: 'X', color: '#000' }, 'sock');
|
||||
expect(updateBag).toHaveBeenCalledWith('5', '3', expect.objectContaining({ name: 'X', color: '#000' }), ['name', 'color']);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-updated', { bag: { id: 3, name: 'X' } }, 'sock');
|
||||
});
|
||||
|
||||
it('404 on bag delete when missing', () => {
|
||||
const svc = makeService({ deleteBag: vi.fn().mockReturnValue(false) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).deleteBag(user, '5', '3'))).toEqual({
|
||||
status: 404, body: { error: 'Bag not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('deletes a bag and broadcasts', () => {
|
||||
const deleteBag = vi.fn().mockReturnValue(true);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ deleteBag, broadcast } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).deleteBag(user, '5', '3', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-deleted', { bagId: 3 }, 'sock');
|
||||
});
|
||||
|
||||
it('404 on set-members when the bag is missing', () => {
|
||||
const svc = makeService({ setBagMembers: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).setBagMembers(user, '5', '3', [1, 2]))).toEqual({
|
||||
status: 404, body: { error: 'Bag not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('sets bag members and broadcasts (array branch)', () => {
|
||||
const setBagMembers = vi.fn().mockReturnValue([{ user_id: 1 }, { user_id: 2 }]);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ setBagMembers, broadcast } as Partial<PackingService>);
|
||||
const res = new PackingController(svc).setBagMembers(user, '5', '3', [1, 2], 'sock');
|
||||
expect(res).toEqual({ members: [{ user_id: 1 }, { user_id: 2 }] });
|
||||
expect(setBagMembers).toHaveBeenCalledWith('5', '3', [1, 2]);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-members-updated', { bagId: 3, members: [{ user_id: 1 }, { user_id: 2 }] }, 'sock');
|
||||
});
|
||||
|
||||
it('coerces non-array members to an empty list (ternary else branch)', () => {
|
||||
const setBagMembers = vi.fn().mockReturnValue([]);
|
||||
const svc = makeService({ setBagMembers } as Partial<PackingService>);
|
||||
new PackingController(svc).setBagMembers(user, '5', '3', 'not-an-array');
|
||||
expect(setBagMembers).toHaveBeenCalledWith('5', '3', []);
|
||||
});
|
||||
});
|
||||
|
||||
describe('templates', () => {
|
||||
it('GET /templates returns the template list for an accessible trip', () => {
|
||||
const listTemplates = vi.fn().mockReturnValue([{ id: 1, name: 'Beach', item_count: 4 }]);
|
||||
const svc = makeService({ listTemplates } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).listTemplates(user, '5')).toEqual({
|
||||
templates: [{ id: 1, name: 'Beach', item_count: 4 }],
|
||||
});
|
||||
});
|
||||
|
||||
it('404 when applying a missing/empty template (POST stays 200 otherwise)', () => {
|
||||
const svc = makeService({ applyTemplate: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).applyTemplate(user, '5', 't1'))).toEqual({
|
||||
status: 404, body: { error: 'Template not found or empty' },
|
||||
});
|
||||
});
|
||||
|
||||
it('applies a template, broadcasts the added items and reports the count', () => {
|
||||
const applyTemplate = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }, { id: 3 }]);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ applyTemplate, broadcast } as Partial<PackingService>);
|
||||
const res = new PackingController(svc).applyTemplate(user, '5', 't1', 'sock');
|
||||
expect(res).toEqual({ items: [{ id: 1 }, { id: 2 }, { id: 3 }], count: 3 });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:template-applied', { items: [{ id: 1 }, { id: 2 }, { id: 3 }] }, 'sock');
|
||||
});
|
||||
|
||||
it('400 when an admin saves a template with no name (whitespace)', () => {
|
||||
const saveAsTemplate = vi.fn();
|
||||
const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).saveAsTemplate(admin, '5', ' '))).toEqual({
|
||||
status: 400, body: { error: 'Template name is required' },
|
||||
});
|
||||
expect(saveAsTemplate).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 when an admin saves a template with no name at all (optional-chain)', () => {
|
||||
const saveAsTemplate = vi.fn();
|
||||
const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).saveAsTemplate(admin, '5'))).toEqual({
|
||||
status: 400, body: { error: 'Template name is required' },
|
||||
});
|
||||
expect(saveAsTemplate).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('403 when a non-admin tries to save a template', () => {
|
||||
const saveAsTemplate = vi.fn();
|
||||
const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).saveAsTemplate(user, '5', 'My template'))).toEqual({
|
||||
status: 403, body: { error: 'Admin access required' },
|
||||
});
|
||||
expect(saveAsTemplate).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('400 when an admin saves a template with no items', () => {
|
||||
const svc = makeService({ saveAsTemplate: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
|
||||
expect(thrown(() => new PackingController(svc).saveAsTemplate(admin, '5', 'My template'))).toEqual({
|
||||
status: 400, body: { error: 'No items to save' },
|
||||
});
|
||||
});
|
||||
|
||||
it('saves a template for an admin', () => {
|
||||
const saveAsTemplate = vi.fn().mockReturnValue({ id: 7, name: 'My template' });
|
||||
const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).saveAsTemplate(admin, '5', 'My template')).toEqual({
|
||||
template: { id: 7, name: 'My template' },
|
||||
});
|
||||
expect(saveAsTemplate).toHaveBeenCalledWith('5', admin.id, 'My template');
|
||||
});
|
||||
});
|
||||
|
||||
describe('category assignees', () => {
|
||||
it('GET /category-assignees returns the assignee list for an accessible trip', () => {
|
||||
const getCategoryAssignees = vi.fn().mockReturnValue([{ category: 'Clothes', user_id: 2 }]);
|
||||
const svc = makeService({ getCategoryAssignees } as Partial<PackingService>);
|
||||
expect(new PackingController(svc).categoryAssignees(user, '5')).toEqual({
|
||||
assignees: [{ category: 'Clothes', user_id: 2 }],
|
||||
});
|
||||
expect(getCategoryAssignees).toHaveBeenCalledWith('5');
|
||||
});
|
||||
|
||||
it('decodes the URI-encoded category name before forwarding', () => {
|
||||
const updateCategoryAssignees = vi.fn().mockReturnValue([]);
|
||||
const broadcast = vi.fn();
|
||||
const notifyTagged = vi.fn();
|
||||
const svc = makeService({ updateCategoryAssignees, broadcast, notifyTagged } as Partial<PackingService>);
|
||||
new PackingController(svc).updateCategoryAssignees(user, '5', 'Toys%20%26%20Games', [2]);
|
||||
expect(updateCategoryAssignees).toHaveBeenCalledWith('5', 'Toys & Games', [2]);
|
||||
});
|
||||
|
||||
it('updates assignees, broadcasts and fires the tag notification', () => {
|
||||
const updateCategoryAssignees = vi.fn().mockReturnValue([{ user_id: 2 }]);
|
||||
const broadcast = vi.fn();
|
||||
const notifyTagged = vi.fn();
|
||||
const svc = makeService({ updateCategoryAssignees, broadcast, notifyTagged } as Partial<PackingService>);
|
||||
const res = new PackingController(svc).updateCategoryAssignees(user, '5', 'Clothes', [2], 'sock');
|
||||
expect(res).toEqual({ assignees: [{ user_id: 2 }] });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:assignees', { category: 'Clothes', assignees: [{ user_id: 2 }] }, 'sock');
|
||||
expect(notifyTagged).toHaveBeenCalledWith('5', user, 'Clothes', [2]);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,105 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
const { dbMock } = vi.hoisted(() => {
|
||||
const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
|
||||
return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
|
||||
});
|
||||
vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast }));
|
||||
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { pk } = vi.hoisted(() => ({
|
||||
pk: {
|
||||
verifyTripAccess: vi.fn(), listItems: vi.fn(), createItem: vi.fn(), updateItem: vi.fn(), deleteItem: vi.fn(),
|
||||
bulkImport: vi.fn(), listBags: vi.fn(), createBag: vi.fn(), updateBag: vi.fn(), deleteBag: vi.fn(),
|
||||
listTemplates: vi.fn(), applyTemplate: vi.fn(), saveAsTemplate: vi.fn(), setBagMembers: vi.fn(), getCategoryAssignees: vi.fn(),
|
||||
updateCategoryAssignees: vi.fn(), reorderItems: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/packingService', () => pk);
|
||||
|
||||
const { send } = vi.hoisted(() => ({ send: vi.fn(() => Promise.resolve()) }));
|
||||
vi.mock('../../../src/services/notificationService', () => ({ send }));
|
||||
|
||||
import { PackingService } from '../../../src/nest/packing/packing.service';
|
||||
|
||||
function svc() {
|
||||
return new PackingService();
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('PackingService (wrapper delegation + helpers)', () => {
|
||||
it('canEdit delegates to checkPermission with packing_edit', () => {
|
||||
svc().canEdit({ user_id: 2 } as never, { id: 1, role: 'user' } as never);
|
||||
expect(checkPermission).toHaveBeenCalledWith('packing_edit', 'user', 2, 1, true);
|
||||
});
|
||||
|
||||
it('broadcast forwards to the websocket helper', () => {
|
||||
svc().broadcast('5', 'packing:created', { item: 1 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'packing:created', { item: 1 }, 'sock');
|
||||
});
|
||||
|
||||
it('forwards every item/bag/template/assignee call to the legacy service', () => {
|
||||
const s = svc();
|
||||
s.verifyTripAccess('5', 1); expect(pk.verifyTripAccess).toHaveBeenCalledWith('5', 1);
|
||||
s.listItems('5'); expect(pk.listItems).toHaveBeenCalledWith('5');
|
||||
s.createItem('5', { name: 'a' }); expect(pk.createItem).toHaveBeenCalledWith('5', { name: 'a' });
|
||||
s.updateItem('5', '2', { name: 'b' } as never, ['name']); expect(pk.updateItem).toHaveBeenCalledWith('5', '2', { name: 'b' }, ['name']);
|
||||
s.deleteItem('5', '2'); expect(pk.deleteItem).toHaveBeenCalledWith('5', '2');
|
||||
s.bulkImport('5', [{ name: 'x' }] as never); expect(pk.bulkImport).toHaveBeenCalledWith('5', [{ name: 'x' }]);
|
||||
s.reorderItems('5', [3, 1] as never); expect(pk.reorderItems).toHaveBeenCalledWith('5', [3, 1]);
|
||||
s.listBags('5'); expect(pk.listBags).toHaveBeenCalledWith('5');
|
||||
s.createBag('5', { name: 'Bag' }); expect(pk.createBag).toHaveBeenCalledWith('5', { name: 'Bag' });
|
||||
s.updateBag('5', '2', { name: 'B' } as never, ['name']); expect(pk.updateBag).toHaveBeenCalledWith('5', '2', { name: 'B' }, ['name']);
|
||||
s.deleteBag('5', '2'); expect(pk.deleteBag).toHaveBeenCalledWith('5', '2');
|
||||
s.setBagMembers('5', '2', [1, 2]); expect(pk.setBagMembers).toHaveBeenCalledWith('5', '2', [1, 2]);
|
||||
s.listTemplates(); expect(pk.listTemplates).toHaveBeenCalled();
|
||||
s.applyTemplate('5', 't1'); expect(pk.applyTemplate).toHaveBeenCalledWith('5', 't1');
|
||||
s.saveAsTemplate('5', 1, 'Tpl'); expect(pk.saveAsTemplate).toHaveBeenCalledWith('5', 1, 'Tpl');
|
||||
s.getCategoryAssignees('5'); expect(pk.getCategoryAssignees).toHaveBeenCalledWith('5');
|
||||
s.updateCategoryAssignees('5', 'Clothes', [2]); expect(pk.updateCategoryAssignees).toHaveBeenCalledWith('5', 'Clothes', [2]);
|
||||
});
|
||||
|
||||
describe('notifyTagged', () => {
|
||||
it('does nothing when no users are tagged', () => {
|
||||
svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', []);
|
||||
svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', 'nope');
|
||||
expect(dbMock.prepare).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('fires the notification when users are tagged (fire-and-forget, no throw)', () => {
|
||||
expect(() => svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2, 3])).not.toThrow();
|
||||
});
|
||||
|
||||
it('queries the trip title and dispatches the notification with the resolved title', async () => {
|
||||
dbMock._stmt.get.mockReturnValue({ title: 'Iceland 2026' });
|
||||
svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2, 3]);
|
||||
// Flush the dynamic import().then microtask chain.
|
||||
await new Promise((resolve) => setTimeout(resolve, 0));
|
||||
expect(dbMock.prepare).toHaveBeenCalledWith('SELECT title FROM trips WHERE id = ?');
|
||||
expect(send).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
event: 'packing_tagged',
|
||||
actorId: 1,
|
||||
scope: 'trip',
|
||||
targetId: 5,
|
||||
params: expect.objectContaining({ trip: 'Iceland 2026', actor: 'a@b.c', category: 'Clothes', tripId: '5' }),
|
||||
}),
|
||||
);
|
||||
});
|
||||
|
||||
it('falls back to "Untitled" when the trip row is missing (?? / default branch)', async () => {
|
||||
dbMock._stmt.get.mockReturnValue(undefined);
|
||||
svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2]);
|
||||
await new Promise((resolve) => setTimeout(resolve, 0));
|
||||
expect(send).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ params: expect.objectContaining({ trip: 'Untitled' }) }),
|
||||
);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,228 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { PlacesController } from '../../../src/nest/places/places.controller';
|
||||
import type { PlacesService } from '../../../src/nest/places/places.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { user_id: 1 };
|
||||
|
||||
function svc(o: Partial<PlacesService> = {}): PlacesService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip), canEdit: vi.fn().mockReturnValue(true), broadcast: vi.fn(),
|
||||
onCreated: vi.fn(), onUpdated: vi.fn(), onDeleted: vi.fn(),
|
||||
...o,
|
||||
} as unknown as PlacesService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try { await fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.spyOn(console, 'error').mockImplementation(() => {}));
|
||||
|
||||
describe('PlacesController (parity with the legacy /api/trips/:tripId/places route)', () => {
|
||||
it('GET / lists with filters; 404 when trip not accessible', () => {
|
||||
expect(thrown(() => new PlacesController(svc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).list(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const list = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
expect(new PlacesController(svc({ list } as Partial<PlacesService>)).list(user, '5', 'beach', 'cat', 'tag')).toEqual({ places: [{ id: 1 }] });
|
||||
expect(list).toHaveBeenCalledWith('5', { search: 'beach', category: 'cat', tag: 'tag' });
|
||||
});
|
||||
|
||||
describe('POST / (create)', () => {
|
||||
it('400 on an over-long name (length guard before permission)', () => {
|
||||
const canEdit = vi.fn().mockReturnValue(false); // would 403 if reached
|
||||
expect(thrown(() => new PlacesController(svc({ canEdit })).create(user, '5', { name: 'x'.repeat(201) }))).toEqual({
|
||||
status: 400, body: { error: 'name must be 200 characters or less' },
|
||||
});
|
||||
expect(canEdit).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('403 without place_edit, 400 without name, then creates + hooks', () => {
|
||||
expect(thrown(() => new PlacesController(svc({ canEdit: vi.fn().mockReturnValue(false) })).create(user, '5', { name: 'Spot' }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(thrown(() => new PlacesController(svc()).create(user, '5', {}))).toEqual({ status: 400, body: { error: 'Place name is required' } });
|
||||
const create = vi.fn().mockReturnValue({ id: 9 }); const broadcast = vi.fn(); const onCreated = vi.fn();
|
||||
const s = svc({ create, broadcast, onCreated } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).create(user, '5', { name: 'Spot' }, 'sock')).toEqual({ place: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'place:created', { place: { id: 9 } }, 'sock');
|
||||
expect(onCreated).toHaveBeenCalledWith('5', 9);
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /import/gpx', () => {
|
||||
const file = { buffer: Buffer.from('gpx'), originalname: 'r.gpx' } as Express.Multer.File;
|
||||
it('400 without a file', () => {
|
||||
expect(thrown(() => new PlacesController(svc()).importGpx(user, '5', undefined, {}))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
});
|
||||
it('400 when all import types are disabled', () => {
|
||||
expect(thrown(() => new PlacesController(svc()).importGpx(user, '5', file, { importWaypoints: 'false', importRoutes: 'false', importTracks: 'false' }))).toEqual({
|
||||
status: 400, body: { error: 'No import types selected' },
|
||||
});
|
||||
});
|
||||
it('400 when the GPX yields nothing', () => {
|
||||
expect(thrown(() => new PlacesController(svc({ importGpx: vi.fn().mockReturnValue(null) } as Partial<PlacesService>)).importGpx(user, '5', file, {}))).toEqual({
|
||||
status: 400, body: { error: 'No matching places found in GPX file' },
|
||||
});
|
||||
});
|
||||
it('imports and broadcasts per place', () => {
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ importGpx: vi.fn().mockReturnValue({ places: [{ id: 1 }, { id: 2 }], count: 2, skipped: 0 }), broadcast } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).importGpx(user, '5', file, {}, 'sock')).toEqual({ places: [{ id: 1 }, { id: 2 }], count: 2, skipped: 0 });
|
||||
expect(broadcast).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /import/map', () => {
|
||||
const file = { buffer: Buffer.from('<kml/>'), originalname: 'm.kml' } as Express.Multer.File;
|
||||
it('400 without a file', async () => {
|
||||
expect(await thrownAsync(() => new PlacesController(svc()).importMap(user, '5', undefined, {}))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
|
||||
});
|
||||
it('403 without place_edit (permission runs before the file check)', async () => {
|
||||
const importMapFile = vi.fn();
|
||||
const s = svc({ canEdit: vi.fn().mockReturnValue(false), importMapFile } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importMap(user, '5', file, {}))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
expect(importMapFile).not.toHaveBeenCalled();
|
||||
});
|
||||
it('400 when both import types are disabled', async () => {
|
||||
expect(await thrownAsync(() => new PlacesController(svc()).importMap(user, '5', file, { importPoints: 'false', importPaths: 'false' }))).toEqual({
|
||||
status: 400, body: { error: 'No import types selected' },
|
||||
});
|
||||
});
|
||||
it('400 when the map file has no Placemarks (and carries the summary through)', async () => {
|
||||
const summary = { totalPlacemarks: 0 };
|
||||
const s = svc({ importMapFile: vi.fn().mockResolvedValue({ places: [], summary }) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importMap(user, '5', file, {}))).toEqual({
|
||||
status: 400, body: { error: 'No valid Placemarks found in map file', summary },
|
||||
});
|
||||
});
|
||||
it('imports, broadcasts per place + returns the service result', async () => {
|
||||
const broadcast = vi.fn();
|
||||
const result = { places: [{ id: 1 }, { id: 2 }], summary: { totalPlacemarks: 2 }, count: 2 };
|
||||
const s = svc({ importMapFile: vi.fn().mockResolvedValue(result), broadcast } as Partial<PlacesService>);
|
||||
expect(await new PlacesController(s).importMap(user, '5', file, {}, 'sock')).toEqual(result);
|
||||
expect(broadcast).toHaveBeenCalledTimes(2);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'place:created', { place: { id: 1 } }, 'sock');
|
||||
});
|
||||
it('passes a missing summary through (no zero-placemark guard) and still imports', async () => {
|
||||
const result = { places: [{ id: 7 }] };
|
||||
const s = svc({ importMapFile: vi.fn().mockResolvedValue(result), broadcast: vi.fn() } as Partial<PlacesService>);
|
||||
expect(await new PlacesController(s).importMap(user, '5', file, {})).toEqual(result);
|
||||
});
|
||||
it('wraps a thrown Error from the service in a 400 with its message', async () => {
|
||||
const s = svc({ importMapFile: vi.fn().mockRejectedValue(new Error('bad kml')) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importMap(user, '5', file, {}))).toEqual({ status: 400, body: { error: 'bad kml' } });
|
||||
});
|
||||
it('falls back to a generic 400 message for a non-Error rejection', async () => {
|
||||
const s = svc({ importMapFile: vi.fn().mockRejectedValue('boom') } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importMap(user, '5', file, {}))).toEqual({ status: 400, body: { error: 'Failed to import map file' } });
|
||||
});
|
||||
it('re-throws an HttpException raised inside the try untouched', async () => {
|
||||
const s = svc({ importMapFile: vi.fn().mockRejectedValue(new HttpException({ error: 'teapot' }, 418)) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importMap(user, '5', file, {}))).toEqual({ status: 418, body: { error: 'teapot' } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /import/google-list + naver-list', () => {
|
||||
it('400 without a url', async () => {
|
||||
expect(await thrownAsync(() => new PlacesController(svc()).importGoogle(user, '5', undefined))).toEqual({ status: 400, body: { error: 'URL is required' } });
|
||||
});
|
||||
it('400 when url is the wrong type (not a string)', async () => {
|
||||
expect(await thrownAsync(() => new PlacesController(svc()).importNaver(user, '5', 123))).toEqual({ status: 400, body: { error: 'URL is required' } });
|
||||
});
|
||||
it('maps a service { error, status } to the same response', async () => {
|
||||
const s = svc({ importGoogleList: vi.fn().mockResolvedValue({ error: 'List is empty', status: 400 }) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importGoogle(user, '5', 'http://x'))).toEqual({ status: 400, body: { error: 'List is empty' } });
|
||||
});
|
||||
it('imports a naver list and returns the count + listName', async () => {
|
||||
const s = svc({ importNaverList: vi.fn().mockResolvedValue({ places: [{ id: 1 }], listName: 'Trip', skipped: 2 }), broadcast: vi.fn() } as Partial<PlacesService>);
|
||||
expect(await new PlacesController(s).importNaver(user, '5', 'http://x')).toEqual({ places: [{ id: 1 }], count: 1, listName: 'Trip', skipped: 2 });
|
||||
});
|
||||
it('forwards the enrich flag + userId and broadcasts each imported place', async () => {
|
||||
const importGoogleList = vi.fn().mockResolvedValue({ places: [{ id: 1 }, { id: 2 }], listName: 'L', skipped: 0 });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ importGoogleList, broadcast } as Partial<PlacesService>);
|
||||
expect(await new PlacesController(s).importGoogle(user, '5', 'http://x', 'true', 'sock')).toEqual({ places: [{ id: 1 }, { id: 2 }], count: 2, listName: 'L', skipped: 0 });
|
||||
expect(importGoogleList).toHaveBeenCalledWith('5', 'http://x', { enrich: true, userId: 1 });
|
||||
expect(broadcast).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
it('wraps a thrown Error in the provider-specific 400 (Google)', async () => {
|
||||
const s = svc({ importGoogleList: vi.fn().mockRejectedValue(new Error('network down')) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importGoogle(user, '5', 'http://x'))).toEqual({
|
||||
status: 400, body: { error: 'Failed to import Google Maps list. Make sure the list is shared publicly.' },
|
||||
});
|
||||
});
|
||||
it('wraps a non-Error rejection in the provider-specific 400 (Naver)', async () => {
|
||||
const s = svc({ importNaverList: vi.fn().mockRejectedValue('weird') } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(s).importNaver(user, '5', 'http://x'))).toEqual({
|
||||
status: 400, body: { error: 'Failed to import Naver Maps list. Make sure the list is shared publicly.' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /bulk-delete', () => {
|
||||
it('400 when ids is not an array of numbers', () => {
|
||||
expect(thrown(() => new PlacesController(svc()).bulkDelete(user, '5', ['a']))).toEqual({ status: 400, body: { error: 'ids must be an array of numbers' } });
|
||||
});
|
||||
it('returns empty for an empty list without touching the service', () => {
|
||||
const removeMany = vi.fn();
|
||||
expect(new PlacesController(svc({ removeMany } as Partial<PlacesService>)).bulkDelete(user, '5', [])).toEqual({ deleted: [], count: 0 });
|
||||
expect(removeMany).not.toHaveBeenCalled();
|
||||
});
|
||||
it('deletes, fires hooks + broadcasts per deleted id', () => {
|
||||
const removeMany = vi.fn().mockReturnValue([1, 2]); const onDeleted = vi.fn(); const broadcast = vi.fn();
|
||||
const s = svc({ removeMany, onDeleted, broadcast } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).bulkDelete(user, '5', [1, 2], 'sock')).toEqual({ deleted: [1, 2], count: 2 });
|
||||
expect(onDeleted).toHaveBeenCalledTimes(2);
|
||||
expect(broadcast).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /:id returns the place when found, 404 when missing', () => {
|
||||
expect(thrown(() => new PlacesController(svc({ get: vi.fn().mockReturnValue(undefined) } as Partial<PlacesService>)).get(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Place not found' } });
|
||||
const s = svc({ get: vi.fn().mockReturnValue({ id: 9 }) } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).get(user, '5', '9')).toEqual({ place: { id: 9 } });
|
||||
});
|
||||
|
||||
it('PUT /:id 404 when missing, else updates + hooks', () => {
|
||||
expect(thrown(() => new PlacesController(svc({ update: vi.fn().mockReturnValue(null) } as Partial<PlacesService>)).update(user, '5', '9', { name: 'X' }))).toEqual({ status: 404, body: { error: 'Place not found' } });
|
||||
const update = vi.fn().mockReturnValue({ id: 9 }); const onUpdated = vi.fn(); const broadcast = vi.fn();
|
||||
const s = svc({ update, onUpdated, broadcast } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).update(user, '5', '9', { name: 'X' }, 'sock')).toEqual({ place: { id: 9 } });
|
||||
expect(onUpdated).toHaveBeenCalledWith(9);
|
||||
});
|
||||
|
||||
it('DELETE /:id fires the hook then 404 / success', () => {
|
||||
const onDeleted = vi.fn();
|
||||
expect(thrown(() => new PlacesController(svc({ remove: vi.fn().mockReturnValue(false), onDeleted } as Partial<PlacesService>)).remove(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Place not found' } });
|
||||
expect(onDeleted).toHaveBeenCalledWith(9);
|
||||
const s = svc({ remove: vi.fn().mockReturnValue(true), broadcast: vi.fn() } as Partial<PlacesService>);
|
||||
expect(new PlacesController(s).remove(user, '5', '9')).toEqual({ success: true });
|
||||
});
|
||||
|
||||
it('GET /:id/image maps service error + returns photos', async () => {
|
||||
const s = svc({ searchImage: vi.fn().mockResolvedValue({ photos: [{ url: 'x' }] }) } as Partial<PlacesService>);
|
||||
expect(await new PlacesController(s).image(user, '5', '9')).toEqual({ photos: [{ url: 'x' }] });
|
||||
const e = svc({ searchImage: vi.fn().mockResolvedValue({ error: 'No key', status: 400 }) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(e).image(user, '5', '9'))).toEqual({ status: 400, body: { error: 'No key' } });
|
||||
});
|
||||
|
||||
it('GET /:id/image turns an unexpected throw into a 500, but re-throws an HttpException as-is', async () => {
|
||||
const boom = svc({ searchImage: vi.fn().mockRejectedValue(new Error('Unsplash down')) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(boom).image(user, '5', '9'))).toEqual({ status: 500, body: { error: 'Error searching for image' } });
|
||||
const http = svc({ searchImage: vi.fn().mockRejectedValue(new HttpException({ error: 'rate limited' }, 429)) } as Partial<PlacesService>);
|
||||
expect(await thrownAsync(() => new PlacesController(http).image(user, '5', '9'))).toEqual({ status: 429, body: { error: 'rate limited' } });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,513 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
import { NotFoundException } from '@nestjs/common';
|
||||
|
||||
// --- hoisted mock fns so the vi.mock factories can reference them -----------------
|
||||
const h = vi.hoisted(() => ({
|
||||
verifyJwtAndLoadUser: vi.fn(),
|
||||
isAddonEnabled: vi.fn(),
|
||||
getMcpSafeUrl: vi.fn(() => 'https://trek.example.test'),
|
||||
dbPrepare: vi.fn(),
|
||||
existsSync: vi.fn(),
|
||||
// SDK middleware spies — each returns a tagged handler so we can identify which
|
||||
// app.use call received it.
|
||||
metaRouter: vi.fn(),
|
||||
authorizeHandler: vi.fn(),
|
||||
registerHandler: vi.fn(),
|
||||
mcpHandler: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('../../../src/middleware/auth', () => ({ verifyJwtAndLoadUser: h.verifyJwtAndLoadUser }));
|
||||
vi.mock('../../../src/db/database', () => ({ db: { prepare: h.dbPrepare } }));
|
||||
vi.mock('../../../src/mcp', () => ({ mcpHandler: h.mcpHandler }));
|
||||
vi.mock('../../../src/mcp/oauthProvider', () => ({ trekOAuthProvider: {}, trekClientsStore: {} }));
|
||||
vi.mock('../../../src/services/adminService', () => ({ isAddonEnabled: h.isAddonEnabled }));
|
||||
vi.mock('../../../src/services/notifications', () => ({ getMcpSafeUrl: h.getMcpSafeUrl }));
|
||||
|
||||
// SDK router/handler factories return distinct tagged middleware so we never hit
|
||||
// real new URL(...) wiring during registration.
