Patrick/medassist-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: backend API key auth context and settings hardening (#406)

Browse Source 
* feat: add backend api-key auth context and settings hardening

* fix: harden api key token hashing
This commit is contained in:
Daniel Volz
2026-03-10 06:26:20 +01:00
committed by GitHub
parent 105eb7bc0d
commit c0507c4c4b
29 changed files with 4801 additions and 875 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/test/auth.test.ts
+2 -2
View File
@@ -228,7 +228,7 @@ describe("Auth Routes (AUTH_ENABLED=true)", () => {
});
expect(response.statusCode).toBe(400);
expect(response.json().code).toBe("VALIDATION_ERROR");
expect(response.json().code).toBe("FST_ERR_VALIDATION");
});
it("should reject short username", async () => {
@@ -242,7 +242,7 @@ describe("Auth Routes (AUTH_ENABLED=true)", () => {
});
expect(response.statusCode).toBe(400);
expect(response.json().code).toBe("VALIDATION_ERROR");
expect(response.json().code).toBe("FST_ERR_VALIDATION");
});
it("should register with trimmed username when input has whitespace", async () => {
backend/src/test/business-authz-real.test.ts
+485
View File
@@ -0,0 +1,485 @@
import { dirname, resolve } from "node:path";
import { fileURLToPath } from "node:url";
import cookie from "@fastify/cookie";
import jwt from "@fastify/jwt";
import sensible from "@fastify/sensible";
import { migrate } from "drizzle-orm/libsql/migrator";
import Fastify, { type FastifyInstance } from "fastify";
import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
import { runAlterMigrations } from "../db/db-utils.js";
const { testClient, testDb, mockedEnv } = vi.hoisted(() => {
const { createClient } = require("@libsql/client");
const { drizzle } = require("drizzle-orm/libsql");
const client = createClient({ url: ":memory:" });
const db = drizzle(client);
return {
testClient: client,
testDb: db,
mockedEnv: {
AUTH_ENABLED: true,
REGISTRATION_ENABLED: true,
FORM_LOGIN_ENABLED: true,
OIDC_ENABLED: false,
OIDC_PROVIDER_NAME: "SSO",
NODE_ENV: "test",
LOG_LEVEL: "silent",
PORT: 3000,
CORS_ORIGINS: "*",
JWT_SECRET: "test-jwt-secret",
REFRESH_SECRET: "test-refresh-secret",
COOKIE_SECRET: "test-cookie-secret",
ACCESS_TOKEN_TTL_MINUTES: 15,
REFRESH_TOKEN_TTL_DAYS: 7,
OPENAPI_DOCS_ENABLED: false,
},
};
});
vi.mock("../db/client.js", () => ({
db: testDb,
migrationsReady: Promise.resolve(),
}));
vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
const { medicationRoutes } = await import("../routes/medications.js");
const { doseRoutes } = await import("../routes/doses.js");
const { refillRoutes } = await import("../routes/refills.js");
const { shareRoutes } = await import("../routes/share.js");
const { reportRoutes } = await import("../routes/report.js");
const { exportRoutes } = await import("../routes/export.js");
const { hashApiKeyToken } = await import("../plugins/auth.js");
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const migrationsFolder = resolve(__dirname, "../../drizzle");
async function clearTables() {
await testClient.execute("DELETE FROM refill_history");
await testClient.execute("DELETE FROM dose_tracking");
await testClient.execute("DELETE FROM share_tokens");
await testClient.execute("DELETE FROM user_settings");
await testClient.execute("DELETE FROM medications");
await testClient.execute("DELETE FROM api_keys");
await testClient.execute("DELETE FROM refresh_tokens");
await testClient.execute("DELETE FROM users");
}
async function createUser(username: string) {
const result = await testClient.execute({
sql: "INSERT INTO users (username, auth_provider, is_active) VALUES (?, 'local', 1) RETURNING id",
args: [username],
});
return Number(result.rows[0].id);
}
function buildSessionCookie(app: FastifyInstance, userId: number, username: string) {
const token = app.jwt.sign({ sub: userId, username });
return `access_token=${token}`;
}
async function insertApiKey(options: {
userId: number;
token: string;
scope?: "read" | "write";
isActive?: boolean;
expiresAt?: Date | null;
}) {
const expiresAtValue = options.expiresAt ? Math.floor(options.expiresAt.getTime() / 1000) : null;
await testClient.execute({
sql: `INSERT INTO api_keys (user_id, name, key_hash, token_prefix, scope, is_active, expires_at)
VALUES (?, ?, ?, ?, ?, ?, ?)`,
args: [
options.userId,
"Seeded Key",
hashApiKeyToken(options.token),
`${options.token.slice(0, 12)}...`,
options.scope ?? "write",
options.isActive === false ? 0 : 1,
expiresAtValue,
],
});
}
async function seedMedication(options: {
userId: number;
name: string;
takenBy?: string[];
packCount?: number;
looseTablets?: number;
start?: string;
}) {
const start = options.start ?? "2026-01-01T08:00:00.000Z";
const takenBy = options.takenBy ?? ["Daniel"];
const result = await testClient.execute({
sql: `INSERT INTO medications (
user_id, name, generic_name, taken_by_json, medication_form, package_type,
pack_count, blisters_per_pack, pills_per_blister, loose_tablets,
usage_json, every_json, start_json, intakes_json,
stock_adjustment, intake_reminders_enabled
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING id`,
args: [
options.userId,
options.name,
`${options.name} Generic`,
JSON.stringify(takenBy),
"tablet",
"blister",
options.packCount ?? 1,
1,
10,
options.looseTablets ?? 0,
JSON.stringify([1]),
JSON.stringify([1]),
JSON.stringify([start]),
JSON.stringify([
{
usage: 1,
every: 1,
start,
takenBy: takenBy[0] ?? null,
intakeRemindersEnabled: true,
},
]),
0,
1,
],
});
return Number(result.rows[0].id);
}
async function seedDose(options: { userId: number; doseId: string; dismissed?: boolean }) {
await testClient.execute({
sql: "INSERT INTO dose_tracking (user_id, dose_id, dismissed) VALUES (?, ?, ?)",
args: [options.userId, options.doseId, options.dismissed ? 1 : 0],
});
}
async function seedRefill(options: {
userId: number;
medicationId: number;
packsAdded?: number;
loosePillsAdded?: number;
}) {
await testClient.execute({
sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription)
VALUES (?, ?, ?, ?, 0)`,
args: [options.medicationId, options.userId, options.packsAdded ?? 1, options.loosePillsAdded ?? 0],
});
}
function buildMedicationPayload(name: string) {
return {
name,
genericName: `${name} Generic`,
takenBy: ["Daniel"],
packCount: 1,
blistersPerPack: 1,
pillsPerBlister: 10,
looseTablets: 0,
blisters: [{ usage: 1, every: 1, start: "2026-01-01T08:00:00.000Z" }],
};
}
function buildImportPayload() {
return {
version: "1.3",
exportedAt: new Date().toISOString(),
includeSensitiveData: false,
medications: [],
doseHistory: [],
refillHistory: [],
settings: {
emailEnabled: false,
emailStockReminders: true,
emailIntakeReminders: true,
emailPrescriptionReminders: true,
shoutrrrStockReminders: true,
shoutrrrIntakeReminders: true,
shoutrrrPrescriptionReminders: true,
reminderDaysBefore: 7,
repeatDailyReminders: false,
skipRemindersForTakenDoses: false,
repeatRemindersEnabled: false,
reminderRepeatIntervalMinutes: 30,
maxNaggingReminders: 5,
lowStockDays: 30,
normalStockDays: 90,
highStockDays: 180,
language: "en",
stockCalculationMode: "automatic",
shareStockStatus: true,
},
shareLinks: [],
};
}
describe("Real business route authz contracts", () => {
let app: FastifyInstance;
beforeAll(async () => {
await migrate(testDb, { migrationsFolder });
await runAlterMigrations(testClient);
app = Fastify({ logger: false });
await app.register(sensible);
await app.register(cookie, { secret: "test-cookie-secret" });
await app.register(jwt, {
secret: "test-jwt-secret",
cookie: { cookieName: "access_token", signed: false },
});
await app.register(medicationRoutes);
await app.register(doseRoutes);
await app.register(refillRoutes);
await app.register(shareRoutes);
await app.register(reportRoutes);
await app.register(exportRoutes);
await app.ready();
});
afterAll(async () => {
await app.close();
testClient.close();
});
beforeEach(async () => {
vi.clearAllMocks();
await clearTables();
});
it("rejects protected business endpoints without authentication", async () => {
const endpoints: Array<{
method: "GET" | "POST";
url: string;
payload?: Record<string, unknown>;
}> = [
{ method: "GET", url: "/medications" },
{ method: "GET", url: "/doses/taken" },
{ method: "POST", url: "/share", payload: { takenBy: "Daniel", scheduleDays: 7 } },
{ method: "GET", url: "/export" },
