ST-1242: Verwijder todo-tests, herstel security-test en verifieer volledige build (#134)
* feat(cleanup): verwijder Todo's navlink en todo-referenties uit marketing page [cmotto5ia000nx3178lq6xk8d]
- nav-bar.tsx: Todo's navLink verwijderd; Ideas-link blijft staan
- app/page.tsx: /todos quick-access link, feature-entry en /api/todos API-doc verwijderd
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(cleanup): verwijder app/(app)/todos/ en components/todos/ [cmottjvzo000cx3172472cu4g]
* test(cleanup): verwijder POST /api/todos import en describe-block uit security.test.ts [cmotto5jn000px317kjqlba89]
- Import 'POST as postTodo' uit verwijderde todos-route verwijderd
- describe('POST /api/todos') sectie (3 tests) verwijderd
- 73 testfiles / 561 tests groen
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(cleanup): verwijder __tests__/api/todos.test.ts en __tests__/actions/todos-promote-idea.test.ts [cmottjw1u000fx317igq27mh5]
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Janpeter Visser
GitHub
parent
628fbd7e7b
commit
52c610b11c
3 changed files with 0 additions and 267 deletions
|
|
@ -41,7 +41,6 @@ import { GET as getSprintTasks } from '@/app/api/sprints/[id]/tasks/route'
|
|||
import { PATCH as patchReorder } from '@/app/api/stories/[id]/tasks/reorder/route'
|
||||
import { POST as postStoryLog } from '@/app/api/stories/[id]/log/route'
|
||||
import { PATCH as patchTask } from '@/app/api/tasks/[id]/route'
|
||||
import { POST as postTodo } from '@/app/api/todos/route'
|
||||
|
||||
const mockPrisma = prisma as unknown as {
|
||||
product: { findMany: ReturnType<typeof vi.fn>; findFirst: ReturnType<typeof vi.fn> }
|
||||
|
|
@ -419,46 +418,3 @@ describe('PATCH /api/tasks/:id', () => {
|
|||
expect(res.status).toBe(200)
|
||||
})
|
||||
})
|
||||
|
||||
// ─── POST /api/todos ──────────────────────────────────────────────────────────
|
||||
|
||||
describe('POST /api/todos', () => {
|
||||
// product_id is required by the Zod schema (z.string().min(1))
|
||||
const VALID_BODY = { title: 'Test todo', product_id: 'prod-1' }
|
||||
|
||||
// TC-TD-01
|
||||
it('returns 401 when no valid token provided', async () => {
|
||||
mockAuth.mockResolvedValue(UNAUTHORIZED)
|
||||
const res = await postTodo(makePost('http://localhost/api/todos', VALID_BODY))
|
||||
expect(res.status).toBe(401)
|
||||
})
|
||||
|
||||
// TC-TD-03
|
||||
it('returns 403 for demo users', async () => {
|
||||
mockAuth.mockResolvedValue(DEMO_AUTH)
|
||||
const res = await postTodo(makePost('http://localhost/api/todos', VALID_BODY))
|
||||
expect(res.status).toBe(403)
|
||||
const data = await res.json()
|
||||
expect(data.error).toBe('Niet beschikbaar in demo-modus')
|
||||
})
|
||||
|
||||
// TC-TD-08
|
||||
it('returns 404 when product_id belongs to another user', async () => {
|
||||
mockAuth.mockResolvedValue(USER_2_AUTH)
|
||||
mockPrisma.product.findFirst.mockResolvedValue(null)
|
||||
|
||||
const res = await postTodo(
|
||||
makePost('http://localhost/api/todos', { title: 'Todo', product_id: 'prod-owned-by-user-1' })
|
||||
)
|
||||
expect(res.status).toBe(404)
|
||||
// Verify it queries by user_id, not productAccessFilter
|
||||
expect(mockPrisma.product.findFirst).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
where: expect.objectContaining({
|
||||
id: 'prod-owned-by-user-1',
|
||||
user_id: 'user-2',
|
||||
}),
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
|
|
|||
|
|
@ -1,109 +0,0 @@
|
|||
import { describe, it, expect, vi, beforeEach } from 'vitest'
|
||||
|
||||
vi.mock('@/lib/prisma', () => ({
|
||||
prisma: {
|
||||
product: {
|
||||
findFirst: vi.fn(),
|
||||
},
|
||||
todo: {
|
||||
create: vi.fn(),