|
||||
vi.mock('@modelcontextprotocol/sdk/server/auth/router', () => ({
|
||||
mcpAuthMetadataRouter: vi.fn(() => h.metaRouter),
|
||||
}));
|
||||
vi.mock('@modelcontextprotocol/sdk/server/auth/handlers/authorize', () => ({
|
||||
authorizationHandler: vi.fn(() => h.authorizeHandler),
|
||||
}));
|
||||
vi.mock('@modelcontextprotocol/sdk/server/auth/handlers/register', () => ({
|
||||
clientRegistrationHandler: vi.fn(() => h.registerHandler),
|
||||
}));
|
||||
|
||||
vi.mock('node:fs', async (orig) => {
|
||||
const real = (await orig()) as Record<string, unknown>;
|
||||
return { ...real, default: { ...(real.default as object), existsSync: h.existsSync }, existsSync: h.existsSync };
|
||||
});
|
||||
|
||||
import {
|
||||
applyPlatformUploads,
|
||||
applyPlatformTransport,
|
||||
applyPlatformSpa,
|
||||
applyPlatformStatic,
|
||||
} from '../../../src/nest/platform/platform.routes';
|
||||
import { SpaFallbackFilter } from '../../../src/nest/platform/spa-fallback.filter';
|
||||
|
||||
// Tagged sentinel for express.static — we only need to know it was registered on
|
||||
// the right path, not run it.
|
||||
vi.mock('express', async () => {
|
||||
const staticFn = vi.fn(() => 'STATIC' as unknown);
|
||||
const fn: unknown = () => ({});
|
||||
Object.assign(fn as object, { static: staticFn });
|
||||
return { default: fn, static: staticFn };
|
||||
});
|
||||
|
||||
type Handler = (...args: unknown[]) => unknown;
|
||||
|
||||
/**
|
||||
* A fake express.Application that records every route/middleware registration so
|
||||
* individual handlers can be pulled out and exercised in isolation.
|
||||
*/
|
||||
function fakeApp() {
|
||||
const calls: Array<{ method: string; path?: string; handlers: Handler[] }> = [];
|
||||
const record = (method: string) => (...args: unknown[]) => {
|
||||
if (typeof args[0] === 'string' || args[0] instanceof RegExp) {
|
||||
calls.push({ method, path: String(args[0]), handlers: args.slice(1) as Handler[] });
|
||||
} else {
|
||||
calls.push({ method, handlers: args as Handler[] });
|
||||
}
|
||||
};
|
||||
const app = {
|
||||
use: record('use'),
|
||||
get: record('get'),
|
||||
post: record('post'),
|
||||
delete: record('delete'),
|
||||
} as never;
|
||||
return { app, calls };
|
||||
}
|
||||
|
||||
function makeRes() {
|
||||
const res = {
|
||||
statusCode: 200,
|
||||
body: undefined as unknown,
|
||||
headers: {} as Record<string, string>,
|
||||
status: vi.fn(function (this: typeof res, c: number) { this.statusCode = c; return this; }),
|
||||
json: vi.fn(function (this: typeof res, b: unknown) { this.body = b; return this; }),
|
||||
send: vi.fn(function (this: typeof res, b: unknown) { this.body = b; return this; }),
|
||||
end: vi.fn(function (this: typeof res) { return this; }),
|
||||
sendFile: vi.fn(function (this: typeof res, p: string) { this.body = `FILE:${p}`; return this; }),
|
||||
setHeader: vi.fn(function (this: typeof res, k: string, v: string) { this.headers[k] = v; return this; }),
|
||||
};
|
||||
return res;
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
h.getMcpSafeUrl.mockReturnValue('https://trek.example.test');
|
||||
});
|
||||
|
||||
describe('applyPlatformUploads', () => {
|
||||
it('registers the static avatar/cover/journey mounts + the files block', () => {
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformUploads(app);
|
||||
const paths = calls.filter((c) => c.method === 'use').map((c) => c.path);
|
||||
expect(paths).toEqual(
|
||||
expect.arrayContaining(['/uploads/avatars', '/uploads/covers', '/uploads/journey', '/uploads/files']),
|
||||
);
|
||||
});
|
||||
|
||||
it('the /uploads/files block always answers 401', () => {
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformUploads(app);
|
||||
const filesBlock = calls.find((c) => c.path === '/uploads/files')!.handlers[0];
|
||||
const res = makeRes();
|
||||
filesBlock({}, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toBe('Authentication required');
|
||||
});
|
||||
|
||||
describe('GET /uploads/photos/:filename', () => {
|
||||
function photoHandler() {
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformUploads(app);
|
||||
return calls.find((c) => c.method === 'get' && c.path === '/uploads/photos/:filename')!.handlers[0];
|
||||
}
|
||||
|
||||
it('403 when the resolved path escapes the photos dir', () => {
|
||||
// basename() strips the traversal, but feed a name that resolves outside by
|
||||
// stubbing path indirectly is hard — instead exercise the existsSync 404 etc.
|
||||
// The startsWith guard is defensive; cover it via a filename of '..'.
|
||||
const handler = photoHandler();
|
||||
const res = makeRes();
|
||||
// path.basename('..') === '..' -> join(photos,'..') resolves to uploads -> not under photos
|
||||
handler({ params: { filename: '..' }, headers: {}, query: {} }, res);
|
||||
expect(res.statusCode).toBe(403);
|
||||
expect(res.body).toBe('Forbidden');
|
||||
});
|
||||
|
||||
it('404 when the file does not exist', () => {
|
||||
h.existsSync.mockReturnValue(false);
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: {} }, res);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.body).toBe('Not found');
|
||||
});
|
||||
|
||||
it('401 when no token is supplied', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: {} }, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
expect(res.body).toBe('Authentication required');
|
||||
});
|
||||
|
||||
it('serves the file for a valid JWT session (Bearer header)', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue({ id: 1 });
|
||||
const res = makeRes();
|
||||
photoHandler()(
|
||||
{ params: { filename: 'a.jpg' }, headers: { authorization: 'Bearer jwt123' }, query: {} },
|
||||
res,
|
||||
);
|
||||
expect(h.verifyJwtAndLoadUser).toHaveBeenCalledWith('jwt123');
|
||||
expect(String(res.body)).toContain('FILE:');
|
||||
});
|
||||
|
||||
it('reads the token from the query string when there is no Bearer header', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue({ id: 1 });
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: { token: 'qtok' } }, res);
|
||||
expect(h.verifyJwtAndLoadUser).toHaveBeenCalledWith('qtok');
|
||||
expect(String(res.body)).toContain('FILE:');
|
||||
});
|
||||
|
||||
it('401 when the token is not a session and the photo row is missing', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue(null);
|
||||
h.dbPrepare.mockReturnValue({ get: vi.fn().mockReturnValue(undefined) });
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: { token: 'share1' } }, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
|
||||
it('401 when a share token does not cover the photo trip', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue(null);
|
||||
const photoStmt = { get: vi.fn().mockReturnValue({ trip_id: 7 }) };
|
||||
const shareStmt = { get: vi.fn().mockReturnValue({ trip_id: 8 }) };
|
||||
h.dbPrepare.mockImplementationOnce(() => photoStmt).mockImplementationOnce(() => shareStmt);
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: { token: 'share1' } }, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
|
||||
it('401 when there is no matching share token at all', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue(null);
|
||||
const photoStmt = { get: vi.fn().mockReturnValue({ trip_id: 7 }) };
|
||||
const shareStmt = { get: vi.fn().mockReturnValue(undefined) };
|
||||
h.dbPrepare.mockImplementationOnce(() => photoStmt).mockImplementationOnce(() => shareStmt);
|
||||
const res = makeRes();
|
||||
photoHandler()({ params: { filename: 'a.jpg' }, headers: {}, query: { token: 'share1' } }, res);
|
||||
expect(res.statusCode).toBe(401);
|
||||
});
|
||||
|
||||
it('serves the file when the share token covers the photo trip', () => {
|
||||
h.existsSync.mockReturnValue(true);
|
||||
h.verifyJwtAndLoadUser.mockReturnValue(null);
|
||||
const photoStmt = { get: vi.fn().mockReturnValue({ trip_id: 7 }) };
|
||||
const shareStmt = { get: vi.fn().mockReturnValue({ trip_id: 7 }) };
|
||||
h.dbPrepare.mockImplementationOnce(() => photoStmt).mockImplementationOnce(() => shareStmt);
|
||||
const res = makeRes();
|
||||
photoHandler()(
|
||||
{ params: { filename: 'a.jpg' }, headers: { authorization: 'Bearer share1' }, query: {} },
|
||||
res,
|
||||
);
|
||||
expect(String(res.body)).toContain('FILE:');
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('applyPlatformTransport', () => {
|
||||
function build() {
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformTransport(app);
|
||||
return calls;
|
||||
}
|
||||
|
||||
it('GET /api/health sets no-store and returns ok', () => {
|
||||
const calls = build();
|
||||
const health = calls.find((c) => c.method === 'get' && c.path === '/api/health')!.handlers[0];
|
||||
const res = makeRes();
|
||||
health({}, res);
|
||||
expect(res.headers['Cache-Control']).toBe('no-store, must-revalidate');
|
||||
expect(res.body).toEqual({ status: 'ok' });
|
||||
});
|
||||
|
||||
describe('the /.well-known metadata middleware', () => {
|
||||
function wellKnownMw(calls: ReturnType<typeof build>) {
|
||||
// first app.use with no path, registered right after /api/health
|
||||
return calls.find((c) => c.method === 'use' && c.path === undefined)!.handlers[0];
|
||||
}
|
||||
|
||||
it('404s a /.well-known path when MCP is disabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(false);
|
||||
const mw = wellKnownMw(build());
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw({ path: '/.well-known/oauth-authorization-server' }, res, next);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates to the SDK meta router for a non-well-known path', () => {
|
||||
h.isAddonEnabled.mockReturnValue(true);
|
||||
const mw = wellKnownMw(build());
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw({ path: '/anything' }, res, next);
|
||||
expect(h.metaRouter).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('delegates to the SDK meta router for a well-known path when MCP is enabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(true);
|
||||
const mw = wellKnownMw(build());
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw({ path: '/.well-known/oauth-authorization-server' }, res, next);
|
||||
expect(h.metaRouter).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /.well-known/openid-configuration returns AS metadata + userinfo_endpoint', () => {
|
||||
const calls = build();
|
||||
const handler = calls.find((c) => c.path === '/.well-known/openid-configuration')!.handlers[0];
|
||||
const res = makeRes();
|
||||
handler({}, res);
|
||||
const body = res.body as { issuer: string; userinfo_endpoint: string };
|
||||
expect(body.issuer).toBe('https://trek.example.test');
|
||||
expect(body.userinfo_endpoint).toBe('https://trek.example.test/oauth/userinfo');
|
||||
});
|
||||
|
||||
it('trims trailing slashes off the configured base URL', () => {
|
||||
h.getMcpSafeUrl.mockReturnValue('https://trek.example.test///');
|
||||
const calls = build();
|
||||
const handler = calls.find((c) => c.path === '/.well-known/openid-configuration')!.handlers[0];
|
||||
const res = makeRes();
|
||||
handler({}, res);
|
||||
expect((res.body as { issuer: string }).issuer).toBe('https://trek.example.test');
|
||||
});
|
||||
|
||||
describe('GET /.well-known/oauth-protected-resource (flat)', () => {
|
||||
function handler() {
|
||||
return build().find((c) => c.method === 'get' && c.path === '/.well-known/oauth-protected-resource')!.handlers[0];
|
||||
}
|
||||
|
||||
it('404 when MCP is disabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(false);
|
||||
const res = makeRes();
|
||||
handler()({}, res);
|
||||
expect(res.statusCode).toBe(404);
|
||||
});
|
||||
|
||||
it('returns the PRM document when MCP is enabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(true);
|
||||
const res = makeRes();
|
||||
handler()({}, res);
|
||||
const body = res.body as { resource: string; authorization_servers: string[] };
|
||||
expect(body.resource).toBe('https://trek.example.test/mcp');
|
||||
expect(body.authorization_servers).toEqual(['https://trek.example.test']);
|
||||
});
|
||||
});
|
||||
|
||||
describe('mcpAddonGate (used on /oauth/authorize + /oauth/register)', () => {
|
||||
function gate() {
|
||||
// The gate is the first handler on the /oauth/authorize use registration.
|
||||
return build().find((c) => c.method === 'use' && c.path === '/oauth/authorize')!.handlers[0];
|
||||
}
|
||||
|
||||
it('404 when MCP is disabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(false);
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
gate()({}, res, next);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('calls next() when MCP is enabled', () => {
|
||||
h.isAddonEnabled.mockReturnValue(true);
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
gate()({}, res, next);
|
||||
expect(next).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
it('wires the SDK authorize + register handlers behind the gate', () => {
|
||||
const calls = build();
|
||||
const authorize = calls.find((c) => c.path === '/oauth/authorize')!;
|
||||
const register = calls.find((c) => c.path === '/oauth/register')!;
|
||||
expect(authorize.handlers).toContain(h.authorizeHandler);
|
||||
expect(register.handlers).toContain(h.registerHandler);
|
||||
});
|
||||
|
||||
it('mounts the MCP handler on POST/GET/DELETE /mcp', () => {
|
||||
const calls = build();
|
||||
expect(calls.find((c) => c.method === 'post' && c.path === '/mcp')!.handlers[0]).toBe(h.mcpHandler);
|
||||
expect(calls.find((c) => c.method === 'get' && c.path === '/mcp')!.handlers[0]).toBe(h.mcpHandler);
|
||||
expect(calls.find((c) => c.method === 'delete' && c.path === '/mcp')!.handlers[0]).toBe(h.mcpHandler);
|
||||
});
|
||||
|
||||
describe('the terminal /.well-known JSON-404 middleware', () => {
|
||||
function mw() {
|
||||
// The pathless app.use registered after the /mcp routes.
|
||||
const calls = build();
|
||||
const pathless = calls.filter((c) => c.method === 'use' && c.path === undefined);
|
||||
// first pathless = meta router; second = the JSON 404.
|
||||
return pathless[1].handlers[0];
|
||||
}
|
||||
|
||||
it('404 JSON for an unhandled /.well-known path', () => {
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw()({ path: '/.well-known/unknown' }, res, next);
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.body).toEqual({ error: 'not_found' });
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('calls next() for any non-well-known path', () => {
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw()({ path: '/dashboard' }, res, next);
|
||||
expect(next).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
it('the /oauth/consent middleware relaxes COOP then continues', () => {
|
||||
const calls = build();
|
||||
const mw = calls.find((c) => c.method === 'use' && c.path === '/oauth/consent')!.handlers[0];
|
||||
const res = makeRes();
|
||||
const next = vi.fn();
|
||||
mw({}, res, next);
|
||||
expect(res.headers['Cross-Origin-Opener-Policy']).toBe('unsafe-none');
|
||||
expect(next).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('caches the OAuth metadata + SDK router across requests (lazy init runs once)', async () => {
|
||||
const router = await import('@modelcontextprotocol/sdk/server/auth/router');
|
||||
const calls = build();
|
||||
const openid = calls.find((c) => c.path === '/.well-known/openid-configuration')!.handlers[0];
|
||||
h.getMcpSafeUrl.mockClear();
|
||||
openid({}, makeRes());
|
||||
openid({}, makeRes());
|
||||
// getMcpSafeUrl is only consulted on the first lazy build of the metadata.
|
||||
expect(h.getMcpSafeUrl).toHaveBeenCalledTimes(1);
|
||||
|
||||
// Trigger the meta router lazy build twice; the SDK factory runs once.
|
||||
const metaMw = calls.find((c) => c.method === 'use' && c.path === undefined)!.handlers[0];
|
||||
h.isAddonEnabled.mockReturnValue(true);
|
||||
metaMw({ path: '/x' }, makeRes(), vi.fn());
|
||||
metaMw({ path: '/y' }, makeRes(), vi.fn());
|
||||
expect(router.mcpAuthMetadataRouter).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
});
|
||||
|
||||
describe('applyPlatformStatic', () => {
|
||||
const original = process.env.NODE_ENV;
|
||||
afterEach(() => { process.env.NODE_ENV = original; });
|
||||
|
||||
it('is a no-op outside production', () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformStatic(app);
|
||||
expect(calls).toHaveLength(0);
|
||||
});
|
||||
|
||||
it('serves the built client statics in production', () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformStatic(app);
|
||||
expect(calls.some((c) => c.method === 'use')).toBe(true);
|
||||
});
|
||||
|
||||
it('the static setHeaders callback adds no-cache for index.html only', async () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const expressMod = (await import('express')).default as unknown as { static: ReturnType<typeof vi.fn> };
|
||||
expressMod.static.mockClear();
|
||||
const { app } = fakeApp();
|
||||
applyPlatformStatic(app);
|
||||
const opts = expressMod.static.mock.calls[0][1] as { setHeaders: (res: unknown, p: string) => void };
|
||||
const indexRes = makeRes();
|
||||
opts.setHeaders(indexRes, '/some/index.html');
|
||||
expect(indexRes.headers['Cache-Control']).toBe('no-cache, no-store, must-revalidate');
|
||||
const assetRes = makeRes();
|
||||
opts.setHeaders(assetRes, '/some/app.js');
|
||||
expect(assetRes.headers['Cache-Control']).toBeUndefined();
|
||||
});
|
||||
});
|
||||
|
||||
describe('applyPlatformSpa', () => {
|
||||
const original = process.env.NODE_ENV;
|
||||
afterEach(() => { process.env.NODE_ENV = original; });
|
||||
|
||||
it('only serves statics (no catch-all) outside production', () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformSpa(app);
|
||||
expect(calls.some((c) => c.method === 'get' && c.path === '/.*/' )).toBe(false);
|
||||
});
|
||||
|
||||
it('registers the index.html catch-all in production', () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const { app, calls } = fakeApp();
|
||||
applyPlatformSpa(app);
|
||||
const catchAll = calls.find((c) => c.method === 'get');
|
||||
expect(catchAll).toBeDefined();
|
||||
const res = makeRes();
|
||||
catchAll!.handlers[0]({}, res);
|
||||
expect(res.headers['Cache-Control']).toBe('no-cache, no-store, must-revalidate');
|
||||
expect(String(res.body)).toContain('FILE:');
|
||||
expect(String(res.body)).toContain('index.html');
|
||||
});
|
||||
});
|
||||
|
||||
describe('SpaFallbackFilter', () => {
|
||||
const original = process.env.NODE_ENV;
|
||||
afterEach(() => { process.env.NODE_ENV = original; });
|
||||
|
||||
function host(req: { method: string }, res: ReturnType<typeof makeRes>) {
|
||||
return { switchToHttp: () => ({ getRequest: () => req, getResponse: () => res }) } as never;
|
||||
}
|
||||
|
||||
it('serves index.html for an unmatched GET in production', () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const res = makeRes();
|
||||
new SpaFallbackFilter().catch(new NotFoundException('nope'), host({ method: 'GET' }, res));
|
||||
expect(res.headers['Cache-Control']).toBe('no-cache, no-store, must-revalidate');
|
||||
expect(String(res.body)).toContain('index.html');
|
||||
});
|
||||
|
||||
it('keeps the JSON 404 envelope for a non-GET miss in production', () => {
|
||||
process.env.NODE_ENV = 'production';
|
||||
const res = makeRes();
|
||||
new SpaFallbackFilter().catch(new NotFoundException('gone'), host({ method: 'POST' }, res));
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.body).toEqual({ error: 'gone' });
|
||||
});
|
||||
|
||||
it('keeps the JSON 404 envelope outside production even for GET', () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const res = makeRes();
|
||||
new SpaFallbackFilter().catch(new NotFoundException('missing'), host({ method: 'GET' }, res));
|
||||
expect(res.statusCode).toBe(404);
|
||||
expect(res.body).toEqual({ error: 'missing' });
|
||||
});
|
||||
|
||||
it('falls back to Not Found when the exception has no message', () => {
|
||||
process.env.NODE_ENV = 'development';
|
||||
const res = makeRes();
|
||||
const exc = new NotFoundException();
|
||||
// force an empty message so the || branch is taken
|
||||
Object.defineProperty(exc, 'message', { value: '' });
|
||||
new SpaFallbackFilter().catch(exc, host({ method: 'GET' }, res));
|
||||
expect(res.body).toEqual({ error: 'Not Found' });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,114 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { ReservationsController } from '../../../src/nest/reservations/reservations.controller';
|
||||
import type { ReservationsService } from '../../../src/nest/reservations/reservations.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { id: 5, user_id: 1 };
|
||||
|
||||
function makeService(overrides: Partial<ReservationsService> = {}): ReservationsService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
syncBudgetOnCreate: vi.fn(),
|
||||
syncBudgetOnUpdate: vi.fn(),
|
||||
notifyBookingChange: vi.fn(),
|
||||
...overrides,
|
||||
} as unknown as ReservationsService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
describe('ReservationsController (parity with the legacy /api/trips/:tripId/reservations route)', () => {
|
||||
it('404 when trip not accessible', () => {
|
||||
const svc = makeService({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new ReservationsController(svc).list(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('GET / returns reservations', () => {
|
||||
const svc = makeService({ list: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<ReservationsService>);
|
||||
expect(new ReservationsController(svc).list(user, '5')).toEqual({ reservations: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('403 without permission', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new ReservationsController(svc).create(user, '5', { title: 'Hotel' }))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
});
|
||||
|
||||
it('400 without a title', () => {
|
||||
expect(thrown(() => new ReservationsController(makeService()).create(user, '5', {}))).toEqual({ status: 400, body: { error: 'Title is required' } });
|
||||
});
|
||||
|
||||
it('creates, runs budget sync, broadcasts accommodation + reservation, notifies', () => {
|
||||
const create = vi.fn().mockReturnValue({ reservation: { id: 9 }, accommodationCreated: true });
|
||||
const broadcast = vi.fn(); const syncBudgetOnCreate = vi.fn(); const notifyBookingChange = vi.fn();
|
||||
const svc = makeService({ create, broadcast, syncBudgetOnCreate, notifyBookingChange } as Partial<ReservationsService>);
|
||||
const body = { title: 'Hotel', type: 'lodging', create_budget_entry: { total_price: 200 } };
|
||||
expect(new ReservationsController(svc).create(user, '5', body, 'sock')).toEqual({ reservation: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:created', {}, 'sock');
|
||||
expect(syncBudgetOnCreate).toHaveBeenCalledWith('5', 9, 'Hotel', 'lodging', { total_price: 200 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:created', { reservation: { id: 9 } }, 'sock');
|
||||
expect(notifyBookingChange).toHaveBeenCalledWith('5', user, 'Hotel', 'lodging');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /positions', () => {
|
||||
it('400 when positions is not an array', () => {
|
||||
expect(thrown(() => new ReservationsController(makeService()).updatePositions(user, '5', { positions: 'no' }))).toEqual({ status: 400, body: { error: 'positions must be an array' } });
|
||||
});
|
||||
|
||||
it('updates positions and broadcasts', () => {
|
||||
const updatePositions = vi.fn(); const broadcast = vi.fn();
|
||||
const svc = makeService({ updatePositions, broadcast } as Partial<ReservationsService>);
|
||||
const positions = [{ id: 1, day_plan_position: 0 }];
|
||||
expect(new ReservationsController(svc).updatePositions(user, '5', { positions, day_id: 3 }, 'sock')).toEqual({ success: true });
|
||||
expect(updatePositions).toHaveBeenCalledWith('5', positions, 3);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:positions', { positions, day_id: 3 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when the reservation is missing', () => {
|
||||
const svc = makeService({ getReservation: vi.fn().mockReturnValue(undefined) } as Partial<ReservationsService>);
|
||||
expect(thrown(() => new ReservationsController(svc).update(user, '5', '9', { title: 'X' }))).toEqual({ status: 404, body: { error: 'Reservation not found' } });
|
||||
});
|
||||
|
||||
it('updates, syncs budget with current fallbacks, broadcasts + notifies', () => {
|
||||
const getReservation = vi.fn().mockReturnValue({ title: 'Old', type: 'lodging' });
|
||||
const update = vi.fn().mockReturnValue({ reservation: { id: 9 }, accommodationChanged: true });
|
||||
const broadcast = vi.fn(); const syncBudgetOnUpdate = vi.fn(); const notifyBookingChange = vi.fn();
|
||||
const svc = makeService({ getReservation, update, broadcast, syncBudgetOnUpdate, notifyBookingChange } as Partial<ReservationsService>);
|
||||
new ReservationsController(svc).update(user, '5', '9', { create_budget_entry: { total_price: 50 } }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:updated', {}, 'sock');
|
||||
expect(syncBudgetOnUpdate).toHaveBeenCalledWith('5', '9', '', undefined, 'Old', 'lodging', { total_price: 50 }, 'sock');
|
||||
expect(notifyBookingChange).toHaveBeenCalledWith('5', user, 'Old', 'lodging');
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when nothing deleted', () => {
|
||||
const svc = makeService({ remove: vi.fn().mockReturnValue({ deleted: undefined, accommodationDeleted: false, deletedBudgetItemId: null }) } as Partial<ReservationsService>);
|
||||
expect(thrown(() => new ReservationsController(svc).remove(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Reservation not found' } });
|
||||
});
|
||||
|
||||
it('broadcasts the accommodation + budget cascade then reservation:deleted', () => {
|
||||
const remove = vi.fn().mockReturnValue({ deleted: { id: 9, title: 'Hotel', type: 'lodging', accommodation_id: 3 }, accommodationDeleted: true, deletedBudgetItemId: 7 });
|
||||
const broadcast = vi.fn(); const notifyBookingChange = vi.fn();
|
||||
const svc = makeService({ remove, broadcast, notifyBookingChange } as Partial<ReservationsService>);
|
||||
expect(new ReservationsController(svc).remove(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'accommodation:deleted', { accommodationId: 3 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:deleted', { itemId: 7 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'reservation:deleted', { reservationId: 9 }, 'sock');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,106 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// Mock the data + side-effect dependencies the service reaches into directly.
