maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(backend): +31 integration tests for permissions/overview/search/sessions/features

Browse Source 
Coverage:
- Permissions: role/user toggle + audit + token_version bump, /me, 403 non-admin (10 tests)
- Admin overview: shape, all fields, types, auth guard, empty DB zeros (4 tests)
- Cmd+K search: shape, min-query empty, SQL injection sanity, user lookup (5 tests)
- Session delete: CASCADE, audit entry, 404 missing, 403 non-admin (4 tests)
- Feature gates: disabled flag returns 404, enabled returns 401/200, admin API toggle (5 tests)
- setup.js: add /api/permissions, /api/pet, /api/biochem routes for test coverage

tests 66 (was 35) · pass 63 (was 32) · fail 3 (baseline auth.test.js, unchanged)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Maxim Dolgolyov
2026-05-22 21:58:37 +03:00
parent 696049271f
commit 1fdbb9a445
6 changed files with 553 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/tests/admin-search.test.js
+91
View File
@@ -0,0 +1,91 @@
'use strict';
/**
* Integration tests: GET /api/admin/search (Cmd+K palette)
* Covers: shape, min-query guard, SQL-injection sanity, auth.
*/
const { describe, it, before, after } = require('node:test');
const assert = require('node:assert/strict');
const { inject, getToken, cleanup } = require('./setup');
after(() => cleanup());
describe('Admin Search (Cmd+K)', () => {
let adminToken, studentToken;
before(async () => {
const a = await getToken('admin');
adminToken = a.token;
const s = await getToken('student');
studentToken = s.token;
});
// ── 1. Auth guard ────────────────────────────────────────────────────────
it('returns 401 without auth token', async () => {
const res = await inject('GET', '/api/admin/search?q=test', null, null);
assert.equal(res.status, 401, `expected 401, got ${res.status}`);
});
it('returns 403 for student (non-admin)', async () => {
const res = await inject('GET', '/api/admin/search?q=test', null, studentToken);
assert.equal(res.status, 403, `expected 403, got ${res.status}`);
});
// ── 2. Short query returns empty arrays ───────────────────────────────────
it('q shorter than 2 chars returns empty arrays without error', async () => {
const res = await inject('GET', '/api/admin/search?q=x', null, adminToken);
assert.equal(res.status, 200, `expected 200, got ${res.status}`);
assert.ok(Array.isArray(res.body.users), 'users should be array');
assert.ok(Array.isArray(res.body.tests), 'tests should be array');
assert.ok(Array.isArray(res.body.classes), 'classes should be array');
assert.equal(res.body.users.length, 0, 'users should be empty for q.length < 2');
assert.equal(res.body.tests.length, 0, 'tests should be empty for q.length < 2');
assert.equal(res.body.classes.length, 0, 'classes should be empty for q.length < 2');
});
it('missing q param returns empty arrays', async () => {
const res = await inject('GET', '/api/admin/search', null, adminToken);
assert.equal(res.status, 200, `expected 200, got ${res.status}`);
assert.equal(res.body.users.length, 0);
});
// ── 3. Valid query returns expected shape ─────────────────────────────────
it('valid query returns shape with users, tests, classes arrays', async () => {
const res = await inject('GET', '/api/admin/search?q=test', null, adminToken);
assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`);
assert.ok(Array.isArray(res.body.users), 'users must be array');
assert.ok(Array.isArray(res.body.tests), 'tests must be array');
assert.ok(Array.isArray(res.body.classes), 'classes must be array');
});
// ── 4. SQL injection sanity: parameterized — no crash ────────────────────
it('SQL injection in q does not crash the server', async () => {
const injected = encodeURIComponent("%' OR 1=1 --");
const res = await inject('GET', `/api/admin/search?q=${injected}`, null, adminToken);
// Must not 500 — should return 200 with arrays (possibly empty)
assert.ok(res.status < 500, `server crashed with SQL injection input: status ${res.status}`);
if (res.status === 200) {
assert.ok(Array.isArray(res.body.users), 'users should still be array');
}
});
// ── 5. Search finds existing user ────────────────────────────────────────
it('search finds a registered user by partial name', async () => {
// Create a user with a unique name we can search
const uniqueName = `Findable-${Date.now()}`;
const reg = await inject('POST', '/api/auth/register', {
email: `findable_${Date.now()}@search.test`,
password: 'password123',
name: uniqueName,
});
assert.equal(reg.status, 201);
const q = encodeURIComponent(uniqueName.slice(0, 8));
const res = await inject('GET', `/api/admin/search?q=${q}`, null, adminToken);
assert.equal(res.status, 200);
const found = res.body.users.find(u => u.name === uniqueName);
assert.ok(found, `Expected to find user "${uniqueName}" in search results`);
assert.ok('id' in found, 'user result should have id');
assert.ok('email' in found, 'user result should have email');
assert.ok('role' in found, 'user result should have role');
});
});