{ method: "POST", url: "/medications/report-data", payload: { medicationIds: [1] } },
{ method: "POST", url: "/medications/1/refill", payload: { packsAdded: 1, loosePillsAdded: 0 } },
];
for (const endpoint of endpoints) {
const response = await app.inject({ method: endpoint.method, url: endpoint.url, payload: endpoint.payload });
expect(response.statusCode, `${endpoint.method} ${endpoint.url}`).toBe(401);
expect(response.json()).toMatchObject({ code: "AUTH_REQUIRED" });
}
});
it("scopes medication listing and export output to the authenticated user", async () => {
const ownerId = await createUser("owner-medications");
const otherId = await createUser("other-medications");
const ownerCookie = buildSessionCookie(app, ownerId, "owner-medications");
await seedMedication({ userId: ownerId, name: "Owner Only Med" });
await seedMedication({ userId: otherId, name: "Other User Med" });
const listResponse = await app.inject({
method: "GET",
url: "/medications",
headers: { cookie: ownerCookie },
});
expect(listResponse.statusCode).toBe(200);
expect(listResponse.body).toContain("Owner Only Med");
expect(listResponse.body).not.toContain("Other User Med");
const exportResponse = await app.inject({
method: "GET",
url: "/export",
headers: { cookie: ownerCookie },
});
expect(exportResponse.statusCode).toBe(200);
expect(exportResponse.body).toContain("Owner Only Med");
expect(exportResponse.body).not.toContain("Other User Med");
});
it("returns 404 when a user updates or deletes another user's medication", async () => {
const ownerId = await createUser("owner-update");
const otherId = await createUser("other-update");
const otherCookie = buildSessionCookie(app, otherId, "other-update");
const medicationId = await seedMedication({ userId: ownerId, name: "Protected Medication" });
const updateResponse = await app.inject({
method: "PUT",
url: `/medications/${medicationId}`,
headers: { cookie: otherCookie },
payload: buildMedicationPayload("Updated By Stranger"),
});
expect(updateResponse.statusCode).toBe(404);
const deleteResponse = await app.inject({
method: "DELETE",
url: `/medications/${medicationId}`,
headers: { cookie: otherCookie },
});
expect(deleteResponse.statusCode).toBe(404);
const dbState = await testClient.execute({
sql: "SELECT name FROM medications WHERE id = ?",
args: [medicationId],
});
expect(dbState.rows).toEqual([expect.objectContaining({ name: "Protected Medication" })]);
});
it("scopes dose reads and writes to the authenticated user", async () => {
const ownerId = await createUser("owner-dose");
const otherId = await createUser("other-dose");
const ownerCookie = buildSessionCookie(app, ownerId, "owner-dose");
const otherCookie = buildSessionCookie(app, otherId, "other-dose");
await seedDose({ userId: ownerId, doseId: "101-0-1760000000000" });
await seedDose({ userId: otherId, doseId: "202-0-1760000000000" });
const listResponse = await app.inject({
method: "GET",
url: "/doses/taken",
headers: { cookie: ownerCookie },
});
expect(listResponse.statusCode).toBe(200);
expect(listResponse.body).toContain("101-0-1760000000000");
expect(listResponse.body).not.toContain("202-0-1760000000000");
const deleteResponse = await app.inject({
method: "DELETE",
url: "/doses/taken/101-0-1760000000000",
headers: { cookie: otherCookie },
});
expect(deleteResponse.statusCode).toBe(200);
const ownerDose = await testClient.execute({
sql: "SELECT COUNT(*) AS count FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [ownerId, "101-0-1760000000000"],
});
expect(Number(ownerDose.rows[0].count)).toBe(1);
});
it("enforces medication ownership on refill history and report generation", async () => {
const ownerId = await createUser("owner-refill");
const otherId = await createUser("other-refill");
const otherCookie = buildSessionCookie(app, otherId, "other-refill");
const medicationId = await seedMedication({ userId: ownerId, name: "Owner Refill Med", packCount: 2 });
await seedRefill({ userId: ownerId, medicationId });
const refillListResponse = await app.inject({
method: "GET",
url: `/medications/${medicationId}/refills`,
headers: { cookie: otherCookie },
});
expect(refillListResponse.statusCode).toBe(404);
const refillMutationResponse = await app.inject({
method: "POST",
url: `/medications/${medicationId}/refill`,
headers: { cookie: otherCookie },
payload: { packsAdded: 1, loosePillsAdded: 0 },
});
expect(refillMutationResponse.statusCode).toBe(404);
const reportResponse = await app.inject({
method: "POST",
url: "/medications/report-data",
headers: { cookie: otherCookie },
payload: { medicationIds: [medicationId] },
});
expect(reportResponse.statusCode).toBe(403);
expect(reportResponse.json()).toMatchObject({ error: "Access denied to medication" });
});
it("scopes share people to the authenticated user's medications", async () => {
const ownerId = await createUser("owner-share");
const otherId = await createUser("other-share");
const ownerCookie = buildSessionCookie(app, ownerId, "owner-share");
await seedMedication({ userId: ownerId, name: "Daniel Med", takenBy: ["Daniel"] });
await seedMedication({ userId: otherId, name: "Anna Med", takenBy: ["Anna"] });
const response = await app.inject({
method: "GET",
url: "/share/people",
headers: { cookie: ownerCookie },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ people: ["Daniel"] });
});
it("rejects mutation routes for read-only API keys across business endpoints", async () => {
const userId = await createUser("readonly-business-key");
const medicationId = await seedMedication({ userId, name: "Readonly Med" });
const apiToken = "ma_readonly_business_routes_123456789";
await insertApiKey({ userId, token: apiToken, scope: "read" });
const responses = await Promise.all([
app.inject({
method: "POST",
url: "/medications",
headers: { authorization: `Bearer ${apiToken}` },
payload: buildMedicationPayload("Blocked Create"),
}),
app.inject({
method: "POST",
url: "/doses/taken",
headers: { authorization: `Bearer ${apiToken}` },
payload: { doseId: "1-0-1760000000000" },
}),
app.inject({
method: "POST",
url: `/medications/${medicationId}/refill`,
headers: { authorization: `Bearer ${apiToken}` },
payload: { packsAdded: 1, loosePillsAdded: 0 },
}),
app.inject({
method: "POST",
url: "/share",
headers: { authorization: `Bearer ${apiToken}` },
payload: { takenBy: "Daniel", scheduleDays: 7 },
}),
app.inject({
method: "POST",
url: "/import",
headers: { authorization: `Bearer ${apiToken}` },
payload: buildImportPayload(),
}),
]);
for (const response of responses) {
expect(response.statusCode).toBe(403);
expect(response.json()).toMatchObject({ code: "API_KEY_SCOPE_FORBIDDEN" });
}
});
it("allows read-only API keys to use read endpoints while keeping data scoped to the key owner", async () => {
const userId = await createUser("readonly-export-user");
const otherId = await createUser("readonly-export-other");
await seedMedication({ userId, name: "Readable Owner Med" });
await seedMedication({ userId: otherId, name: "Unreadable Other Med" });
const apiToken = "ma_readonly_export_access_123456789";
await insertApiKey({ userId, token: apiToken, scope: "read" });
const response = await app.inject({
method: "GET",
url: "/export",
headers: { authorization: `Bearer ${apiToken}` },
});
expect(response.statusCode).toBe(200);
expect(response.body).toContain("Readable Owner Med");
expect(response.body).not.toContain("Unreadable Other Med");
});
});
backend/src/test/doses.test.ts
+249 -386
View File
@@ -1,487 +1,333 @@
/**
* Tests for /doses/taken API endpoints.
* Tests marking doses as taken, listing taken doses, and unmarking.
*/
import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
import { buildTestApp, clearTestData, closeTestApp, createTestUser, type TestContext } from "./setup.js";
import { dirname, resolve } from "node:path";
import { fileURLToPath } from "node:url";
import cookie from "@fastify/cookie";
import jwt from "@fastify/jwt";
import { migrate } from "drizzle-orm/libsql/migrator";
import Fastify, { type FastifyInstance } from "fastify";
import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
import { runAlterMigrations } from "../db/db-utils.js";
// =============================================================================
// Route Registration
// Since we can't easily import routes that depend on the global db,
// we'll create simplified route handlers for testing the core logic.