|
||||
const { dbMock } = vi.hoisted(() => {
|
||||
const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
|
||||
return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
|
||||
});
|
||||
vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast }));
|
||||
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { budget } = vi.hoisted(() => ({
|
||||
budget: { createBudgetItem: vi.fn(), updateBudgetItem: vi.fn(), deleteBudgetItem: vi.fn(), linkBudgetItemToReservation: vi.fn() },
|
||||
}));
|
||||
vi.mock('../../../src/services/budgetService', () => budget);
|
||||
|
||||
const { resv } = vi.hoisted(() => ({
|
||||
resv: {
|
||||
verifyTripAccess: vi.fn(), listReservations: vi.fn(), createReservation: vi.fn(), updatePositions: vi.fn(),
|
||||
getReservation: vi.fn(), updateReservation: vi.fn(), deleteReservation: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/reservationService', () => resv);
|
||||
|
||||
import { ReservationsService } from '../../../src/nest/reservations/reservations.service';
|
||||
|
||||
function svc() {
|
||||
return new ReservationsService();
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
describe('ReservationsService', () => {
|
||||
it('canEdit delegates to checkPermission with reservation_edit', () => {
|
||||
svc().canEdit({ user_id: 2 } as never, { id: 1, role: 'user' } as never);
|
||||
expect(checkPermission).toHaveBeenCalledWith('reservation_edit', 'user', 2, 1, true);
|
||||
});
|
||||
|
||||
it('list/create/getReservation/remove delegate to the legacy service', () => {
|
||||
resv.listReservations.mockReturnValue([{ id: 1 }]);
|
||||
expect(svc().list('5')).toEqual([{ id: 1 }]);
|
||||
svc().create('5', { title: 'X' } as never);
|
||||
expect(resv.createReservation).toHaveBeenCalledWith('5', { title: 'X' });
|
||||
svc().getReservation('9', '5');
|
||||
expect(resv.getReservation).toHaveBeenCalledWith('9', '5');
|
||||
svc().remove('9', '5');
|
||||
expect(resv.deleteReservation).toHaveBeenCalledWith('9', '5');
|
||||
});
|
||||
|
||||
describe('syncBudgetOnCreate', () => {
|
||||
it('does nothing without a positive price', () => {
|
||||
svc().syncBudgetOnCreate('5', 9, 'Hotel', 'lodging', undefined, 'sock');
|
||||
svc().syncBudgetOnCreate('5', 9, 'Hotel', 'lodging', { total_price: 0 }, 'sock');
|
||||
expect(budget.linkBudgetItemToReservation).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('links a budget item and broadcasts budget:created', () => {
|
||||
budget.linkBudgetItemToReservation.mockReturnValue({ id: 7 });
|
||||
svc().syncBudgetOnCreate('5', 9, 'Hotel', 'lodging', { total_price: 200, category: 'Lodging' }, 'sock');
|
||||
expect(budget.linkBudgetItemToReservation).toHaveBeenCalledWith('5', 9, { name: 'Hotel', category: 'Lodging', total_price: 200 });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:created', { item: { id: 7 } }, 'sock');
|
||||
});
|
||||
|
||||
it('falls back to type then "Other" for the category and swallows errors', () => {
|
||||
budget.linkBudgetItemToReservation.mockImplementation(() => { throw new Error('boom'); });
|
||||
expect(() => svc().syncBudgetOnCreate('5', 9, 'Hotel', undefined, { total_price: 50 }, 'sock')).not.toThrow();
|
||||
});
|
||||
});
|
||||
|
||||
describe('syncBudgetOnUpdate', () => {
|
||||
it('deletes the linked item when the price is cleared', () => {
|
||||
dbMock._stmt.get.mockReturnValueOnce({ id: 7 });
|
||||
svc().syncBudgetOnUpdate('5', '9', 'Hotel', 'lodging', 'Hotel', 'lodging', undefined, 'sock');
|
||||
expect(budget.deleteBudgetItem).toHaveBeenCalledWith(7, '5');
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:deleted', { itemId: 7 }, 'sock');
|
||||
});
|
||||
|
||||
it('updates an existing linked item when a price is provided', () => {
|
||||
dbMock._stmt.get.mockReturnValueOnce({ id: 7 }); // existing lookup
|
||||
budget.updateBudgetItem.mockReturnValue({ id: 7 });
|
||||
svc().syncBudgetOnUpdate('5', '9', 'New', 'lodging', 'Old', 'lodging', { total_price: 80 }, 'sock');
|
||||
expect(budget.updateBudgetItem).toHaveBeenCalledWith(7, '5', { name: 'New', category: 'lodging', total_price: 80 });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:updated', { item: { id: 7 } }, 'sock');
|
||||
});
|
||||
|
||||
it('creates + links a new item when none exists, using the current title fallback', () => {
|
||||
dbMock._stmt.get.mockReturnValue(undefined); // no existing
|
||||
budget.createBudgetItem.mockReturnValue({ id: 9 });
|
||||
svc().syncBudgetOnUpdate('5', '9', '', undefined, 'Old title', 'flight', { total_price: 120 }, 'sock');
|
||||
expect(budget.createBudgetItem).toHaveBeenCalledWith('5', { name: 'Old title', category: 'flight', total_price: 120 });
|
||||
expect(dbMock._stmt.run).toHaveBeenCalled(); // UPDATE budget_items SET reservation_id
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'budget:created', { item: { id: 9, reservation_id: 9 } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('notifyBookingChange resolves without throwing (fire-and-forget)', () => {
|
||||
expect(() => svc().notifyBookingChange('5', { id: 1, email: 'a@b.c' } as never, 'Hotel', 'lodging')).not.toThrow();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,54 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
|
||||
import { SettingsController } from '../../../src/nest/settings/settings.controller';
|
||||
import type { SettingsService } from '../../../src/nest/settings/settings.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function svc(o: Partial<SettingsService> = {}): SettingsService {
|
||||
return { getUserSettings: vi.fn(), upsertSetting: vi.fn(), bulkUpsertSettings: vi.fn(), ...o } as unknown as SettingsService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('SettingsController', () => {
|
||||
it('GET / returns the settings', () => {
|
||||
expect(new SettingsController(svc({ getUserSettings: vi.fn().mockReturnValue({ theme: 'dark' }) } as Partial<SettingsService>)).list(user)).toEqual({ settings: { theme: 'dark' } });
|
||||
});
|
||||
|
||||
it('PUT / 400 without a key', () => {
|
||||
expect(thrown(() => new SettingsController(svc()).upsert(user, {}))).toEqual({ status: 400, body: { error: 'Key is required' } });
|
||||
});
|
||||
|
||||
it('PUT / no-ops on the masked sentinel without writing', () => {
|
||||
const upsertSetting = vi.fn();
|
||||
const c = new SettingsController(svc({ upsertSetting } as Partial<SettingsService>));
|
||||
expect(c.upsert(user, { key: 'immich_api_key', value: '••••••••' })).toEqual({ success: true, key: 'immich_api_key', unchanged: true });
|
||||
expect(upsertSetting).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('PUT / writes a real value', () => {
|
||||
const upsertSetting = vi.fn();
|
||||
const c = new SettingsController(svc({ upsertSetting } as Partial<SettingsService>));
|
||||
expect(c.upsert(user, { key: 'theme', value: 'dark' })).toEqual({ success: true, key: 'theme', value: 'dark' });
|
||||
expect(upsertSetting).toHaveBeenCalledWith(1, 'theme', 'dark');
|
||||
});
|
||||
|
||||
it('POST /bulk 400 without an object, 500 on a write error, else returns the count', () => {
|
||||
expect(thrown(() => new SettingsController(svc()).bulk(user, {}))).toEqual({ status: 400, body: { error: 'Settings object is required' } });
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
expect(thrown(() => new SettingsController(svc({ bulkUpsertSettings: vi.fn(() => { throw new Error('db'); }) } as Partial<SettingsService>)).bulk(user, { settings: { a: 1 } }))).toEqual({ status: 500, body: { error: 'Error saving settings' } });
|
||||
expect(new SettingsController(svc({ bulkUpsertSettings: vi.fn().mockReturnValue(3) } as Partial<SettingsService>)).bulk(user, { settings: { a: 1, b: 2, c: 3 } })).toEqual({ success: true, updated: 3 });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,137 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Response } from 'express';
|
||||
|
||||
const { createReadStream } = vi.hoisted(() => ({ createReadStream: vi.fn() }));
|
||||
vi.mock('node:fs', () => ({ createReadStream }));
|
||||
|
||||
import { TripShareController, SharedController } from '../../../src/nest/share/share.controller';
|
||||
import type { ShareService } from '../../../src/nest/share/share.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
|
||||
function svc(o: Partial<ShareService> = {}): ShareService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue({ user_id: 1 }),
|
||||
canManage: vi.fn().mockReturnValue(true),
|
||||
...o,
|
||||
} as unknown as ShareService;
|
||||
}
|
||||
|
||||
function res() {
|
||||
const r = { statusCode: 200, status: vi.fn((c: number) => { r.statusCode = c; return r; }) };
|
||||
return r as unknown as Response & { statusCode: number };
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('TripShareController', () => {
|
||||
it('POST 404 without access, 403 without share_manage', () => {
|
||||
expect(thrown(() => new TripShareController(svc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).create(user, '5', {}, res()))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new TripShareController(svc({ canManage: vi.fn().mockReturnValue(false) })).create(user, '5', {}, res()))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
});
|
||||
|
||||
it('POST answers 201 on create, 200 on update', () => {
|
||||
const createdRes = res();
|
||||
const c1 = new TripShareController(svc({ createOrUpdate: vi.fn().mockReturnValue({ token: 't', created: true }) } as Partial<ShareService>));
|
||||
expect(c1.create(user, '5', { share_map: true }, createdRes)).toEqual({ token: 't' });
|
||||
expect(createdRes.statusCode).toBe(201);
|
||||
|
||||
const updatedRes = res();
|
||||
const c2 = new TripShareController(svc({ createOrUpdate: vi.fn().mockReturnValue({ token: 't', created: false }) } as Partial<ShareService>));
|
||||
expect(c2.create(user, '5', {}, updatedRes)).toEqual({ token: 't' });
|
||||
expect(updatedRes.statusCode).toBe(200);
|
||||
});
|
||||
|
||||
it('GET 404 without access, returns info or a null token', () => {
|
||||
expect(thrown(() => new TripShareController(svc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) })).get(user, '5'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(new TripShareController(svc({ get: vi.fn().mockReturnValue({ token: 't' }) } as Partial<ShareService>)).get(user, '5')).toEqual({ token: 't' });
|
||||
expect(new TripShareController(svc({ get: vi.fn().mockReturnValue(null) } as Partial<ShareService>)).get(user, '5')).toEqual({ token: null });
|
||||
});
|
||||
|
||||
it('DELETE 403 without share_manage, else removes', () => {
|
||||
expect(thrown(() => new TripShareController(svc({ canManage: vi.fn().mockReturnValue(false) })).remove(user, '5'))).toEqual({ status: 403, body: { error: 'No permission' } });
|
||||
const remove = vi.fn();
|
||||
expect(new TripShareController(svc({ remove } as Partial<ShareService>)).remove(user, '5')).toEqual({ success: true });
|
||||
expect(remove).toHaveBeenCalledWith('5');
|
||||
});
|
||||
});
|
||||
|
||||
describe('SharedController', () => {
|
||||
it('404 for an invalid token, else returns the snapshot', () => {
|
||||
expect(thrown(() => new SharedController(svc({ getSharedTripData: vi.fn().mockReturnValue(null) } as Partial<ShareService>)).read('bad'))).toEqual({ status: 404, body: { error: 'Invalid or expired link' } });
|
||||
expect(new SharedController(svc({ getSharedTripData: vi.fn().mockReturnValue({ trip: { id: 9 } }) } as Partial<ShareService>)).read('tok')).toEqual({ trip: { id: 9 } });
|
||||
});
|
||||
|
||||
describe('place-photo proxy', () => {
|
||||
function photoRes() {
|
||||
const r = {
|
||||
statusCode: 200,
|
||||
headersSent: false,
|
||||
status: vi.fn(function (this: unknown, c: number) { (r as { statusCode: number }).statusCode = c; return r; }),
|
||||
json: vi.fn(),
|
||||
set: vi.fn(),
|
||||
type: vi.fn(),
|
||||
};
|
||||
return r as unknown as Response & { status: ReturnType<typeof vi.fn>; json: ReturnType<typeof vi.fn>; set: ReturnType<typeof vi.fn>; type: ReturnType<typeof vi.fn> };
|
||||
}
|
||||
|
||||
beforeEach(() => createReadStream.mockReset());
|
||||
|
||||
function controller(path: string | null) {
|
||||
return new SharedController(svc({ getSharedPlacePhotoPath: vi.fn().mockReturnValue(path) } as Partial<ShareService>));
|
||||
}
|
||||
|
||||
it('404 without streaming when the photo is not cached for the token', () => {
|
||||
const res = photoRes();
|
||||
controller(null).placePhotoBytes('tok', 'p1', res);
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not cached' });
|
||||
expect(createReadStream).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('streams the cached file with image/jpeg + an immutable cache header on a hit', () => {
|
||||
const stream = { on: vi.fn().mockReturnThis(), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = photoRes();
|
||||
controller('/cache/p1.jpg').placePhotoBytes('tok', 'p1', res);
|
||||
expect(res.set).toHaveBeenCalledWith('Cache-Control', 'public, max-age=2592000, immutable');
|
||||
expect(res.type).toHaveBeenCalledWith('image/jpeg');
|
||||
expect(createReadStream).toHaveBeenCalledWith('/cache/p1.jpg');
|
||||
expect(stream.pipe).toHaveBeenCalledWith(res);
|
||||
});
|
||||
|
||||
it('falls back to 404 when the read stream errors before headers were sent', () => {
|
||||
let onError: () => void = () => {};
|
||||
const stream = { on: vi.fn((ev: string, cb: () => void) => { if (ev === 'error') onError = cb; return stream; }), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = photoRes();
|
||||
controller('/cache/p1.jpg').placePhotoBytes('tok', 'p1', res);
|
||||
onError();
|
||||
expect(res.status).toHaveBeenCalledWith(404);
|
||||
expect(res.json).toHaveBeenCalledWith({ error: 'Photo not cached' });
|
||||
});
|
||||
|
||||
it('does not re-send a 404 when the stream errors after headers were flushed', () => {
|
||||
let onError: () => void = () => {};
|
||||
const stream = { on: vi.fn((ev: string, cb: () => void) => { if (ev === 'error') onError = cb; return stream; }), pipe: vi.fn() };
|
||||
createReadStream.mockReturnValue(stream);
|
||||
const res = photoRes();
|
||||
(res as { headersSent: boolean }).headersSent = true;
|
||||
controller('/cache/p1.jpg').placePhotoBytes('tok', 'p1', res);
|
||||
onError();
|
||||
expect(res.status).not.toHaveBeenCalled();
|
||||
expect(res.json).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,76 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// The wrapper delegates to legacy helpers; mock them so no real DB is loaded.
|
||||
const { canAccessTrip } = vi.hoisted(() => ({ canAccessTrip: vi.fn() }));
|
||||
vi.mock('../../../src/db/database', () => ({ canAccessTrip, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn() }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { share } = vi.hoisted(() => ({
|
||||
share: {
|
||||
createOrUpdateShareLink: vi.fn(),
|
||||
getShareLink: vi.fn(),
|
||||
deleteShareLink: vi.fn(),
|
||||
getSharedTripData: vi.fn(),
|
||||
getSharedPlacePhotoPath: vi.fn(),
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/shareService', () => share);
|
||||
|
||||
import { ShareService } from '../../../src/nest/share/share.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
function svc() {
|
||||
return new ShareService();
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('ShareService', () => {
|
||||
it('verifyTripAccess delegates to canAccessTrip', () => {
|
||||
canAccessTrip.mockReturnValue({ id: 5, user_id: 2 });
|
||||
expect(svc().verifyTripAccess('5', 2)).toEqual({ id: 5, user_id: 2 });
|
||||
expect(canAccessTrip).toHaveBeenCalledWith('5', 2);
|
||||
});
|
||||
|
||||
it('canManage forwards the ownership flag when the user owns the trip', () => {
|
||||
checkPermission.mockReturnValue(true);
|
||||
const trip = { user_id: 1 } as never;
|
||||
const user = { id: 1, role: 'user' } as User;
|
||||
expect(svc().canManage(trip, user)).toBe(true);
|
||||
expect(checkPermission).toHaveBeenCalledWith('share_manage', 'user', 1, 1, false);
|
||||
});
|
||||
|
||||
it('canManage marks the user as a guest when they do not own the trip', () => {
|
||||
checkPermission.mockReturnValue(false);
|
||||
const trip = { user_id: 2 } as never;
|
||||
const user = { id: 1, role: 'user' } as User;
|
||||
expect(svc().canManage(trip, user)).toBe(false);
|
||||
expect(checkPermission).toHaveBeenCalledWith('share_manage', 'user', 2, 1, true);
|
||||
});
|
||||
|
||||
it('createOrUpdate delegates to the legacy share service', () => {
|
||||
share.createOrUpdateShareLink.mockReturnValue({ token: 't', created: true });
|
||||
const perms = { share_map: true };
|
||||
expect(svc().createOrUpdate('5', 2, perms)).toEqual({ token: 't', created: true });
|
||||
expect(share.createOrUpdateShareLink).toHaveBeenCalledWith('5', 2, perms);
|
||||
});
|
||||
|
||||
it('get / remove / getSharedTripData / getSharedPlacePhotoPath delegate', () => {
|
||||
share.getShareLink.mockReturnValue({ token: 't' });
|
||||
expect(svc().get('5')).toEqual({ token: 't' });
|
||||
expect(share.getShareLink).toHaveBeenCalledWith('5');
|
||||
|
||||
svc().remove('5');
|
||||
expect(share.deleteShareLink).toHaveBeenCalledWith('5');
|
||||
|
||||
share.getSharedTripData.mockReturnValue({ trip: { id: 9 } });
|
||||
expect(svc().getSharedTripData('tok')).toEqual({ trip: { id: 9 } });
|
||||
expect(share.getSharedTripData).toHaveBeenCalledWith('tok');
|
||||
|
||||
share.getSharedPlacePhotoPath.mockReturnValue('/cache/p1.jpg');
|
||||
expect(svc().getSharedPlacePhotoPath('tok', 'p1')).toBe('/cache/p1.jpg');
|
||||
expect(share.getSharedPlacePhotoPath).toHaveBeenCalledWith('tok', 'p1');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,55 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { SystemNoticesController } from '../../../src/nest/system-notices/system-notices.controller';
|
||||
import type { SystemNoticesService } from '../../../src/nest/system-notices/system-notices.service';
|
||||
import type { User } from '../../../src/types';
|
||||
import type { SystemNoticeDto } from '@trek/shared';
|
||||
|
||||
function makeController(svc: Partial<SystemNoticesService>) {
|
||||
return new SystemNoticesController(svc as SystemNoticesService);
|
||||
}
|
||||
|
||||
const user = { id: 7 } as User;
|
||||
|
||||
const notice: SystemNoticeDto = {
|
||||
id: 'welcome', display: 'modal', severity: 'info',
|
||||
titleKey: 'notice.welcome.title', bodyKey: 'notice.welcome.body', dismissible: true,
|
||||
};
|
||||
|
||||
/** Run `fn`, expecting an HttpException; return its { status, body }. */
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('SystemNoticesController (parity with the legacy /api/system-notices route)', () => {
|
||||
describe('GET /active', () => {
|
||||
it('returns the evaluated notices for the current user', () => {
|
||||
const getActiveFor = vi.fn().mockReturnValue([notice]);
|
||||
expect(makeController({ getActiveFor }).active(user)).toEqual([notice]);
|
||||
expect(getActiveFor).toHaveBeenCalledWith(7);
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /:id/dismiss', () => {
|
||||
it('returns nothing (204) when the dismiss succeeds', () => {
|
||||
const dismiss = vi.fn().mockReturnValue(true);
|
||||
expect(makeController({ dismiss }).dismiss(user, 'welcome')).toBeUndefined();
|
||||
expect(dismiss).toHaveBeenCalledWith(7, 'welcome');
|
||||
});
|
||||
|
||||
it('404 { error: NOTICE_NOT_FOUND } when the id is unknown', () => {
|
||||
const dismiss = vi.fn().mockReturnValue(false);
|
||||
expect(thrown(() => makeController({ dismiss }).dismiss(user, 'nope'))).toEqual({
|
||||
status: 404,
|
||||
body: { error: 'NOTICE_NOT_FOUND' },
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,86 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { TagsController } from '../../../src/nest/tags/tags.controller';
|
||||
import type { TagsService } from '../../../src/nest/tags/tags.service';
|
||||
import type { User } from '../../../src/types';
|
||||
import type { Tag } from '@trek/shared';
|
||||
|
||||
const user = { id: 5 } as User;
|
||||
|
||||
function makeController(svc: Partial<TagsService>) {
|
||||
return new TagsController(svc as TagsService);
|
||||
}
|
||||
|
||||
const tag: Tag = { id: 1, user_id: 5, name: 'Beach', color: '#10b981' };
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('TagsController (parity with the legacy /api/tags route)', () => {
|
||||
it('GET / returns the caller\'s tags wrapped in { tags }', () => {
|
||||
const list = vi.fn().mockReturnValue([tag]);
|
||||
expect(makeController({ list }).list(user)).toEqual({ tags: [tag] });
|
||||
expect(list).toHaveBeenCalledWith(5);
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('400 when name is missing', () => {
|
||||
const create = vi.fn();
|
||||
expect(thrown(() => makeController({ create }).create(user, undefined))).toEqual({
|
||||
status: 400, body: { error: 'Tag name is required' },
|
||||
});
|
||||
expect(create).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('creates a tag for the caller', () => {
|
||||
const create = vi.fn().mockReturnValue(tag);
|
||||
expect(makeController({ create }).create(user, 'Beach', '#10b981')).toEqual({ tag });
|
||||
expect(create).toHaveBeenCalledWith(5, 'Beach', '#10b981');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when the tag is not owned by the caller', () => {
|
||||
const getByIdAndUser = vi.fn().mockReturnValue(undefined);
|
||||
const update = vi.fn();
|
||||
expect(thrown(() => makeController({ getByIdAndUser, update }).update(user, '9', 'X'))).toEqual({
|
||||
status: 404, body: { error: 'Tag not found' },
|
||||
});
|
||||
expect(getByIdAndUser).toHaveBeenCalledWith('9', 5);
|
||||
expect(update).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('updates an owned tag', () => {
|
||||
const getByIdAndUser = vi.fn().mockReturnValue(tag);
|
||||
const update = vi.fn().mockReturnValue({ ...tag, name: 'Hike' });
|
||||
expect(makeController({ getByIdAndUser, update }).update(user, '1', 'Hike')).toEqual({ tag: { ...tag, name: 'Hike' } });
|
||||
expect(update).toHaveBeenCalledWith('1', 'Hike', undefined);
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when the tag is not owned by the caller', () => {
|
||||
const getByIdAndUser = vi.fn().mockReturnValue(undefined);
|
||||
const remove = vi.fn();
|
||||
expect(thrown(() => makeController({ getByIdAndUser, remove }).remove(user, '9'))).toEqual({
|
||||
status: 404, body: { error: 'Tag not found' },
|
||||
});
|
||||
expect(remove).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('deletes an owned tag', () => {
|
||||
const getByIdAndUser = vi.fn().mockReturnValue(tag);
|
||||
const remove = vi.fn();
|
||||
expect(makeController({ getByIdAndUser, remove }).remove(user, '1')).toEqual({ success: true });
|
||||
expect(remove).toHaveBeenCalledWith('1');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,123 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { TodoController } from '../../../src/nest/todo/todo.controller';
|
||||
import type { TodoService } from '../../../src/nest/todo/todo.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const trip = { id: 5, user_id: 1 };
|
||||
|
||||
function makeService(overrides: Partial<TodoService> = {}): TodoService {
|
||||
return {
|
||||
verifyTripAccess: vi.fn().mockReturnValue(trip),
|
||||
canEdit: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
...overrides,
|
||||
} as unknown as TodoService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try {
|
||||
fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('TodoController (parity with the legacy /api/trips/:tripId/todo route)', () => {
|
||||
it('404 when the trip is not accessible', () => {
|
||||
const svc = makeService({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new TodoController(svc).list(user, '5'))).toEqual({
|
||||
status: 404, body: { error: 'Trip not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('GET / returns items', () => {
|
||||
const svc = makeService({ listItems: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<TodoService>);
|
||||
expect(new TodoController(svc).list(user, '5')).toEqual({ items: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
describe('POST /', () => {
|
||||
it('403 without permission', () => {
|
||||
const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
|
||||
expect(thrown(() => new TodoController(svc).create(user, '5', { name: 'Pack' }))).toEqual({
|
||||
status: 403, body: { error: 'No permission' },
|
||||
});
|
||||
});
|
||||
|
||||
it('400 when name missing', () => {
|
||||
expect(thrown(() => new TodoController(makeService()).create(user, '5', {}))).toEqual({
|
||||
status: 400, body: { error: 'Item name is required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('creates and broadcasts', () => {
|
||||
const createItem = vi.fn().mockReturnValue({ id: 9, name: 'Pack' });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ createItem, broadcast } as Partial<TodoService>);
|
||||
expect(new TodoController(svc).create(user, '5', { name: 'Pack', priority: 2 }, 'sock')).toEqual({ item: { id: 9, name: 'Pack' } });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'todo:created', { item: { id: 9, name: 'Pack' } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when item missing', () => {
|
||||
const svc = makeService({ updateItem: vi.fn().mockReturnValue(null) } as Partial<TodoService>);
|
||||
expect(thrown(() => new TodoController(svc).update(user, '5', '9', { name: 'X' }))).toEqual({
|
||||
status: 404, body: { error: 'Item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('updates, forwards changed keys, broadcasts', () => {
|
||||
const updateItem = vi.fn().mockReturnValue({ id: 9 });
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ updateItem, broadcast } as Partial<TodoService>);
|
||||
new TodoController(svc).update(user, '5', '9', { checked: true }, 'sock');
|
||||
expect(updateItem).toHaveBeenCalledWith('5', '9', expect.objectContaining({ checked: true }), ['checked']);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'todo:updated', { item: { id: 9 } }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when item missing', () => {
|
||||
const svc = makeService({ deleteItem: vi.fn().mockReturnValue(false) } as Partial<TodoService>);
|
||||
expect(thrown(() => new TodoController(svc).remove(user, '5', '9'))).toEqual({
|
||||
status: 404, body: { error: 'Item not found' },
|
||||
});
|
||||
});
|
||||
|
||||
it('deletes and broadcasts', () => {
