Plan: Add Testing to Eyrun Auth System
Context
The project has zero test infrastructure. We need to add a test framework and write tests covering the auth system we just built, plus the lib utilities. The buildApp() factory pattern in src/app.ts is ideal for integration testing with Fastify's .inject() method.
Setup
Install dependencies:
- vitest — test runner (ESM + TypeScript native support, no config hassle)
Config files:
- vitest.config.ts at project root (minimal — just point at src)
- Add "test": "vitest run" script to package.json
Test Structure
src/
├── lib/
│   ├── jwt.test.ts      # Unit tests
│   ├── otp.test.ts      # Unit tests
│   └── tokens.test.ts   # Unit tests
└── routes/
    └── auth.test.ts     # Integration tests (full auth flow)
Unit Tests
src/lib/jwt.test.ts — sign returns JWT string, verify decodes correct sub, verify throws on invalid/expired tokens
src/lib/otp.test.ts — generates 6-digit string, produces varying codes
src/lib/tokens.test.ts — returns non-empty string, produces unique tokens
Integration Tests — src/routes/auth.test.ts
Uses buildApp() + app.inject() against the real local DB. Cleans up test data (otp_codes, sessions, users by test email) in afterAll.
Test cases:
- POST /auth/login — returns message, creates OTP row in DB
- POST /auth/login — rate limits after 3 requests per email/hour
- POST /auth/verify — valid code → returns accessToken + refreshToken
- POST /auth/verify — wrong code → 400
- POST /auth/verify — creates user if email not in users table
- POST /auth/refresh — valid refresh token → rotated tokens
- POST /auth/refresh — reuse old token → theft detection, all sessions revoked
- GET /auth/me — valid Bearer → returns user
- GET /auth/me — no token → 401
- POST /auth/logout — revokes sessions, refresh afterward fails
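What the two POST /auth/refresh cases and the logout case expect of the server, as an added example rather than Eyrun's own code: a minimal in-memory model of refresh-token rotation with reuse detection. SessionStore, its methods and the reason strings are hypothetical stand-ins for the real sessions table and route handlers.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory stand-in for the sessions table; not Eyrun's schema.
type Session = { userId: string; tokenHash: string; used: boolean; revoked: boolean };
type RefreshResult = { ok: true; refreshToken: string } | { ok: false; reason: string };

const sha256 = (t: string): string => createHash("sha256").update(t).digest("hex");

class SessionStore {
  private sessions: Session[] = [];

  // Issue an opaque refresh token; only its hash is kept server-side.
  issue(userId: string): string {
    const token = randomBytes(32).toString("base64url");
    this.sessions.push({ userId, tokenHash: sha256(token), used: false, revoked: false });
    return token;
  }

  // Rotate once per token. A second presentation of a used token is treated
  // as theft and revokes every session belonging to that user.
  refresh(token: string): RefreshResult {
    const s = this.sessions.find((x) => x.tokenHash === sha256(token));
    if (!s || s.revoked) return { ok: false, reason: "invalid" };
    if (s.used) {
      this.revokeAll(s.userId);
      return { ok: false, reason: "reuse_detected" };
    }
    s.used = true;
    return { ok: true, refreshToken: this.issue(s.userId) };
  }

  // Also what logout is expected to do: no token of this user refreshes afterward.
  revokeAll(userId: string): void {
    for (const s of this.sessions) if (s.userId === userId) s.revoked = true;
  }
}

// The sequence the integration test should drive, with the outcome of each step.
function reuseScenario(): string[] {
  const store = new SessionStore();
  const t1 = store.issue("user-1");           // constructed user id
  const first = store.refresh(t1);            // legitimate rotation
  if (!first.ok) throw new Error("first refresh must succeed");
  const replay = store.refresh(t1);           // old token presented again
  const after = store.refresh(first.refreshToken); // rotated token must now be dead too
  return ["ok", replay.ok ? "ok" : replay.reason, after.ok ? "ok" : after.reason];
}
```

The third step is the one that is easy to leave out of a test: after reuse is detected, the token obtained from the legitimate rotation must also stop working.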
Files to Create/Modify
- package.json — add vitest devDep + test script
- vitest.config.ts — new
- src/lib/jwt.test.ts — new
- src/lib/otp.test.ts — new
- src/lib/tokens.test.ts — new
- src/routes/auth.test.ts — new
Verification
- pnpm test passes all tests
- pnpm build still compiles