test: expand test suite to 87.3% backend coverage

Add new integration test files covering previously untested routes: - categories.test.ts — GET /api/categories - oidc.test.ts — full OIDC login flow (callback, state, errors) - settings.test.ts — GET/PUT /api/settings, bulk save - tags.test.ts — CRUD for trip tags - todo.test.ts — todo items CRUD and reorder Add new unit test files covering service-layer logic: - adminService.test.ts — user/invite management, packing templates, OIDC settings - atlasService.test.ts — atlas search and place enrichment - authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA) - backupService.test.ts — export/import/restore logic - categoryService.test.ts — category CRUD - dayService.test.ts — day management and accommodation helpers - mapsService.test.ts — route/directions helpers - oidcService.test.ts — OIDC state, auth code, role resolution, user upsert - packingService.test.ts — packing item/bag/template operations - placeService.test.ts — place CRUD and tag attachment - settingsService.test.ts — settings get/set/bulk - tagService.test.ts — tag CRUD - todoService.test.ts — todo CRUD and reorder - tripService.test.ts — trip CRUD, member management, archiving - vacayService.test.ts — vacay integration helpers - tripAccess.test.ts (middleware) — requireTripAccess middleware Expand existing integration and unit test files with additional cases across admin, atlas, auth, backup, collab, days, files, maps, memories (Immich/Synology), notifications, places, reservations, share, vacay, weather, auth middleware, ephemeral tokens, notification preferences, permissions, SSRF guard, and WebSocket connection tests. Update test helpers (factories.ts, test-db.ts) with new factory functions and seed data required by the expanded suite. Fix minor issues in server/src/routes/reservations.ts and server/src/services/atlasService.ts surfaced by new test coverage. Update sonar-project.properties to reflect new coverage thresholds.
2026-06-21 06:11:45 +00:00 · 2026-04-06 20:06:46 +02:00
parent 5bcadb3cc6
commit b4922322ae
49 changed files with 12177 additions and 36 deletions
@@ -1,11 +1,13 @@
-import { describe, it, expect, vi } from 'vitest';
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import jwt from 'jsonwebtoken';

 vi.mock('../../../src/db/database', () => ({
-  db: { prepare: () => ({ get: vi.fn(), all: vi.fn() }) },
+  db: { prepare: vi.fn(() => ({ get: vi.fn(), all: vi.fn() })) },
 }));
 vi.mock('../../../src/config', () => ({ JWT_SECRET: 'test-secret' }));

 import { extractToken, authenticate, adminOnly } from '../../../src/middleware/auth';
+import { db } from '../../../src/db/database';
 import type { Request, Response, NextFunction } from 'express';

 function makeReq(overrides: {
@@ -82,6 +84,56 @@ describe('authenticate', () => {
    expect(next).not.toHaveBeenCalled();
    expect(status).toHaveBeenCalledWith(401);
  });
+
+  it('AUTH-MW-003: calls next() and sets req.user for a valid JWT', () => {
+    const mockUser = { id: 1, username: 'alice', email: 'alice@example.com', role: 'user' };
+    vi.mocked(db.prepare).mockReturnValue({ get: vi.fn(() => mockUser), all: vi.fn() } as any);
+
+    const token = jwt.sign({ id: 1 }, 'test-secret', { algorithm: 'HS256' });
+    const req = makeReq({ cookies: { trek_session: token } });
+    const next = vi.fn() as unknown as NextFunction;
+    const { res } = makeRes();
+
+    authenticate(req, res, next);
+
+    expect(next).toHaveBeenCalledOnce();
+    expect((req as any).user).toEqual(mockUser);
+  });
+
+  it('AUTH-MW-004: returns 401 for a valid JWT when user does not exist in DB', () => {
+    vi.mocked(db.prepare).mockReturnValue({ get: vi.fn(() => undefined), all: vi.fn() } as any);
+
+    const token = jwt.sign({ id: 99999 }, 'test-secret', { algorithm: 'HS256' });
+    const next = vi.fn() as unknown as NextFunction;
+    const { res, status } = makeRes();
+
+    authenticate(makeReq({ cookies: { trek_session: token } }), res, next);
+
+    expect(next).not.toHaveBeenCalled();
+    expect(status).toHaveBeenCalledWith(401);
+  });
+
+  it('AUTH-MW-005: returns 401 for an expired JWT', () => {
+    const expiredToken = jwt.sign(
+      { id: 1, exp: Math.floor(Date.now() / 1000) - 3600 },
+      'test-secret',
+      { algorithm: 'HS256' }
+    );
+    const next = vi.fn() as unknown as NextFunction;
+    const { res, status } = makeRes();
+    authenticate(makeReq({ cookies: { trek_session: expiredToken } }), res, next);
+    expect(next).not.toHaveBeenCalled();
+    expect(status).toHaveBeenCalledWith(401);
+  });
+
+  it('AUTH-MW-006: returns 401 for a JWT signed with the wrong secret', () => {
+    const tamperedToken = jwt.sign({ id: 1 }, 'wrong-secret', { algorithm: 'HS256' });
+    const next = vi.fn() as unknown as NextFunction;
+    const { res, status } = makeRes();
+    authenticate(makeReq({ cookies: { trek_session: tamperedToken } }), res, next);
+    expect(next).not.toHaveBeenCalled();
+    expect(status).toHaveBeenCalledWith(401);
+  });
 });

 // ── adminOnly ─────────────────────────────────────────────────────────────────