|
||||
const deleteItem = vi.fn().mockReturnValue(true);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ deleteItem, broadcast } as Partial<TodoService>);
|
||||
expect(new TodoController(svc).remove(user, '5', '9', 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'todo:deleted', { itemId: 9 }, 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
it('PUT /reorder succeeds with permission', () => {
|
||||
const reorderItems = vi.fn();
|
||||
const svc = makeService({ reorderItems } as Partial<TodoService>);
|
||||
expect(new TodoController(svc).reorder(user, '5', [3, 1, 2])).toEqual({ success: true });
|
||||
expect(reorderItems).toHaveBeenCalledWith('5', [3, 1, 2]);
|
||||
});
|
||||
|
||||
describe('category assignees', () => {
|
||||
it('GET returns assignees', () => {
|
||||
const svc = makeService({ getCategoryAssignees: vi.fn().mockReturnValue([{ user_id: 2 }]) } as Partial<TodoService>);
|
||||
expect(new TodoController(svc).categoryAssignees(user, '5')).toEqual({ assignees: [{ user_id: 2 }] });
|
||||
});
|
||||
|
||||
it('PUT updates, decodes the category and broadcasts', () => {
|
||||
const updateCategoryAssignees = vi.fn().mockReturnValue([{ user_id: 2 }]);
|
||||
const broadcast = vi.fn();
|
||||
const svc = makeService({ updateCategoryAssignees, broadcast } as Partial<TodoService>);
|
||||
new TodoController(svc).updateCategoryAssignees(user, '5', 'To%20Buy', [2], 'sock');
|
||||
expect(updateCategoryAssignees).toHaveBeenCalledWith('5', 'To Buy', [2]);
|
||||
expect(broadcast).toHaveBeenCalledWith('5', 'todo:assignees', { category: 'To Buy', assignees: [{ user_id: 2 }] }, 'sock');
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,293 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import type { Request } from 'express';
|
||||
|
||||
vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4'), logInfo: vi.fn() }));
|
||||
const { isDemoEmail } = vi.hoisted(() => ({ isDemoEmail: vi.fn(() => false) }));
|
||||
vi.mock('../../../src/services/demo', () => ({ isDemoEmail }));
|
||||
|
||||
import { TripsController } from '../../../src/nest/trips/trips.controller';
|
||||
import type { TripsService } from '../../../src/nest/trips/trips.service';
|
||||
import { NotFoundError, ValidationError } from '../../../src/services/tripService';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
|
||||
const req = { headers: {} } as Request;
|
||||
|
||||
function svc(o: Partial<TripsService> = {}): TripsService {
|
||||
return {
|
||||
canAccessTrip: vi.fn().mockReturnValue({ user_id: 1 }),
|
||||
can: vi.fn().mockReturnValue(true),
|
||||
broadcast: vi.fn(),
|
||||
notifyInvite: vi.fn(),
|
||||
...o,
|
||||
} as unknown as TripsService;
|
||||
}
|
||||
|
||||
function thrown(fn: () => unknown): { status: number; body: unknown } {
|
||||
try { fn(); } catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected throw');
|
||||
}
|
||||
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('TripsController (parity with the legacy /api/trips route)', () => {
|
||||
it('GET / lists for the user with the archived flag', () => {
|
||||
const list = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
expect(new TripsController(svc({ list } as Partial<TripsService>)).list(user, '1')).toEqual({ trips: [{ id: 1 }] });
|
||||
expect(list).toHaveBeenCalledWith(1, 1);
|
||||
});
|
||||
|
||||
it('GET / defaults the archived flag to 0 when not "1"', () => {
|
||||
const list = vi.fn().mockReturnValue([]);
|
||||
const c = new TripsController(svc({ list } as Partial<TripsService>));
|
||||
c.list(user, undefined);
|
||||
expect(list).toHaveBeenLastCalledWith(1, 0);
|
||||
c.list(user, '0');
|
||||
expect(list).toHaveBeenLastCalledWith(1, 0);
|
||||
});
|
||||
|
||||
describe('POST / (create)', () => {
|
||||
it('403 without trip_create, 400 without title', () => {
|
||||
expect(thrown(() => new TripsController(svc({ can: vi.fn().mockReturnValue(false) })).create(user, { title: 'T' }, req))).toEqual({ status: 403, body: { error: 'No permission to create trips' } });
|
||||
expect(thrown(() => new TripsController(svc()).create(user, {}, req))).toEqual({ status: 400, body: { error: 'Title is required' } });
|
||||
});
|
||||
|
||||
it('infers end_date from start_date (+6 days) and creates', () => {
|
||||
const create = vi.fn().mockReturnValue({ trip: { id: 9 }, tripId: 9, reminderDays: 0 });
|
||||
new TripsController(svc({ create } as Partial<TripsService>)).create(user, { title: 'T', start_date: '2026-07-01' }, req);
|
||||
expect(create).toHaveBeenCalledWith(1, expect.objectContaining({ start_date: '2026-07-01', end_date: '2026-07-07' }));
|
||||
});
|
||||
|
||||
it('400 when end_date precedes start_date', () => {
|
||||
expect(thrown(() => new TripsController(svc()).create(user, { title: 'T', start_date: '2026-07-10', end_date: '2026-07-01' }, req))).toEqual({
|
||||
status: 400, body: { error: 'End date must be after start date' },
|
||||
});
|
||||
});
|
||||
|
||||
it('infers start_date from end_date (-6 days) and parses day_count', () => {
|
||||
const create = vi.fn().mockReturnValue({ trip: { id: 9 }, tripId: 9, reminderDays: 0 });
|
||||
new TripsController(svc({ create } as Partial<TripsService>)).create(user, { title: 'T', end_date: '2026-07-07', day_count: '40' }, req);
|
||||
expect(create).toHaveBeenCalledWith(1, expect.objectContaining({ start_date: '2026-07-01', end_date: '2026-07-07', day_count: 40 }));
|
||||
});
|
||||
|
||||
it('clamps a non-numeric day_count to the default of 7', () => {
|
||||
const create = vi.fn().mockReturnValue({ trip: { id: 9 }, tripId: 9, reminderDays: 0 });
|
||||
new TripsController(svc({ create } as Partial<TripsService>)).create(user, { title: 'T', day_count: 'abc' }, req);
|
||||
expect(create).toHaveBeenCalledWith(1, expect.objectContaining({ day_count: 7 }));
|
||||
});
|
||||
|
||||
it('logs the reminder when reminderDays is set', () => {
|
||||
const create = vi.fn().mockReturnValue({ trip: { id: 9 }, tripId: 9, reminderDays: 3 });
|
||||
expect(new TripsController(svc({ create } as Partial<TripsService>)).create(user, { title: 'T' }, req)).toEqual({ trip: { id: 9 } });
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /:id 404 when missing', () => {
|
||||
expect(thrown(() => new TripsController(svc({ get: vi.fn().mockReturnValue(undefined) } as Partial<TripsService>)).get(user, '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('GET /:id returns the trip when present', () => {
|
||||
const s = svc({ get: vi.fn().mockReturnValue({ id: 9 }) } as Partial<TripsService>);
|
||||
expect(new TripsController(s).get(user, '9')).toEqual({ trip: { id: 9 } });
|
||||
});
|
||||
|
||||
describe('PUT /:id', () => {
|
||||
it('404 when no access; 403 on archive without trip_archive', () => {
|
||||
expect(thrown(() => new TripsController(svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) })).update(user, '9', {}, req))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const s = svc({ can: vi.fn().mockImplementation((a: string) => a !== 'trip_archive') });
|
||||
expect(thrown(() => new TripsController(s).update(user, '9', { is_archived: 1 }, req))).toEqual({ status: 403, body: { error: 'No permission to archive/unarchive this trip' } });
|
||||
});
|
||||
|
||||
it('updates, audits a change and broadcasts', () => {
|
||||
const update = vi.fn().mockReturnValue({ updatedTrip: { id: 9 }, changes: { title: { oldValue: 'a', newValue: 'b' } }, newTitle: 'b', newReminder: 0, oldReminder: 0 });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ update, broadcast } as Partial<TripsService>);
|
||||
expect(new TripsController(s).update(user, '9', { title: 'b' }, req, 'sock')).toEqual({ trip: { id: 9 } });
|
||||
expect(broadcast).toHaveBeenCalledWith('9', 'trip:updated', { trip: { id: 9 } }, 'sock');
|
||||
});
|
||||
|
||||
it('403 on cover_image without trip_cover_upload', () => {
|
||||
const s = svc({ can: vi.fn().mockImplementation((a: string) => a !== 'trip_cover_upload') });
|
||||
expect(thrown(() => new TripsController(s).update(user, '9', { cover_image: '/x.jpg' }, req))).toEqual({ status: 403, body: { error: 'No permission to change cover image' } });
|
||||
});
|
||||
|
||||
it('403 on an edit field without trip_edit', () => {
|
||||
const s = svc({ can: vi.fn().mockImplementation((a: string) => a !== 'trip_edit') });
|
||||
expect(thrown(() => new TripsController(s).update(user, '9', { title: 'b' }, req))).toEqual({ status: 403, body: { error: 'No permission to edit this trip' } });
|
||||
});
|
||||
|
||||
it('admin edit logs the owner and reminder changes', () => {
|
||||
const update = vi.fn().mockReturnValue({
|
||||
updatedTrip: { id: 9 }, changes: { title: { oldValue: 'a', newValue: 'b' } }, newTitle: 'b',
|
||||
ownerEmail: 'owner@x.y', isAdminEdit: true, newReminder: 5, oldReminder: 0,
|
||||
});
|
||||
const s = svc({ update } as Partial<TripsService>);
|
||||
expect(new TripsController(s).update(user, '9', { title: 'b' }, req)).toEqual({ trip: { id: 9 } });
|
||||
});
|
||||
|
||||
it('logs when a reminder is removed', () => {
|
||||
const update = vi.fn().mockReturnValue({
|
||||
updatedTrip: { id: 9 }, changes: {}, newTitle: 'b', newReminder: 0, oldReminder: 5,
|
||||
});
|
||||
const s = svc({ update } as Partial<TripsService>);
|
||||
expect(new TripsController(s).update(user, '9', { reminder_days: 0 }, req)).toEqual({ trip: { id: 9 } });
|
||||
});
|
||||
|
||||
it('maps a NotFoundError to 404 and a ValidationError to 400', () => {
|
||||
const nf = svc({ update: vi.fn().mockImplementation(() => { throw new NotFoundError('gone'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(nf).update(user, '9', { title: 'b' }, req))).toEqual({ status: 404, body: { error: 'gone' } });
|
||||
const ve = svc({ update: vi.fn().mockImplementation(() => { throw new ValidationError('bad'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(ve).update(user, '9', { title: 'b' }, req))).toEqual({ status: 400, body: { error: 'bad' } });
|
||||
});
|
||||
|
||||
it('re-throws an unknown error from update', () => {
|
||||
const s = svc({ update: vi.fn().mockImplementation(() => { throw new Error('boom'); }) } as Partial<TripsService>);
|
||||
expect(() => new TripsController(s).update(user, '9', { title: 'b' }, req)).toThrow('boom');
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /:id/copy', () => {
|
||||
it('403 without trip_create, 404 without access', () => {
|
||||
expect(thrown(() => new TripsController(svc({ can: vi.fn().mockReturnValue(false) })).copy(user, '9', undefined, req))).toEqual({ status: 403, body: { error: 'No permission to create trips' } });
|
||||
expect(thrown(() => new TripsController(svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) })).copy(user, '9', undefined, req))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('copies + returns the new trip', () => {
|
||||
const s = svc({ copy: vi.fn().mockReturnValue(42), getCopiedTrip: vi.fn().mockReturnValue({ id: 42 }) } as Partial<TripsService>);
|
||||
expect(new TripsController(s).copy(user, '9', 'Copy', req)).toEqual({ trip: { id: 42 } });
|
||||
});
|
||||
});
|
||||
|
||||
describe('DELETE /:id', () => {
|
||||
it('404 when no owner, 403 without trip_delete', () => {
|
||||
expect(thrown(() => new TripsController(svc({ getOwner: vi.fn().mockReturnValue(undefined) } as Partial<TripsService>)).remove(user, '9', req))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const s = svc({ getOwner: vi.fn().mockReturnValue({ user_id: 1 }), can: vi.fn().mockReturnValue(false) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(s).remove(user, '9', req))).toEqual({ status: 403, body: { error: 'No permission to delete this trip' } });
|
||||
});
|
||||
|
||||
it('deletes, audits and broadcasts', () => {
|
||||
const remove = vi.fn().mockReturnValue({ tripId: 9, title: 'T', isAdminDelete: false }); const broadcast = vi.fn();
|
||||
const s = svc({ getOwner: vi.fn().mockReturnValue({ user_id: 1 }), remove, broadcast } as Partial<TripsService>);
|
||||
expect(new TripsController(s).remove(user, '9', req, 'sock')).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('9', 'trip:deleted', { id: 9 }, 'sock');
|
||||
});
|
||||
|
||||
it('admin delete logs the owner', () => {
|
||||
const remove = vi.fn().mockReturnValue({ tripId: 9, title: 'T', isAdminDelete: true, ownerEmail: 'owner@x.y' });
|
||||
const broadcast = vi.fn();
|
||||
const s = svc({ getOwner: vi.fn().mockReturnValue({ user_id: 2 }), remove, broadcast } as Partial<TripsService>);
|
||||
expect(new TripsController(s).remove(user, '9', req)).toEqual({ success: true });
|
||||
expect(broadcast).toHaveBeenCalledWith('9', 'trip:deleted', { id: 9 }, undefined);
|
||||
});
|
||||
});
|
||||
|
||||
describe('members', () => {
|
||||
it('GET 404 without access, else owner+members+current_user_id', () => {
|
||||
expect(thrown(() => new TripsController(svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) })).members(user, '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const s = svc({ listMembers: vi.fn().mockReturnValue({ owner: { id: 1 }, members: [] }) } as Partial<TripsService>);
|
||||
expect(new TripsController(s).members(user, '9')).toEqual({ owner: { id: 1 }, members: [], current_user_id: 1 });
|
||||
});
|
||||
|
||||
it('POST 403 without member_manage, else adds + notifies', () => {
|
||||
expect(thrown(() => new TripsController(svc({ can: vi.fn().mockReturnValue(false) })).addMember(user, '9', 'bob@x.y'))).toEqual({ status: 403, body: { error: 'No permission to manage members' } });
|
||||
const addMember = vi.fn().mockReturnValue({ member: { id: 2, email: 'bob@x.y' }, targetUserId: 2, tripTitle: 'T' });
|
||||
const notifyInvite = vi.fn();
|
||||
const s = svc({ addMember, notifyInvite } as Partial<TripsService>);
|
||||
expect(new TripsController(s).addMember(user, '9', 'bob@x.y')).toEqual({ member: { id: 2, email: 'bob@x.y' } });
|
||||
expect(notifyInvite).toHaveBeenCalledWith('9', user, 2, 'T', 'bob@x.y');
|
||||
});
|
||||
|
||||
it('POST 404 without trip access', () => {
|
||||
const s = svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new TripsController(s).addMember(user, '9', 'bob@x.y'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('POST maps NotFoundError to 404, ValidationError to 400, re-throws others', () => {
|
||||
const nf = svc({ addMember: vi.fn().mockImplementation(() => { throw new NotFoundError('no user'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(nf).addMember(user, '9', 'bob@x.y'))).toEqual({ status: 404, body: { error: 'no user' } });
|
||||
const ve = svc({ addMember: vi.fn().mockImplementation(() => { throw new ValidationError('already a member'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(ve).addMember(user, '9', 'bob@x.y'))).toEqual({ status: 400, body: { error: 'already a member' } });
|
||||
const other = svc({ addMember: vi.fn().mockImplementation(() => { throw new Error('boom'); }) } as Partial<TripsService>);
|
||||
expect(() => new TripsController(other).addMember(user, '9', 'bob@x.y')).toThrow('boom');
|
||||
});
|
||||
|
||||
it('DELETE 404 without trip access', () => {
|
||||
const s = svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) });
|
||||
expect(thrown(() => new TripsController(s).removeMember(user, '9', '2'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
});
|
||||
|
||||
it('DELETE self needs no permission; removing others needs member_manage', () => {
|
||||
const removeMember = vi.fn();
|
||||
const s = svc({ can: vi.fn().mockReturnValue(false), removeMember } as Partial<TripsService>);
|
||||
// self-removal (targetId === user.id) bypasses the permission check
|
||||
expect(new TripsController(s).removeMember(user, '9', '1')).toEqual({ success: true });
|
||||
expect(thrown(() => new TripsController(s).removeMember(user, '9', '2'))).toEqual({ status: 403, body: { error: 'No permission to remove members' } });
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /:id/bundle 404 then aggregates', () => {
|
||||
expect(thrown(() => new TripsController(svc({ get: vi.fn().mockReturnValue(undefined) } as Partial<TripsService>)).bundle(user, '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const bundle = vi.fn().mockReturnValue({ trip: { id: 9 }, days: [] });
|
||||
const s = svc({ get: vi.fn().mockReturnValue({ user_id: 1 }), bundle } as Partial<TripsService>);
|
||||
expect(new TripsController(s).bundle(user, '9')).toEqual({ trip: { id: 9 }, days: [] });
|
||||
});
|
||||
|
||||
describe('POST /:id/cover', () => {
|
||||
const file = { filename: 'abc.jpg' } as Express.Multer.File;
|
||||
it('404 without access, 403 without permission, 404 raw trip, 400 no file, else returns url', () => {
|
||||
expect(thrown(() => new TripsController(svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) })).cover(user, '9', file))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new TripsController(svc({ can: vi.fn().mockReturnValue(false) })).cover(user, '9', file))).toEqual({ status: 403, body: { error: 'No permission to change the cover image' } });
|
||||
expect(thrown(() => new TripsController(svc({ getRaw: vi.fn().mockReturnValue(undefined) } as Partial<TripsService>)).cover(user, '9', file))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
expect(thrown(() => new TripsController(svc({ getRaw: vi.fn().mockReturnValue({ cover_image: null }) } as Partial<TripsService>)).cover(user, '9', undefined))).toEqual({ status: 400, body: { error: 'No image uploaded' } });
|
||||
const deleteOldCover = vi.fn(); const updateCoverImage = vi.fn();
|
||||
const s = svc({ getRaw: vi.fn().mockReturnValue({ cover_image: '/old.jpg' }), deleteOldCover, updateCoverImage } as Partial<TripsService>);
|
||||
expect(new TripsController(s).cover(user, '9', file)).toEqual({ cover_image: '/uploads/covers/abc.jpg' });
|
||||
expect(deleteOldCover).toHaveBeenCalledWith('/old.jpg');
|
||||
expect(updateCoverImage).toHaveBeenCalledWith('9', '/uploads/covers/abc.jpg');
|
||||
});
|
||||
|
||||
it('403 in demo mode for a demo account', () => {
|
||||
const prev = process.env.DEMO_MODE;
|
||||
process.env.DEMO_MODE = 'true';
|
||||
isDemoEmail.mockReturnValueOnce(true);
|
||||
try {
|
||||
expect(thrown(() => new TripsController(svc()).cover(user, '9', file))).toEqual({
|
||||
status: 403, body: { error: 'Uploads are disabled in demo mode. Self-host TREK for full functionality.' },
|
||||
});
|
||||
} finally {
|
||||
if (prev === undefined) delete process.env.DEMO_MODE;
|
||||
else process.env.DEMO_MODE = prev;
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /:id/export.ics', () => {
|
||||
function makeRes() { return { setHeader: vi.fn(), send: vi.fn() } as never; }
|
||||
it('404 without access, else sends the calendar with headers', () => {
|
||||
expect(thrown(() => new TripsController(svc({ canAccessTrip: vi.fn().mockReturnValue(undefined) })).exportIcs(user, '9', makeRes()))).toEqual({ status: 404, body: { error: 'Trip not found' } });
|
||||
const res = { setHeader: vi.fn(), send: vi.fn() };
|
||||
const s = svc({ exportICS: vi.fn().mockReturnValue({ ics: 'BEGIN:VCALENDAR', filename: 'trip.ics' }) } as Partial<TripsService>);
|
||||
new TripsController(s).exportIcs(user, '9', res as never);
|
||||
expect(res.setHeader).toHaveBeenCalledWith('Content-Type', 'text/calendar; charset=utf-8');
|
||||
expect(res.setHeader).toHaveBeenCalledWith('Content-Disposition', 'attachment; filename="trip.ics"');
|
||||
expect(res.send).toHaveBeenCalledWith('BEGIN:VCALENDAR');
|
||||
});
|
||||
|
||||
it('maps a NotFoundError from the export to 404 and re-throws others', () => {
|
||||
const nf = svc({ exportICS: vi.fn().mockImplementation(() => { throw new NotFoundError('gone'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(nf).exportIcs(user, '9', makeRes()))).toEqual({ status: 404, body: { error: 'gone' } });
|
||||
const other = svc({ exportICS: vi.fn().mockImplementation(() => { throw new Error('boom'); }) } as Partial<TripsService>);
|
||||
expect(() => new TripsController(other).exportIcs(user, '9', makeRes())).toThrow('boom');
|
||||
});
|
||||
});
|
||||
|
||||
it('POST /:id/copy maps a copy failure to 500', () => {
|
||||
const s = svc({ copy: vi.fn().mockImplementation(() => { throw new Error('boom'); }) } as Partial<TripsService>);
|
||||
expect(thrown(() => new TripsController(s).copy(user, '9', undefined, req))).toEqual({ status: 500, body: { error: 'Failed to copy trip' } });
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,88 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
const { dbMock } = vi.hoisted(() => {
|
||||
const stmt = { get: vi.fn(() => ({ id: 42 })), all: vi.fn(() => []), run: vi.fn() };
|
||||
return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
|
||||
});
|
||||
const { canAccessTrip } = vi.hoisted(() => ({ canAccessTrip: vi.fn(() => ({ user_id: 1 })) }));
|
||||
vi.mock('../../../src/db/database', () => ({ db: dbMock, canAccessTrip, closeDb: () => {}, reinitialize: () => {} }));
|
||||
|
||||
const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast }));
|
||||
const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
|
||||
vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
|
||||
|
||||
const { tripSvc } = vi.hoisted(() => ({
|
||||
tripSvc: {
|
||||
listTrips: vi.fn(), createTrip: vi.fn(), getTrip: vi.fn(), updateTrip: vi.fn(), deleteTrip: vi.fn(),
|
||||
getTripRaw: vi.fn(), getTripOwner: vi.fn(), deleteOldCover: vi.fn(), updateCoverImage: vi.fn(),
|
||||
listMembers: vi.fn(() => ({ owner: { id: 1 }, members: [] })), addMember: vi.fn(), removeMember: vi.fn(),
|
||||
exportICS: vi.fn(), copyTripById: vi.fn(), TRIP_SELECT: 'SELECT * FROM trips t',
|
||||
},
|
||||
}));
|
||||
vi.mock('../../../src/services/tripService', () => tripSvc);
|
||||
vi.mock('../../../src/services/dayService', () => ({ listDays: () => ({ days: [1] }), listAccommodations: () => [] }));
|
||||
vi.mock('../../../src/services/placeService', () => ({ listPlaces: () => [] }));
|
||||
vi.mock('../../../src/services/packingService', () => ({ listItems: () => [] }));
|
||||
vi.mock('../../../src/services/todoService', () => ({ listItems: () => [] }));
|
||||
vi.mock('../../../src/services/budgetService', () => ({ listBudgetItems: () => [] }));
|
||||
vi.mock('../../../src/services/reservationService', () => ({ listReservations: () => [] }));
|
||||
vi.mock('../../../src/services/fileService', () => ({ listFiles: () => [] }));
|
||||
|
||||
import { TripsService } from '../../../src/nest/trips/trips.service';
|
||||
|
||||
function svc() { return new TripsService(); }
|
||||
beforeEach(() => vi.clearAllMocks());
|
||||
|
||||
describe('TripsService (wrapper delegation + bundle/copy/notify helpers)', () => {
|
||||
it('delegates the simple wrappers to tripService', () => {
|
||||
const s = svc();
|
||||
s.list(1, 0); expect(tripSvc.listTrips).toHaveBeenCalledWith(1, 0);
|
||||
s.create(1, { title: 'T' } as never); expect(tripSvc.createTrip).toHaveBeenCalledWith(1, { title: 'T' });
|
||||
s.get('9', 1); expect(tripSvc.getTrip).toHaveBeenCalledWith('9', 1);
|
||||
s.getRaw('9'); expect(tripSvc.getTripRaw).toHaveBeenCalledWith('9');
|
||||
s.getOwner('9'); expect(tripSvc.getTripOwner).toHaveBeenCalledWith('9');
|
||||
s.update('9', 1, {} as never, 'user'); expect(tripSvc.updateTrip).toHaveBeenCalledWith('9', 1, {}, 'user');
|
||||
s.remove('9', 1, 'user'); expect(tripSvc.deleteTrip).toHaveBeenCalledWith('9', 1, 'user');
|
||||
s.deleteOldCover('/old.jpg'); expect(tripSvc.deleteOldCover).toHaveBeenCalledWith('/old.jpg');
|
||||
s.updateCoverImage('9', '/n.jpg'); expect(tripSvc.updateCoverImage).toHaveBeenCalledWith('9', '/n.jpg');
|
||||
s.copy('9', 1, 'C'); expect(tripSvc.copyTripById).toHaveBeenCalledWith('9', 1, 'C');
|
||||
s.listMembers('9', 1); expect(tripSvc.listMembers).toHaveBeenCalledWith('9', 1);
|
||||
s.addMember('9', 'b@x.y', 1, 1); expect(tripSvc.addMember).toHaveBeenCalledWith('9', 'b@x.y', 1, 1);
|
||||
s.removeMember('9', 2); expect(tripSvc.removeMember).toHaveBeenCalledWith('9', 2);
|
||||
s.exportICS('9'); expect(tripSvc.exportICS).toHaveBeenCalledWith('9');
|
||||
});
|
||||
|
||||
it('canAccessTrip delegates to the db helper', () => {
|
||||
canAccessTrip.mockReturnValueOnce({ user_id: 7 });
|
||||
expect(svc().canAccessTrip('9', 7)).toEqual({ user_id: 7 });
|
||||
expect(canAccessTrip).toHaveBeenCalledWith('9', 7);
|
||||
});
|
||||
|
||||
it('can() delegates to checkPermission; broadcast forwards', () => {
|
||||
svc().can('trip_edit', 'user', 1, 1, false);
|
||||
expect(checkPermission).toHaveBeenCalledWith('trip_edit', 'user', 1, 1, false);
|
||||
svc().broadcast('9', 'trip:updated', { a: 1 }, 'sock');
|
||||
expect(broadcast).toHaveBeenCalledWith('9', 'trip:updated', { a: 1 }, 'sock');
|
||||
});
|
||||
|
||||
it('getCopiedTrip re-reads via the TRIP_SELECT query', () => {
|
||||
expect(svc().getCopiedTrip(42, 1)).toEqual({ id: 42 });
|
||||
expect(dbMock.prepare).toHaveBeenCalledWith(expect.stringContaining('SELECT * FROM trips t'));
|
||||
});
|
||||
|
||||
it('bundle aggregates every sub-collection + the member list', () => {
|
||||
const result = svc().bundle('9', { user_id: 1 });
|
||||
expect(result).toMatchObject({ trip: { user_id: 1 }, days: [1], places: [], members: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('bundle tolerates a null member list', () => {
|
||||
tripSvc.listMembers.mockReturnValueOnce({ owner: { id: 1 }, members: null });
|
||||
const result = svc().bundle('9', { user_id: 1 });
|
||||
expect(result).toMatchObject({ members: [{ id: 1 }] });
|
||||
});
|
||||
|
||||
it('notifyInvite is fire-and-forget (no throw)', () => {
|
||||
expect(() => svc().notifyInvite('9', { id: 1, email: 'a@b.c' } as never, 2, 'T', 'b@x.y')).not.toThrow();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,175 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { VacayController } from '../../../src/nest/vacay/vacay.controller';
|
||||
import type { VacayService } from '../../../src/nest/vacay/vacay.service';
|
||||
import type { User } from '../../../src/types';
|
||||
|
||||
const user = { id: 1, username: 'u', email: 'u@example.test', role: 'user' } as User;
|
||||
|
||||
function makeController(svc: Partial<VacayService>) {
|
||||
return new VacayController(svc as VacayService);
|
||||
}
|
||||
|
||||
async function thrown(fn: () => unknown): Promise<{ status: number; body: unknown }> {
|
||||
try {
|
||||
await fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
// Default plan helpers shared by most handlers.