// =============================================================================
const { testClient, testDb, mockedEnv } = vi.hoisted(() => {
const { createClient } = require("@libsql/client");
const { drizzle } = require("drizzle-orm/libsql");
const client = createClient({ url: ":memory:" });
const db = drizzle(client);
async function registerDoseRoutes(ctx: TestContext) {
const { app, client } = ctx;
return {
testClient: client,
testDb: db,
mockedEnv: {
AUTH_ENABLED: true,
REGISTRATION_ENABLED: true,
FORM_LOGIN_ENABLED: true,
OIDC_ENABLED: false,
OIDC_PROVIDER_NAME: "SSO",
NODE_ENV: "test",
LOG_LEVEL: "silent",
PORT: 3000,
CORS_ORIGINS: "*",
JWT_SECRET: "test-jwt-secret",
REFRESH_SECRET: "test-refresh-secret",
COOKIE_SECRET: "test-cookie-secret",
ACCESS_TOKEN_TTL_MINUTES: 15,
REFRESH_TOKEN_TTL_DAYS: 7,
OPENAPI_DOCS_ENABLED: false,
},
};
});
// GET /doses/taken - List all taken doses
app.get("/doses/taken", async (_request, _reply) => {
// In test mode, use user ID 1 (will be created in tests)
const userId = 1;
vi.mock("../db/client.js", () => ({
db: testDb,
migrationsReady: Promise.resolve(),
}));
const result = await client.execute({
sql: `SELECT dose_id, taken_at, marked_by FROM dose_tracking WHERE user_id = ?`,
args: [userId],
});
vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
return {
doses: result.rows.map((d) => ({
doseId: d.dose_id,
takenAt: (d.taken_at as number) * 1000, // Convert to ms
markedBy: d.marked_by,
})),
};
const { doseRoutes } = await import("../routes/doses.js");
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const migrationsFolder = resolve(__dirname, "../../drizzle");
async function clearTables() {
await testClient.execute("DELETE FROM dose_tracking");
await testClient.execute("DELETE FROM share_tokens");
await testClient.execute("DELETE FROM api_keys");
await testClient.execute("DELETE FROM refresh_tokens");
await testClient.execute("DELETE FROM medications");
await testClient.execute("DELETE FROM user_settings");
await testClient.execute("DELETE FROM users");
}
async function createUser(username: string) {
const result = await testClient.execute({
sql: "INSERT INTO users (username, auth_provider, is_active) VALUES (?, 'local', 1) RETURNING id",
args: [username],
});
// POST /doses/taken - Mark a dose as taken
app.post<{ Body: { doseId: string } }>("/doses/taken", async (request, reply) => {
const userId = 1;
const { doseId } = request.body || {};
return Number(result.rows[0].id);
}
if (!doseId || typeof doseId !== "string" || doseId.length === 0) {
return reply.status(400).send({ error: "doseId is required" });
}
function buildSessionCookie(app: FastifyInstance, userId: number, username: string) {
const token = app.jwt.sign({ sub: userId, username });
return `access_token=${token}`;
}
// Check if already marked
const existing = await client.execute({
sql: `SELECT id FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
args: [userId, doseId],
});
if (existing.rows.length > 0) {
return { success: true, message: "Already marked" };
}
// Insert new record
await client.execute({
sql: `INSERT INTO dose_tracking (user_id, dose_id, marked_by) VALUES (?, ?, NULL)`,
args: [userId, doseId],
});
return { success: true };
});
// DELETE /doses/taken/:doseId - Unmark a dose
app.delete<{ Params: { doseId: string } }>("/doses/taken/:doseId", async (request, _reply) => {
const userId = 1;
const { doseId } = request.params;
// Check if this dose was also dismissed
const existing = await client.execute({
sql: `SELECT id, dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
args: [userId, doseId],
});
if (existing.rows.length > 0 && existing.rows[0].dismissed) {
// Already dismissed - keep the record as-is (don't delete)
// The dose stays dismissed, we just ignore the undo request
} else {
// Not dismissed - delete the record entirely
await client.execute({
sql: `DELETE FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
args: [userId, doseId],
});
}
return { success: true };
});
// POST /doses/dismiss - Dismiss missed doses without deducting stock
app.post<{ Body: { doseIds: string[] } }>("/doses/dismiss", async (request, reply) => {
const userId = 1;
const { doseIds } = request.body || {};
if (!doseIds || !Array.isArray(doseIds) || doseIds.length === 0) {
return reply.status(400).send({ error: "doseIds array is required" });
}
let dismissedCount = 0;
for (const doseId of doseIds) {
// Check if already exists
const existing = await client.execute({
sql: `SELECT id, dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
args: [userId, doseId],
});
if (existing.rows.length > 0) {
// Update to dismissed if not already
if (!existing.rows[0].dismissed) {
await client.execute({
sql: `UPDATE dose_tracking SET dismissed = 1 WHERE id = ?`,
args: [existing.rows[0].id],
});
dismissedCount++;
}
} else {
// Insert new dismissed record
await client.execute({
sql: `INSERT INTO dose_tracking (user_id, dose_id, dismissed) VALUES (?, ?, 1)`,
args: [userId, doseId],
});
dismissedCount++;
}
}
return { success: true, dismissedCount };
async function insertDose(options: {
userId: number;
doseId: string;
markedBy?: string | null;
dismissed?: boolean;
takenAt?: number | null;
takenSource?: "manual" | "automatic";
}) {
await testClient.execute({
sql: `INSERT INTO dose_tracking (user_id, dose_id, marked_by, dismissed, taken_at, taken_source)
VALUES (?, ?, ?, ?, ?, ?)`,
args: [
options.userId,
options.doseId,
options.markedBy ?? null,
options.dismissed ? 1 : 0,
options.takenAt === undefined ? Math.floor(Date.now() / 1000) : (options.takenAt ?? 0),
options.takenSource ?? "manual",
],
});
}
// =============================================================================
// Tests
// =============================================================================
describe("Dose Tracking API", () => {
let ctx: TestContext;
let app: FastifyInstance;
let userId: number;
let cookieHeader: string;
beforeAll(async () => {
ctx = await buildTestApp();
await registerDoseRoutes(ctx);
await ctx.app.ready();
await migrate(testDb, { migrationsFolder });
await runAlterMigrations(testClient);
app = Fastify({ logger: false });
await app.register(cookie, { secret: "test-cookie-secret" });
await app.register(jwt, {
secret: "test-jwt-secret",
cookie: { cookieName: "access_token", signed: false },
});
await app.register(doseRoutes);
await app.ready();
});
afterAll(async () => {
await closeTestApp(ctx);
await app.close();
testClient.close();
});
beforeEach(async () => {
await clearTestData(ctx.client);
// Create test user - will get ID 1 since table is cleared
userId = await createTestUser(ctx.client, { username: "testuser" });
// Reset SQLite autoincrement so user gets ID 1
await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='users'");
await clearTestData(ctx.client);
userId = await createTestUser(ctx.client, { username: "testuser" });
await clearTables();
userId = await createUser("dose-test-user");
cookieHeader = buildSessionCookie(app, userId, "dose-test-user");
});
// ---------------------------------------------------------------------------
// POST /doses/taken
// ---------------------------------------------------------------------------
describe("POST /doses/taken", () => {
it("should mark a dose as taken", async () => {
it("marks a dose as taken", async () => {
const doseId = "1-0-1735344000000";
const response = await ctx.app.inject({
const response = await app.inject({
method: "POST",
url: "/doses/taken",
headers: { cookie: cookieHeader },
payload: { doseId },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
// Verify in database
const result = await ctx.client.execute({
sql: `SELECT dose_id, marked_by FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
const result = await testClient.execute({
sql: "SELECT dose_id, marked_by, taken_source FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [userId, doseId],
});
expect(result.rows.length).toBe(1);
expect(result.rows[0].dose_id).toBe(doseId);
expect(result.rows[0].marked_by).toBeNull();
expect(result.rows).toEqual([
expect.objectContaining({ dose_id: doseId, marked_by: null, taken_source: "manual" }),
]);
});
it("should return idempotent response when dose already marked", async () => {
it("returns an idempotent response when the dose is already marked", async () => {
const doseId = "1-0-1735344000000";
await insertDose({ userId, doseId });
// Mark once
await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
// Mark again
const response = await ctx.app.inject({
const response = await app.inject({
method: "POST",
url: "/doses/taken",
headers: { cookie: cookieHeader },
payload: { doseId },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true, message: "Already marked" });
// Should still only have one record
const result = await ctx.client.execute({
sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
const countResult = await testClient.execute({
sql: "SELECT COUNT(*) AS count FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [userId, doseId],
});
expect(result.rows[0].count).toBe(1);
expect(Number(countResult.rows[0].count)).toBe(1);
