Add comprehensive backend test suite (#339)

* add test suite, mostly covers integration testing, tests are only backend side * workflow runs the correct script * workflow runs the correct script * workflow runs the correct script * unit tests incoming * Fix multer silent rejections and error handler info leak - Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts, and files.ts so invalid uploads return an error instead of silently dropping the file - Error handler in app.ts now always returns 500 / "Internal server error" instead of forwarding err.message to the client * Use statusCode consistently for multer errors and error handler - Error handler in app.ts reads err.statusCode to forward the correct HTTP status while keeping the response body generic
2026-04-03 13:17:53 +02:00
parent d48714d17a
commit 905c7d460b
74 changed files with 12821 additions and 311 deletions
--- a/server/tests/unit/services/ephemeralTokens.test.ts
+++ b/server/tests/unit/services/ephemeralTokens.test.ts
@@ -0,0 +1,71 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
+// Reset module between tests that need a fresh token store
+beforeEach(() => {
+  vi.resetModules();
+});
+
+describe('ephemeralTokens', () => {
+  async function getModule() {
+    return import('../../../src/services/ephemeralTokens');
+  }
+
+  // AUTH-030 — Resource token creation (single-use)
+  describe('createEphemeralToken', () => {
+    it('AUTH-030: creates a token and returns a hex string', async () => {
+      const { createEphemeralToken } = await getModule();
+      const token = createEphemeralToken(1, 'download');
+      expect(token).not.toBeNull();
+      expect(typeof token).toBe('string');
+      expect(token!.length).toBe(64); // 32 bytes hex
+    });
+
+    it('AUTH-030: different calls produce different tokens', async () => {
+      const { createEphemeralToken } = await getModule();
+      const t1 = createEphemeralToken(1, 'download');
+      const t2 = createEphemeralToken(1, 'download');
+      expect(t1).not.toBe(t2);
+    });
+  });
+
+  // AUTH-029 — WebSocket token expiry (single-use)
+  describe('consumeEphemeralToken', () => {
+    it('AUTH-030: token is consumed and returns userId on first use', async () => {
+      const { createEphemeralToken, consumeEphemeralToken } = await getModule();
+      const token = createEphemeralToken(42, 'download')!;
+      const userId = consumeEphemeralToken(token, 'download');
+      expect(userId).toBe(42);
+    });
+
+    it('AUTH-030: token is single-use — second consume returns null', async () => {
+      const { createEphemeralToken, consumeEphemeralToken } = await getModule();
+      const token = createEphemeralToken(42, 'download')!;
+      consumeEphemeralToken(token, 'download'); // first use
+      const second = consumeEphemeralToken(token, 'download'); // second use
+      expect(second).toBeNull();
+    });
+
+    it('AUTH-029: purpose mismatch returns null', async () => {
+      const { createEphemeralToken, consumeEphemeralToken } = await getModule();
+      const token = createEphemeralToken(42, 'ws')!;
+      const result = consumeEphemeralToken(token, 'download');
+      expect(result).toBeNull();
+    });
+
+    it('AUTH-029: expired token returns null', async () => {
+      vi.useFakeTimers();
+      const { createEphemeralToken, consumeEphemeralToken } = await getModule();
+      const token = createEphemeralToken(42, 'ws')!; // 30s TTL
+      vi.advanceTimersByTime(31_000); // advance past expiry
+      const result = consumeEphemeralToken(token, 'ws');
+      expect(result).toBeNull();
+      vi.useRealTimers();
+    });
+
+    it('returns null for unknown token', async () => {
+      const { consumeEphemeralToken } = await getModule();
+      const result = consumeEphemeralToken('nonexistent-token', 'download');
+      expect(result).toBeNull();
+    });
+  });
+});