269 lines
8.7 KiB
TypeScript
269 lines
8.7 KiB
TypeScript
import assert from "node:assert/strict";
|
|
import { test } from "node:test";
|
|
import request from "supertest";
|
|
import { createApp } from "../src/app";
|
|
import { createResetToken, resetPassword } from "../src/authService";
|
|
import { pool } from "../src/db";
|
|
import { extractRaceCoverImageFromHtml } from "../src/raceCoverImage";
|
|
import { hashPassword, normalizeEmail } from "../src/security";
|
|
|
|
const app = createApp();
|
|
let userCounter = 0;
|
|
|
|
async function authAgent() {
|
|
userCounter += 1;
|
|
const email = normalizeEmail(`runner${userCounter}@example.com`);
|
|
const password = "correct horse battery staple";
|
|
const passwordHash = await hashPassword(password);
|
|
const inserted = await pool.query<{ id: string }>(
|
|
`INSERT INTO users (email, password_hash)
|
|
VALUES ($1, $2)
|
|
RETURNING id`,
|
|
[email, passwordHash],
|
|
);
|
|
await pool.query("UPDATE users SET email_verified_at = COALESCE(email_verified_at, NOW()) WHERE id = $1", [
|
|
inserted.rows[0].id,
|
|
]);
|
|
const agent = request.agent(app);
|
|
const login = await agent.post("/api/auth/login").send({ email, password }).expect(200);
|
|
return { agent, csrfToken: login.body.csrfToken as string };
|
|
}
|
|
|
|
async function createVerifiedUser(email: string, password: string) {
|
|
const passwordHash = await hashPassword(password);
|
|
const inserted = await pool.query<{ id: string }>(
|
|
`INSERT INTO users (email, password_hash)
|
|
VALUES ($1, $2)
|
|
RETURNING id`,
|
|
[normalizeEmail(email), passwordHash],
|
|
);
|
|
await pool.query("UPDATE users SET email_verified_at = COALESCE(email_verified_at, NOW()) WHERE id = $1", [
|
|
inserted.rows[0].id,
|
|
]);
|
|
return inserted.rows[0].id;
|
|
}
|
|
|
|
test("GET /api/health returns ok", async () => {
|
|
const res = await request(app).get("/api/health").expect(200);
|
|
assert.equal(res.body.status, "ok");
|
|
assert.equal(typeof res.body.version, "string");
|
|
assert.ok(res.body.version.length > 0);
|
|
});
|
|
|
|
test("GET /api/meta returns version for UI footer", async () => {
|
|
const res = await request(app).get("/api/meta").expect(200);
|
|
assert.equal(typeof res.body.version, "string");
|
|
assert.ok(res.body.version.length > 0);
|
|
});
|
|
|
|
test("GET /api/ready succeeds with mock database", async () => {
|
|
const res = await request(app).get("/api/ready").expect(200);
|
|
assert.equal(res.body.status, "ready");
|
|
assert.equal(res.body.db, "connected");
|
|
});
|
|
|
|
test("GET /api/races rejects invalid year", async () => {
|
|
const { agent } = await authAgent();
|
|
const res = await agent.get("/api/races?year=bad").expect(400);
|
|
assert.equal(res.body.error, "validation_error");
|
|
assert.ok(Array.isArray(res.body.details));
|
|
});
|
|
|
|
test("GET /api/races rejects month out of range", async () => {
|
|
const { agent } = await authAgent();
|
|
const res = await agent.get("/api/races?month=13").expect(400);
|
|
assert.equal(res.body.error, "validation_error");
|
|
});
|
|
|
|
test("GET /api/races accepts year and month", async () => {
|
|
const { agent } = await authAgent();
|
|
const res = await agent.get("/api/races?year=2026&month=5").expect(200);
|
|
assert.ok(Array.isArray(res.body));
|
|
});
|
|
|
|
test("GET /api/races/:id returns not_found", async () => {
|
|
const { agent } = await authAgent();
|
|
const res = await agent.get("/api/races/does-not-exist").expect(404);
|
|
assert.equal(res.body.error, "not_found");
|
|
assert.ok(Array.isArray(res.body.details));
|
|
});
|
|
|
|
test("GET /api/races requires authentication", async () => {
|
|
const res = await request(app).get("/api/races").expect(401);
|
|
assert.equal(res.body.error, "unauthorized");
|
|
});
|
|
|
|
test("login uses generic response for missing user and wrong password", async () => {
|
|
const password = "correct horse battery staple";
|
|
await createVerifiedUser("generic@example.com", password);
|
|
|
|
const wrongPassword = await request(app)
|
|
.post("/api/auth/login")
|
|
.send({ email: "generic@example.com", password: "wrong password" })
|
|
.expect(401);
|
|
const missingUser = await request(app)
|
|
.post("/api/auth/login")
|
|
.send({ email: "missing@example.com", password })
|
|
.expect(401);
|
|
|
|
assert.deepEqual(missingUser.body, wrongPassword.body);
|
|
});
|
|
|
|
test("GET /api/races/:id returns not_found for another user's race", async () => {
|
|
const first = await authAgent();
|
|
const created = await first.agent
|
|
.post("/api/races")
|
|
.set("X-CSRF-Token", first.csrfToken)
|
|
.send({
|
|