|
||||
const planBase = { getActivePlanId: vi.fn().mockReturnValue(10), getActivePlan: vi.fn().mockReturnValue({ id: 10 }) };
|
||||
|
||||
describe('VacayController (parity with the legacy /api/addons/vacay route)', () => {
|
||||
it('GET /plan delegates getPlanData', () => {
|
||||
const getPlanData = vi.fn().mockReturnValue({ plan: { id: 10 } });
|
||||
expect(makeController({ getPlanData }).getPlan(user)).toEqual({ plan: { id: 10 } });
|
||||
});
|
||||
|
||||
it('PUT /plan forwards the socket id', async () => {
|
||||
const updatePlan = vi.fn().mockResolvedValue({ ok: true });
|
||||
await makeController({ ...planBase, updatePlan }).updatePlan(user, { foo: 1 }, 'sock-1');
|
||||
expect(updatePlan).toHaveBeenCalledWith(10, { foo: 1 }, 'sock-1');
|
||||
});
|
||||
|
||||
describe('holiday calendars', () => {
|
||||
it('400 when region missing', () => {
|
||||
return thrown(() => makeController({ ...planBase }).addHolidayCalendar(user, {})).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'region required' } }));
|
||||
});
|
||||
|
||||
it('creates a calendar', () => {
|
||||
const addHolidayCalendar = vi.fn().mockReturnValue({ id: 1, region: 'DE-BY' });
|
||||
const res = makeController({ ...planBase, addHolidayCalendar }).addHolidayCalendar(user, { region: 'DE-BY', label: 'Bayern' }, 'sock');
|
||||
expect(res).toEqual({ calendar: { id: 1, region: 'DE-BY' } });
|
||||
expect(addHolidayCalendar).toHaveBeenCalledWith(10, 'DE-BY', 'Bayern', undefined, undefined, 'sock');
|
||||
});
|
||||
|
||||
it('404 on update of a missing calendar', () => {
|
||||
const updateHolidayCalendar = vi.fn().mockReturnValue(null);
|
||||
return thrown(() => makeController({ ...planBase, updateHolidayCalendar }).updateHolidayCalendar(user, '9', {})).then((r) =>
|
||||
expect(r).toEqual({ status: 404, body: { error: 'Calendar not found' } }));
|
||||
});
|
||||
|
||||
it('404 on delete of a missing calendar', () => {
|
||||
const deleteHolidayCalendar = vi.fn().mockReturnValue(false);
|
||||
return thrown(() => makeController({ ...planBase, deleteHolidayCalendar }).deleteHolidayCalendar(user, '9')).then((r) =>
|
||||
expect(r).toEqual({ status: 404, body: { error: 'Calendar not found' } }));
|
||||
});
|
||||
});
|
||||
|
||||
describe('color', () => {
|
||||
it('403 when the target user is not in the plan', () => {
|
||||
const getPlanUsers = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
return thrown(() => makeController({ ...planBase, getPlanUsers }).setColor(user, { color: '#fff', target_user_id: 99 })).then((r) =>
|
||||
expect(r).toEqual({ status: 403, body: { error: 'User not in plan' } }));
|
||||
});
|
||||
|
||||
it('sets the colour for an in-plan user', () => {
|
||||
const getPlanUsers = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
const setUserColor = vi.fn();
|
||||
expect(makeController({ ...planBase, getPlanUsers, setUserColor }).setColor(user, { color: '#fff' }, 'sock')).toEqual({ success: true });
|
||||
expect(setUserColor).toHaveBeenCalledWith(1, 10, '#fff', 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('invites', () => {
|
||||
it('400 when user_id missing', () => {
|
||||
return thrown(() => makeController({ ...planBase }).invite(user, undefined)).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'user_id required' } }));
|
||||
});
|
||||
|
||||
it('maps a sendInvite error to its status', () => {
|
||||
const sendInvite = vi.fn().mockReturnValue({ error: 'Already in a plan', status: 409 });
|
||||
return thrown(() => makeController({ ...planBase, sendInvite }).invite(user, 2)).then((r) =>
|
||||
expect(r).toEqual({ status: 409, body: { error: 'Already in a plan' } }));
|
||||
});
|
||||
|
||||
it('sends an invite', () => {
|
||||
const sendInvite = vi.fn().mockReturnValue({});
|
||||
expect(makeController({ ...planBase, sendInvite }).invite(user, 2)).toEqual({ success: true });
|
||||
expect(sendInvite).toHaveBeenCalledWith(10, 1, 'u', 'u@example.test', 2);
|
||||
});
|
||||
|
||||
it('maps an acceptInvite error', () => {
|
||||
const acceptInvite = vi.fn().mockReturnValue({ error: 'Invite not found', status: 404 });
|
||||
return thrown(() => makeController({ acceptInvite }).acceptInvite(user, 5)).then((r) =>
|
||||
expect(r).toEqual({ status: 404, body: { error: 'Invite not found' } }));
|
||||
});
|
||||
|
||||
it('decline / cancel / dissolve return success', () => {
|
||||
const declineInvite = vi.fn(); const cancelInvite = vi.fn(); const dissolvePlan = vi.fn();
|
||||
expect(makeController({ declineInvite }).declineInvite(user, 5)).toEqual({ success: true });
|
||||
expect(makeController({ ...planBase, cancelInvite }).cancelInvite(user, 2)).toEqual({ success: true });
|
||||
expect(makeController({ dissolvePlan }).dissolve(user)).toEqual({ success: true });
|
||||
});
|
||||
});
|
||||
|
||||
describe('years', () => {
|
||||
it('400 when year missing on add', () => {
|
||||
return thrown(() => makeController({ ...planBase }).addYear(user, undefined)).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'Year required' } }));
|
||||
});
|
||||
|
||||
it('adds and deletes years', () => {
|
||||
const addYear = vi.fn().mockReturnValue([2026]); const deleteYear = vi.fn().mockReturnValue([]);
|
||||
expect(makeController({ ...planBase, addYear }).addYear(user, 2026, 'sock')).toEqual({ years: [2026] });
|
||||
expect(makeController({ ...planBase, deleteYear }).deleteYear(user, '2026', 'sock')).toEqual({ years: [] });
|
||||
});
|
||||
});
|
||||
|
||||
describe('entries', () => {
|
||||
it('400 when date missing on toggle', () => {
|
||||
return thrown(() => makeController({ ...planBase }).toggleEntry(user, {})).then((r) =>
|
||||
expect(r).toEqual({ status: 400, body: { error: 'date required' } }));
|
||||
});
|
||||
|
||||
it('403 when toggling for a user not in the plan', () => {
|
||||
const getPlanUsers = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
return thrown(() => makeController({ ...planBase, getPlanUsers }).toggleEntry(user, { date: '2026-07-01', target_user_id: 99 })).then((r) =>
|
||||
expect(r).toEqual({ status: 403, body: { error: 'User not in plan' } }));
|
||||
});
|
||||
|
||||
it('toggles for the caller', () => {
|
||||
const toggleEntry = vi.fn().mockReturnValue({ action: 'added' });
|
||||
expect(makeController({ ...planBase, toggleEntry }).toggleEntry(user, { date: '2026-07-01' }, 'sock')).toEqual({ action: 'added' });
|
||||
expect(toggleEntry).toHaveBeenCalledWith(1, 10, '2026-07-01', 'sock');
|
||||
});
|
||||
});
|
||||
|
||||
describe('stats', () => {
|
||||
it('GET wraps stats', () => {
|
||||
const getStats = vi.fn().mockReturnValue({ used: 5 });
|
||||
expect(makeController({ ...planBase, getStats }).stats(user, '2026')).toEqual({ stats: { used: 5 } });
|
||||
});
|
||||
|
||||
it('403 on updateStats for a user not in the plan', () => {
|
||||
const getPlanUsers = vi.fn().mockReturnValue([{ id: 1 }]);
|
||||
return thrown(() => makeController({ ...planBase, getPlanUsers }).updateStats(user, '2026', { vacation_days: 30, target_user_id: 99 })).then((r) =>
|
||||
expect(r).toEqual({ status: 403, body: { error: 'User not in plan' } }));
|
||||
});
|
||||
});
|
||||
|
||||
describe('public holidays', () => {
|
||||
it('502 when the upstream country lookup fails', () => {
|
||||
const getCountries = vi.fn().mockResolvedValue({ error: 'upstream down' });
|
||||
return thrown(() => makeController({ getCountries }).holidayCountries()).then((r) =>
|
||||
expect(r).toEqual({ status: 502, body: { error: 'upstream down' } }));
|
||||
});
|
||||
|
||||
it('returns the country data on success', async () => {
|
||||
const getCountries = vi.fn().mockResolvedValue({ data: [{ code: 'DE' }] });
|
||||
expect(await makeController({ getCountries }).holidayCountries()).toEqual([{ code: 'DE' }]);
|
||||
});
|
||||
|
||||
it('502 when the holidays lookup fails', () => {
|
||||
const getHolidays = vi.fn().mockResolvedValue({ error: 'upstream down' });
|
||||
return thrown(() => makeController({ getHolidays }).holidays('2026', 'DE')).then((r) =>
|
||||
expect(r).toEqual({ status: 502, body: { error: 'upstream down' } }));
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,93 @@
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { WeatherController } from '../../../src/nest/weather/weather.controller';
|
||||
import { ApiError } from '../../../src/services/weatherService';
|
||||
import type { WeatherService } from '../../../src/nest/weather/weather.service';
|
||||
|
||||
function makeController(svc: Partial<WeatherService>) {
|
||||
return new WeatherController(svc as WeatherService);
|
||||
}
|
||||
|
||||
/** Run `fn`, expecting it to throw an HttpException; return its { status, body }. */
|
||||
async function thrown(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
|
||||
try {
|
||||
await fn();
|
||||
} catch (err) {
|
||||
expect(err).toBeInstanceOf(HttpException);
|
||||
const e = err as HttpException;
|
||||
return { status: e.getStatus(), body: e.getResponse() };
|
||||
}
|
||||
throw new Error('expected the handler to throw');
|
||||
}
|
||||
|
||||
describe('WeatherController (parity with the legacy /api/weather route)', () => {
|
||||
const sample = { temp: 21, main: 'Clear', description: 'Klar', type: 'current' };
|
||||
|
||||
describe('GET /api/weather', () => {
|
||||
it('400 { error } with the exact legacy message when lat/lng missing', async () => {
|
||||
const c = makeController({ get: vi.fn() });
|
||||
expect(await thrown(() => c.getWeather(undefined, '13.4'))).toEqual({
|
||||
status: 400,
|
||||
body: { error: 'Latitude and longitude are required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('returns the service result and defaults lang to "de" when absent', async () => {
|
||||
const get = vi.fn().mockResolvedValue(sample);
|
||||
const c = makeController({ get });
|
||||
const res = await c.getWeather('52.5', '13.4', undefined, undefined);
|
||||
expect(res).toEqual(sample);
|
||||
expect(get).toHaveBeenCalledWith('52.5', '13.4', undefined, 'de');
|
||||
});
|
||||
|
||||
it('passes an explicit lang and date through unchanged', async () => {
|
||||
const get = vi.fn().mockResolvedValue(sample);
|
||||
const c = makeController({ get });
|
||||
await c.getWeather('1', '2', '2026-07-01', 'en');
|
||||
expect(get).toHaveBeenCalledWith('1', '2', '2026-07-01', 'en');
|
||||
});
|
||||
|
||||
it('maps an ApiError to its status + { error: message }', async () => {
|
||||
const c = makeController({ get: vi.fn().mockRejectedValue(new ApiError(404, 'Open-Meteo API error')) });
|
||||
expect(await thrown(() => c.getWeather('1', '2'))).toEqual({
|
||||
status: 404,
|
||||
body: { error: 'Open-Meteo API error' },
|
||||
});
|
||||
});
|
||||
|
||||
it('maps an unexpected error to the exact legacy 500 body', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const c = makeController({ get: vi.fn().mockRejectedValue(new Error('boom')) });
|
||||
expect(await thrown(() => c.getWeather('1', '2'))).toEqual({
|
||||
status: 500,
|
||||
body: { error: 'Error fetching weather data' },
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /api/weather/detailed', () => {
|
||||
it('400 { error } with the exact legacy message when date missing', async () => {
|
||||
const c = makeController({ getDetailed: vi.fn() });
|
||||
expect(await thrown(() => c.getDetailed('1', '2', undefined))).toEqual({
|
||||
status: 400,
|
||||
body: { error: 'Latitude, longitude, and date are required' },
|
||||
});
|
||||
});
|
||||
|
||||
it('returns the detailed result and defaults lang to "de"', async () => {
|
||||
const getDetailed = vi.fn().mockResolvedValue(sample);
|
||||
const c = makeController({ getDetailed });
|
||||
await c.getDetailed('1', '2', '2026-07-01', undefined);
|
||||
expect(getDetailed).toHaveBeenCalledWith('1', '2', '2026-07-01', 'de');
|
||||
});
|
||||
|
||||
it('maps an unexpected error to the exact detailed 500 body', async () => {
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
const c = makeController({ getDetailed: vi.fn().mockRejectedValue(new Error('boom')) });
|
||||
expect(await thrown(() => c.getDetailed('1', '2', '2026-07-01'))).toEqual({
|
||||
status: 500,
|
||||
body: { error: 'Error fetching detailed weather data' },
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,40 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { Test } from '@nestjs/testing';
|
||||
import { AppModule } from '../../../src/nest/app.module';
|
||||
import { HealthController } from '../../../src/nest/health/health.controller';
|
||||
import { DatabaseService } from '../../../src/nest/database/database.service';
|
||||
import { AdminGuard } from '../../../src/nest/auth/admin.guard';
|
||||
|
||||
function ctx(user: unknown) {
|
||||
return { switchToHttp: () => ({ getRequest: () => ({ user }) }) } as never;
|
||||
}
|
||||
|
||||
describe('AppModule wiring', () => {
|
||||
it('compiles with the global filter + DB provider and resolves the controller', async () => {
|
||||
const moduleRef = await Test.createTestingModule({ imports: [AppModule] })
|
||||
.overrideProvider(DatabaseService)
|
||||
.useValue({ get: () => ({ n: 0 }) })
|
||||
.compile();
|
||||
expect(moduleRef.get(HealthController)).toBeInstanceOf(HealthController);
|
||||
});
|
||||
});
|
||||
|
||||
describe('AdminGuard', () => {
|
||||
const guard = new AdminGuard();
|
||||
it('allows admins', () => {
|
||||
expect(guard.canActivate(ctx({ role: 'admin' }))).toBe(true);
|
||||
});
|
||||
it('blocks non-admins and anonymous with 403 { error }', () => {
|
||||
expect(() => guard.canActivate(ctx({ role: 'user' }))).toThrow(HttpException);
|
||||
expect(() => guard.canActivate(ctx(undefined))).toThrow(HttpException);
|
||||
});
|
||||
});
|
||||
|
||||
describe('DatabaseService (shared connection)', () => {
|
||||
it('runs real queries against the existing SQLite connection', () => {
|
||||
const svc = new DatabaseService();
|
||||
expect(svc.get('SELECT 1 AS one')).toEqual({ one: 1 });
|
||||
expect(svc.all('SELECT 1 AS one')).toEqual([{ one: 1 }]);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,52 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { z } from 'zod';
|
||||
import { HttpException } from '@nestjs/common';
|
||||
import { ZodValidationPipe } from '../../../src/nest/common/zod-validation.pipe';
|
||||
|
||||
describe('ZodValidationPipe', () => {
|
||||
const pipe = new ZodValidationPipe(z.object({ name: z.string().min(1) }));
|
||||
const meta = {} as never;
|
||||
|
||||
it('returns the parsed value for valid input', () => {
|
||||
expect(pipe.transform({ name: 'x' }, meta)).toEqual({ name: 'x' });
|
||||
});
|
||||
|
||||
it('throws TREK { error } envelope with status 400 on invalid input', () => {
|
||||
let thrown: unknown;
|
||||
try {
|
||||
pipe.transform({ name: '' }, meta);
|
||||
} catch (e) {
|
||||
thrown = e;
|
||||
}
|
||||
expect(thrown).toBeInstanceOf(HttpException);
|
||||
expect((thrown as HttpException).getStatus()).toBe(400);
|
||||
expect((thrown as HttpException).getResponse()).toHaveProperty('error');
|
||||
});
|
||||
|
||||
it("labels a root-level (empty path) issue as 'body'", () => {
|
||||
const rootPipe = new ZodValidationPipe(z.string());
|
||||
let thrown: unknown;
|
||||
try {
|
||||
rootPipe.transform(123, meta);
|
||||
} catch (e) {
|
||||
thrown = e;
|
||||
}
|
||||
expect(thrown).toBeInstanceOf(HttpException);
|
||||
const body = (thrown as HttpException).getResponse() as { error: string };
|
||||
expect(body.error).toMatch(/^body: /);
|
||||
});
|
||||
|
||||
it('joins multiple issues with a semicolon', () => {
|
||||
const multiPipe = new ZodValidationPipe(z.object({ a: z.string(), b: z.number() }));
|
||||
let thrown: unknown;
|
||||
try {
|
||||
multiPipe.transform({ a: 1, b: 'x' }, meta);
|
||||
} catch (e) {
|
||||
thrown = e;
|
||||
}
|
||||
const body = (thrown as HttpException).getResponse() as { error: string };
|
||||
expect(body.error).toContain('a: ');
|
||||
expect(body.error).toContain('b: ');
|
||||
expect(body.error).toContain('; ');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,134 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { canonicalHash, mapFlightToReservation, normalizeFlight } from '../../../src/services/airtrail/airtrailMapper';
|
||||
import type { AirtrailFlightRaw } from '../../../src/services/airtrail/airtrailClient';
|
||||
|
||||
function airport(over: Partial<AirtrailFlightRaw['from']> = {}): NonNullable<AirtrailFlightRaw['from']> {
|
||||
return {
|
||||
id: 1,
|
||||
icao: 'KJFK',
|
||||
iata: 'JFK',
|
||||
name: 'John F. Kennedy Intl.',
|
||||
lat: 40.6413,
|
||||
lon: -73.7781,
|
||||
tz: 'America/New_York',
|
||||
country: 'US',
|
||||
...over,
|
||||
};
|
||||
}
|
||||
|
||||
function flight(over: Partial<AirtrailFlightRaw> = {}): AirtrailFlightRaw {
|
||||
return {
|
||||
id: 42,
|
||||
from: airport(),
|
||||
to: airport({ id: 2, icao: 'EGLL', iata: 'LHR', name: 'London Heathrow', lat: 51.4706, lon: -0.4619, tz: 'Europe/London' }),
|
||||
date: '2021-09-01',
|
||||
datePrecision: 'day',
|
||||
departure: '2021-09-01T23:00:00.000+00:00', // 19:00 local at JFK (EDT, UTC-4)
|
||||
arrival: '2021-09-02T07:00:00.000+00:00', // 08:00 local at LHR (BST, UTC+1)
|
||||
airline: { id: 1, icao: 'BAW', iata: 'BA', name: 'British Airways' },
|
||||
flightNumber: 'BA178',
|
||||
aircraft: { id: 1, icao: 'B772', name: 'Boeing 777' },
|
||||
aircraftReg: 'G-VIIL',
|
||||
flightReason: 'leisure',
|
||||
note: 'window seat',
|
||||
seats: [{ userId: 'u1', guestName: null, seat: 'window', seatNumber: '12A', seatClass: 'economy' }],
|
||||
...over,
|
||||
};
|
||||
}
|
||||
|
||||
describe('airtrailMapper.normalizeFlight', () => {
|
||||
it('prefers IATA codes and exposes the picker fields', () => {
|
||||
const n = normalizeFlight(flight());
|
||||
expect(n).toMatchObject({
|
||||
id: '42',
|
||||
fromCode: 'JFK',
|
||||
toCode: 'LHR',
|
||||
date: '2021-09-01',
|
||||
airline: 'BAW',
|
||||
flightNumber: 'BA178',
|
||||
seatClass: 'economy',
|
||||
});
|
||||
});
|
||||
|
||||
it('falls back to ICAO when IATA is missing and tolerates null airports', () => {
|
||||
const n = normalizeFlight(flight({ from: airport({ iata: null }), to: null }));
|
||||
expect(n.fromCode).toBe('KJFK');
|
||||
expect(n.toCode).toBeNull();
|
||||
expect(n.toName).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
describe('airtrailMapper.mapFlightToReservation', () => {
|
||||
it('composes airport-local times from the instant + airport tz', () => {
|
||||
const m = mapFlightToReservation(flight());
|
||||
// 23:00 UTC at JFK in September is 19:00 EDT; date stays the AirTrail local date.
|
||||
expect(m.reservation_time).toBe('2021-09-01T19:00');
|
||||
// 07:00 UTC at LHR in September is 08:00 BST.
|
||||
expect(m.reservation_end_time).toBe('2021-09-02T08:00');
|
||||
});
|
||||
|
||||
it('builds two endpoints with codes, coords and timezones', () => {
|
||||
const m = mapFlightToReservation(flight());
|
||||
expect(m.endpoints).toHaveLength(2);
|
||||
expect(m.endpoints[0]).toMatchObject({ role: 'from', code: 'JFK', lat: 40.6413, timezone: 'America/New_York', local_date: '2021-09-01', local_time: '19:00' });
|
||||
expect(m.endpoints[1]).toMatchObject({ role: 'to', code: 'LHR', timezone: 'Europe/London', local_time: '08:00' });
|
||||
expect(m.needs_review).toBe(0);
|
||||
});
|
||||
|
||||
it('titles from the flight number, else the route', () => {
|
||||
expect(mapFlightToReservation(flight()).title).toBe('BA178');
|
||||
expect(mapFlightToReservation(flight({ airline: null, flightNumber: null })).title).toBe('JFK → LHR');
|
||||
});
|
||||
|
||||
it('carries flight metadata', () => {
|
||||
const m = mapFlightToReservation(flight());
|
||||
expect(m.metadata).toMatchObject({ airline: 'BAW', flight_number: 'BA178', aircraft: 'B772', aircraft_reg: 'G-VIIL', flight_reason: 'leisure', seat: '12A' });
|
||||
expect(m.type).toBe('flight');
|
||||
expect(m.status).toBe('confirmed');
|
||||
expect(m.notes).toBe('window seat');
|
||||
});
|
||||
|
||||
it('flags needs_review for a non-day date precision', () => {
|
||||
expect(mapFlightToReservation(flight({ datePrecision: 'month' })).needs_review).toBe(1);
|
||||
});
|
||||
|
||||
it('flags needs_review and drops the endpoint when an airport has no coordinates', () => {
|
||||
const m = mapFlightToReservation(flight({ from: airport({ lat: null, lon: null }) }));
|
||||
expect(m.needs_review).toBe(1);
|
||||
expect(m.endpoints.find(e => e.role === 'from')).toBeUndefined();
|
||||
expect(m.endpoints.find(e => e.role === 'to')).toBeDefined();
|
||||
});
|
||||
|
||||
it('leaves the end time null for a partial flight with no arrival', () => {
|
||||
const m = mapFlightToReservation(flight({ arrival: null }));
|
||||
expect(m.reservation_end_time).toBeNull();
|
||||
expect(m.reservation_time).toBe('2021-09-01T19:00');
|
||||
});
|
||||
});
|
||||
|
||||
describe('airtrailMapper.canonicalHash', () => {
|
||||
it('is stable for the same flight', () => {
|
||||
expect(canonicalHash(flight())).toBe(canonicalHash(flight()));
|
||||
});
|
||||
|
||||
it('changes when a meaningful field changes', () => {
|
||||
expect(canonicalHash(flight())).not.toBe(canonicalHash(flight({ flightNumber: 'BA179' })));
|
||||
expect(canonicalHash(flight())).not.toBe(canonicalHash(flight({ note: 'aisle seat' })));
|
||||
});
|
||||
|
||||
it('is independent of seat ordering', () => {
|
||||
const a = flight({
|
||||
seats: [
|
||||
{ userId: 'u1', guestName: null, seat: null, seatNumber: '1A', seatClass: 'economy' },
|
||||
{ userId: 'u2', guestName: null, seat: null, seatNumber: '1B', seatClass: 'economy' },
|
||||
],
|
||||
});
|
||||
const b = flight({
|
||||
seats: [
|
||||
{ userId: 'u2', guestName: null, seat: null, seatNumber: '1B', seatClass: 'economy' },
|
||||
{ userId: 'u1', guestName: null, seat: null, seatNumber: '1A', seatClass: 'economy' },
|
||||
],
|
||||
});
|
||||
expect(canonicalHash(a)).toBe(canonicalHash(b));
|
||||
});
|
||||
});
|
||||
@@ -31,7 +31,7 @@ import { createTables } from '../../../src/db/schema';
|
||||
import { runMigrations } from '../../../src/db/migrations';
|
||||
import { resetTestDb } from '../../helpers/test-db';
|
||||
import { createUser, createTrip } from '../../helpers/factories';
|
||||
import { getStats, getCached, setCache, getCountryFromCoords, getCountryFromAddress, reverseGeocodeCountry, getRegionGeo, getCountryPlaces, getVisitedRegions } from '../../../src/services/atlasService';
|
||||
import { getStats, getCached, setCache, getCountryFromCoords, getCountryFromAddress, reverseGeocodeCountry, getRegionGeo, getCountryGeo, getCountryPlaces, getVisitedRegions } from '../../../src/services/atlasService';
|
||||
|
||||
function insertPlace(db: any, tripId: number, name: string, address: string | null = null) {
|
||||
const cat = db.prepare('SELECT id FROM categories LIMIT 1').get() as { id: number } | undefined;
|
||||
@@ -243,38 +243,57 @@ describe('reverseGeocodeCountry', () => {
|
||||
|
||||
// ── getRegionGeo ────────────────────────────────────────────────────────────
|
||||
|
||||
// These read the committed geoBoundaries bundle (server/assets/atlas/admin1.geojson.gz),
|
||||
// so they double as a guard that the bundle ships current sub-national data (#1119).
|
||||
describe('getRegionGeo', () => {
|
||||
it('ATLAS-SVC-017: returns empty FeatureCollection when fetch throws a network error', async () => {
|
||||
// Override the default stub to throw so loadAdmin1Geo's .catch handler runs,
|
||||
// returning null — which causes getRegionGeo to return the empty FeatureCollection.
|
||||
// (The default ok:false stub does NOT trigger the catch; it still resolves json()
|
||||
// to {}, which loadAdmin1Geo caches as a non-null truthy value.)
|
||||
vi.stubGlobal('fetch', vi.fn().mockRejectedValue(new Error('Network failure')));
|
||||
const result = await getRegionGeo(['DE', 'FR']);
|
||||
it('ATLAS-SVC-017: returns an empty FeatureCollection for a country with no admin-1 features', async () => {
|
||||
const result = await getRegionGeo(['ZZ']);
|
||||
expect(result).toEqual({ type: 'FeatureCollection', features: [] });
|
||||
});
|
||||
|
||||
it('ATLAS-SVC-018: returns filtered features for matching country codes when fetch returns mock GeoJSON', async () => {
|
||||
// ATLAS-SVC-017 ran with a throwing fetch, so admin1GeoCache is null and
|
||||
// admin1GeoLoading is null — this test's fetch override will be called.
|
||||
const mockGeoJson = {
|
||||
type: 'FeatureCollection',
|
||||
features: [
|
||||
{ type: 'Feature', properties: { iso_a2: 'DE' }, geometry: {} },
|
||||
{ type: 'Feature', properties: { iso_a2: 'FR' }, geometry: {} },
|
||||
],
|
||||
};
|
||||
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
||||
ok: true,
|
||||
json: async () => mockGeoJson,
|
||||
}));
|
||||
|
||||
// Pass lowercase 'de' — getRegionGeo uppercases internally for matching
|
||||
const result = await getRegionGeo(['de']);
|
||||
it('ATLAS-SVC-018: returns the current geoBoundaries regions for a country, case-insensitively', async () => {
|
||||
// Pass lowercase 'no' — getRegionGeo uppercases internally for matching.
|
||||
const result = await getRegionGeo(['no']);
|
||||
|
||||
expect(result.type).toBe('FeatureCollection');
|
||||
expect(result.features).toHaveLength(1);
|
||||
expect(result.features[0].properties.iso_a2).toBe('DE');
|
||||
expect(result.features.length).toBeGreaterThan(0);
|
||||
expect(result.features.every((f: any) => f.properties.iso_a2 === 'NO')).toBe(true);
|
||||
|
||||
const names = result.features.map((f: any) => f.properties.name);
|
||||
const codes = result.features.map((f: any) => f.properties.iso_3166_2);
|
||||
// Post-2020 reform is present…
|
||||
expect(codes).toContain('NO-34'); // Innlandet
|
||||
expect(codes).toContain('NO-46'); // Vestland
|
||||
// …and the merged-away pre-2020 counties are gone (the original #1119 bug).
|
||||
expect(names).not.toContain('Oppland');
|
||||
expect(names).not.toContain('Hordaland');
|
||||
expect(names).not.toContain('Sogn og Fjordane');
|
||||
});
|
||||
});
|
||||
|
||||
describe('getCountryGeo', () => {
|
||||
it('ATLAS-SVC-019: returns the admin-0 FeatureCollection with ISO_A2/ADM0_A3 properties', () => {
|
||||
const geo = getCountryGeo();
|
||||
expect(geo.type).toBe('FeatureCollection');
|
||||
expect(geo.features.length).toBeGreaterThan(0);
|
||||
const no = geo.features.find((f: any) => f.properties.ISO_A2 === 'NO');
|
||||
expect(no).toBeDefined();
|
||||
expect(no.properties.ADM0_A3).toBe('NOR');
|
||||
expect(no.properties.NAME).toBe('Norway');
|
||||
});
|
||||
|
||||
it('ATLAS-SVC-020: includes territories that the curated list dropped (Greenland + Svalbard)', () => {
|
||||
const geo = getCountryGeo();
|
||||
// Greenland is its own feature.
|
||||
expect(geo.features.some((f: any) => f.properties.ISO_A2 === 'GL')).toBe(true);
|
||||
// Svalbard has no separate ISO entity in geoBoundaries; it sits inside Norway's
|
||||
// geometry (lat ~74-81°N). Guard that the country polygon reaches those latitudes.
|
||||
const no = geo.features.find((f: any) => f.properties.ISO_A2 === 'NO');
|
||||
const maxLat = (function max(coords: any): number {
|
||||
if (typeof coords[0] === 'number') return coords[1];
|
||||
return Math.max(...coords.map(max));
|
||||
})(no.geometry.coordinates);
|
||||
expect(maxLat).toBeGreaterThan(78);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -505,4 +524,33 @@ describe('getVisitedRegions', () => {
|
||||
const codes = result.regions['FR'].map((r: any) => r.code);
|
||||
expect(codes).toContain('FR-75');
|
||||
});
|
||||
|
||||
it('ATLAS-UNIT-021: GB places resolving to a constituent country are re-resolved to the finer admin-1 code', async () => {
|
||||
vi.useFakeTimers();
|
||||
// A zoom-8 lookup only yields the constituent country (GB-ENG); the zoom-10 lookup
|
||||
// exposes the borough code (GB-MAN) that Natural Earth's polygons actually carry.
|
||||
vi.stubGlobal('fetch', vi.fn().mockImplementation((url: string) => Promise.resolve({
|
||||
ok: true,
|
||||
json: async () => ({
|
||||
address: url.includes('zoom=10')
|
||||
? { country_code: 'gb', 'ISO3166-2-lvl8': 'GB-MAN', city: 'Manchester', state: 'England', 'ISO3166-2-lvl4': 'GB-ENG' }
|
||||
: { country_code: 'gb', 'ISO3166-2-lvl4': 'GB-ENG', state: 'England' },
|
||||
}),
|
||||
})));
|
||||
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id, { title: 'Manchester Trip' });
|
||||
insertPlaceWithCoords(testDb, trip.id, 'Old Trafford', 53.4631, -2.2913);
|
||||
|
||||
await getVisitedRegions(user.id);
|
||||
await vi.runAllTimersAsync();
|
||||
const result = await getVisitedRegions(user.id);
|
||||
|
||||
expect(result.regions['GB']).toBeDefined();
|
||||
const codes = result.regions['GB'].map((r: any) => r.code);
|
||||
expect(codes).toContain('GB-MAN');
|
||||
expect(codes).not.toContain('GB-ENG');
|
||||
|
||||
vi.useRealTimers();
|
||||
});
|
||||
});
|
||||
|
||||
@@ -36,6 +36,7 @@ vi.mock('../../../src/db/database', () => dbMock);
|
||||
vi.mock('../../../src/config', () => ({
|
||||
JWT_SECRET: 'test-secret',
|
||||
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
||||
SESSION_DURATION_SECONDS: 86400,
|
||||
updateJwtSecret: () => {},
|
||||
}));
|
||||
vi.mock('../../../src/services/mfaCrypto', () => ({
|
||||
@@ -84,11 +85,14 @@ import {
|
||||
validateInviteToken,
|
||||
registerUser,
|
||||
loginUser,
|
||||
requestPasswordReset,
|
||||
changePassword,
|
||||
verifyMfaLogin,
|
||||
createMcpToken,
|
||||
deleteMcpToken,
|
||||
generateToken,
|
||||
} from '../../../src/services/authService';
|
||||
import { verifyJwtAndLoadUser } from '../../../src/middleware/auth';
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Lifecycle
|
||||
@@ -103,6 +107,35 @@ beforeEach(() => resetTestDb(testDb));
|
||||
|
||||
afterAll(() => testDb.close());
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// requestPasswordReset — OIDC/SSO accounts (#1129)
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
describe('requestPasswordReset — OIDC/SSO accounts', () => {
|
||||
it('AUTH-DB-PR1: refuses a reset for an OIDC-linked account that has a (random) password hash', () => {
|
||||
const { user } = createUser(testDb);
|
||||
// OIDC users are created with a random bcrypt hash, so password_hash is set —
|
||||
// the old guard keyed off a missing hash and therefore let the reset through.
|
||||
testDb.prepare('UPDATE users SET oidc_sub = ?, oidc_issuer = ? WHERE id = ?')
|
||||
.run('sub-1129', 'https://idp.example', user.id);
|
||||
|
||||
const result = requestPasswordReset(user.email, null);
|
||||
|
||||
expect(result.reason).toBe('oidc_only');
|
||||
expect(result.tokenForDelivery).toBeNull();
|
||||
const { n } = testDb.prepare('SELECT COUNT(*) AS n FROM password_reset_tokens WHERE user_id = ?')
|
||||
.get(user.id) as { n: number };
|
||||
expect(n).toBe(0);
|
||||
});
|
||||
|
||||
it('AUTH-DB-PR2: still issues a reset for a normal local (non-SSO) account', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const result = requestPasswordReset(user.email, null);
|
||||
expect(result.reason).toBe('issued');
|
||||
expect(result.tokenForDelivery).toBeTruthy();
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// updateSettings
|
||||
// ---------------------------------------------------------------------------
|
||||
@@ -573,6 +606,39 @@ describe('changePassword — OIDC-only mode', () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe('changePassword — session invalidation', () => {
|
||||
const pvOf = (id: number) =>
|
||||
(testDb.prepare('SELECT password_version FROM users WHERE id = ?').get(id) as { password_version: number }).password_version;
|
||||
const mcpCount = (id: number) =>
|
||||
(testDb.prepare('SELECT COUNT(*) c FROM mcp_tokens WHERE user_id = ?').get(id) as { c: number }).c;
|
||||
|
||||
it('AUTH-DB-036b: bumps password_version, prunes MCP tokens, and re-issues a session', () => {
|
||||
const { user, password } = createUser(testDb);
|
||||
createMcpToken(user.id, 'cli');
|
||||
|
||||
expect(pvOf(user.id)).toBe(0);
|
||||
expect(mcpCount(user.id)).toBe(1);
|
||||
|
||||
const result = changePassword(user.id, user.email, { current_password: password, new_password: 'New1234!' });
|
||||
|
||||
expect(result.success).toBe(true);
|
||||
expect(typeof result.token).toBe('string'); // fresh session for the current device
|
||||
expect(pvOf(user.id)).toBe(1); // old JWT/cookie sessions now rejected by the pv gate
|
||||
expect(mcpCount(user.id)).toBe(0); // static MCP tokens revoked
|
||||
});
|
||||
|
||||
it('AUTH-DB-036c: a token minted before the change no longer validates afterwards', () => {
|
||||
const { user, password } = createUser(testDb);
|
||||
const stolen = generateToken({ id: user.id }); // pv=0 at mint time
|
||||
|
||||
expect(verifyJwtAndLoadUser(stolen)).not.toBeNull();
|
||||
|
||||
changePassword(user.id, user.email, { current_password: password, new_password: 'New1234!' });
|
||||
|
||||
expect(verifyJwtAndLoadUser(stolen)).toBeNull(); // invalidated by the pv bump
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// disableMfa — require_mfa policy
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -19,12 +19,16 @@ const fsMock = vi.hoisted(() => ({
|
||||
rmSync: vi.fn(),
|
||||
copyFileSync: vi.fn(),
|
||||
cpSync: vi.fn(),
|
||||
// Identity by default: when uploadsDir is a plain directory, realpathSync
|
||||
// returns it unchanged. Tests that exercise the symlink case override this.
