feat(16-04): update all service tests to pass userId and add isolation tests

- Destructure { db, userId } from createTestDb() in all 8 service test files - Pass userId to every service function call - Add cross-user isolation tests for items, categories, threads, setups - Add composite unique constraint test for categories - Update verifyApiKey assertions to check { userId } return - Update verifyAccessToken assertions to check { userId } return - Pass userId to exchangeCode and refreshAccessToken calls
2026-04-05 11:01:51 +02:00
parent 884bec0b35
commit 5b702a0e98
8 changed files with 659 additions and 288 deletions
--- a/tests/services/oauth.service.test.ts
+++ b/tests/services/oauth.service.test.ts
@@ -18,9 +18,10 @@ function generatePkce() {

 describe("OAuth Service", () => {
 	let db: any;
+	let userId: number;

 	beforeEach(async () => {
-		db = await createTestDb();
+		({ db, userId } = await createTestDb());
 	});

 	describe("Client Registration", () => {
@@ -92,6 +93,7 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);

 			expect(tokens).not.toBeNull();
@@ -122,6 +124,7 @@ describe("OAuth Service", () => {
 				"wrongverifier",
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);

 			expect(tokens).toBeNull();
@@ -147,6 +150,7 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:9999/wrong",
+				userId,
 			);

 			expect(tokens).toBeNull();
@@ -173,6 +177,7 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);
 			expect(first).not.toBeNull();

@@ -183,13 +188,14 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);
 			expect(second).toBeNull();
 		});
 	});

 	describe("Token Verification", () => {
-		it("verifies a valid access token (returns true)", async () => {
+		it("verifies a valid access token returns { userId }", async () => {
 			const { clientId } = await registerClient(db, "Test App", [
 				"http://localhost:8080/callback",
 			]);
@@ -209,15 +215,17 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);

-			const isValid = await verifyAccessToken(db, tokens!.accessToken);
-			expect(isValid).toBe(true);
+			const verified = await verifyAccessToken(db, tokens!.accessToken);
+			expect(verified).not.toBeNull();
+			expect(verified?.userId).toBe(userId);
 		});

-		it("rejects an unknown token (returns false)", async () => {
-			const isValid = await verifyAccessToken(db, "unknowntoken12345678");
-			expect(isValid).toBe(false);
+		it("rejects an unknown token (returns null)", async () => {
+			const verified = await verifyAccessToken(db, "unknowntoken12345678");
+			expect(verified).toBeNull();
 		});
 	});

@@ -242,12 +250,14 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);

 			const newTokens = await refreshAccessToken(
 				db,
 				tokens!.refreshToken,
 				clientId,
+				userId,
 			);

 			expect(newTokens).not.toBeNull();
@@ -276,12 +286,14 @@ describe("OAuth Service", () => {
 				verifier,
 				clientId,
 				"http://localhost:8080/callback",
+				userId,
 			);

 			const newTokens = await refreshAccessToken(
 				db,
 				tokens!.refreshToken,
 				"wrong-client-id",
+				userId,
 			);

 			expect(newTokens).toBeNull();