Add comprehensive backend test suite (#339)

* add test suite, mostly covers integration testing, tests are only backend side

* workflow runs the correct script

* workflow runs the correct script

* workflow runs the correct script

* unit tests incoming

* Fix multer silent rejections and error handler info leak

- Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts,
  and files.ts so invalid uploads return an error instead of silently
  dropping the file
- Error handler in app.ts now always returns 500 / "Internal server
  error" instead of forwarding err.message to the client

* Use statusCode consistently for multer errors and error handler

- Error handler in app.ts reads err.statusCode to forward the correct
  HTTP status while keeping the response body generic

server/tests/helpers/auth.ts

@@ -0,0 +1,34 @@
+/**
+ * Auth helpers for integration tests.
+ *
+ * Provides utilities to generate JWTs and authenticate supertest requests
+ * using the fixed test JWT_SECRET from TEST_CONFIG.
+ */
+
+import jwt from 'jsonwebtoken';
+import { TEST_CONFIG } from './test-db';
+
+/** Signs a JWT for the given user ID using the test secret. */
+export function generateToken(userId: number, extraClaims: Record<string, unknown> = {}): string {
+  return jwt.sign(
+    { id: userId, ...extraClaims },
+    TEST_CONFIG.JWT_SECRET,
+    { algorithm: 'HS256', expiresIn: '1h' }
+  );
+}
+
+/**
+ * Returns a cookie string suitable for supertest:
+ *   request(app).get('/api/...').set('Cookie', authCookie(userId))
+ */
+export function authCookie(userId: number): string {
+  return `trek_session=${generateToken(userId)}`;
+}
+
+/**
+ * Returns an Authorization header object suitable for supertest:
+ *   request(app).get('/api/...').set(authHeader(userId))
+ */
+export function authHeader(userId: number): Record<string, string> {
+  return { Authorization: `Bearer ${generateToken(userId)}` };
+}