fredjens/eyrun-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
eyrun-api/.claude/plans/goofy-beaming-kurzweil.md
Fredrik Jensen 60f870ece8 first commit
2026-02-07 17:53:23 +01:00

62 lines
2.3 KiB
Markdown
Raw Blame History

# Plan: Add Testing to Eyrun Auth System
## Context
The project has zero test infrastructure. We need to add a test framework and write tests covering the auth system we just built, plus the lib utilities. The `buildApp()` factory pattern in `src/app.ts` is ideal for integration testing with Fastify's `.inject()` method.
## Setup
**Install dependencies:**
- `vitest` — test runner (ESM + TypeScript native support, no config hassle)
**Config files:**
- `vitest.config.ts` at project root (minimal — just point at src)
- Add `"test": "vitest run"` script to `package.json`
## Test Structure
```
src/
├── lib/
│ ├── jwt.test.ts # Unit tests
│ ├── otp.test.ts # Unit tests
│ └── tokens.test.ts # Unit tests
└── routes/
└── auth.test.ts # Integration tests (full auth flow)
```
## Unit Tests
**`src/lib/jwt.test.ts`** — sign returns JWT string, verify decodes correct `sub`, verify throws on invalid/expired tokens
**`src/lib/otp.test.ts`** — generates 6-digit string, produces varying codes
**`src/lib/tokens.test.ts`** — returns non-empty string, produces unique tokens
## Integration Tests — `src/routes/auth.test.ts`
Uses `buildApp()` + `app.inject()` against the real local DB. Cleans up test data (otp_codes, sessions, users by test email) in afterAll.
**Test cases:**
1. `POST /auth/login` — returns message, creates OTP row in DB
2. `POST /auth/login` — rate limits after 3 requests per email/hour
3. `POST /auth/verify` — valid code → returns accessToken + refreshToken
4. `POST /auth/verify` — wrong code → 400
5. `POST /auth/verify` — creates user if email not in users table
6. `POST /auth/refresh` — valid refresh token → rotated tokens
7. `POST /auth/refresh` — reuse old token → theft detection, all sessions revoked
8. `GET /auth/me` — valid Bearer → returns user
9. `GET /auth/me` — no token → 401
10. `POST /auth/logout` — revokes sessions, refresh afterward fails
## Files to Create/Modify
- `package.json` — add vitest devDep + `test` script
- `vitest.config.ts` — new
- `src/lib/jwt.test.ts` — new
- `src/lib/otp.test.ts` — new
- `src/lib/tokens.test.ts` — new
- `src/routes/auth.test.ts` — new
## Verification
- `pnpm test` passes all tests
- `pnpm build` still compiles
Reference in New Issue View Git Blame Copy Permalink