});
it("should reject request without doseId", async () => {
const response = await ctx.app.inject({
it("rejects requests without a doseId", async () => {
const response = await app.inject({
method: "POST",
url: "/doses/taken",
headers: { cookie: cookieHeader },
payload: {},
});
expect(response.statusCode).toBe(400);
expect(response.json()).toEqual({ error: "doseId is required" });
expect(response.json()).toEqual({ error: "Required" });
});
it("should reject request with empty doseId", async () => {
const response = await ctx.app.inject({
it("accepts dose IDs with a person suffix and special characters", async () => {
const doseId = "5-0-1735344000000-Max Müller";
const response = await app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId: "" },
headers: { cookie: cookieHeader },
payload: { doseId },
});
expect(response.statusCode).toBe(400);
expect(response.json()).toEqual({ error: "doseId is required" });
expect(response.statusCode).toBe(200);
const getResponse = await app.inject({
method: "GET",
url: "/doses/taken",
headers: { cookie: cookieHeader },
});
expect(getResponse.statusCode).toBe(200);
expect(getResponse.json().doses[0].doseId).toBe(doseId);
});
});
// ---------------------------------------------------------------------------
// GET /doses/taken
// ---------------------------------------------------------------------------
describe("GET /doses/taken", () => {
it("should return empty array when no doses taken", async () => {
const response = await ctx.app.inject({
it("returns an empty array when no doses were taken", async () => {
const response = await app.inject({
method: "GET",
url: "/doses/taken",
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ doses: [] });
});
it("should return list of taken doses", async () => {
const doseId1 = "1-0-1735344000000";
const doseId2 = "1-0-1735430400000";
// Mark two doses
await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId: doseId1 },
});
await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId: doseId2 },
it("returns only the authenticated user's taken doses with metadata", async () => {
const otherUserId = await createUser("dose-other-user");
await insertDose({
userId,
doseId: "1-0-1735344000000",
markedBy: "Daniel",
takenSource: "automatic",
});
await insertDose({ userId, doseId: "1-0-1735430400000" });
await insertDose({ userId: otherUserId, doseId: "9-0-1735516800000" });
const response = await ctx.app.inject({
const response = await app.inject({
method: "GET",
url: "/doses/taken",
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
const data = response.json();
expect(data.doses).toHaveLength(2);
expect(data.doses.map((d: { doseId: string }) => d.doseId).sort()).toEqual([doseId1, doseId2].sort());
// Each dose should have a takenAt timestamp
for (const dose of data.doses) {
expect(dose.takenAt).toBeTypeOf("number");
expect(dose.takenAt).toBeGreaterThan(0);
expect(dose.markedBy).toBeNull();
}
});
it("should include markedBy when present", async () => {
const doseId = "1-0-1735344000000";
// Insert directly with markedBy
await ctx.client.execute({
sql: `INSERT INTO dose_tracking (user_id, dose_id, marked_by) VALUES (?, ?, ?)`,
args: [userId, doseId, "Daniel"],
});
const response = await ctx.app.inject({
method: "GET",
url: "/doses/taken",
});
expect(response.statusCode).toBe(200);
const data = response.json();
expect(data.doses).toHaveLength(1);
expect(data.doses[0].markedBy).toBe("Daniel");
expect(data.doses.map((dose: { doseId: string }) => dose.doseId).sort()).toEqual([
"1-0-1735344000000",
"1-0-1735430400000",
]);
expect(data.doses).toEqual(
expect.arrayContaining([
expect.objectContaining({ markedBy: "Daniel", takenSource: "automatic" }),
expect.objectContaining({ markedBy: null, takenSource: "manual" }),
])
);
});
});
// ---------------------------------------------------------------------------
// DELETE /doses/taken/:doseId
// ---------------------------------------------------------------------------
describe("DELETE /doses/taken/:doseId", () => {
it("should unmark a dose", async () => {
it("unmarks an existing dose", async () => {
const doseId = "1-0-1735344000000";
await insertDose({ userId, doseId });
// Mark first
await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
// Verify marked
let result = await ctx.client.execute({
sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE dose_id = ?`,
args: [doseId],
});
expect(result.rows[0].count).toBe(1);
// Unmark
const response = await ctx.app.inject({
const response = await app.inject({
method: "DELETE",
url: `/doses/taken/${encodeURIComponent(doseId)}`,
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
// Verify unmarked
result = await ctx.client.execute({
sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE dose_id = ?`,
args: [doseId],
const countResult = await testClient.execute({
sql: "SELECT COUNT(*) AS count FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [userId, doseId],
});
expect(result.rows[0].count).toBe(0);
expect(Number(countResult.rows[0].count)).toBe(0);
});
it("should succeed even if dose was not marked", async () => {
const doseId = "nonexistent-dose-id";
it("keeps the record when the dose is dismissed", async () => {
const doseId = "1-0-1735344000000";
await insertDose({ userId, doseId, dismissed: true });
const response = await ctx.app.inject({
const response = await app.inject({
method: "DELETE",
url: `/doses/taken/${encodeURIComponent(doseId)}`,
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
const result = await testClient.execute({
sql: "SELECT dose_id, dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [userId, doseId],
});
expect(result.rows).toEqual([expect.objectContaining({ dose_id: doseId, dismissed: 1 })]);
});
it("should preserve dismissed status when unmarking a dose", async () => {
const doseId = "1-0-1735344000000";
// First dismiss the dose
await ctx.app.inject({
method: "POST",
url: "/doses/dismiss",
payload: { doseIds: [doseId] },
});
// Verify it's dismissed
let result = await ctx.client.execute({
sql: `SELECT dismissed, taken_at FROM dose_tracking WHERE dose_id = ?`,
args: [doseId],
});
expect(result.rows[0].dismissed).toBe(1);
const originalTakenAt = result.rows[0].taken_at;
// Now try to unmark it (undo) - should keep the dismissed record
const response = await ctx.app.inject({
it("still succeeds when the dose does not exist", async () => {
const response = await app.inject({
method: "DELETE",
url: `/doses/taken/${encodeURIComponent(doseId)}`,
url: "/doses/taken/nonexistent-dose-id",
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
// Verify the record still exists and is still dismissed
result = await ctx.client.execute({
sql: `SELECT dose_id, dismissed, taken_at FROM dose_tracking WHERE dose_id = ?`,
args: [doseId],
});
expect(result.rows.length).toBe(1);
expect(result.rows[0].dismissed).toBe(1);
expect(result.rows[0].taken_at).toBe(originalTakenAt); // unchanged
});
});
// ---------------------------------------------------------------------------
// Dose ID Format Tests
// ---------------------------------------------------------------------------
describe("Dose ID Format", () => {
it("should handle standard dose ID format: {medId}-{blisterIdx}-{timestamp}", async () => {
const doseId = "5-0-1735344000000";
const response = await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
});
it("should handle dose ID with person: {medId}-{blisterIdx}-{timestamp}-{person}", async () => {
const doseId = "5-0-1735344000000-Daniel";
const response = await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true });
});
it("should handle special characters in dose ID", async () => {
// Dose ID with URL-unsafe characters (edge case)
const doseId = "5-0-1735344000000-Max Müller";
const response = await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
expect(response.statusCode).toBe(200);
// Can retrieve it
const getResponse = await ctx.app.inject({
method: "GET",
url: "/doses/taken",
});
expect(getResponse.json().doses[0].doseId).toBe(doseId);
});
});
// ---------------------------------------------------------------------------
// Dismiss Doses Tests (POST /doses/dismiss)
// ---------------------------------------------------------------------------
describe("POST /doses/dismiss", () => {
it("should dismiss multiple doses", async () => {
const doseIds = ["1-0-1735344000000", "1-0-1735430400000"];
const response = await ctx.app.inject({
it("dismisses multiple doses", async () => {
const response = await app.inject({
method: "POST",
url: "/doses/dismiss",
payload: { doseIds },
headers: { cookie: cookieHeader },
payload: { doseIds: ["1-0-1735344000000", "1-0-1735430400000"] },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true, dismissedCount: 2 });
// Verify in database
const result = await ctx.client.execute({
sql: `SELECT dose_id, dismissed FROM dose_tracking WHERE user_id = ? AND dismissed = 1`,
const result = await testClient.execute({
sql: "SELECT COUNT(*) AS count FROM dose_tracking WHERE user_id = ? AND dismissed = 1",
args: [userId],
});
expect(result.rows.length).toBe(2);
