'use strict'; /** * Integration tests: GET /api/admin/search (Cmd+K palette) * Covers: shape, min-query guard, SQL-injection sanity, auth. */ const { describe, it, before, after } = require('node:test'); const assert = require('node:assert/strict'); const { inject, getToken, cleanup } = require('./setup'); after(() => cleanup()); describe('Admin Search (Cmd+K)', () => { let adminToken, studentToken; before(async () => { const a = await getToken('admin'); adminToken = a.token; const s = await getToken('student'); studentToken = s.token; }); // ── 1. Auth guard ──────────────────────────────────────────────────────── it('returns 401 without auth token', async () => { const res = await inject('GET', '/api/admin/search?q=test', null, null); assert.equal(res.status, 401, `expected 401, got ${res.status}`); }); it('returns 403 for student (non-admin)', async () => { const res = await inject('GET', '/api/admin/search?q=test', null, studentToken); assert.equal(res.status, 403, `expected 403, got ${res.status}`); }); // ── 2. Short query returns empty arrays ─────────────────────────────────── it('q shorter than 2 chars returns empty arrays without error', async () => { const res = await inject('GET', '/api/admin/search?q=x', null, adminToken); assert.equal(res.status, 200, `expected 200, got ${res.status}`); assert.ok(Array.isArray(res.body.users), 'users should be array'); assert.ok(Array.isArray(res.body.tests), 'tests should be array'); assert.ok(Array.isArray(res.body.classes), 'classes should be array'); assert.equal(res.body.users.length, 0, 'users should be empty for q.length < 2'); assert.equal(res.body.tests.length, 0, 'tests should be empty for q.length < 2'); assert.equal(res.body.classes.length, 0, 'classes should be empty for q.length < 2'); }); it('missing q param returns empty arrays', async () => { const res = await inject('GET', '/api/admin/search', null, adminToken); assert.equal(res.status, 200, `expected 200, got ${res.status}`); assert.equal(res.body.users.length, 0); }); // ── 3. Valid query returns expected shape ───────────────────────────────── it('valid query returns shape with users, tests, classes arrays', async () => { const res = await inject('GET', '/api/admin/search?q=test', null, adminToken); assert.equal(res.status, 200, `expected 200, got ${res.status}: ${JSON.stringify(res.body)}`); assert.ok(Array.isArray(res.body.users), 'users must be array'); assert.ok(Array.isArray(res.body.tests), 'tests must be array'); assert.ok(Array.isArray(res.body.classes), 'classes must be array'); }); // ── 4. SQL injection sanity: parameterized — no crash ──────────────────── it('SQL injection in q does not crash the server', async () => { const injected = encodeURIComponent("%' OR 1=1 --"); const res = await inject('GET', `/api/admin/search?q=${injected}`, null, adminToken); // Must not 500 — should return 200 with arrays (possibly empty) assert.ok(res.status < 500, `server crashed with SQL injection input: status ${res.status}`); if (res.status === 200) { assert.ok(Array.isArray(res.body.users), 'users should still be array'); } }); // ── 5. Search finds existing user ──────────────────────────────────────── it('search finds a registered user by partial name', async () => { // Create a user with a unique name we can search const uniqueName = `Findable-${Date.now()}`; const reg = await inject('POST', '/api/auth/register', { email: `findable_${Date.now()}@search.test`, password: 'password123', name: uniqueName, }); assert.equal(reg.status, 201); const q = encodeURIComponent(uniqueName.slice(0, 8)); const res = await inject('GET', `/api/admin/search?q=${q}`, null, adminToken); assert.equal(res.status, 200); const found = res.body.users.find(u => u.name === uniqueName); assert.ok(found, `Expected to find user "${uniqueName}" in search results`); assert.ok('id' in found, 'user result should have id'); assert.ok('email' in found, 'user result should have email'); assert.ok('role' in found, 'user result should have role'); }); });