|
||||
realpathSync: vi.fn((p: string) => p),
|
||||
}));
|
||||
|
||||
const archiverInstanceMock = vi.hoisted(() => ({
|
||||
pipe: vi.fn(),
|
||||
file: vi.fn(),
|
||||
directory: vi.fn(),
|
||||
glob: vi.fn(),
|
||||
finalize: vi.fn(),
|
||||
on: vi.fn(),
|
||||
}));
|
||||
@@ -33,6 +37,9 @@ const archiverMock = vi.hoisted(() => vi.fn());
|
||||
|
||||
const unzipperMock = vi.hoisted(() => ({
|
||||
Extract: vi.fn(),
|
||||
// Central-directory reader used for the pre-extract zip-bomb size check.
|
||||
// Default to an empty archive so existing restore tests proceed to Extract.
|
||||
Open: { file: vi.fn().mockResolvedValue({ files: [] }) },
|
||||
}));
|
||||
|
||||
const dbMock = vi.hoisted(() => ({
|
||||
@@ -438,7 +445,7 @@ describe('BACKUP-036 createBackup', () => {
|
||||
);
|
||||
});
|
||||
|
||||
it('BACKUP-036e — includes uploads directory when it exists', async () => {
|
||||
it('BACKUP-036e — includes uploads but excludes the re-derivable photo caches', async () => {
|
||||
fsMock.existsSync.mockImplementation((p: string) => {
|
||||
if (String(p).endsWith('uploads')) return true;
|
||||
return false;
|
||||
@@ -464,9 +471,80 @@ describe('BACKUP-036 createBackup', () => {
|
||||
|
||||
await createBackup();
|
||||
|
||||
expect(archiverInstanceMock.directory).toHaveBeenCalledWith(
|
||||
expect.stringContaining('uploads'),
|
||||
'uploads'
|
||||
expect(archiverInstanceMock.glob).toHaveBeenCalledWith(
|
||||
'**/*',
|
||||
expect.objectContaining({
|
||||
cwd: expect.stringContaining('uploads'),
|
||||
ignore: ['photos/google/**', 'photos/trek/**'],
|
||||
}),
|
||||
{ prefix: 'uploads' },
|
||||
);
|
||||
// The re-derivable caches must not be archived verbatim.
|
||||
expect(archiverInstanceMock.directory).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('BACKUP-036f — bundles .encryption_key when present and ENCRYPTION_KEY env is unset', async () => {
|
||||
const prevEnvKey = process.env.ENCRYPTION_KEY;
|
||||
delete process.env.ENCRYPTION_KEY;
|
||||
try {
|
||||
fsMock.existsSync.mockImplementation((p: string) => String(p).endsWith('.encryption_key'));
|
||||
fsMock.mkdirSync.mockReturnValue(undefined);
|
||||
|
||||
const writableEvents: Record<string, Function> = {};
|
||||
const fakeWriteStream = {
|
||||
on: vi.fn((event: string, cb: Function) => {
|
||||
writableEvents[event] = cb;
|
||||
}),
|
||||
};
|
||||
fsMock.createWriteStream.mockReturnValue(fakeWriteStream);
|
||||
|
||||
archiverInstanceMock.on.mockImplementation((_e: string, _cb: Function) => {});
|
||||
archiverInstanceMock.pipe.mockReturnValue(undefined);
|
||||
archiverInstanceMock.finalize.mockImplementation(() => {
|
||||
if (writableEvents['close']) writableEvents['close']();
|
||||
});
|
||||
archiverMock.mockReturnValue(archiverInstanceMock);
|
||||
|
||||
fsMock.statSync.mockReturnValue({ size: 1024, birthtime: new Date('2026-04-06T12:00:00Z') });
|
||||
|
||||
await createBackup();
|
||||
|
||||
expect(archiverInstanceMock.file).toHaveBeenCalledWith(
|
||||
expect.stringContaining('.encryption_key'),
|
||||
{ name: '.encryption_key' },
|
||||
);
|
||||
} finally {
|
||||
process.env.ENCRYPTION_KEY = prevEnvKey;
|
||||
}
|
||||
});
|
||||
|
||||
it('BACKUP-036g — does NOT bundle .encryption_key when ENCRYPTION_KEY env is set', async () => {
|
||||
// setup.ts sets process.env.ENCRYPTION_KEY, so the env is the source of truth.
|
||||
fsMock.existsSync.mockImplementation((p: string) => String(p).endsWith('.encryption_key'));
|
||||
fsMock.mkdirSync.mockReturnValue(undefined);
|
||||
|
||||
const writableEvents: Record<string, Function> = {};
|
||||
const fakeWriteStream = {
|
||||
on: vi.fn((event: string, cb: Function) => {
|
||||
writableEvents[event] = cb;
|
||||
}),
|
||||
};
|
||||
fsMock.createWriteStream.mockReturnValue(fakeWriteStream);
|
||||
|
||||
archiverInstanceMock.on.mockImplementation((_e: string, _cb: Function) => {});
|
||||
archiverInstanceMock.pipe.mockReturnValue(undefined);
|
||||
archiverInstanceMock.finalize.mockImplementation(() => {
|
||||
if (writableEvents['close']) writableEvents['close']();
|
||||
});
|
||||
archiverMock.mockReturnValue(archiverInstanceMock);
|
||||
|
||||
fsMock.statSync.mockReturnValue({ size: 1024, birthtime: new Date('2026-04-06T12:00:00Z') });
|
||||
|
||||
await createBackup();
|
||||
|
||||
expect(archiverInstanceMock.file).not.toHaveBeenCalledWith(
|
||||
expect.stringContaining('.encryption_key'),
|
||||
expect.anything(),
|
||||
);
|
||||
});
|
||||
});
|
||||
@@ -532,6 +610,19 @@ describe('BACKUP-038 restoreFromZip', () => {
|
||||
expect(result.error).toMatch(/travel\.db not found/i);
|
||||
expect(result.status).toBe(400);
|
||||
});
|
||||
|
||||
it('BACKUP-038b — rejects a zip bomb whose declared decompressed size exceeds the cap', async () => {
|
||||
unzipperMock.Open.file.mockResolvedValueOnce({
|
||||
files: [{ uncompressedSize: 6 * 1024 * 1024 * 1024 }], // 6 GB > 5 GB cap
|
||||
});
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/bomb.zip');
|
||||
|
||||
expect(result.success).toBe(false);
|
||||
expect(result.status).toBe(400);
|
||||
expect(result.error).toMatch(/decompressed size/i);
|
||||
expect(unzipperMock.Extract).not.toHaveBeenCalled(); // bailed before extracting
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
@@ -678,7 +769,9 @@ describe('BACKUP-042 restoreFromZip — integrity check fails', () => {
|
||||
}),
|
||||
close: vi.fn(),
|
||||
};
|
||||
DatabaseMock.mockReturnValue(fakeDbInstance);
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
return fakeDbInstance;
|
||||
});
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/upload.zip');
|
||||
|
||||
@@ -712,7 +805,9 @@ describe('BACKUP-043 restoreFromZip — missing required table', () => {
|
||||
}),
|
||||
close: vi.fn(),
|
||||
};
|
||||
DatabaseMock.mockReturnValue(fakeDbInstance);
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
return fakeDbInstance;
|
||||
});
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/upload.zip');
|
||||
|
||||
@@ -736,7 +831,7 @@ describe('BACKUP-044 restoreFromZip — Database constructor throws (invalid SQL
|
||||
);
|
||||
fsMock.rmSync.mockReturnValue(undefined);
|
||||
|
||||
DatabaseMock.mockImplementation(() => {
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
throw new Error('file is not a database');
|
||||
});
|
||||
|
||||
@@ -771,7 +866,9 @@ describe('BACKUP-045 restoreFromZip — full success path (no uploads)', () => {
|
||||
}),
|
||||
close: vi.fn(),
|
||||
};
|
||||
DatabaseMock.mockReturnValue(fakeDbInstance);
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
return fakeDbInstance;
|
||||
});
|
||||
return fakeDbInstance;
|
||||
}
|
||||
|
||||
@@ -833,6 +930,53 @@ describe('BACKUP-045 restoreFromZip — full success path (no uploads)', () => {
|
||||
|
||||
expect(dbMock.reinitialize).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('BACKUP-045d — restores bundled .encryption_key when the archive carries one', async () => {
|
||||
setupSuccessfulExtraction();
|
||||
setupAllTablesPresent();
|
||||
|
||||
fsMock.existsSync.mockImplementation((p: string) => {
|
||||
if (String(p).endsWith('travel.db')) return true;
|
||||
if (String(p).endsWith('.encryption_key')) return true; // extracted key present
|
||||
if (String(p).includes('uploads')) return false;
|
||||
return true;
|
||||
});
|
||||
fsMock.unlinkSync.mockReturnValue(undefined);
|
||||
fsMock.copyFileSync.mockReturnValue(undefined);
|
||||
fsMock.rmSync.mockReturnValue(undefined);
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/upload.zip');
|
||||
|
||||
expect(result).toEqual({ success: true });
|
||||
// Key copied from the extract dir into the live data dir.
|
||||
expect(fsMock.copyFileSync).toHaveBeenCalledWith(
|
||||
expect.stringContaining('.encryption_key'),
|
||||
expect.stringContaining('.encryption_key'),
|
||||
);
|
||||
});
|
||||
|
||||
it('BACKUP-045e — skips key restore when the archive has no .encryption_key', async () => {
|
||||
setupSuccessfulExtraction();
|
||||
setupAllTablesPresent();
|
||||
|
||||
fsMock.existsSync.mockImplementation((p: string) => {
|
||||
if (String(p).endsWith('travel.db')) return true;
|
||||
if (String(p).endsWith('.encryption_key')) return false; // no key in archive
|
||||
if (String(p).includes('uploads')) return false;
|
||||
return true;
|
||||
});
|
||||
fsMock.unlinkSync.mockReturnValue(undefined);
|
||||
fsMock.copyFileSync.mockReturnValue(undefined);
|
||||
fsMock.rmSync.mockReturnValue(undefined);
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/upload.zip');
|
||||
|
||||
expect(result).toEqual({ success: true });
|
||||
expect(fsMock.copyFileSync).not.toHaveBeenCalledWith(
|
||||
expect.stringContaining('.encryption_key'),
|
||||
expect.stringContaining('.encryption_key'),
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe('BACKUP-046 restoreFromZip — with uploads directory', () => {
|
||||
@@ -859,7 +1003,9 @@ describe('BACKUP-046 restoreFromZip — with uploads directory', () => {
|
||||
}),
|
||||
close: vi.fn(),
|
||||
};
|
||||
DatabaseMock.mockReturnValue(fakeDbInstance);
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
return fakeDbInstance;
|
||||
});
|
||||
|
||||
fsMock.existsSync.mockImplementation((p: string) => {
|
||||
// travel.db present, extractedUploads present
|
||||
@@ -889,6 +1035,66 @@ describe('BACKUP-046 restoreFromZip — with uploads directory', () => {
|
||||
{ recursive: true, force: true }
|
||||
);
|
||||
});
|
||||
|
||||
it('BACKUP-046b — copies into the symlink target, not the symlink itself (#1193)', async () => {
|
||||
// In Docker, uploadsDir (/app/server/uploads) is a symlink to the mounted
|
||||
// /app/uploads volume. cpSync(dereference:false) would throw
|
||||
// ERR_FS_CP_DIR_TO_NON_DIR overwriting the symlink node with a directory.
|
||||
// The fix resolves the symlink with realpathSync first, so the copy targets
|
||||
// the real directory behind it.
|
||||
setupSuccessfulExtraction();
|
||||
|
||||
const fakeDbInstance = {
|
||||
prepare: vi.fn()
|
||||
.mockReturnValueOnce({
|
||||
get: vi.fn().mockReturnValue({ integrity_check: 'ok' }),
|
||||
})
|
||||
.mockReturnValueOnce({
|
||||
all: vi.fn().mockReturnValue([
|
||||
{ name: 'users' },
|
||||
{ name: 'trips' },
|
||||
{ name: 'trip_members' },
|
||||
{ name: 'places' },
|
||||
{ name: 'days' },
|
||||
]),
|
||||
}),
|
||||
close: vi.fn(),
|
||||
};
|
||||
DatabaseMock.mockImplementation(function () {
|
||||
return fakeDbInstance;
|
||||
});
|
||||
|
||||
fsMock.existsSync.mockImplementation((p: string) => {
|
||||
if (String(p).endsWith('travel.db')) return true;
|
||||
if (String(p).includes('uploads')) return true;
|
||||
return true;
|
||||
});
|
||||
fsMock.readdirSync.mockImplementation((p: string) => {
|
||||
if (String(p).includes('uploads') && !String(p).includes('restore-')) {
|
||||
return ['photos'] as any;
|
||||
}
|
||||
if (String(p).includes('photos')) return ['img1.jpg'] as any;
|
||||
return [] as any;
|
||||
});
|
||||
fsMock.statSync.mockReturnValue({ isDirectory: () => true } as any);
|
||||
fsMock.unlinkSync.mockReturnValue(undefined);
|
||||
fsMock.copyFileSync.mockReturnValue(undefined);
|
||||
fsMock.cpSync.mockReturnValue(undefined);
|
||||
fsMock.rmSync.mockReturnValue(undefined);
|
||||
// Resolve the uploads symlink to a distinct real target directory.
|
||||
const REAL_TARGET = '/app/uploads';
|
||||
fsMock.realpathSync.mockReturnValueOnce(REAL_TARGET);
|
||||
|
||||
const result = await restoreFromZip('/data/tmp/upload.zip');
|
||||
|
||||
expect(result).toEqual({ success: true });
|
||||
// The copy destination must be the resolved real path, never the symlink.
|
||||
expect(fsMock.cpSync).toHaveBeenCalledWith(
|
||||
expect.stringContaining('uploads'),
|
||||
REAL_TARGET,
|
||||
{ recursive: true, force: true }
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -2,26 +2,14 @@ import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// ── DB mock setup ────────────────────────────────────────────────────────────
|
||||
|
||||
interface MockPrepared {
|
||||
all: ReturnType<typeof vi.fn>;
|
||||
get: ReturnType<typeof vi.fn>;
|
||||
run: ReturnType<typeof vi.fn>;
|
||||
}
|
||||
|
||||
const preparedMap: Record<string, MockPrepared> = {};
|
||||
let defaultAll: ReturnType<typeof vi.fn>;
|
||||
let defaultGet: ReturnType<typeof vi.fn>;
|
||||
|
||||
const mockDb = vi.hoisted(() => {
|
||||
return {
|
||||
db: {
|
||||
prepare: vi.fn((sql: string) => {
|
||||
return {
|
||||
all: vi.fn(() => []),
|
||||
get: vi.fn(() => undefined),
|
||||
run: vi.fn(),
|
||||
};
|
||||
}),
|
||||
prepare: vi.fn(() => ({
|
||||
all: vi.fn(() => []),
|
||||
get: vi.fn(() => undefined),
|
||||
run: vi.fn(),
|
||||
})),
|
||||
},
|
||||
canAccessTrip: vi.fn(() => true),
|
||||
};
|
||||
@@ -30,25 +18,29 @@ const mockDb = vi.hoisted(() => {
|
||||
vi.mock('../../../src/db/database', () => mockDb);
|
||||
|
||||
import { calculateSettlement } from '../../../src/services/budgetService';
|
||||
import type { BudgetItem, BudgetItemMember } from '../../../src/types';
|
||||
import type { BudgetItem, BudgetItemMember, BudgetItemPayer } from '../../../src/types';
|
||||
|
||||
// ── Helpers ──────────────────────────────────────────────────────────────────
|
||||
// Who actually paid is recorded as explicit payers (budget_item_payers); members
|
||||
// are only the equal-split participants.
|
||||
|
||||
function makeItem(id: number, total_price: number, trip_id = 1): BudgetItem {
|
||||
return { id, trip_id, name: `Item ${id}`, total_price, category: 'Other' } as BudgetItem;
|
||||
return { id, trip_id, name: `Item ${id}`, total_price, category: 'other' } as BudgetItem;
|
||||
}
|
||||
|
||||
function makeMember(budget_item_id: number, user_id: number, paid: boolean | 0 | 1, username: string): BudgetItemMember & { budget_item_id: number } {
|
||||
return {
|
||||
budget_item_id,
|
||||
user_id,
|
||||
paid: paid ? 1 : 0,
|
||||
username,
|
||||
avatar: null,
|
||||
} as BudgetItemMember & { budget_item_id: number };
|
||||
function makeMember(budget_item_id: number, user_id: number, username: string): BudgetItemMember & { budget_item_id: number } {
|
||||
return { budget_item_id, user_id, paid: 0, username, avatar: null } as BudgetItemMember & { budget_item_id: number };
|
||||
}
|
||||
|
||||
function setupDb(items: BudgetItem[], members: (BudgetItemMember & { budget_item_id: number })[]) {
|
||||
function makePayer(budget_item_id: number, user_id: number, amount: number, username: string): BudgetItemPayer & { budget_item_id: number } {
|
||||
return { budget_item_id, user_id, amount, username, avatar: null } as BudgetItemPayer & { budget_item_id: number };
|
||||
}
|
||||
|
||||
function setupDb(
|
||||
items: BudgetItem[],
|
||||
members: (BudgetItemMember & { budget_item_id: number })[],
|
||||
payers: (BudgetItemPayer & { budget_item_id: number })[] = [],
|
||||
) {
|
||||
mockDb.db.prepare.mockImplementation((sql: string) => {
|
||||
if (sql.includes('SELECT * FROM budget_items')) {
|
||||
return { all: vi.fn(() => items), get: vi.fn(), run: vi.fn() };
|
||||
@@ -56,45 +48,51 @@ function setupDb(items: BudgetItem[], members: (BudgetItemMember & { budget_item
|
||||
if (sql.includes('budget_item_members')) {
|
||||
return { all: vi.fn(() => members), get: vi.fn(), run: vi.fn() };
|
||||
}
|
||||
if (sql.includes('budget_item_payers')) {
|
||||
return { all: vi.fn(() => payers), get: vi.fn(), run: vi.fn() };
|
||||
}
|
||||
// budget_settlements and anything else → empty
|
||||
return { all: vi.fn(() => []), get: vi.fn(), run: vi.fn() };
|
||||
});
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
setupDb([], []);
|
||||
setupDb([], [], []);
|
||||
});
|
||||
|
||||
// ── calculateSettlement ──────────────────────────────────────────────────────
|
||||
|
||||
describe('calculateSettlement', () => {
|
||||
it('returns empty balances and flows when trip has no items', () => {
|
||||
setupDb([], []);
|
||||
setupDb([], [], []);
|
||||
const result = calculateSettlement(1);
|
||||
expect(result.balances).toEqual([]);
|
||||
expect(result.flows).toEqual([]);
|
||||
});
|
||||
|
||||
it('returns no flows when there are items but no members', () => {
|
||||
setupDb([makeItem(1, 100)], []);
|
||||
setupDb([makeItem(1, 100)], [], [makePayer(1, 1, 100, 'alice')]);
|
||||
const result = calculateSettlement(1);
|
||||
expect(result.flows).toEqual([]);
|
||||
});
|
||||
|
||||
it('returns no flows when no one is marked as paid', () => {
|
||||
it('returns no flows when no one has paid', () => {
|
||||
setupDb(
|
||||
[makeItem(1, 100)],
|
||||
[makeMember(1, 1, 0, 'alice'), makeMember(1, 2, 0, 'bob')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob')],
|
||||
[],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
expect(result.flows).toEqual([]);
|
||||
});
|
||||
|
||||
it('2 members, 1 payer: payer is owed half, non-payer owes half', () => {
|
||||
// Item: $100. Alice paid, Bob did not. Each owes $50. Alice net: +$50. Bob net: -$50.
|
||||
// Item: $100. Alice paid all, [Alice, Bob] split. Each owes $50. Alice net: +$50. Bob: -$50.
|
||||
setupDb(
|
||||
[makeItem(1, 100)],
|
||||
[makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 0, 'bob')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob')],
|
||||
[makePayer(1, 1, 100, 'alice')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
const alice = result.balances.find(b => b.user_id === 1)!;
|
||||
@@ -111,7 +109,8 @@ describe('calculateSettlement', () => {
|
||||
// Item: $90. Alice paid. Each of 3 owes $30. Alice net: +$60. Bob: -$30. Carol: -$30.
|
||||
setupDb(
|
||||
[makeItem(1, 90)],
|
||||
[makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 0, 'bob'), makeMember(1, 3, 0, 'carol')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob'), makeMember(1, 3, 'carol')],
|
||||
[makePayer(1, 1, 90, 'alice')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
const alice = result.balances.find(b => b.user_id === 1)!;
|
||||
@@ -124,12 +123,11 @@ describe('calculateSettlement', () => {
|
||||
});
|
||||
|
||||
it('all paid equally: all balances are zero, no flows', () => {
|
||||
// Item: $60. 3 members, all paid equally (each paid $20, each owes $20). Net: 0.
|
||||
// Actually with "paid" flag it means: paidPerPayer = item.total / numPayers.
|
||||
// If all 3 paid: each gets +20 credit, each owes -20 = net 0 for everyone.
|
||||
// Item: $60. 3 members, each paid $20 and owes $20. Net: 0 for everyone.
|
||||
setupDb(
|
||||
[makeItem(1, 60)],
|
||||
[makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 1, 'bob'), makeMember(1, 3, 1, 'carol')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob'), makeMember(1, 3, 'carol')],
|
||||
[makePayer(1, 1, 20, 'alice'), makePayer(1, 2, 20, 'bob'), makePayer(1, 3, 20, 'carol')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
for (const b of result.balances) {
|
||||
@@ -142,7 +140,8 @@ describe('calculateSettlement', () => {
|
||||
// Alice paid $100 for 2 people. Bob owes Alice $50.
|
||||
setupDb(
|
||||
[makeItem(1, 100)],
|
||||
[makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 0, 'bob')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob')],
|
||||
[makePayer(1, 1, 100, 'alice')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
const flow = result.flows[0];
|
||||
@@ -154,7 +153,8 @@ describe('calculateSettlement', () => {
|
||||
// Item: $10. 3 members, 1 payer. Share = 3.333... Each rounded to 3.33.
|
||||
setupDb(
|
||||
[makeItem(1, 10)],
|
||||
[makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 0, 'bob'), makeMember(1, 3, 0, 'carol')],
|
||||
[makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob'), makeMember(1, 3, 'carol')],
|
||||
[makePayer(1, 1, 10, 'alice')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
for (const b of result.balances) {
|
||||
@@ -176,9 +176,10 @@ describe('calculateSettlement', () => {
|
||||
setupDb(
|
||||
[makeItem(1, 100), makeItem(2, 60)],
|
||||
[
|
||||
makeMember(1, 1, 1, 'alice'), makeMember(1, 2, 0, 'bob'),
|
||||
makeMember(2, 1, 0, 'alice'), makeMember(2, 2, 1, 'bob'),
|
||||
makeMember(1, 1, 'alice'), makeMember(1, 2, 'bob'),
|
||||
makeMember(2, 1, 'alice'), makeMember(2, 2, 'bob'),
|
||||
],
|
||||
[makePayer(1, 1, 100, 'alice'), makePayer(2, 2, 60, 'bob')],
|
||||
);
|
||||
const result = calculateSettlement(1);
|
||||
const alice = result.balances.find(b => b.user_id === 1)!;
|
||||
|
||||
@@ -0,0 +1,83 @@
|
||||
/**
|
||||
* DB-backed unit tests for budgetService trip-scoping (BUDGET-SVC-DB-001+).
|
||||
* Uses a real in-memory SQLite DB so the SQL WHERE clauses are exercised.
|
||||
*/
|
||||
import { describe, it, expect, vi, beforeAll, beforeEach, afterAll } from 'vitest';
|
||||
|
||||
const { testDb, dbMock } = vi.hoisted(() => {
|
||||
const Database = require('better-sqlite3');
|
||||
const db = new Database(':memory:');
|
||||
db.exec('PRAGMA journal_mode = WAL');
|
||||
db.exec('PRAGMA foreign_keys = ON');
|
||||
db.exec('PRAGMA busy_timeout = 5000');
|
||||
const mock = {
|
||||
db,
|
||||
closeDb: () => {},
|
||||
reinitialize: () => {},
|
||||
getPlaceWithTags: () => null,
|
||||
canAccessTrip: () => null,
|
||||
isOwner: () => false,
|
||||
};
|
||||
return { testDb: db, dbMock: mock };
|
||||
});
|
||||
|
||||
vi.mock('../../../src/db/database', () => dbMock);
|
||||
vi.mock('../../../src/config', () => ({
|
||||
JWT_SECRET: 'test-secret',
|
||||
ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
|
||||
updateJwtSecret: () => {},
|
||||
}));
|
||||
|
||||
import { createTables } from '../../../src/db/schema';
|
||||
import { runMigrations } from '../../../src/db/migrations';
|
||||
import { resetTestDb } from '../../helpers/test-db';
|
||||
import { createUser, createTrip } from '../../helpers/factories';
|
||||
import { createBudgetItem, updateMembers, toggleMemberPaid } from '../../../src/services/budgetService';
|
||||
|
||||
beforeAll(() => {
|
||||
createTables(testDb);
|
||||
runMigrations(testDb);
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
resetTestDb(testDb);
|
||||
});
|
||||
|
||||
afterAll(() => {
|
||||
testDb.close();
|
||||
});
|
||||
|
||||
function paidFlag(itemId: number, memberId: number): number | undefined {
|
||||
const row = testDb
|
||||
.prepare('SELECT paid FROM budget_item_members WHERE budget_item_id = ? AND user_id = ?')
|
||||
.get(itemId, memberId) as { paid: number } | undefined;
|
||||
return row?.paid;
|
||||
}
|
||||
|
||||
describe('toggleMemberPaid trip-scoping', () => {
|
||||
it('BUDGET-SVC-DB-001: toggles paid for an item that belongs to the given trip', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id, { title: 'Trip A' });
|
||||
const item = createBudgetItem(trip.id, { name: 'Hotel', total_price: 100 });
|
||||
updateMembers(item.id, trip.id, [user.id]);
|
||||
|
||||
const member = toggleMemberPaid(item.id, trip.id, user.id, true);
|
||||
|
||||
expect(member).not.toBeNull();
|
||||
expect(paidFlag(item.id, user.id)).toBe(1);
|
||||
});
|
||||
|
||||
it('BUDGET-SVC-DB-002: refuses to toggle an item from a different trip (cross-trip IDOR)', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const tripA = createTrip(testDb, user.id, { title: 'Trip A' });
|
||||
const tripB = createTrip(testDb, user.id, { title: 'Trip B' });
|
||||
const itemB = createBudgetItem(tripB.id, { name: 'Foreign expense', total_price: 50 });
|
||||
updateMembers(itemB.id, tripB.id, [user.id]);
|
||||
|
||||
// Caller passes a trip they can access (A) but the item lives in trip B.
|
||||
const member = toggleMemberPaid(itemB.id, tripA.id, user.id, true);
|
||||
|
||||
expect(member).toBeNull();
|
||||
expect(paidFlag(itemB.id, user.id)).toBe(0); // unchanged
|
||||
});
|
||||
});
|
||||
@@ -1,6 +1,7 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
|
||||
|
||||
import { cookieOptions } from '../../../src/services/cookie';
|
||||
import { SESSION_DURATION_MS, SESSION_DURATION_REMEMBER_MS } from '../../../src/config';
|
||||
|
||||
describe('cookieOptions', () => {
|
||||
afterEach(() => {
|
||||
@@ -53,4 +54,16 @@ describe('cookieOptions', () => {
|
||||
const opts = cookieOptions(true);
|
||||
expect(opts).not.toHaveProperty('maxAge');
|
||||
});
|
||||
|
||||
it('keeps the default SESSION_DURATION maxAge when remember is undefined', () => {
|
||||
expect(cookieOptions(false, undefined)).toHaveProperty('maxAge', SESSION_DURATION_MS);
|
||||
});
|
||||
|
||||
it('uses the longer SESSION_DURATION_REMEMBER maxAge when remember is true', () => {
|
||||
expect(cookieOptions(false, undefined, true)).toHaveProperty('maxAge', SESSION_DURATION_REMEMBER_MS);
|
||||
});
|
||||
|
||||
it('omits maxAge (session cookie) when remember is false', () => {
|
||||
expect(cookieOptions(false, undefined, false)).not.toHaveProperty('maxAge');
|
||||
});
|
||||
});
|
||||
|
||||
@@ -17,7 +17,15 @@ const { testDb, dbMock } = vi.hoisted(() => {
|
||||
closeDb: () => {},
|
||||
reinitialize: () => {},
|
||||
getPlaceWithTags: () => null,
|
||||
canAccessTrip: () => null,
|
||||
// Mirror the real canAccessTrip semantics against the test DB (owner or member
|
||||
// → truthy access row, else undefined) so addTripToJourney's trip-access guard
|
||||
// behaves as in production. (Was an unused `() => null` stub before the guard existed.)