expect(Number(result.rows[0].count)).toBe(2);
});
it("should not double-count already dismissed doses", async () => {
it("does not double-count already dismissed doses", async () => {
const doseId = "1-0-1735344000000";
await insertDose({ userId, doseId, dismissed: true });
// Dismiss once
await ctx.app.inject({
method: "POST",
url: "/doses/dismiss",
payload: { doseIds: [doseId] },
});
// Dismiss again
const response = await ctx.app.inject({
const response = await app.inject({
method: "POST",
url: "/doses/dismiss",
headers: { cookie: cookieHeader },
payload: { doseIds: [doseId] },
});
@@ -489,54 +335,71 @@ describe("Dose Tracking API", () => {
expect(response.json()).toEqual({ success: true, dismissedCount: 0 });
});
it("should reject empty doseIds array", async () => {
const response = await ctx.app.inject({
method: "POST",
url: "/doses/dismiss",
payload: { doseIds: [] },
});
expect(response.statusCode).toBe(400);
expect(response.json()).toEqual({ error: "doseIds array is required" });
});
it("should reject missing doseIds", async () => {
const response = await ctx.app.inject({
method: "POST",
url: "/doses/dismiss",
payload: {},
});
expect(response.statusCode).toBe(400);
expect(response.json()).toEqual({ error: "doseIds array is required" });
});
it("should dismiss a dose that was already taken (convert to dismissed)", async () => {
it("converts a taken dose into a dismissed one", async () => {
const doseId = "1-0-1735344000000";
await insertDose({ userId, doseId, dismissed: false });
// First mark as taken
await ctx.app.inject({
method: "POST",
url: "/doses/taken",
payload: { doseId },
});
// Then dismiss it
const response = await ctx.app.inject({
const response = await app.inject({
method: "POST",
url: "/doses/dismiss",
headers: { cookie: cookieHeader },
payload: { doseIds: [doseId] },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true, dismissedCount: 1 });
// Verify it's now dismissed
const result = await ctx.client.execute({
sql: `SELECT dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
const result = await testClient.execute({
sql: "SELECT dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
args: [userId, doseId],
});
expect(result.rows[0].dismissed).toBe(1);
expect(result.rows).toEqual([expect.objectContaining({ dismissed: 1 })]);
});
it("rejects missing or empty doseIds", async () => {
const emptyResponse = await app.inject({
method: "POST",
url: "/doses/dismiss",
headers: { cookie: cookieHeader },
payload: { doseIds: [] },
});
expect(emptyResponse.statusCode).toBe(400);
expect(emptyResponse.json()).toEqual({ error: "At least one doseId is required" });
const missingResponse = await app.inject({
method: "POST",
url: "/doses/dismiss",
headers: { cookie: cookieHeader },
payload: {},
});
expect(missingResponse.statusCode).toBe(400);
expect(missingResponse.json()).toEqual({ error: "Required" });
});
});
describe("DELETE /doses/dismiss", () => {
it("clears dismissed-only records and removes the dismissed flag from taken doses", async () => {
await insertDose({ userId, doseId: "1-0-1735344000000", dismissed: true, takenAt: null });
await insertDose({ userId, doseId: "1-0-1735430400000", dismissed: true, markedBy: "Daniel" });
const response = await app.inject({
method: "DELETE",
url: "/doses/dismiss",
headers: { cookie: cookieHeader },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true, clearedCount: 2 });
const rows = await testClient.execute({
sql: "SELECT dose_id, dismissed, marked_by FROM dose_tracking WHERE user_id = ? ORDER BY dose_id ASC",
args: [userId],
});
expect(rows.rows).toEqual([
expect.objectContaining({ dose_id: "1-0-1735430400000", dismissed: 0, marked_by: "Daniel" }),
]);
});
});
});
backend/src/test/e2e-routes.test.ts
+253 -3
View File
@@ -345,6 +345,37 @@ describe("E2E Tests with Real Routes", () => {
usedPrescription: true,
});
});
it("should not include refill history entries from another user for the same medication", async () => {
const medId = await createMedication(testClient, userId, "Report Isolation Med", ["Daniel"]);
const otherUserId = await _createUser(testClient, "report-isolation-other-user");
await testClient.execute({
sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date)
VALUES (?, ?, ?, ?, ?, ?)`,
args: [medId, userId, 1, 0, 0, 1735603200],
});
await testClient.execute({
sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date)
VALUES (?, ?, ?, ?, ?, ?)`,
args: [medId, otherUserId, 9, 99, 1, 1735689600],
});
const response = await app.inject({
method: "POST",
url: "/medications/report-data",
payload: { medicationIds: [medId] },
});
expect(response.statusCode).toBe(200);
const data = response.json();
expect(data[medId].refills).toHaveLength(1);
expect(data[medId].refills[0]).toMatchObject({
packsAdded: 1,
loosePillsAdded: 0,
usedPrescription: false,
});
});
});
afterAll(async () => {
@@ -503,6 +534,80 @@ describe("E2E Tests with Real Routes", () => {
expect(response.statusCode).toBe(404);
});
it("should return shared medication overview for a valid token", async () => {
await createMedication(testClient, userId, "Aspirin", ["Daniel"]);
const token = "abcdef0123456789";
await createShareToken(testClient, userId, "Daniel", token);
const response = await app.inject({
method: "GET",
url: `/share/${token}/overview`,
});
expect(response.statusCode).toBe(200);
expect(response.headers["cache-control"]).toBe("no-store");
const data = response.json();
expect(data.takenBy).toBe("Daniel");
expect(data.sharedBy).toBe("__anonymous__");
expect(Array.isArray(data.medications)).toBe(true);
expect(data.medications).toHaveLength(1);
expect(data.medications[0].name).toBe("Aspirin");
expect(data.medications[0].currentStock).toBeTypeOf("number");
});
it("should return 404 for unknown overview token", async () => {
const response = await app.inject({
method: "GET",
url: "/share/abcdef0123456789/overview",
});
expect(response.statusCode).toBe(404);
expect(response.json()).toEqual({ error: "not_found" });
});
it("should return 410 for expired overview token", async () => {
const token = "fedcba9876543210";
await testClient.execute({
sql: "INSERT INTO share_tokens (user_id, token, taken_by, schedule_days, expires_at) VALUES (?, ?, ?, 30, ?)",
args: [userId, token, "Daniel", Math.floor(Date.now() / 1000) - 60],
});
const response = await app.inject({
method: "GET",
url: `/share/${token}/overview`,
});
expect(response.statusCode).toBe(410);
const data = response.json();
expect(data.error).toBe("expired");
expect(data.expiredAt).toBeTypeOf("string");
});
it("should hide stock fields in overview when share_stock_status is disabled", async () => {
await createMedication(testClient, userId, "Ibuprofen", ["Daniel"]);
const token = "0123456789abcdef";
await createShareToken(testClient, userId, "Daniel", token);
await testClient.execute({
sql: "INSERT INTO user_settings (user_id, share_stock_status, low_stock_days) VALUES (?, 0, 30)",
args: [userId],
});
const response = await app.inject({
method: "GET",
url: `/share/${token}/overview`,
});
expect(response.statusCode).toBe(200);
const [medication] = response.json().medications;
expect(medication.currentStock).toBeNull();
expect(medication.capacity).toBeNull();
expect(medication.daysLeft).toBeNull();
expect(medication.depletionDate).toBeNull();
expect(medication.priority).toBeNull();
});
});
// ---------------------------------------------------------------------------
@@ -834,7 +939,7 @@ describe("E2E Tests with Real Routes", () => {
});
expect(response.statusCode).toBe(400);
expect(response.json().error).toBe("Invalid language");
expect(response.json().error).toMatch(/Invalid language|Bad Request/);
});
it("should create and update language via lightweight language endpoint", async () => {
@@ -1929,6 +2034,47 @@ describe("E2E Tests with Real Routes", () => {
expect(hasLooseRefill).toBe(true);
});
it("should not return refill history entries from another user for the same medication", async () => {
const createResponse = await app.inject({
method: "POST",
url: "/medications",
payload: {
name: "Refill Isolation Med",
packCount: 1,
blistersPerPack: 2,
pillsPerBlister: 10,
blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
},
});
const medId = createResponse.json().id;
const otherUserId = await _createUser(testClient, "refill-isolation-other-user");
await testClient.execute({
sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date)
VALUES (?, ?, ?, ?, ?, ?)`,
args: [medId, userId, 2, 3, 0, 1735603200],
});
await testClient.execute({
sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date)
VALUES (?, ?, ?, ?, ?, ?)`,
args: [medId, otherUserId, 8, 88, 1, 1735689600],
});
const response = await app.inject({
method: "GET",
url: `/medications/${medId}/refills`,
});
expect(response.statusCode).toBe(200);
const refills = response.json();
expect(refills).toHaveLength(1);
expect(refills[0]).toMatchObject({
packsAdded: 2,
loosePillsAdded: 3,
usedPrescription: false,
});
});
it("should return 404 for non-existent medication", async () => {
const response = await app.inject({
method: "GET",
@@ -2302,6 +2448,29 @@ describe("E2E Tests with Real Routes", () => {