|
||||
},
|
||||
},
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/api-auth', () => ({
|
||||
authenticateApiRequest: vi.fn(),
|
||||
}))
|
||||
|
||||
import { prisma } from '@/lib/prisma'
|
||||
import { authenticateApiRequest } from '@/lib/api-auth'
|
||||
import { POST as postTodo } from '@/app/api/todos/route'
|
||||
|
||||
const mockPrisma = prisma as unknown as {
|
||||
product: { findFirst: ReturnType<typeof vi.fn> }
|
||||
todo: { create: ReturnType<typeof vi.fn> }
|
||||
}
|
||||
const mockAuth = authenticateApiRequest as ReturnType<typeof vi.fn>
|
||||
|
||||
const PRODUCT = { id: 'prod-1', name: 'DevPlanner', archived: false, user_id: 'user-1' }
|
||||
const TODO_RESULT = { id: 'todo-1', title: 'Test todo', created_at: new Date('2026-04-30T10:00:00Z') }
|
||||
|
||||
function makeRequest(body: unknown): Request {
|
||||
return new Request('http://localhost/api/todos', {
|
||||
method: 'POST',
|
||||
headers: { Authorization: 'Bearer test-token', 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(body),
|
||||
})
|
||||
}
|
||||
|
||||
describe('POST /api/todos', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockAuth.mockResolvedValue({ userId: 'user-1', isDemo: false })
|
||||
mockPrisma.product.findFirst.mockResolvedValue(PRODUCT)
|
||||
mockPrisma.todo.create.mockResolvedValue(TODO_RESULT)
|
||||
})
|
||||
|
||||
// TC-TD-04
|
||||
it('returns 422 when title is missing', async () => {
|
||||
const res = await postTodo(makeRequest({ product_id: 'prod-1' }))
|
||||
expect(res.status).toBe(422)
|
||||
})
|
||||
|
||||
// TC-TD-05
|
||||
it('returns 422 when title is empty string', async () => {
|
||||
const res = await postTodo(makeRequest({ title: '', product_id: 'prod-1' }))
|
||||
expect(res.status).toBe(422)
|
||||
})
|
||||
|
||||
it('returns 422 when product_id is missing', async () => {
|
||||
// product_id is required by the Zod schema (z.string().min(1))
|
||||
const res = await postTodo(makeRequest({ title: 'My todo' }))
|
||||
expect(res.status).toBe(422)
|
||||
})
|
||||
|
||||
it('returns 422 when product_id is empty string', async () => {
|
||||
const res = await postTodo(makeRequest({ title: 'My todo', product_id: '' }))
|
||||
expect(res.status).toBe(422)
|
||||
})
|
||||
|
||||
// TC-TD-07
|
||||
it('creates todo with valid product_id and returns 201', async () => {
|
||||
const res = await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' }))
|
||||
const data = await res.json()
|
||||
|
||||
expect(res.status).toBe(201)
|
||||
expect(data).toMatchObject({ id: 'todo-1', title: 'Test todo' })
|
||||
expect(data).toHaveProperty('created_at')
|
||||
expect(mockPrisma.todo.create).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
data: expect.objectContaining({
|
||||
user_id: 'user-1',
|
||||
product_id: 'prod-1',
|
||||
title: 'Test todo',
|
||||
}),
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it('queries product by user_id (not productAccessFilter) to enforce ownership', async () => {
|
||||
await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' }))
|
||||
|
||||
expect(mockPrisma.product.findFirst).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
where: expect.objectContaining({
|
||||
id: 'prod-1',
|
||||
user_id: 'user-1',
|
||||
archived: false,
|
||||
}),
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it('returns 404 when product does not exist or is archived', async () => {
|
||||
mockPrisma.product.findFirst.mockResolvedValue(null)
|
||||
|
||||
const res = await postTodo(makeRequest({ title: 'My todo', product_id: 'nonexistent' }))
|
||||
expect(res.status).toBe(404)
|
||||
})
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue