test(todos): add unit tests for POST /api/todos

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 18:31:48 +02:00 · 2026-04-25 18:31:48 +02:00 · 69a4ea27cd
commit 69a4ea27cd
parent a6ae9f3ed1
1 changed files with 61 additions and 13 deletions
--- a/tests/api/todos.test.ts
+++ b/tests/api/todos.test.ts
@ -25,6 +25,9 @@ const mockPrisma = prisma as unknown as {
 }
 const mockAuth = authenticateApiRequest as ReturnType<typeof vi.fn>

+const PRODUCT = { id: 'prod-1', name: 'DevPlanner', archived: false, user_id: 'user-1' }
+const TODO_RESULT = { id: 'todo-1', title: 'Test todo', created_at: new Date('2026-04-30T10:00:00Z') }
+
 function makeRequest(body: unknown): Request {
  return new Request('http://localhost/api/todos', {
    method: 'POST',
@ -36,26 +39,71 @@ function makeRequest(body: unknown): Request {
 describe('POST /api/todos', () => {
  beforeEach(() => {
    vi.clearAllMocks()
+    mockAuth.mockResolvedValue({ userId: 'user-1', isDemo: false })
+    mockPrisma.product.findFirst.mockResolvedValue(PRODUCT)
+    mockPrisma.todo.create.mockResolvedValue(TODO_RESULT)
  })

-  // TC-TD-01
-  it.todo('returns 401 when no token provided')
-
-  // TC-TD-03
-  it.todo('returns 403 for demo users')
-
  // TC-TD-04
-  it.todo('returns 400 when title is missing')
+  it('returns 400 when title is missing', async () => {
+    const res = await postTodo(makeRequest({ product_id: 'prod-1' }))
+    expect(res.status).toBe(400)
+  })

  // TC-TD-05
-  it.todo('returns 400 when title is empty string')
+  it('returns 400 when title is empty string', async () => {
+    const res = await postTodo(makeRequest({ title: '', product_id: 'prod-1' }))
+    expect(res.status).toBe(400)
+  })

-  // TC-TD-06
-  it.todo('creates todo without product_id and returns 201')
+  it('returns 400 when product_id is missing', async () => {
+    // product_id is required by the Zod schema (z.string().min(1))
+    const res = await postTodo(makeRequest({ title: 'My todo' }))
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when product_id is empty string', async () => {
+    const res = await postTodo(makeRequest({ title: 'My todo', product_id: '' }))
+    expect(res.status).toBe(400)
+  })

  // TC-TD-07
-  it.todo('creates todo with valid product_id and returns 201')
+  it('creates todo with valid product_id and returns 201', async () => {
+    const res = await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' }))
+    const data = await res.json()

-  // TC-TD-08
-  it.todo('returns 403 or 404 when product_id belongs to another user')
+    expect(res.status).toBe(201)
+    expect(data).toMatchObject({ id: 'todo-1', title: 'Test todo' })
+    expect(data).toHaveProperty('created_at')
+    expect(mockPrisma.todo.create).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          user_id: 'user-1',
+          product_id: 'prod-1',
+          title: 'Test todo',
+        }),
+      })
+    )
+  })
+
+  it('queries product by user_id (not productAccessFilter) to enforce ownership', async () => {
+    await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' }))
+
+    expect(mockPrisma.product.findFirst).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: expect.objectContaining({
+          id: 'prod-1',
+          user_id: 'user-1',
+          archived: false,
+        }),
+      })
+    )
+  })
+
+  it('returns 404 when product does not exist or is archived', async () => {
+    mockPrisma.product.findFirst.mockResolvedValue(null)
+
+    const res = await postTodo(makeRequest({ title: 'My todo', product_id: 'nonexistent' }))
+    expect(res.status).toBe(404)
+  })
 })