payload: {
emailEnabled: true,
notificationEmail: "test@example.com",
reminderDaysBefore: 7,
repeatDailyReminders: false,
lowStockDays: 30,
normalStockDays: 90,
highStockDays: 180,
shoutrrrEnabled: false,
shoutrrrUrl: "",
emailStockReminders: true,
emailIntakeReminders: true,
emailPrescriptionReminders: true,
shoutrrrStockReminders: true,
shoutrrrIntakeReminders: true,
shoutrrrPrescriptionReminders: true,
skipRemindersForTakenDoses: false,
repeatRemindersEnabled: false,
reminderRepeatIntervalMinutes: 30,
maxNaggingReminders: 5,
language: "en",
stockCalculationMode: "automatic",
shareStockStatus: true,
upcomingTodayOnly: false,
shareScheduleTodayOnly: false,
swapDashboardMainSections: false,
},
});
@@ -2506,10 +2675,10 @@ describe("E2E Tests with Real Routes", () => {
});
// ---------------------------------------------------------------------------
// Package Type (blister, bottle, liquid_container) Tests
// Package Type (blister, bottle, tube, liquid_container) Tests
// ---------------------------------------------------------------------------
describe("Package type handling (blister, bottle, liquid_container)", () => {
describe("Package type handling (blister, bottle, tube, liquid_container)", () => {
const bottleMedication = {
name: "Vitamin D Drops",
packageType: "bottle",
@@ -2542,6 +2711,21 @@ describe("E2E Tests with Real Routes", () => {
blisters: [{ usage: 5, every: 1, start: "2025-01-01T08:00:00.000Z" }],
};
const tubeMedication = {
name: "Topical Cream",
medicationForm: "topical",
packageType: "tube",
doseUnit: "units",
packCount: 2,
packageAmountValue: 40,
packageAmountUnit: "g",
blistersPerPack: 1,
pillsPerBlister: 1,
totalPills: 80,
looseTablets: 80,
blisters: [{ usage: 2, every: 1, start: "2025-01-01T08:00:00.000Z" }],
};
it("should create and return bottle type medication", async () => {
const response = await app.inject({
method: "POST",
@@ -2698,6 +2882,72 @@ describe("E2E Tests with Real Routes", () => {
expect(data.refill.totalPillsAdded).toBe(35); // 1*30 + 5
});
it("should keep liquid_container refill additive and preserve amount baseline", async () => {
const createResponse = await app.inject({
method: "POST",
url: "/medications",
payload: {
...liquidContainerMedication,
packCount: 1,
packageAmountValue: 180,
totalPills: 180,
looseTablets: 180,
},
});
expect(createResponse.statusCode).toBe(200);
const medId = createResponse.json().id;
const refillResponse = await app.inject({
method: "POST",
url: `/medications/${medId}/refill`,
payload: { packsAdded: 1, loosePillsAdded: 0 },
});
expect(refillResponse.statusCode).toBe(200);
const refillData = refillResponse.json();
expect(refillData.refill.packsAdded).toBe(1);
expect(refillData.refill.loosePillsAdded).toBe(180);
expect(refillData.refill.totalPillsAdded).toBe(180);
expect(refillData.newStock.totalPills).toBe(360);
const medsResponse = await app.inject({ method: "GET", url: "/medications" });
expect(medsResponse.statusCode).toBe(200);
const med = medsResponse.json().find((m: Record<string, unknown>) => m.id === medId);
expect(med).toBeTruthy();
expect(med.totalPills).toBe(360);
expect(med.looseTablets).toBe(360);
});
it("should keep tube refill additive and preserve amount baseline", async () => {
const createResponse = await app.inject({
method: "POST",
url: "/medications",
payload: tubeMedication,
});
expect(createResponse.statusCode).toBe(200);
const medId = createResponse.json().id;
const refillResponse = await app.inject({
method: "POST",
url: `/medications/${medId}/refill`,
payload: { packsAdded: 1, loosePillsAdded: 0 },
});
expect(refillResponse.statusCode).toBe(200);
const refillData = refillResponse.json();
expect(refillData.refill.packsAdded).toBe(1);
expect(refillData.refill.loosePillsAdded).toBe(40);
expect(refillData.refill.totalPillsAdded).toBe(40);
expect(refillData.newStock.totalPills).toBe(120);
const medsResponse = await app.inject({ method: "GET", url: "/medications" });
expect(medsResponse.statusCode).toBe(200);
const med = medsResponse.json().find((m: Record<string, unknown>) => m.id === medId);
expect(med).toBeTruthy();
expect(med.totalPills).toBe(120);
expect(med.looseTablets).toBe(120);
});
it("should return correct totalPillsAdded in refill history for bottle type", async () => {
const createResponse = await app.inject({
method: "POST",
backend/src/test/routes-real.test.ts
+297 -2
View File
@@ -45,7 +45,9 @@ vi.mock("nodemailer", () => ({
},
}));
const { settingsRoutes, sendShoutrrrNotification } = await import("../routes/settings.js");
const { settingsRoutes, sendShoutrrrNotification, loadUserSettings, getAllUserSettings } = await import(
"../routes/settings.js"
);
const { exportRoutes } = await import("../routes/export.js");
const { reportRoutes } = await import("../routes/report.js");
@@ -142,6 +144,73 @@ describe("Real route coverage: settings/export/report", () => {
expect(body.shareScheduleTodayOnly).toBe(false);
});
it("GET /settings returns a non-empty serialized payload with SMTP fields", async () => {
process.env.SMTP_HOST = "smtp.example.com";
process.env.SMTP_PORT = "2525";
process.env.SMTP_USER = "mailer@example.com";
process.env.SMTP_FROM = "MedAssist <mailer@example.com>";
process.env.SMTP_PASS = "secret";
await app.inject({
method: "PUT",
url: "/settings",
payload: {
emailEnabled: true,
notificationEmail: "person@example.com",
reminderDaysBefore: 5,
repeatDailyReminders: true,
lowStockDays: 14,
normalStockDays: 45,
highStockDays: 90,
shoutrrrEnabled: false,
shoutrrrUrl: "",
emailStockReminders: true,
emailIntakeReminders: true,
emailPrescriptionReminders: true,
shoutrrrStockReminders: true,
shoutrrrIntakeReminders: true,
shoutrrrPrescriptionReminders: true,
skipRemindersForTakenDoses: false,
repeatRemindersEnabled: true,
reminderRepeatIntervalMinutes: 20,
maxNaggingReminders: 4,
language: "en",
stockCalculationMode: "manual",
shareStockStatus: true,
upcomingTodayOnly: true,
shareScheduleTodayOnly: true,
swapDashboardMainSections: true,
},
});
const response = await app.inject({ method: "GET", url: "/settings" });
expect(response.statusCode).toBe(200);
expect(response.body).not.toBe("{}");
const body = response.json();
expect(body).toEqual(
expect.objectContaining({
emailEnabled: true,
notificationEmail: "person@example.com",
reminderDaysBefore: 5,
repeatDailyReminders: true,
repeatRemindersEnabled: true,
reminderRepeatIntervalMinutes: 20,
maxNaggingReminders: 4,
stockCalculationMode: "manual",
upcomingTodayOnly: true,
shareScheduleTodayOnly: true,
swapDashboardMainSections: true,
smtpHost: "smtp.example.com",
smtpPort: 2525,
smtpUser: "mailer@example.com",
smtpFrom: "MedAssist <mailer@example.com>",
hasSmtpPassword: true,
})
);
});
it("PUT /settings disables repeatDailyReminders when no stock reminder channel exists", async () => {
const response = await app.inject({
method: "PUT",
@@ -190,7 +259,30 @@ describe("Real route coverage: settings/export/report", () => {
payload: { language: "fr" },
});
expect(response.statusCode).toBe(400);
expect(response.json().error).toBe("Invalid language");
expect(response.json().error).toMatch(/Invalid language|Bad Request/);
});
it("PUT /settings/language creates and updates the stored language", async () => {
let response = await app.inject({
method: "PUT",
url: "/settings/language",
payload: { language: "de" },
});
expect(response.statusCode).toBe(200);
response = await app.inject({
method: "PUT",
url: "/settings/language",
payload: { language: "en" },
});
expect(response.statusCode).toBe(200);
const stored = await testClient.execute({
sql: "SELECT language FROM user_settings WHERE user_id = 1",
});
expect(stored.rows[0].language).toBe("en");
});
it("POST /settings/test-email fails when SMTP is not configured", async () => {
@@ -224,6 +316,22 @@ describe("Real route coverage: settings/export/report", () => {
expect(nodemailerSendMail).toHaveBeenCalledTimes(1);
});
it("POST /settings/test-email maps generic transport failures to HTTP 500", async () => {
process.env.SMTP_HOST = "smtp.example.com";
process.env.SMTP_USER = "mailer@example.com";
process.env.SMTP_PASS = "secret";
nodemailerSendMail.mockRejectedValue(new Error("socket hang up"));
const response = await app.inject({
method: "POST",
url: "/settings/test-email",
payload: { email: "person@example.com" },
});
expect(response.statusCode).toBe(500);
expect(response.json()).toMatchObject({ code: "TEST_EMAIL_FAILED" });
});
it("POST /settings/test-shoutrrr validates URL presence", async () => {
const response = await app.inject({
method: "POST",
@@ -233,6 +341,30 @@ describe("Real route coverage: settings/export/report", () => {
expect(response.statusCode).toBe(400);
});
it("POST /settings/test-shoutrrr returns 500 when notification delivery fails", async () => {
const response = await app.inject({
method: "POST",
url: "/settings/test-shoutrrr",
payload: { url: "ftp://invalid.example.com/topic" },
});
expect(response.statusCode).toBe(500);
expect(response.json().error).toMatch(/Only HTTP\/HTTPS protocols are allowed|Unsupported URL format/);
});