|
||||
canAccessTrip: (tripId: number | string, userId: number) =>
|
||||
db
|
||||
.prepare(
|
||||
'SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)',
|
||||
)
|
||||
.get(userId, tripId, userId),
|
||||
isOwner: () => false,
|
||||
};
|
||||
return { testDb: db, dbMock: mock };
|
||||
@@ -417,6 +425,22 @@ describe('addTripToJourney / removeTripFromJourney', () => {
|
||||
expect(link).toBeDefined();
|
||||
});
|
||||
|
||||
it('JOURNEY-SVC-024b: refuses to link a trip the caller cannot access (IDOR guard)', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const { user: stranger } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
// A trip owned by someone else, that `user` is not a member of.
|
||||
const foreignTrip = createTrip(testDb, stranger.id, { title: "Stranger's Trip" });
|
||||
|
||||
const result = addTripToJourney(journey.id, foreignTrip.id, user.id);
|
||||
|
||||
expect(result).toBe(false);
|
||||
const link = testDb.prepare(
|
||||
'SELECT * FROM journey_trips WHERE journey_id = ? AND trip_id = ?'
|
||||
).get(journey.id, foreignTrip.id);
|
||||
expect(link).toBeUndefined();
|
||||
});
|
||||
|
||||
it('JOURNEY-SVC-025: syncs places as skeleton entries when linking a trip', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
@@ -572,6 +596,32 @@ describe('updateEntry', () => {
|
||||
|
||||
expect(result).toBeNull();
|
||||
});
|
||||
|
||||
it('JOURNEY-SVC-034b: ignores injection column keys and mass-assignment attempts', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
const entry = createJourneyEntry(testDb, journey.id, user.id, {
|
||||
title: 'Safe',
|
||||
story: 'original',
|
||||
entry_date: '2026-03-01',
|
||||
});
|
||||
|
||||
// The keys come straight from the request body. A crafted key was previously
|
||||
// interpolated as a raw SQL column name (`${key} = ?`), enabling subquery
|
||||
// injection (full DB read) and mass-assignment of protected columns.
|
||||
const malicious: Record<string, unknown> = {
|
||||
title: 'Updated',
|
||||
[`story = (SELECT password_hash FROM users WHERE id = ${user.id}), updated_at`]: 'x',
|
||||
author_id: 999999,
|
||||
};
|
||||
|
||||
const updated = updateEntry(entry.id, user.id, malicious as Parameters<typeof updateEntry>[2]);
|
||||
|
||||
expect(updated).not.toBeNull();
|
||||
expect(updated!.title).toBe('Updated'); // legit field still applied
|
||||
expect(updated!.story).toBe('original'); // injection key dropped — no hash leaked into story
|
||||
expect(updated!.author_id).toBe(user.id); // mass-assignment blocked
|
||||
});
|
||||
});
|
||||
|
||||
describe('deleteEntry', () => {
|
||||
|
||||
@@ -300,15 +300,17 @@ describe('validateShareTokenForAsset', () => {
|
||||
expect(result).toBeNull();
|
||||
});
|
||||
|
||||
it('JOURNEY-SHARE-015: falls back to journey owner when asset not found in photos', () => {
|
||||
it('JOURNEY-SHARE-015: denies (returns null) when the asset is not part of the shared journey', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
const { token } = createOrUpdateJourneyShareLink(journey.id, user.id, {});
|
||||
|
||||
// A valid share token must NOT resolve arbitrary asset IDs to the owner —
|
||||
// otherwise it could proxy any asset out of the owner's Immich/Synology
|
||||
// library (IDOR). Only assets actually in the journey may resolve.
|
||||
const result = validateShareTokenForAsset(token, 'nonexistent-asset');
|
||||
|
||||
expect(result).not.toBeNull();
|
||||
expect(result!.ownerId).toBe(user.id);
|
||||
expect(result).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
@@ -414,4 +416,76 @@ describe('getPublicJourney', () => {
|
||||
expect(result!.stats.photos).toBe(0);
|
||||
expect(result!.stats.places).toBe(0);
|
||||
});
|
||||
|
||||
it('JOURNEY-SHARE-021: withholds timeline, gallery and GPS when all flags are off', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id, { title: 'Secret' });
|
||||
const entry = createJourneyEntry(testDb, journey.id, user.id, {
|
||||
type: 'entry', title: 'Day 1', story: 'private notes', entry_date: '2026-05-01', location_name: 'Paris',
|
||||
});
|
||||
testDb.prepare('UPDATE journey_entries SET location_lat = ?, location_lng = ? WHERE id = ?').run(48.8566, 2.3522, entry.id);
|
||||
insertJourneyPhoto(entry.id);
|
||||
const { token } = createOrUpdateJourneyShareLink(journey.id, user.id, {
|
||||
share_timeline: false, share_gallery: false, share_map: false,
|
||||
});
|
||||
|
||||
const result = getPublicJourney(token)!;
|
||||
expect(result.entries).toEqual([]); // no timeline / story / GPS leaked
|
||||
expect(result.gallery).toEqual([]); // no gallery leaked
|
||||
expect(result.stats.entries).toBe(1); // counts stay accurate
|
||||
});
|
||||
|
||||
it('JOURNEY-SHARE-022: shares the timeline but strips GPS when the map flag is off', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
const entry = createJourneyEntry(testDb, journey.id, user.id, {
|
||||
type: 'entry', title: 'Day 1', story: 'notes', entry_date: '2026-05-01', location_name: 'Paris',
|
||||
});
|
||||
testDb.prepare('UPDATE journey_entries SET location_lat = ?, location_lng = ? WHERE id = ?').run(48.8566, 2.3522, entry.id);
|
||||
const { token } = createOrUpdateJourneyShareLink(journey.id, user.id, {
|
||||
share_timeline: true, share_gallery: true, share_map: false,
|
||||
});
|
||||
|
||||
const result = getPublicJourney(token)!;
|
||||
expect(result.entries).toHaveLength(1);
|
||||
const e = result.entries[0] as Record<string, unknown>;
|
||||
expect(e.story).toBe('notes'); // narrative present
|
||||
expect(e.location_lat).toBeNull(); // GPS withheld
|
||||
expect(e.location_lng).toBeNull();
|
||||
});
|
||||
|
||||
it('JOURNEY-SHARE-023: map-only share exposes coordinates but not the story', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
const entry = createJourneyEntry(testDb, journey.id, user.id, {
|
||||
type: 'entry', title: 'Day 1', story: 'private notes', entry_date: '2026-05-01', location_name: 'Paris',
|
||||
});
|
||||
testDb.prepare('UPDATE journey_entries SET location_lat = ?, location_lng = ? WHERE id = ?').run(48.8566, 2.3522, entry.id);
|
||||
const { token } = createOrUpdateJourneyShareLink(journey.id, user.id, {
|
||||
share_timeline: false, share_gallery: false, share_map: true,
|
||||
});
|
||||
|
||||
const result = getPublicJourney(token)!;
|
||||
expect(result.entries).toHaveLength(1);
|
||||
const e = result.entries[0] as Record<string, unknown>;
|
||||
expect(e.location_lat).toBe(48.8566); // coords for the map
|
||||
expect(e.story).toBeUndefined(); // narrative withheld
|
||||
});
|
||||
|
||||
it('JOURNEY-SHARE-024: strips inline entry photos (and their asset metadata) when the gallery is off', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const journey = createJourney(testDb, user.id);
|
||||
const entry = createJourneyEntry(testDb, journey.id, user.id, {
|
||||
type: 'entry', title: 'Day 1', story: 'notes', entry_date: '2026-05-01',
|
||||
});
|
||||
insertJourneyPhoto(entry.id, { ownerId: user.id });
|
||||
const { token } = createOrUpdateJourneyShareLink(journey.id, user.id, {
|
||||
share_timeline: true, share_gallery: false, share_map: true,
|
||||
});
|
||||
|
||||
const result = getPublicJourney(token)!;
|
||||
expect(result.gallery).toEqual([]); // gallery array withheld
|
||||
expect(result.entries).toHaveLength(1);
|
||||
expect((result.entries[0] as Record<string, unknown>).photos).toEqual([]); // inline photos withheld too
|
||||
});
|
||||
});
|
||||
|
||||
@@ -0,0 +1,70 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { mapReservations } from '../../../src/nest/booking-import/kitinerary-mapper';
|
||||
|
||||
const airport = (iata: string, lat: number, lng: number) => ({
|
||||
iataCode: iata,
|
||||
name: iata,
|
||||
geo: { latitude: lat, longitude: lng },
|
||||
});
|
||||
|
||||
const flight = (pnr: string, dep: any, arr: any, depTime: string, arrTime: string, flightNumber: string) => ({
|
||||
'@type': 'FlightReservation',
|
||||
reservationNumber: pnr,
|
||||
reservationFor: {
|
||||
departureAirport: dep,
|
||||
arrivalAirport: arr,
|
||||
departureTime: depTime,
|
||||
arrivalTime: arrTime,
|
||||
airline: { name: 'Lufthansa', iataCode: 'LH' },
|
||||
flightNumber,
|
||||
},
|
||||
});
|
||||
|
||||
const FRA = airport('FRA', 50.04, 8.57);
|
||||
const BER = airport('BER', 52.36, 13.50);
|
||||
const HND = airport('HND', 35.55, 139.78);
|
||||
|
||||
describe('kitinerary mapper — multi-leg flight grouping', () => {
|
||||
it('groups two connecting same-PNR legs into one multi-leg booking', () => {
|
||||
const { items } = mapReservations([
|
||||
flight('ABC123', FRA, BER, '2026-06-11T10:00:00', '2026-06-11T12:00:00', 'LH 100'),
|
||||
flight('ABC123', BER, HND, '2026-06-11T14:30:00', '2026-06-11T23:30:00', 'LH 200'),
|
||||
] as any, 'test.json');
|
||||
|
||||
expect(items).toHaveLength(1);
|
||||
const booking = items[0];
|
||||
expect(booking.type).toBe('flight');
|
||||
expect(booking.endpoints).toHaveLength(3);
|
||||
expect(booking.endpoints!.map(e => e.role)).toEqual(['from', 'stop', 'to']);
|
||||
expect(booking.endpoints!.map(e => e.sequence)).toEqual([0, 1, 2]);
|
||||
const meta = booking.metadata as any;
|
||||
expect(meta.legs).toHaveLength(2);
|
||||
expect(meta.legs[0]).toMatchObject({ from: 'FRA', to: 'BER', flight_number: 'LH 100' });
|
||||
expect(meta.legs[1]).toMatchObject({ from: 'BER', to: 'HND', flight_number: 'LH 200' });
|
||||
expect(meta.departure_airport).toBe('FRA');
|
||||
expect(meta.arrival_airport).toBe('HND');
|
||||
expect(booking.reservation_time).toContain('10:00');
|
||||
expect(booking.reservation_end_time).toContain('23:30');
|
||||
});
|
||||
|
||||
it('keeps a round trip (same PNR, multi-day gap) as two separate bookings', () => {
|
||||
const { items } = mapReservations([
|
||||
flight('RT999', FRA, HND, '2026-06-11T10:00:00', '2026-06-11T20:00:00', 'LH 700'),
|
||||
flight('RT999', HND, FRA, '2026-06-20T10:00:00', '2026-06-20T18:00:00', 'LH 701'),
|
||||
] as any, 'test.json');
|
||||
|
||||
expect(items).toHaveLength(2);
|
||||
expect((items[0].metadata as any).legs).toBeUndefined();
|
||||
expect((items[1].metadata as any).legs).toBeUndefined();
|
||||
});
|
||||
|
||||
it('leaves a single flight unchanged (two endpoints, no legs array)', () => {
|
||||
const { items } = mapReservations([
|
||||
flight('S1', FRA, BER, '2026-06-11T10:00:00', '2026-06-11T12:00:00', 'LH 1'),
|
||||
] as any, 'test.json');
|
||||
|
||||
expect(items).toHaveLength(1);
|
||||
expect(items[0].endpoints).toHaveLength(2);
|
||||
expect((items[0].metadata as any).legs).toBeUndefined();
|
||||
});
|
||||
});
|
||||
@@ -29,9 +29,26 @@ vi.mock('../../../src/db/database', () => ({
|
||||
},
|
||||
}));
|
||||
|
||||
vi.mock('../../../src/utils/ssrfGuard', () => ({
|
||||
checkSsrf: mockCheckSsrf,
|
||||
}));
|
||||
vi.mock('../../../src/utils/ssrfGuard', () => {
|
||||
class SsrfBlockedError extends Error {
|
||||
constructor(message: string) {
|
||||
super(message);
|
||||
this.name = 'SsrfBlockedError';
|
||||
}
|
||||
}
|
||||
return {
|
||||
checkSsrf: mockCheckSsrf,
|
||||
SsrfBlockedError,
|
||||
// Mirror the real per-hop helper closely enough for unit tests: run the
|
||||
// (mocked) SSRF check, then fetch through the (stubbed) global fetch. The
|
||||
// fetch stubs in these tests already return the final resolved response.
|
||||
safeFetchFollow: vi.fn(async (url: string, init?: any) => {
|
||||
const ssrf = await mockCheckSsrf(url);
|
||||
if (!ssrf.allowed) throw new SsrfBlockedError(ssrf.error ?? 'Request blocked by SSRF guard');
|
||||
return (globalThis.fetch as any)(url, init);
|
||||
}),
|
||||
};
|
||||
});
|
||||
|
||||
vi.mock('../../../src/services/apiKeyCrypto', () => ({
|
||||
decrypt_api_key: (v: string | null) => v,
|
||||
@@ -521,6 +538,31 @@ describe('fetchWikimediaPhoto (fetch stubbed)', () => {
|
||||
expect(result!.attribution).toBe('Alice');
|
||||
});
|
||||
|
||||
it('MAPS-036b: geosearch prefers the scaled thumburl over the full-res original', async () => {
|
||||
const wikiResponse = { ok: true, json: async () => ({ query: { pages: { '-1': {} } } }) };
|
||||
const commonsResponse = {
|
||||
ok: true,
|
||||
json: async () => ({
|
||||
query: { pages: { '1': {
|
||||
imageinfo: [{
|
||||
url: 'https://commons.org/original-16mb.jpg',
|
||||
thumburl: 'https://commons.org/thumb-400.jpg',
|
||||
mime: 'image/jpeg',
|
||||
extmetadata: { Artist: { value: 'Alice' } },
|
||||
}],
|
||||
} } },
|
||||
}),
|
||||
};
|
||||
vi.stubGlobal('fetch', vi.fn()
|
||||
.mockResolvedValueOnce(wikiResponse)
|
||||
.mockResolvedValueOnce(commonsResponse));
|
||||
const { fetchWikimediaPhoto } = await import('../../../src/services/mapsService');
|
||||
const result = await fetchWikimediaPhoto(48.8, 2.3, 'Some Place');
|
||||
expect(result).toBeDefined();
|
||||
expect(result!.photoUrl).toBe('https://commons.org/thumb-400.jpg');
|
||||
expect(result!.attribution).toBe('Alice');
|
||||
});
|
||||
|
||||
it('MAPS-037: returns null when both strategies find nothing', async () => {
|
||||
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
||||
ok: true,
|
||||
@@ -1032,6 +1074,26 @@ describe('getPlaceDetails (fetch stubbed)', () => {
|
||||
expect(place.summary).toBeNull();
|
||||
});
|
||||
|
||||
it('MAPS-041b2: normalises non-standard TREK language codes for Google (br→pt-BR, gr→el)', async () => {
|
||||
const fetchMock = vi.fn().mockResolvedValue({
|
||||
ok: true,
|
||||
json: async () => ({ id: 'ChIJ1', displayName: { text: 'X' }, location: { latitude: 0, longitude: 0 } }),
|
||||
});
|
||||
mockDbGet.mockReturnValue({ maps_api_key: 'gkey' });
|
||||
vi.stubGlobal('fetch', fetchMock);
|
||||
const { getPlaceDetails } = await import('../../../src/services/mapsService');
|
||||
|
||||
await getPlaceDetails(1, 'ChIJ-br', 'br');
|
||||
expect(String(fetchMock.mock.calls[0][0])).toContain('languageCode=pt-BR');
|
||||
|
||||
await getPlaceDetails(1, 'ChIJ-gr', 'gr');
|
||||
expect(String(fetchMock.mock.calls[1][0])).toContain('languageCode=el');
|
||||
|
||||
// A code that is already valid passes through unchanged.
|
||||
await getPlaceDetails(1, 'ChIJ-de', 'de');
|
||||
expect(String(fetchMock.mock.calls[2][0])).toContain('languageCode=de');
|
||||
});
|
||||
|
||||
it('MAPS-041c: throws with status when Google API returns non-ok response', async () => {
|
||||
mockDbGet.mockReturnValueOnce({ maps_api_key: 'gkey' });
|
||||
vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
|
||||
@@ -1337,4 +1399,36 @@ describe('getPlacePhoto (fetch stubbed)', () => {
|
||||
expect(result.photoUrl).toBe(`/api/maps/place-photo/${encodeURIComponent(uniqueId)}/bytes`);
|
||||
expect(mockCachePut).toHaveBeenCalledOnce();
|
||||
});
|
||||
|
||||
it('MAPS-044g: falls back to Wikipedia/OSM for a Google place_id when the Google photo call fails', async () => {
|
||||
// A key is present and the placeId is a Google id, but Google rejects the
|
||||
// photo request (e.g. 403). The lookup must still return an image via the
|
||||
// coordinate-based Wikipedia fallback instead of giving up with a 404 —
|
||||
// matching what right-click (coords:) places already do.
|
||||
mockDbGet.mockReturnValueOnce({ maps_api_key: 'gkey' });
|
||||
vi.stubGlobal('fetch', vi.fn()
|
||||
// 1) Google photo details → 403
|
||||
.mockResolvedValueOnce({
|
||||
ok: false,
|
||||
status: 403,
|
||||
text: async () => JSON.stringify({ error: { message: 'PERMISSION_DENIED' } }),
|
||||
})
|
||||
// 2) Wikipedia pageimages → thumbnail
|
||||
.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
json: async () => ({ query: { pages: { '1': { thumbnail: { source: 'https://wiki.org/guinness.jpg' } } } } }),
|
||||
})
|
||||
// 3) image bytes
|
||||
.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
arrayBuffer: async () => new ArrayBuffer(200),
|
||||
})
|
||||
);
|
||||
const { getPlacePhoto } = await import('../../../src/services/mapsService');
|
||||
const placeId = `ChIJFallback-${Date.now()}`;
|
||||
const result = await getPlacePhoto(1, placeId, 53.34, -6.28, 'Guinness Storehouse');
|
||||
expect(result.photoUrl).toBe(`/api/maps/place-photo/${encodeURIComponent(placeId)}/bytes`);
|
||||
expect(result.attribution).toBe('Wikipedia');
|
||||
expect(mockCachePut).toHaveBeenCalledOnce();
|
||||
});
|
||||
});
|
||||
|
||||
@@ -83,17 +83,20 @@ afterAll(() => {
|
||||
// ── createState / consumeState ────────────────────────────────────────────────
|
||||
|
||||
describe('createState / consumeState', () => {
|
||||
it('OIDC-SVC-001: createState returns a hex token', () => {
|
||||
const state = createState('https://example.com/callback');
|
||||
it('OIDC-SVC-001: createState returns a hex token + PKCE S256 challenge', () => {
|
||||
const { state, codeChallenge } = createState('https://example.com/callback');
|
||||
expect(state).toMatch(/^[0-9a-f]{64}$/);
|
||||
expect(codeChallenge).toMatch(/^[A-Za-z0-9_-]{43}$/); // base64url SHA-256, no padding
|
||||
});
|
||||
|
||||
it('OIDC-SVC-002: consumeState returns stored data and deletes state', () => {
|
||||
const state = createState('https://example.com/callback', 'invite-abc');
|
||||
it('OIDC-SVC-002: consumeState returns stored data (incl. verifier) and deletes state', () => {
|
||||
const { state } = createState('https://example.com/callback', 'invite-abc');
|
||||
const data = consumeState(state);
|
||||
expect(data).not.toBeNull();
|
||||
expect(data!.redirectUri).toBe('https://example.com/callback');
|
||||
expect(data!.inviteToken).toBe('invite-abc');
|
||||
expect(typeof data!.codeVerifier).toBe('string');
|
||||
expect(data!.codeVerifier.length).toBeGreaterThan(20);
|
||||
// State is consumed — second call returns null
|
||||
expect(consumeState(state)).toBeNull();
|
||||
});
|
||||
@@ -103,8 +106,8 @@ describe('createState / consumeState', () => {
|
||||
});
|
||||
|
||||
it('OIDC-SVC-004: two different states do not conflict', () => {
|
||||
const s1 = createState('http://a.example.com');
|
||||
const s2 = createState('http://b.example.com');
|
||||
const { state: s1 } = createState('http://a.example.com');
|
||||
const { state: s2 } = createState('http://b.example.com');
|
||||
expect(s1).not.toBe(s2);
|
||||
expect(consumeState(s1)!.redirectUri).toBe('http://a.example.com');
|
||||
expect(consumeState(s2)!.redirectUri).toBe('http://b.example.com');
|
||||
@@ -310,7 +313,7 @@ describe('findOrCreateUser', () => {
|
||||
const { user } = createUser(testDb, { email: 'bob@example.com' });
|
||||
|
||||
const result = findOrCreateUser(
|
||||
{ sub: 'sub-bob-new', email: 'bob@example.com', name: 'Bob' },
|
||||
{ sub: 'sub-bob-new', email: 'bob@example.com', name: 'Bob', email_verified: true },
|
||||
MOCK_CONFIG
|
||||
);
|
||||
expect('user' in result).toBe(true);
|
||||
@@ -349,13 +352,13 @@ describe('findOrCreateUser', () => {
|
||||
expect((result as { error: string }).error).toBe('registration_disabled');
|
||||
});
|
||||
|
||||
it('OIDC-SVC-025: links oidc_sub when existing user has none', () => {
|
||||
it('OIDC-SVC-025: links oidc_sub when existing user has none (verified email)', () => {
|
||||
const { user } = createUser(testDb, { email: 'charlie@example.com' });
|
||||
// Ensure no oidc_sub set
|
||||
testDb.prepare('UPDATE users SET oidc_sub = NULL, oidc_issuer = NULL WHERE id = ?').run(user.id);
|
||||
|
||||
findOrCreateUser(
|
||||
{ sub: 'sub-charlie-linked', email: 'charlie@example.com', name: 'Charlie' },
|
||||
{ sub: 'sub-charlie-linked', email: 'charlie@example.com', name: 'Charlie', email_verified: true },
|
||||
MOCK_CONFIG
|
||||
);
|
||||
|
||||
@@ -363,6 +366,23 @@ describe('findOrCreateUser', () => {
|
||||
expect(updated.oidc_sub).toBe('sub-charlie-linked');
|
||||
});
|
||||
|
||||
it('OIDC-SVC-025b: refuses to link an unverified email to an existing local account', () => {
|
||||
const { user } = createUser(testDb, { email: 'dora@example.com' });
|
||||
testDb.prepare('UPDATE users SET oidc_sub = NULL, oidc_issuer = NULL WHERE id = ?').run(user.id);
|
||||
|
||||
// No email_verified claim — an IdP that lets users set arbitrary emails must
|
||||
// not be able to take over a pre-existing password account.
|
||||
const result = findOrCreateUser(
|
||||
{ sub: 'sub-dora-attacker', email: 'dora@example.com', name: 'Dora' },
|
||||
MOCK_CONFIG
|
||||
);
|
||||
|
||||
expect('error' in result).toBe(true);
|
||||
expect((result as { error: string }).error).toBe('email_not_verified');
|
||||
const updated = testDb.prepare('SELECT oidc_sub FROM users WHERE id = ?').get(user.id) as any;
|
||||
expect(updated.oidc_sub).toBeNull(); // account not linked / not hijacked
|
||||
});
|
||||
|
||||
it('OIDC-SVC-026: existing user role is updated when OIDC claim mapping changes it', () => {
|
||||
const { user } = createUser(testDb, { email: 'diana@example.com', role: 'user' });
|
||||
// Link oidc_sub manually so the user is found by sub lookup
|
||||
|
||||
@@ -37,6 +37,7 @@ import { createUser, createTrip } from '../../helpers/factories';
|
||||
import {
|
||||
saveAsTemplate,
|
||||
applyTemplate,
|
||||
listTemplates,
|
||||
setBagMembers,
|
||||
createBag,
|
||||
deleteBag,
|
||||
@@ -92,6 +93,27 @@ describe('saveAsTemplate', () => {
|
||||
});
|
||||
});
|
||||
|
||||
// ── listTemplates ───────────────────────────────────────────────────────────────
|
||||
|
||||
describe('listTemplates', () => {
|
||||
it('PACK-SVC-LIST-001: returns templates with id, name and item_count', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id);
|
||||
|
||||
testDb.prepare('INSERT INTO packing_items (trip_id, name, category, checked, sort_order) VALUES (?, ?, ?, 0, ?)').run(trip.id, 'Shirt', 'Clothes', 0);
|
||||
testDb.prepare('INSERT INTO packing_items (trip_id, name, category, checked, sort_order) VALUES (?, ?, ?, 0, ?)').run(trip.id, 'Toothbrush', 'Toiletries', 1);
|
||||
const saved = saveAsTemplate(trip.id, user.id, 'Weekend');
|
||||
|
||||
const templates = listTemplates();
|
||||
expect(templates).toHaveLength(1);
|
||||
expect(templates[0]).toMatchObject({ id: saved!.id, name: 'Weekend', item_count: 2 });
|
||||
});
|
||||
|
||||
it('PACK-SVC-LIST-002: returns an empty array when no templates exist', () => {
|
||||
expect(listTemplates()).toEqual([]);
|
||||
});
|
||||
});
|
||||
|
||||
// ── applyTemplate ─────────────────────────────────────────────────────────────
|
||||
|
||||
describe('applyTemplate', () => {
|
||||
@@ -253,3 +275,27 @@ describe('bulkImport with bag field', () => {
|
||||
expect(items[1].bag_id).toBe(bags[0].id);
|
||||
});
|
||||
});
|
||||
|
||||
// ── bulkImport with quantity field ────────────────────────────────────────────
|
||||
|
||||
describe('bulkImport with quantity field', () => {
|
||||
it('PACK-SVC-013: bulk import respects per-item quantity, defaults to 1, and clamps out-of-range', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id);
|
||||
|
||||
bulkImport(trip.id, [
|
||||
{ name: 'Socks', quantity: 5 },
|
||||
{ name: 'Toothbrush' },
|
||||
{ name: 'Batteries', quantity: 9999 },
|
||||
{ name: 'Charger', quantity: 0 },
|
||||
]);
|
||||
|
||||
const byName = (n: string) =>
|
||||
testDb.prepare('SELECT * FROM packing_items WHERE trip_id = ? AND name = ?').get(trip.id, n) as any;
|
||||
|
||||
expect(byName('Socks').quantity).toBe(5);
|
||||
expect(byName('Toothbrush').quantity).toBe(1);
|
||||
expect(byName('Batteries').quantity).toBe(999);
|
||||
expect(byName('Charger').quantity).toBe(1);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
/**
|
||||
* Unit tests for the import-enrichment match selector (#886).
|
||||
* Covers PENRICH-001 to PENRICH-004 — the coordinate-validation guard that
|
||||
* prevents a name search from overwriting an imported place with the wrong POI.
|
||||
*/
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
|
||||
// placeEnrichment pulls in the DB, websocket and maps service at import time;
|
||||
// stub them so the pure match selector can be tested in isolation.
|
||||
vi.mock('../../../src/db/database', () => ({ db: {}, getPlaceWithTags: () => null }));
|
||||
vi.mock('../../../src/websocket', () => ({ broadcast: () => {} }));
|
||||
vi.mock('../../../src/services/mapsService', () => ({
|
||||
getMapsKey: () => null,
|
||||
searchPlaces: async () => ({ places: [], source: 'none' }),
|
||||
getPlacePhoto: async () => ({ photoUrl: '', attribution: null }),
|
||||
}));
|
||||
|
||||
import { pickEnrichmentMatch } from '../../../src/services/placeEnrichment';
|
||||
|
||||
const target = { lat: 48.85, lng: 2.35 };
|
||||
|
||||
describe('pickEnrichmentMatch', () => {
|
||||
it('PENRICH-001: picks the closest Google candidate within the radius', () => {
|
||||
const candidates = [
|
||||
{ google_place_id: 'far', lat: 48.8512, lng: 2.3512 }, // ~170 m
|
||||
{ google_place_id: 'near', lat: 48.85, lng: 2.35 }, // exact
|
||||
];
|
||||
const match = pickEnrichmentMatch(candidates, target);
|
||||
expect(match?.google_place_id).toBe('near');
|
||||
});
|
||||
|
||||
it('PENRICH-002: returns null when every candidate is beyond the radius', () => {
|
||||
const candidates = [{ google_place_id: 'A', lat: 48.86, lng: 2.36 }]; // ~1.2 km
|
||||
expect(pickEnrichmentMatch(candidates, target)).toBeNull();
|
||||
});
|
||||
|
||||
it('PENRICH-003: ignores candidates without a google_place_id (e.g. OSM results)', () => {
|
||||
const candidates = [
|
||||
{ google_place_id: null, lat: 48.85, lng: 2.35 },
|
||||
{ name: 'no id', lat: 48.85, lng: 2.35 },
|
||||
];
|
||||
expect(pickEnrichmentMatch(candidates, target)).toBeNull();
|
||||
});
|
||||
|
||||
it('PENRICH-004: ignores candidates with non-numeric coordinates', () => {
|
||||
const candidates = [{ google_place_id: 'A', lat: 'x', lng: 'y' }];
|
||||
expect(pickEnrichmentMatch(candidates as never, target)).toBeNull();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,151 @@
|
||||
/**
|
||||
* Unit tests for placePhotoCache — PPC-001 through PPC-010.
|
||||
* Covers the downscale guard in put(), removeIfUnreferenced(), and sweepOrphans().
|
||||
* Uses a real in-memory SQLite DB and a throwaway temp upload dir
|
||||
* (TREK_PLACE_PHOTO_DIR) so the real uploads tree is never touched.
|
||||
*/
|
||||
import { describe, it, expect, beforeAll, beforeEach, afterAll, vi } from 'vitest';
|
||||
import path from 'node:path';
|
||||
import fs from 'node:fs';
|
||||
import os from 'node:os';
|
||||
import crypto from 'node:crypto';
|
||||
import { Jimp, JimpMime } from 'jimp';
|
||||
import Database from 'better-sqlite3';
|
||||
|
||||
// Throwaway upload dir — set before importing the module under test (it reads the
|
||||
// env at load time and mkdirs the dir).
|
||||
const TMP_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'ppc-'));
|
||||
process.env.TREK_PLACE_PHOTO_DIR = TMP_DIR;
|
||||
|
||||
// Minimal real DB with just the two tables placePhotoCache touches.
|
||||
const testDb = new Database(':memory:');
|
||||
testDb.exec(`
|
||||
CREATE TABLE places (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
google_place_id TEXT,
|
||||
image_url TEXT
|
||||
);
|
||||
CREATE TABLE google_place_photo_meta (
|
||||
place_id TEXT PRIMARY KEY,
|
||||
attribution TEXT,
|
||||
fetched_at INTEGER NOT NULL,
|
||||
error_at INTEGER
|
||||
);
|
||||
`);
|
||||
|
||||
vi.mock('../../../src/db/database', () => ({ db: testDb }));
|
||||
|
||||
function filePathFor(placeId: string): string {
|
||||
const hash = crypto.createHash('sha1').update(placeId).digest('hex');
|
||||
return path.join(TMP_DIR, `${hash}.jpg`);
|
||||
}
|
||||
|
||||
async function makeJpeg(width: number, height: number): Promise<Buffer> {
|
||||
const img = new Jimp({ width, height, color: 0xff0000ff });
|
||||
return img.getBuffer(JimpMime.jpeg, { quality: 80 });
|
||||
}
|
||||
|
||||
let cache: typeof import('../../../src/services/placePhotoCache');
|
||||
|
||||
beforeAll(async () => {
|
||||
cache = await import('../../../src/services/placePhotoCache');
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
testDb.exec('DELETE FROM places; DELETE FROM google_place_photo_meta;');
|
||||
for (const f of fs.readdirSync(TMP_DIR)) fs.rmSync(path.join(TMP_DIR, f), { force: true });
|
||||
});
|
||||
|
||||
afterAll(() => {
|
||||
testDb.close();
|
||||
fs.rmSync(TMP_DIR, { recursive: true, force: true });
|
||||
});
|
||||
|
||||
describe('placePhotoCache.put() downscale guard', () => {
|
||||
it('PPC-001: downscales an oversized image to <= 800px', async () => {
|
||||
const big = await makeJpeg(1600, 1200);
|
||||
await cache.put('big-place', big, 'Alice');
|
||||
|
||||
const written = fs.readFileSync(filePathFor('big-place'));
|
||||
const decoded = await Jimp.read(written);
|
||||
expect(Math.max(decoded.bitmap.width, decoded.bitmap.height)).toBeLessThanOrEqual(800);
|
||||
expect(written.length).toBeLessThan(big.length);
|
||||
});
|
||||
|
||||
it('PPC-002: passes a small image through unchanged', async () => {
|
||||
const small = await makeJpeg(100, 100);
|
||||
await cache.put('small-place', small, null);
|
||||
|
||||
const written = fs.readFileSync(filePathFor('small-place'));
|
||||
expect(written.equals(small)).toBe(true);
|
||||
});
|
||||
|
||||
it('PPC-003: falls back to original bytes when the input is not a decodable image', async () => {
|
||||
const garbage = Buffer.from('definitely not an image');
|
||||
await cache.put('garbage-place', garbage, null);
|
||||
|
||||
const written = fs.readFileSync(filePathFor('garbage-place'));
|
||||
expect(written.equals(garbage)).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('placePhotoCache.removeIfUnreferenced()', () => {
|
||||
it('PPC-004: removes a cache entry that no place references', async () => {
|
||||
await cache.put('orphan', await makeJpeg(50, 50), null);
|
||||
expect(fs.existsSync(filePathFor('orphan'))).toBe(true);
|
||||
|
||||
cache.removeIfUnreferenced('orphan');
|
||||
|
||||
expect(fs.existsSync(filePathFor('orphan'))).toBe(false);
|
||||
expect(testDb.prepare('SELECT 1 FROM google_place_photo_meta WHERE place_id = ?').get('orphan')).toBeUndefined();
|
||||
});
|
||||
|
||||
it('PPC-005: keeps an entry still referenced by google_place_id', async () => {
|
||||
await cache.put('gid-1', await makeJpeg(50, 50), null);
|
||||
testDb.prepare('INSERT INTO places (google_place_id) VALUES (?)').run('gid-1');
|
||||
|
||||
cache.removeIfUnreferenced('gid-1');
|
||||
|
||||
expect(fs.existsSync(filePathFor('gid-1'))).toBe(true);
|
||||
});
|
||||
|
||||
it('PPC-006: keeps an entry referenced by a coords proxy URL in image_url', async () => {
|
||||
const id = 'coords:48.8:2.3';
|
||||
await cache.put(id, await makeJpeg(50, 50), null);
|
||||
const proxy = `/api/maps/place-photo/${encodeURIComponent(id)}/bytes`;
|
||||
testDb.prepare('INSERT INTO places (image_url) VALUES (?)').run(proxy);
|
||||
|
||||
cache.removeIfUnreferenced(id);
|
||||
|
||||
expect(fs.existsSync(filePathFor(id))).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('placePhotoCache.sweepOrphans()', () => {
|
||||
it('PPC-007: removes orphaned meta rows + files, keeps referenced ones, deletes stray files', async () => {
|
||||
await cache.put('keep-gid', await makeJpeg(50, 50), null);
|
||||
await cache.put('drop-me', await makeJpeg(50, 50), null);
|
||||
testDb.prepare('INSERT INTO places (google_place_id) VALUES (?)').run('keep-gid');
|
||||
|
||||
// A stray .jpg on disk with no meta row (e.g. a crash between write and upsert).
|
||||
const strayPath = path.join(TMP_DIR, 'deadbeef'.padEnd(40, '0') + '.jpg');
|
||||
fs.writeFileSync(strayPath, 'stray');
|
||||
|
||||
const removed = cache.sweepOrphans();
|
||||
|
||||
expect(fs.existsSync(filePathFor('keep-gid'))).toBe(true);
|
||||
expect(fs.existsSync(filePathFor('drop-me'))).toBe(false);
|
||||
expect(fs.existsSync(strayPath)).toBe(false);
|
||||
expect(testDb.prepare('SELECT 1 FROM google_place_photo_meta WHERE place_id = ?').get('drop-me')).toBeUndefined();
|
||||
expect(testDb.prepare('SELECT 1 FROM google_place_photo_meta WHERE place_id = ?').get('keep-gid')).toBeDefined();
|
||||
expect(removed).toBe(2); // drop-me (orphan meta+file) + stray file
|
||||
});
|
||||
|
||||
it('PPC-008: returns 0 when every entry is referenced', async () => {
|
||||
await cache.put('ref-a', await makeJpeg(50, 50), null);
|
||||
testDb.prepare('INSERT INTO places (google_place_id) VALUES (?)').run('ref-a');
|
||||
|
||||
expect(cache.sweepOrphans()).toBe(0);
|
||||
expect(fs.existsSync(filePathFor('ref-a'))).toBe(true);
|
||||
});
|
||||
});
|
||||
@@ -41,6 +41,14 @@ vi.mock('../../../src/config', () => ({
|
||||
updateJwtSecret: () => {},
|
||||
}));
|
||||
|
||||
// Spy on the photo-cache reclaim hook so delete tests assert the wiring without
|
||||
// touching disk. The removal logic itself is covered in placePhotoCache.test.ts.
|
||||
const { removeIfUnreferencedSpy } = vi.hoisted(() => ({ removeIfUnreferencedSpy: vi.fn() }));
|
||||
vi.mock('../../../src/services/placePhotoCache', async (importOriginal) => ({
|
||||
...(await importOriginal<typeof import('../../../src/services/placePhotoCache')>()),
|
||||
removeIfUnreferenced: removeIfUnreferencedSpy,
|
||||
}));
|
||||
|
||||
import { createTables } from '../../../src/db/schema';
|
||||
import { runMigrations } from '../../../src/db/migrations';
|
||||
import { resetTestDb } from '../../helpers/test-db';
|
||||
@@ -252,6 +260,18 @@ describe('deletePlace', () => {
|
||||
expect(remaining).toHaveLength(1);
|
||||
expect(remaining[0].id).toBe(p1.id);
|
||||
});
|
||||
|
||||
it('PLACE-SVC-019b — reclaims the photo cache for the deleted place', () => {
|
||||
removeIfUnreferencedSpy.mockClear();
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id);
|
||||
const place = createPlace(testDb, trip.id, { name: 'With Photo' }) as any;
|
||||
testDb.prepare('UPDATE places SET google_place_id = ? WHERE id = ?').run('ChIJgid', place.id);
|
||||
|
||||
deletePlace(String(trip.id), String(place.id));
|
||||
|
||||
expect(removeIfUnreferencedSpy).toHaveBeenCalledWith('ChIJgid');
|
||||
});
|
||||
});
|
||||
|
||||
// ── importGpx ─────────────────────────────────────────────────────────────────
|
||||
@@ -346,6 +366,39 @@ describe('importGpx', () => {
|
||||
const result = importGpx(String(trip.id), gpx);
|
||||
expect(result).toBeNull();
|
||||
});
|
||||
|
||||
it('PLACE-SVC-037 — multiple unnamed tracks in one file get distinct names instead of collapsing to one', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id);
|
||||
const gpx = Buffer.from(`<?xml version="1.0"?><gpx version="1.1">
|
||||
<trk><trkseg>
|
||||
<trkpt lat="48.8566" lon="2.3522"></trkpt>
|
||||
<trkpt lat="48.8570" lon="2.3530"></trkpt>
|
||||
</trkseg></trk>
|
||||
<trk><trkseg>
|
||||
<trkpt lat="40.0000" lon="-3.0000"></trkpt>
|
||||
<trkpt lat="40.1000" lon="-3.1000"></trkpt>
|
||||
</trkseg></trk>
|
||||
</gpx>`);
|
||||
const result = importGpx(String(trip.id), gpx) as any;
|
||||
expect(result.places).toHaveLength(2);
|
||||
const names = result.places.map((p: any) => p.name);
|
||||
expect(new Set(names).size).toBe(2);
|
||||
});
|
||||
|
||||
it('PLACE-SVC-038 — unnamed tracks fall back to the source filename', () => {
|
||||
const { user } = createUser(testDb);
|
||||
const trip = createTrip(testDb, user.id);
|
||||
const gpx = Buffer.from(`<?xml version="1.0"?><gpx version="1.1">
|
||||
<trk><trkseg>
|
||||
<trkpt lat="48.8566" lon="2.3522"></trkpt>
|
||||
<trkpt lat="48.8570" lon="2.3530"></trkpt>
|
||||
</trkseg></trk>
|
||||
</gpx>`);
|
||||
const result = importGpx(String(trip.id), gpx, { defaultName: 'morning-hike.gpx' }) as any;
|
||||
expect(result.places).toHaveLength(1);
|
||||
expect(result.places[0].name).toBe('morning-hike');
|
||||
});
|
||||
});
|
||||
|
||||
// ── importGoogleList ──────────────────────────────────────────────────────────
|
||||
|
||||
@@ -34,7 +34,8 @@ import { createTables } from '../../../src/db/schema';
|
||||
import { runMigrations } from '../../../src/db/migrations';
|
||||
import { resetTestDb } from '../../helpers/test-db';
|
||||
import { createUser, createTrip, createReservation, createPlace, createDay, createDayAssignment, createDayNote } from '../../helpers/factories';
|
||||
import { exportICS, generateDays } from '../../../src/services/tripService';
|
||||
import { exportICS, generateDays, deleteOldCover } from '../../../src/services/tripService';
|
||||
import fs from 'fs';
|
||||
|
||||
beforeAll(() => {
|
||||
createTables(testDb);
|
||||
@@ -242,6 +243,33 @@ describe('generateDays', () => {
|
||||
const nums = daysAfter.map(d => d.day_number).sort((a, b) => a - b);
|
||||
expect(nums).toEqual([1, 2, 3, 4, 5]);
|
||||
});
|
||||
|
||||
it('TRIP-SVC-017: switching a dateless trip to a shorter dated range drops empty leftover days but keeps ones with content (#1083)', () => {
|
||||
const { user } = createUser(testDb);
|
||||
// A 7-day trip, then cleared to dateless placeholders (day_count = 7).
|
||||
const trip = createTrip(testDb, user.id, { start_date: '2025-12-01', end_date: '2025-12-07' });
|
||||
generateDays(trip.id, null, null);
|
||||
const dateless = getDays(trip.id);
|
||||
expect(dateless).toHaveLength(7);
|
||||
expect(dateless.every(d => d.date === null)).toBe(true);
|
||||
|
||||
// Give the LAST dateless day real content so it must be preserved.
|
||||
const place = createPlace(testDb, trip.id);
|
||||
const assignment = createDayAssignment(testDb, dateless[6].id, place.id);
|
||||
|
||||
// Now set an explicit 2-day range. The first two dateless days are reused for
|
||||
// the dates; the four empty leftovers must be removed, the one with content kept.
|
||||
generateDays(trip.id, '2026-01-10', '2026-01-11');
|
||||
|
||||
const daysAfter = getDays(trip.id);
|
||||
const dated = daysAfter.filter(d => d.date !== null);
|
||||
const stillDateless = daysAfter.filter(d => d.date === null);
|
||||
expect(dated.map(d => d.date)).toEqual(['2026-01-10', '2026-01-11']);
|
||||
// day_count is COUNT(*) FROM days: 2 dated + 1 content-bearing dateless = 3 (not the stale 7)
|
||||
expect(daysAfter).toHaveLength(3);
|
||||
expect(stillDateless).toHaveLength(1);
|
||||
expect(getAssignments(stillDateless[0].id)[0].id).toBe(assignment.id);
|
||||
});
|
||||
});
|
||||
|
||||
describe('exportICS', () => {
|
||||
@@ -370,3 +398,41 @@ describe('exportICS', () => {
|
||||
expect(ics).toContain('DTEND:20250602T160000');
|
||||
});
|
||||
});
|
||||
|
||||
// ── deleteOldCover — path containment ──────────────────────────────────────────
|
||||
|
||||
describe('deleteOldCover', () => {
|
||||
it('TRIP-SVC-COVER-001: never unlinks outside uploads/covers for a crafted cover_image', () => {
|
||||
const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(true);
|
||||
const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => {});
|
||||
try {
|
||||
// Attacker-controlled values aimed at auth-gated sibling upload dirs.
|
||||
deleteOldCover('/uploads/files/victim.pdf');
|
||||
deleteOldCover('/uploads/covers/../files/secret.pdf');
|
||||
deleteOldCover('/uploads/avatars/someone.png');
|
||||
|
||||
for (const call of unlinkSpy.mock.calls) {
|
||||
const target = String(call[0]);
|
||||
expect(target).toMatch(/[\\/]uploads[\\/]covers[\\/]/); // stays in covers
|
||||
expect(target).not.toMatch(/[\\/]files[\\/]/);
|
||||
expect(target).not.toMatch(/[\\/]avatars[\\/]/);
|
||||
}
|
||||
} finally {
|
||||
existsSpy.mockRestore();
|
||||
unlinkSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
|
||||
it('TRIP-SVC-COVER-002: deletes a legitimate cover file', () => {
|
||||
const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(true);
|
||||
const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => {});
|
||||
try {
|
||||
deleteOldCover('/uploads/covers/abc123.jpg');
|
||||
expect(unlinkSpy).toHaveBeenCalledTimes(1);
|
||||
expect(String(unlinkSpy.mock.calls[0][0])).toMatch(/[\\/]covers[\\/]abc123\.jpg$/);
|
||||
} finally {
|
||||
existsSpy.mockRestore();
|
||||
unlinkSpy.mockRestore();
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
@@ -0,0 +1,103 @@
|
||||
/**
|
||||
* webauthnConfig.test.ts
|
||||
*
|
||||
* The RP-ID / allowed-origin resolver is the single highest-risk piece of the
|
||||
* passkey feature: a wrong RP ID permanently bricks every enrolled credential.
|
||||
* These tests pin the security-relevant rules — config wins over APP_URL, bare
|
||||
* IPs are rejected, localhost dev uses the browser (Vite) origin, and the
|
||||
* resolver NEVER reads request headers.
|
||||
*/
|
||||
|
||||
const { settingsStore, appUrlRef } = vi.hoisted(() => ({
|
||||
settingsStore: new Map<string, string>(),
|
||||
appUrlRef: { value: '' },
|
||||
}));
|
||||
|
||||
vi.mock('../../../src/db/database', () => ({
|
||||
db: {
|
||||
prepare: (_sql: string) => ({
|
||||
get: (key: string) => {
|
||||
const v = settingsStore.get(key);
|
||||
return v === undefined ? undefined : { value: v };
|
||||
},
|
||||
}),
|
||||
},
|
||||
}));
|
||||
|
||||
vi.mock('../../../src/services/notifications', () => ({
|
||||
getAppUrl: () => appUrlRef.value,
|
||||
}));
|
||||
|
||||
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
|
||||
import { resolveWebauthnConfig, isPasskeyConfigured } from '../../../src/services/webauthnConfig';
|
||||
|
||||
beforeEach(() => {
|
||||
settingsStore.clear();
|
||||
appUrlRef.value = '';
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
vi.unstubAllEnvs();
|
||||
});
|
||||
|
||||
describe('resolveWebauthnConfig', () => {
|
||||
it('WAC-001: derives the RP ID and single origin from a real APP_URL domain', () => {
|
||||
appUrlRef.value = 'https://trek.example.org';
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg).not.toBeNull();
|
||||
expect(cfg!.rpID).toBe('trek.example.org');
|
||||
expect(cfg!.origins).toEqual(['https://trek.example.org']);
|
||||
expect(isPasskeyConfigured()).toBe(true);
|
||||
});
|
||||
|
||||
it('WAC-002: returns null for a bare-IP host (IPs are not valid RP IDs)', () => {
|
||||
appUrlRef.value = 'http://192.168.1.50:3001';
|
||||
expect(resolveWebauthnConfig()).toBeNull();
|
||||
expect(isPasskeyConfigured()).toBe(false);
|
||||
});
|
||||
|
||||
it('WAC-003: returns null when nothing is configured', () => {
|
||||
expect(resolveWebauthnConfig()).toBeNull();
|
||||
expect(isPasskeyConfigured()).toBe(false);
|
||||
});
|
||||
|
||||
it('WAC-004: localhost dev uses the browser (Vite :5173) origin, not just the API port', () => {
|
||||
appUrlRef.value = 'http://localhost:3001';
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg!.rpID).toBe('localhost');
|
||||
expect(cfg!.origins).toContain('http://localhost:5173');
|
||||
expect(cfg!.origins).toContain('http://localhost:3001');
|
||||
});
|
||||
|
||||
it('WAC-005: an explicit webauthn_rp_id app-setting overrides APP_URL', () => {
|
||||
appUrlRef.value = 'https://internal.example.org';
|
||||
settingsStore.set('webauthn_rp_id', 'public.example.org');
|
||||
settingsStore.set('webauthn_origins', 'https://public.example.org');
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg!.rpID).toBe('public.example.org');
|
||||
expect(cfg!.origins).toEqual(['https://public.example.org']);
|
||||
});
|
||||
|
||||
it('WAC-006: webauthn_origins is parsed as a comma-separated, trimmed list', () => {
|
||||
settingsStore.set('webauthn_rp_id', 'example.org');
|
||||
settingsStore.set('webauthn_origins', 'https://a.example.org , https://b.example.org/');
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg!.origins).toEqual(['https://a.example.org', 'https://b.example.org']);
|
||||
});
|
||||
|
||||
it('WAC-007: the WEBAUTHN_RP_ID env var takes priority', () => {
|
||||
vi.stubEnv('WEBAUTHN_RP_ID', 'env.example.org');
|
||||
vi.stubEnv('WEBAUTHN_ORIGINS', 'https://env.example.org');
|
||||
appUrlRef.value = 'https://ignored.example.org';
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg!.rpID).toBe('env.example.org');
|
||||
expect(cfg!.origins).toEqual(['https://env.example.org']);
|
||||
});
|
||||
|
||||
it('WAC-008: a configured RP ID with no origins falls back to the APP_URL origin', () => {
|
||||
appUrlRef.value = 'https://trek.example.org';
|
||||
settingsStore.set('webauthn_rp_id', 'trek.example.org');
|
||||
const cfg = resolveWebauthnConfig();
|
||||
expect(cfg!.origins).toEqual(['https://trek.example.org']);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,10 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
// Smoke test: proves the server toolchain (tsx / vitest) resolves @trek/shared.
|
||||
import { idParamSchema, paginationQuerySchema } from '@trek/shared';
|
||||
|
||||
describe('@trek/shared resolves in the server toolchain', () => {
|
||||
it('imports and uses a shared schema', () => {
|
||||
expect(idParamSchema.parse('7')).toBe(7);
|
||||
expect(paginationQuerySchema.parse({})).toEqual({ page: 1, perPage: 50 });
|
||||
});
|
||||
});
|
||||
@@ -21,7 +21,7 @@ vi.mock('undici', () => ({
|
||||
}));
|
||||
|
||||
import dns from 'dns/promises';
|
||||
import { checkSsrf, SsrfBlockedError, safeFetch, createPinnedDispatcher } from '../../../src/utils/ssrfGuard';
|
||||
import { checkSsrf, SsrfBlockedError, safeFetch, safeFetchFollow, createPinnedDispatcher } from '../../../src/utils/ssrfGuard';
|
||||
|
||||
const mockLookup = vi.mocked(dns.lookup);
|
||||
|
||||
@@ -163,7 +163,7 @@ describe('checkSsrf', () => {
|
||||
const result = await checkSsrf('http://nxdomain.example.com');
|
||||
expect(result.allowed).toBe(false);
|
||||
expect(result.isPrivate).toBe(false);
|
||||
expect(result.error).toBe('Could not resolve hostname');
|
||||
expect(result.error).toContain('Could not resolve hostname');
|
||||
});
|
||||
});
|
||||
|
||||
@@ -215,6 +215,117 @@ describe('safeFetch', () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe('safeFetchFollow (manual per-hop redirect SSRF)', () => {
|
||||
afterEach(() => {
|
||||
vi.unstubAllGlobals();
|
||||
vi.unstubAllEnvs();
|
||||
mockLookup.mockReset();
|
||||
});
|
||||
|
||||
/** Build a minimal Response-like object for a given hop. */
|
||||
function fakeResponse(opts: { status: number; location?: string; url: string; ok?: boolean }) {
|
||||
return {
|
||||
status: opts.status,
|
||||
ok: opts.ok ?? (opts.status >= 200 && opts.status < 300),
|
||||
url: opts.url,
|
||||
headers: { get: (h: string) => (h.toLowerCase() === 'location' ? opts.location ?? null : null) },
|
||||
body: { cancel: () => Promise.resolve() },
|
||||
};
|
||||
}
|
||||
|
||||
it('follows a legitimate cross-host redirect (goo.gl -> maps.google.com) to the final response', async () => {
|
||||
// Both hops resolve to public IPs.
|
||||
mockLookup.mockResolvedValue({ address: '142.250.0.0', family: 4 });
|
||||
const mockFetch = vi.fn()
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 302, location: 'https://maps.google.com/maps/place/Foo', url: 'https://goo.gl/abc' }))
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 200, url: 'https://maps.google.com/maps/place/Foo' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
|
||||
const res = await safeFetchFollow('https://goo.gl/abc');
|
||||
expect(mockFetch).toHaveBeenCalledTimes(2);
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.url).toBe('https://maps.google.com/maps/place/Foo');
|
||||
});
|
||||
|
||||
it('blocks a redirect whose target resolves to an internal IP', async () => {
|
||||
vi.stubEnv('ALLOW_INTERNAL_NETWORK', 'false');
|
||||
// First hop (public) is allowed; the redirect target resolves to a private IP.
|
||||
mockLookup
|
||||
.mockResolvedValueOnce({ address: '142.250.0.0', family: 4 }) // goo.gl
|
||||
.mockResolvedValue({ address: '169.254.169.254', family: 4 }); // redirect → metadata
|
||||
const mockFetch = vi.fn()
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 302, location: 'http://169.254.169.254/latest/meta-data/', url: 'https://goo.gl/evil' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
|
||||
await expect(safeFetchFollow('https://goo.gl/evil')).rejects.toThrow(SsrfBlockedError);
|
||||
// Only the first hop should have been fetched; the internal hop is blocked BEFORE fetch.
|
||||
expect(mockFetch).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
|
||||
it('blocks a redirect to a loopback address even with ALLOW_INTERNAL_NETWORK=true', async () => {
|
||||
mockLookup
|
||||
.mockResolvedValueOnce({ address: '142.250.0.0', family: 4 })
|
||||
.mockResolvedValue({ address: '127.0.0.1', family: 4 });
|
||||
const mockFetch = vi.fn()
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 301, location: 'http://internal/', url: 'https://goo.gl/x' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
|
||||
await expect(safeFetchFollow('https://goo.gl/x', undefined, { bypassInternalIpAllowed: true }))
|
||||
.rejects.toThrow(SsrfBlockedError);
|
||||
expect(mockFetch).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
|
||||
it('rejects the initial URL if it is already internal', async () => {
|
||||
mockLookup.mockResolvedValue({ address: '10.0.0.5', family: 4 });
|
||||
const mockFetch = vi.fn();
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
await expect(safeFetchFollow('http://intranet.example')).rejects.toThrow(SsrfBlockedError);
|
||||
expect(mockFetch).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('returns the response immediately when not a redirect', async () => {
|
||||
mockLookup.mockResolvedValue({ address: '8.8.8.8', family: 4 });
|
||||
const mockFetch = vi.fn().mockResolvedValue(fakeResponse({ status: 200, url: 'https://example.com' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
const res = await safeFetchFollow('https://example.com');
|
||||
expect(mockFetch).toHaveBeenCalledTimes(1);
|
||||
expect(res.status).toBe(200);
|
||||
});
|
||||
|
||||
it('returns a 3xx with no Location header as-is (nothing to follow)', async () => {
|
||||
mockLookup.mockResolvedValue({ address: '8.8.8.8', family: 4 });
|
||||
const mockFetch = vi.fn().mockResolvedValue(fakeResponse({ status: 304, url: 'https://example.com' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
const res = await safeFetchFollow('https://example.com');
|
||||
expect(res.status).toBe(304);
|
||||
});
|
||||
|
||||
it('throws after exceeding the max redirect hops', async () => {
|
||||
mockLookup.mockResolvedValue({ address: '8.8.8.8', family: 4 });
|
||||
// Always 302 to a new public host → loops until the hop cap.
|
||||
let n = 0;
|
||||
const mockFetch = vi.fn().mockImplementation(() =>
|
||||
Promise.resolve(fakeResponse({ status: 302, location: `https://h${++n}.example.com/`, url: `https://h${n}.example.com/` })),
|
||||
);
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
await expect(safeFetchFollow('https://start.example.com', undefined, { maxRedirects: 2 }))
|
||||
.rejects.toThrow(SsrfBlockedError);
|
||||
// initial + 2 allowed redirects = 3 fetches, then the 4th hop is rejected before fetch
|
||||
expect(mockFetch).toHaveBeenCalledTimes(3);
|
||||
});
|
||||
|
||||
it('resolves relative redirect Location against the current URL', async () => {
|
||||
mockLookup.mockResolvedValue({ address: '8.8.8.8', family: 4 });
|
||||
const mockFetch = vi.fn()
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 302, location: '/resolved/path', url: 'https://example.com/start' }))
|
||||
.mockResolvedValueOnce(fakeResponse({ status: 200, url: 'https://example.com/resolved/path' }));
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
await safeFetchFollow('https://example.com/start');
|
||||
// Second fetch must target the absolute resolution of the relative Location.
|
||||
expect(mockFetch.mock.calls[1][0]).toBe('https://example.com/resolved/path');
|
||||
});
|
||||
});
|
||||
|
||||
describe('createPinnedDispatcher', () => {
|
||||
it('returns an object (Agent instance)', () => {
|
||||
const dispatcher = createPinnedDispatcher('93.184.216.34');
|
||||
|
||||
Reference in New Issue
Block a user