slug: "2026-07-01-private-race",
|
|
date: "2026-07-01",
|
|
title: "Private Race",
|
|
distanceKm: 10,
|
|
})
|
|
.expect(201);
|
|
|
|
const second = await authAgent();
|
|
const res = await second.agent.get(`/api/races/${created.body.id}`).expect(404);
|
|
assert.equal(res.body.error, "not_found");
|
|
});
|
|
|
|
test("new password reset token invalidates previous token", async () => {
|
|
const userId = await createVerifiedUser("reset@example.com", "correct horse battery staple");
|
|
const client = await pool.connect();
|
|
const first = await createResetToken(client, userId);
|
|
const second = await createResetToken(client, userId);
|
|
client.release();
|
|
|
|
assert.equal(await resetPassword(first, "new correct horse battery staple"), false);
|
|
assert.equal(await resetPassword(second, "new correct horse battery staple"), true);
|
|
});
|
|
|
|
test("extractRaceCoverImageFromHtml prefers runc.run intro image", () => {
|
|
const html = `
|
|
<meta property="og:image" content="https://example.com/og.jpg">
|
|
<div class="run-intro__image">
|
|
<div class="run-intro__image-left-shadow"></div>
|
|
<img src="/uploads/race_landing_header_backgrounds/header.jpg" alt="">
|
|
<div class="run-intro__image-right-shadow"></div>
|
|
</div>
|
|
`;
|
|
|
|
assert.equal(
|
|
extractRaceCoverImageFromHtml(html, "https://aprilrun5km.runc.run/"),
|
|
"https://aprilrun5km.runc.run/uploads/race_landing_header_backgrounds/header.jpg",
|
|
);
|
|
});
|
|
|
|
test("extractRaceCoverImageFromHtml reads Open Graph and Twitter images", () => {
|
|
assert.equal(
|
|
extractRaceCoverImageFromHtml(
|
|
'<meta property="og:image" content="/cover.png">',
|
|
"https://example.com/race",
|
|
),
|
|
"https://example.com/cover.png",
|
|
);
|
|
assert.equal(
|
|
extractRaceCoverImageFromHtml(
|
|
'<meta name="twitter:image" content="https://cdn.example.com/twitter.jpg">',
|
|
"https://example.com/race",
|
|
),
|
|
"https://cdn.example.com/twitter.jpg",
|
|
);
|
|
});
|
|
|
|
test("POST /api/races stores manual coverImageUrl", async () => {
|
|
const { agent, csrfToken } = await authAgent();
|
|
const coverImageUrl = "https://example.com/manual.jpg";
|
|
const res = await agent
|
|
.post("/api/races")
|
|
.set("X-CSRF-Token", csrfToken)
|
|
.send({
|
|
slug: "2026-06-01-manual-cover",
|
|
date: "2026-06-01",
|
|
title: "Manual Cover",
|
|
distanceKm: 10,
|
|
officialUrl: "https://example.com/race",
|
|
coverImageUrl,
|
|
})
|
|
.expect(201);
|
|
|
|
assert.equal(res.body.coverImageUrl, coverImageUrl);
|
|
});
|
|
|
|
test("POST /api/races auto extracts coverImageUrl from officialUrl", async () => {
|
|
const originalFetch = globalThis.fetch;
|
|
globalThis.fetch = async () =>
|
|
new Response('<meta property="og:image" content="/auto.jpg">', {
|
|
status: 200,
|
|
headers: { "content-type": "text/html" },
|
|
});
|
|
|
|
try {
|
|
const { agent, csrfToken } = await authAgent();
|
|
const res = await agent
|
|
.post("/api/races")
|
|
.set("X-CSRF-Token", csrfToken)
|
|
.send({
|
|
slug: "2026-06-02-auto-cover",
|
|
date: "2026-06-02",
|
|
title: "Auto Cover",
|
|
distanceKm: 21.1,
|
|
officialUrl: "https://example.com/race",
|
|
})
|
|
.expect(201);
|
|
|
|
assert.equal(res.body.coverImageUrl, "https://example.com/auto.jpg");
|
|
} finally {
|
|
globalThis.fetch = originalFetch;
|
|
}
|
|
});
|
|
|
|
test("POST /api/races succeeds when cover extraction fails", async () => {
|
|
const originalFetch = globalThis.fetch;
|
|
globalThis.fetch = async () => {
|
|
throw new Error("network down");
|
|
};
|
|
|
|
try {
|
|
const { agent, csrfToken } = await authAgent();
|
|
const res = await agent
|
|
.post("/api/races")
|
|
.set("X-CSRF-Token", csrfToken)
|
|
.send({
|
|
slug: "2026-06-03-cover-fail",
|
|
date: "2026-06-03",
|
|
title: "Cover Fail",
|
|
distanceKm: 5,
|
|
officialUrl: "https://example.com/race",
|
|
})
|
|
.expect(201);
|
|
|
|
assert.equal(res.body.coverImageUrl, null);
|
|
} finally {
|
|
globalThis.fetch = originalFetch;
|
|
}
|
|
});
|
|
|
|
test("PATCH /api/races/:id updates coverImageUrl explicitly", async () => {
|
|
const { agent, csrfToken } = await authAgent();
|
|
const created = await agent
|
|
.post("/api/races")
|
|
.set("X-CSRF-Token", csrfToken)
|
|
.send({
|
|
slug: "2026-06-04-patch-cover",
|
|
date: "2026-06-04",
|
|
title: "Patch Cover",
|
|
distanceKm: 10,
|
|
})
|
|
.expect(201);
|
|
|
|
const coverImageUrl = "https://example.com/patched.jpg";
|
|
const res = await agent
|
|
.patch(`/api/races/${created.body.id}`)
|
|
.set("X-CSRF-Token", csrfToken)
|
|
.send({ coverImageUrl })
|
|
.expect(200);
|
|
|
|
assert.equal(res.body.coverImageUrl, coverImageUrl);
|
|
});
|