it("POST /settings/test-shoutrrr returns 200 for a valid ntfy target", async () => {
fetchMock.mockResolvedValue({ ok: true });
const response = await app.inject({
method: "POST",
url: "/settings/test-shoutrrr",
payload: { url: "ntfy://ntfy.sh/medassist" },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual({ success: true, message: "Test notification sent successfully" });
});
it("sendShoutrrrNotification blocks localhost/private targets", async () => {
const result = await sendShoutrrrNotification("http://127.0.0.1/hook", "test", "message");
expect(result.success).toBe(false);
@@ -266,6 +398,169 @@ describe("Real route coverage: settings/export/report", () => {
expect(JSON.parse(call[1].body)).toMatchObject({ title: "Title", message: "Body" });
});
it("sendShoutrrrNotification returns HTTP response errors for ntfy-style endpoints", async () => {
fetchMock.mockResolvedValue({ ok: false, status: 429, text: () => Promise.resolve("rate limited") });
const result = await sendShoutrrrNotification("https://ntfy.sh/medassist", "Title", "Body");
expect(result).toEqual({ success: false, error: "HTTP 429: rate limited" });
});
it("sendShoutrrrNotification rejects invalid Discord webhook identifiers", async () => {
const result = await sendShoutrrrNotification("discord://bad-token@not-a-number", "Title", "Body");
expect(result).toEqual({ success: false, error: "Invalid Discord webhook ID" });
});
it("sendShoutrrrNotification validates Pushover URL credentials", async () => {
const result = await sendShoutrrrNotification("pushover://missing-token", "Title", "Body");
expect(result).toEqual({ success: false, error: "Invalid Pushover URL format" });
});
it("sendShoutrrrNotification requires Telegram chats and validates tokens", async () => {
let result = await sendShoutrrrNotification("telegram://123:abc@telegram", "Title", "Body");
expect(result).toEqual({ success: false, error: "Telegram URL requires chats parameter" });
result = await sendShoutrrrNotification("telegram://invalid@telegram?chats=123", "Title", "Body");
expect(result).toEqual({ success: false, error: "Invalid Telegram token format" });
});
it("sendShoutrrrNotification converts Gotify URLs and supports disabletls", async () => {
fetchMock.mockResolvedValue({ ok: true });
const result = await sendShoutrrrNotification(
"gotify://push.example.com/basepath/token123?disabletls=yes&priority=8",
"Title",
"Body"
);
expect(result).toEqual({ success: true });
const [targetUrl, requestInit] = fetchMock.mock.calls[0];
expect(targetUrl).toBe("http://push.example.com/basepath/message?token=token123");
expect(requestInit.body).toBe("Body\n\n(priority=8)");
expect(requestInit.headers).toMatchObject({ Tags: "pill" });
});
it("loadUserSettings creates defaults for users without settings", async () => {
const settings = await loadUserSettings(1);
expect(settings).toEqual(
expect.objectContaining({
userId: 1,
emailEnabled: false,
emailPrescriptionReminders: true,
shoutrrrPrescriptionReminders: true,
stockCalculationMode: "automatic",
shareStockStatus: true,
})
);
});
it("loadUserSettings maps persisted settings", async () => {
await testClient.execute({
sql: `INSERT INTO user_settings (
user_id, email_enabled, notification_email, email_stock_reminders, email_intake_reminders,
email_prescription_reminders, shoutrrr_enabled, shoutrrr_url, shoutrrr_stock_reminders,
shoutrrr_intake_reminders, shoutrrr_prescription_reminders, reminder_days_before,
repeat_daily_reminders, low_stock_days, normal_stock_days, high_stock_days, language,
stock_calculation_mode, share_stock_status, skip_reminders_for_taken_doses,
repeat_reminders_enabled, reminder_repeat_interval_minutes, max_nagging_reminders,
upcoming_today_only, share_schedule_today_only, swap_dashboard_main_sections
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
args: [
1,
1,
"person@example.com",
1,
1,
1,
0,
null,
1,
1,
1,
4,
0,
12,
30,
90,
"de",
"manual",
1,
0,
0,
30,
5,
0,
0,
0,
],
});
const settings = await loadUserSettings(1);
expect(settings).toEqual(
expect.objectContaining({
notificationEmail: "person@example.com",
skipRemindersForTakenDoses: false,
repeatRemindersEnabled: false,
reminderRepeatIntervalMinutes: 30,
maxNaggingReminders: 5,
stockCalculationMode: "manual",
shareStockStatus: true,
upcomingTodayOnly: false,
shareScheduleTodayOnly: false,
swapDashboardMainSections: false,
})
);
});
it("getAllUserSettings returns mapped entries for each persisted user", async () => {
await testClient.execute({
sql: "INSERT INTO users (id, username, auth_provider, is_active) VALUES (?, ?, ?, 1)",
args: [2, "second-user", "local"],
});
await testClient.execute({
sql: `INSERT INTO user_settings (
user_id, email_enabled, notification_email, email_stock_reminders, email_intake_reminders,
email_prescription_reminders, shoutrrr_enabled, shoutrrr_url, shoutrrr_stock_reminders,
shoutrrr_intake_reminders, shoutrrr_prescription_reminders, reminder_days_before,
repeat_daily_reminders, low_stock_days, normal_stock_days, high_stock_days, language,
stock_calculation_mode, share_stock_status, upcoming_today_only, share_schedule_today_only,
swap_dashboard_main_sections
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
args: [1, 0, null, 1, 1, 1, 1, "ntfy://ntfy.sh/topic", 1, 1, 1, 7, 1, 30, 60, 120, "en", "manual", 1, 1, 0, 1],
});
await testClient.execute({
sql: `INSERT INTO user_settings (
user_id, email_enabled, notification_email, email_stock_reminders, email_intake_reminders,
email_prescription_reminders, shoutrrr_enabled, shoutrrr_url, shoutrrr_stock_reminders,
shoutrrr_intake_reminders, shoutrrr_prescription_reminders, reminder_days_before,
repeat_daily_reminders, low_stock_days, normal_stock_days, high_stock_days, language,
stock_calculation_mode, share_stock_status, upcoming_today_only, share_schedule_today_only,
swap_dashboard_main_sections
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
args: [2, 1, "second@example.com", 0, 1, 1, 0, null, 1, 1, 1, 10, 0, 20, 50, 100, "de", "automatic", 1, 0, 0, 0],
});
const allSettings = await getAllUserSettings();
expect(allSettings).toHaveLength(2);
expect(allSettings).toEqual(
expect.arrayContaining([
expect.objectContaining({ userId: 1, stockCalculationMode: "manual", upcomingTodayOnly: true }),
expect.objectContaining({
userId: 2,
emailPrescriptionReminders: true,
shoutrrrPrescriptionReminders: true,
stockCalculationMode: "automatic",
shareStockStatus: true,
}),
])
);
});
it("POST /medications/report-data returns 403 for meds not owned by user", async () => {
await seedMedication("Owned Med");
const response = await app.inject({
backend/src/test/settings-auth-security.test.ts
+395
View File
@@ -0,0 +1,395 @@
import { dirname, resolve } from "node:path";
import { fileURLToPath } from "node:url";
import cookie from "@fastify/cookie";
import jwt from "@fastify/jwt";
import sensible from "@fastify/sensible";
import { migrate } from "drizzle-orm/libsql/migrator";
import Fastify, { type FastifyInstance } from "fastify";
import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
import { runAlterMigrations } from "../db/db-utils.js";
const { testClient, testDb, mockedEnv, nodemailerSendMail } = vi.hoisted(() => {
const { createClient } = require("@libsql/client");
const { drizzle } = require("drizzle-orm/libsql");
const client = createClient({ url: ":memory:" });
const db = drizzle(client);
return {
testClient: client,
testDb: db,
mockedEnv: {
AUTH_ENABLED: true,
REGISTRATION_ENABLED: true,
FORM_LOGIN_ENABLED: true,
OIDC_ENABLED: false,
OIDC_PROVIDER_NAME: "SSO",
NODE_ENV: "test",
LOG_LEVEL: "silent",
PORT: 3000,
CORS_ORIGINS: "*",
JWT_SECRET: "test-jwt-secret",
REFRESH_SECRET: "test-refresh-secret",
COOKIE_SECRET: "test-cookie-secret",
ACCESS_TOKEN_TTL_MINUTES: 15,
REFRESH_TOKEN_TTL_DAYS: 7,
OPENAPI_DOCS_ENABLED: false,
},
nodemailerSendMail: vi.fn(),
};
});
vi.mock("../db/client.js", () => ({
db: testDb,
migrationsReady: Promise.resolve(),
}));
vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
vi.mock("nodemailer", () => ({
default: {
createTransport: () => ({
sendMail: nodemailerSendMail,
}),
},
}));
const { settingsRoutes } = await import("../routes/settings.js");
const { apiKeyRoutes } = await import("../routes/api-keys.js");
const { hashApiKeyToken } = await import("../plugins/auth.js");
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const migrationsFolder = resolve(__dirname, "../../drizzle");
async function clearTables() {
await testClient.execute("DELETE FROM api_keys");
await testClient.execute("DELETE FROM refresh_tokens");
await testClient.execute("DELETE FROM user_settings");
await testClient.execute("DELETE FROM users");
}
async function createUser(username: string) {
const result = await testClient.execute({
sql: "INSERT INTO users (username, auth_provider, is_active) VALUES (?, 'local', 1) RETURNING id",
args: [username],
});
return Number(result.rows[0].id);
}
function buildSessionCookie(app: FastifyInstance, userId: number, username: string) {
const token = app.jwt.sign({ sub: userId, username });
return `access_token=${token}`;
}
async function insertApiKey(options: {
userId: number;
token: string;
scope?: "read" | "write";
isActive?: boolean;
expiresAt?: Date | null;
}) {
const expiresAtValue = options.expiresAt ? Math.floor(options.expiresAt.getTime() / 1000) : null;
const result = await testClient.execute({
sql: `INSERT INTO api_keys (user_id, name, key_hash, token_prefix, scope, is_active, expires_at)
VALUES (?, ?, ?, ?, ?, ?, ?) RETURNING id`,
args: [
options.userId,
"Seeded Key",
hashApiKeyToken(options.token),
`${options.token.slice(0, 12)}...`,
options.scope ?? "write",
options.isActive === false ? 0 : 1,
expiresAtValue,
],
});
return Number(result.rows[0].id);
}
describe("Settings and API key security contracts", () => {
let app: FastifyInstance;
beforeAll(async () => {
await migrate(testDb, { migrationsFolder });
await runAlterMigrations(testClient);
app = Fastify({ logger: false });
await app.register(sensible);
await app.register(cookie, { secret: "test-cookie-secret" });
await app.register(jwt, {
secret: "test-jwt-secret",
cookie: { cookieName: "access_token", signed: false },
});
await app.register(settingsRoutes);
await app.register(apiKeyRoutes);
await app.ready();
});
afterAll(async () => {
await app.close();
testClient.close();
});
beforeEach(async () => {
vi.clearAllMocks();
await clearTables();
delete process.env.SMTP_HOST;
delete process.env.SMTP_USER;
delete process.env.SMTP_TOKEN;
delete process.env.SMTP_PASS;
delete process.env.SMTP_FROM;
delete process.env.SMTP_PORT;
delete process.env.SMTP_SECURE;
});
it("rejects GET /settings without authentication when auth is enabled", async () => {
const response = await app.inject({ method: "GET", url: "/settings" });
expect(response.statusCode).toBe(401);
expect(response.json()).toMatchObject({ code: "AUTH_REQUIRED" });
});
it("returns settings defaults for an authenticated session cookie", async () => {
const userId = await createUser("settings-session-user");
const response = await app.inject({
method: "GET",
url: "/settings",
headers: { cookie: buildSessionCookie(app, userId, "settings-session-user") },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual(
expect.objectContaining({
emailEnabled: false,
language: "en",
stockCalculationMode: "automatic",
})
);
});
it("allows GET /settings with a read-only API key", async () => {
const userId = await createUser("settings-read-user");
process.env.SMTP_HOST = "smtp.example.com";
process.env.SMTP_PORT = "2525";
const apiToken = "ma_read_only_valid_token_123456789";
await insertApiKey({ userId, token: apiToken, scope: "read" });
const response = await app.inject({
method: "GET",
url: "/settings",
headers: { authorization: `Bearer ${apiToken}` },
});
expect(response.statusCode).toBe(200);
expect(response.json()).toEqual(
expect.objectContaining({
smtpHost: "smtp.example.com",
smtpPort: 2525,
})
);
});
it("rejects PUT /settings with a read-only API key", async () => {
const userId = await createUser("settings-read-mutation-user");
const apiToken = "ma_read_only_mutation_token_123456789";
await insertApiKey({ userId, token: apiToken, scope: "read" });
const response = await app.inject({
method: "PUT",
url: "/settings",
headers: { authorization: `Bearer ${apiToken}` },
payload: {
emailEnabled: false,
notificationEmail: "",
reminderDaysBefore: 7,
repeatDailyReminders: false,
lowStockDays: 30,
normalStockDays: 90,
highStockDays: 180,
shoutrrrEnabled: false,
shoutrrrUrl: "",
emailStockReminders: true,
emailIntakeReminders: true,
emailPrescriptionReminders: true,
shoutrrrStockReminders: true,
shoutrrrIntakeReminders: true,
shoutrrrPrescriptionReminders: true,
skipRemindersForTakenDoses: false,
repeatRemindersEnabled: false,
reminderRepeatIntervalMinutes: 30,
maxNaggingReminders: 5,
language: "en",
stockCalculationMode: "automatic",
shareStockStatus: true,
upcomingTodayOnly: false,
shareScheduleTodayOnly: false,
swapDashboardMainSections: false,
},
});
expect(response.statusCode).toBe(403);
expect(response.json()).toMatchObject({ code: "API_KEY_SCOPE_FORBIDDEN" });
});
it("rejects invalid API key bearer tokens for GET /settings", async () => {
const response = await app.inject({
method: "GET",
url: "/settings",
headers: { authorization: "Bearer definitely-not-a-medassist-key" },
});
expect(response.statusCode).toBe(401);
expect(response.json()).toMatchObject({ code: "INVALID_API_KEY" });
});
it("rejects expired API keys for GET /settings", async () => {
const userId = await createUser("settings-expired-key-user");
const apiToken = "ma_expired_token_for_settings_123456789";
await insertApiKey({
userId,
token: apiToken,
scope: "read",
expiresAt: new Date(Date.now() - 60_000),
});
const response = await app.inject({
method: "GET",
url: "/settings",
headers: { authorization: `Bearer ${apiToken}` },
});
expect(response.statusCode).toBe(401);
expect(response.json()).toMatchObject({ code: "API_KEY_EXPIRED" });
});
it("rotates API keys and does not leak raw tokens from the list endpoint", async () => {
const userId = await createUser("api-key-session-user");
const cookieHeader = buildSessionCookie(app, userId, "api-key-session-user");
const firstCreate = await app.inject({
method: "POST",
url: "/auth/api-keys",
headers: { cookie: cookieHeader },
payload: { name: "Primary key", scope: "write", expiresInDays: 30 },
});
expect(firstCreate.statusCode).toBe(201);
const firstBody = firstCreate.json();
expect(firstBody.token).toMatch(/^ma_/);
const secondCreate = await app.inject({
method: "POST",
url: "/auth/api-keys",
headers: { cookie: cookieHeader },
payload: { name: "Rotated key", scope: "write", expiresInDays: 30 },
});
expect(secondCreate.statusCode).toBe(201);
const secondBody = secondCreate.json();
const listResponse = await app.inject({
method: "GET",
url: "/auth/api-keys",
headers: { cookie: cookieHeader },
});
expect(listResponse.statusCode).toBe(200);
expect(listResponse.body).not.toContain(firstBody.token);
expect(listResponse.body).not.toContain(secondBody.token);
expect(listResponse.body).not.toContain("keyHash");
expect(listResponse.json().keys).toHaveLength(2);
const dbState = await testClient.execute({
sql: "SELECT name, is_active FROM api_keys WHERE user_id = ? ORDER BY id ASC",
args: [userId],
});
expect(dbState.rows).toEqual([
expect.objectContaining({ name: "Primary key", is_active: 0 }),
expect.objectContaining({ name: "Rotated key", is_active: 1 }),
]);
});
it("rejects API key rotation when authenticated with a read-only API key", async () => {
const userId = await createUser("api-key-readonly-rotate-user");
const readOnlyToken = "ma_readonly_rotation_denied_123456789";
await insertApiKey({ userId, token: readOnlyToken, scope: "read" });
const response = await app.inject({
method: "POST",
url: "/auth/api-keys",
headers: { authorization: `Bearer ${readOnlyToken}` },
payload: { name: "Blocked rotation", scope: "write", expiresInDays: 30 },
});
expect(response.statusCode).toBe(403);
expect(response.json()).toMatchObject({ code: "API_KEY_SCOPE_FORBIDDEN" });
});
it("returns 404 when deleting an API key owned by a different user", async () => {
const ownerUserId = await createUser("api-key-owner");
const otherUserId = await createUser("api-key-other-user");
const otherCookieHeader = buildSessionCookie(app, otherUserId, "api-key-other-user");
const keyId = await insertApiKey({
userId: ownerUserId,
token: "ma_write_owner_token_123456789",
scope: "write",
});
const response = await app.inject({
method: "DELETE",
url: `/auth/api-keys/${keyId}`,
headers: { cookie: otherCookieHeader },
});
expect(response.statusCode).toBe(404);
expect(response.json()).toMatchObject({ code: "API_KEY_NOT_FOUND" });
});
it("maps SMTP recipient rejection to HTTP 400 instead of a generic 500", async () => {
const userId = await createUser("settings-email-recipient-user");
process.env.SMTP_HOST = "smtp.example.com";
process.env.SMTP_USER = "mailer@example.com";
process.env.SMTP_PASS = "secret";
nodemailerSendMail.mockResolvedValue({
accepted: [],
rejected: ["missing@example.com"],
response: "550 5.1.1 recipient address rejected",
});
const response = await app.inject({
method: "POST",
url: "/settings/test-email",
headers: { cookie: buildSessionCookie(app, userId, "settings-email-recipient-user") },
payload: { email: "missing@example.com" },
});
expect(response.statusCode).toBe(400);
expect(response.json()).toMatchObject({ code: "EMAIL_RECIPIENT_REJECTED" });
});
it("maps missing SMTP acceptance to HTTP 502 for test email", async () => {
const userId = await createUser("settings-email-unconfirmed-user");
process.env.SMTP_HOST = "smtp.example.com";
process.env.SMTP_USER = "mailer@example.com";
process.env.SMTP_PASS = "secret";
nodemailerSendMail.mockResolvedValue({
accepted: [],
rejected: [],
response: "250 queued without explicit acceptance",
});
const response = await app.inject({
method: "POST",
url: "/settings/test-email",
headers: { cookie: buildSessionCookie(app, userId, "settings-email-unconfirmed-user") },
payload: { email: "person@example.com" },
});
expect(response.statusCode).toBe(502);
expect(response.json()).toMatchObject({ code: "SMTP_DELIVERY_UNCONFIRMED" });
});
});