From 69a4ea27cd7e21374dd0820e67ec02a69a95fa65 Mon Sep 17 00:00:00 2001 From: Madhura68 Date: Sat, 25 Apr 2026 18:31:48 +0200 Subject: [PATCH] test(todos): add unit tests for POST /api/todos Co-Authored-By: Claude Sonnet 4.6 --- __tests__/api/todos.test.ts | 74 ++++++++++++++++++++++++++++++------- 1 file changed, 61 insertions(+), 13 deletions(-) diff --git a/__tests__/api/todos.test.ts b/__tests__/api/todos.test.ts index c64f377..1ce34b9 100644 --- a/__tests__/api/todos.test.ts +++ b/__tests__/api/todos.test.ts @@ -25,6 +25,9 @@ const mockPrisma = prisma as unknown as { } const mockAuth = authenticateApiRequest as ReturnType +const PRODUCT = { id: 'prod-1', name: 'DevPlanner', archived: false, user_id: 'user-1' } +const TODO_RESULT = { id: 'todo-1', title: 'Test todo', created_at: new Date('2026-04-30T10:00:00Z') } + function makeRequest(body: unknown): Request { return new Request('http://localhost/api/todos', { method: 'POST', @@ -36,26 +39,71 @@ function makeRequest(body: unknown): Request { describe('POST /api/todos', () => { beforeEach(() => { vi.clearAllMocks() + mockAuth.mockResolvedValue({ userId: 'user-1', isDemo: false }) + mockPrisma.product.findFirst.mockResolvedValue(PRODUCT) + mockPrisma.todo.create.mockResolvedValue(TODO_RESULT) }) - // TC-TD-01 - it.todo('returns 401 when no token provided') - - // TC-TD-03 - it.todo('returns 403 for demo users') - // TC-TD-04 - it.todo('returns 400 when title is missing') + it('returns 400 when title is missing', async () => { + const res = await postTodo(makeRequest({ product_id: 'prod-1' })) + expect(res.status).toBe(400) + }) // TC-TD-05 - it.todo('returns 400 when title is empty string') + it('returns 400 when title is empty string', async () => { + const res = await postTodo(makeRequest({ title: '', product_id: 'prod-1' })) + expect(res.status).toBe(400) + }) - // TC-TD-06 - it.todo('creates todo without product_id and returns 201') + it('returns 400 when product_id is missing', async () => { + // product_id is required by the Zod schema (z.string().min(1)) + const res = await postTodo(makeRequest({ title: 'My todo' })) + expect(res.status).toBe(400) + }) + + it('returns 400 when product_id is empty string', async () => { + const res = await postTodo(makeRequest({ title: 'My todo', product_id: '' })) + expect(res.status).toBe(400) + }) // TC-TD-07 - it.todo('creates todo with valid product_id and returns 201') + it('creates todo with valid product_id and returns 201', async () => { + const res = await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' })) + const data = await res.json() - // TC-TD-08 - it.todo('returns 403 or 404 when product_id belongs to another user') + expect(res.status).toBe(201) + expect(data).toMatchObject({ id: 'todo-1', title: 'Test todo' }) + expect(data).toHaveProperty('created_at') + expect(mockPrisma.todo.create).toHaveBeenCalledWith( + expect.objectContaining({ + data: expect.objectContaining({ + user_id: 'user-1', + product_id: 'prod-1', + title: 'Test todo', + }), + }) + ) + }) + + it('queries product by user_id (not productAccessFilter) to enforce ownership', async () => { + await postTodo(makeRequest({ title: 'Test todo', product_id: 'prod-1' })) + + expect(mockPrisma.product.findFirst).toHaveBeenCalledWith( + expect.objectContaining({ + where: expect.objectContaining({ + id: 'prod-1', + user_id: 'user-1', + archived: false, + }), + }) + ) + }) + + it('returns 404 when product does not exist or is archived', async () => { + mockPrisma.product.findFirst.mockResolvedValue(null) + + const res = await postTodo(makeRequest({ title: 'My todo', product_id: 'nonexistent' })) + expect(res.status).toBe(404) + }) })