From edb3fc3595c5044fa1d14fcb19f568cc4b66b558 Mon Sep 17 00:00:00 2001
From: Scrum4Me Agent <30029041+madhura68@users.noreply.github.com>
Date: Wed, 6 May 2026 11:20:15 +0200
Subject: [PATCH] test(cleanup): verwijder POST /api/todos import en describe-block uit security.test.ts [cmotto5jn000px317kjqlba89] - Import 'POST as postTodo' uit verwijderde todos-route verwijderd - describe('POST /api/todos') sectie (3 tests) verwijderd - 73 testfiles / 561 tests groen Co-Authored-By: Claude Sonnet 4.6
---
 __tests__/api/security.test.ts | 44 ----------------------------------
 1 file changed, 44 deletions(-)
diff --git a/__tests__/api/security.test.ts b/__tests__/api/security.test.ts
index 4d37fdd..6266cda 100644
--- a/__tests__/api/security.test.ts
+++ b/__tests__/api/security.test.ts
@@ -41,7 +41,6 @@ import { GET as getSprintTasks } from '@/app/api/sprints/[id]/tasks/route'
 import { PATCH as patchReorder } from '@/app/api/stories/[id]/tasks/reorder/route'
 import { POST as postStoryLog } from '@/app/api/stories/[id]/log/route'
 import { PATCH as patchTask } from '@/app/api/tasks/[id]/route'
-import { POST as postTodo } from '@/app/api/todos/route'
 const mockPrisma = prisma as unknown as {
 product: { findMany: ReturnType; findFirst: ReturnType }
@@ -419,46 +418,3 @@ describe('PATCH /api/tasks/:id', () => {
 expect(res.status).toBe(200)
 })
 })
-
-// ─── POST /api/todos ──────────────────────────────────────────────────────────
-
-describe('POST /api/todos', () => {
- // product_id is required by the Zod schema (z.string().min(1))
- const VALID_BODY = { title: 'Test todo', product_id: 'prod-1' }
-
- // TC-TD-01
- it('returns 401 when no valid token provided', async () => {
- mockAuth.mockResolvedValue(UNAUTHORIZED)
- const res = await postTodo(makePost('http://localhost/api/todos', VALID_BODY))
- expect(res.status).toBe(401)
- })
-
- // TC-TD-03
- it('returns 403 for demo users', async () => {
- mockAuth.mockResolvedValue(DEMO_AUTH)
- const res = await postTodo(makePost('http://localhost/api/todos', VALID_BODY))
- expect(res.status).toBe(403)
- const data = await res.json()
- expect(data.error).toBe('Niet beschikbaar in demo-modus')
- })
-
- // TC-TD-08
- it('returns 404 when product_id belongs to another user', async () => {
- mockAuth.mockResolvedValue(USER_2_AUTH)
- mockPrisma.product.findFirst.mockResolvedValue(null)
-
- const res = await postTodo(
- makePost('http://localhost/api/todos', { title: 'Todo', product_id: 'prod-owned-by-user-1' })
- )
- expect(res.status).toBe(404)
- // Verify it queries by user_id, not productAccessFilter
- expect(mockPrisma.product.findFirst).toHaveBeenCalledWith(
- expect.objectContaining({
- where: expect.objectContaining({
- id: 'prod-owned-by-user-1',
- user_id: 'user-2',
- }),
- })
- )
- })
-})