@etus/bhono-app 0.1.6 → 0.1.7

package/templates/base/tests/unit/server/auth/guards.test.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect } from 'vitest'
 import { Hono } from 'hono'
-import { requireRole, requirePermission } from '@server/guards'
+import { requireRole, requirePermission } from '@server/auth/guards'
 import type { HonoEnv } from '@server/types'
 
 describe('guards', () => {

package/templates/base/tests/unit/server/middleware/auth.test.ts

@@ -371,4 +371,277 @@ describe('jwtAuth', () => {
       isSuperAdmin: false,
     })
   })
+
+  it('handles snake_case column names from DB', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    // Use snake_case column names as returned by SQLite
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      provider_ids: JSON.stringify(['google']),
+      is_super_admin: 1,
+      created_at: new Date().toISOString(),
+      updated_at: new Date().toISOString(),
+      deleted_at: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.providerIds).toEqual(['google'])
+    expect(body.user.isSuperAdmin).toBe(true)
+  })
+
+  it('handles providerIds as JSON string', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: '["google", "github"]',
+      isSuperAdmin: 0,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.providerIds).toEqual(['google', 'github'])
+  })
+
+  it('handles invalid JSON in providerIds', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: 'invalid-json',
+      isSuperAdmin: 0,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.providerIds).toEqual([])
+  })
+
+  it('handles non-array JSON in providerIds', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: '{"key": "value"}',
+      isSuperAdmin: 0,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.providerIds).toEqual([])
+  })
+
+  it('handles null providerIds', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: null,
+      isSuperAdmin: 0,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.providerIds).toEqual([])
+  })
+
+  it('handles isSuperAdmin as boolean true', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: [],
+      isSuperAdmin: true,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.isSuperAdmin).toBe(true)
+  })
+
+  it('handles isSuperAdmin as string "1"', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: [],
+      isSuperAdmin: '1',
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.isSuperAdmin).toBe(true)
+  })
+
+  it('handles isSuperAdmin as string "true"', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: [],
+      isSuperAdmin: 'true',
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deletedAt: null,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.isSuperAdmin).toBe(true)
+  })
+
+  it('handles deletedAt with value', async () => {
+    vi.mocked(verify).mockResolvedValue({
+      sub: 'user-123',
+      email: 'test@example.com',
+      iat: Date.now(),
+      exp: Date.now() + 3600000,
+    })
+
+    const deletedDate = new Date().toISOString()
+    setMockQueryResult(mockDb, ['user-123'], {
+      id: 'user-123',
+      email: 'test@example.com',
+      name: 'Test User',
+      status: 'active',
+      providerIds: [],
+      isSuperAdmin: 0,
+      createdAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      deleted_at: deletedDate,
+    })
+
+    const app = createApp()
+    const res = await app.request('/test', {
+      headers: { Authorization: 'Bearer valid-token' },
+    })
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.user.deletedAt).toBe(deletedDate)
+  })
 })

package/templates/base/tests/unit/server/routes/auth/handlers.test.ts

@@ -167,6 +167,20 @@ describe('Auth Routes', () => {
       expect(body).toContain('Invalid state parameter')
     })
 
+    it('returns 400 when oauth_state cookie is invalid JSON', async () => {
+      const app = createApp()
+      const res = await app.request('/auth/callback?code=test-code&state=test-state', {
+        method: 'GET',
+        headers: {
+          Cookie: 'oauth_state=invalid-json-string',
+        },
+      })
+
+      expect(res.status).toBe(400)
+      const body = await res.text()
+      expect(body).toContain('Invalid OAuth state cookie')
+    })
+
     it('creates session on successful callback', async () => {
       const testUser = createUserFixture({ id: 'user-123', email: 'test@example.com' })
 
@@ -207,6 +221,103 @@ describe('Auth Routes', () => {
       expect(res.status).toBe(302)
       expect(res.headers.get('Location')).toContain('/dashboard')
     })
+
+    it('accepts pending invitation during callback', async () => {
+      const testUser = createUserFixture({ id: 'user-123', email: 'test@example.com' })
+
+      vi.mocked(exchangeCodeForTokens).mockResolvedValue({
+        access_token: 'test-access-token',
+        id_token: 'test-id-token',
+        refresh_token: 'test-refresh-token',
+        expires_in: 3600,
+        token_type: 'Bearer',
+      })
+
+      vi.mocked(decodeIdToken).mockReturnValue({
+        sub: 'google-123',
+        email: 'test@example.com',
+        name: 'Test User',
+        picture: 'https://example.com/avatar.jpg',
+        email_verified: true,
+      })
+
+      vi.mocked(authService.findOrCreateUser).mockResolvedValue({
+        user: testUser,
+        isNew: false,
+      })
+
+      vi.mocked(invitationsService.getByToken).mockResolvedValue({
+        id: 'invite-123',
+        token: 'valid-invite-token',
+        email: 'test@example.com',
+        role: 'VIEWER',
+        accountId: 'account-1',
+        status: 'pending',
+        expiresAt: new Date(Date.now() + 86400000).toISOString(),
+        createdAt: new Date().toISOString(),
+        updatedAt: new Date().toISOString(),
+      })
+
+      vi.mocked(invitationsService.accept).mockResolvedValue()
+
+      const app = createApp()
+      const res = await app.request('/auth/callback?code=test-code&state=test-state', {
+        method: 'GET',
+        headers: {
+          Cookie: 'oauth_state=' + encodeURIComponent(JSON.stringify({
+            codeVerifier: 'test-verifier',
+            state: 'test-state',
+            redirect: null,
+          })) + '; pending_invitation=valid-invite-token',
+        },
+        redirect: 'manual',
+      })
+
+      expect(res.status).toBe(302)
+      expect(invitationsService.getByToken).toHaveBeenCalledWith(expect.anything(), 'valid-invite-token')
+      expect(invitationsService.accept).toHaveBeenCalled()
+    })
+
+    it('uses custom redirect from oauth state', async () => {
+      const testUser = createUserFixture({ id: 'user-123', email: 'test@example.com' })
+
+      vi.mocked(exchangeCodeForTokens).mockResolvedValue({
+        access_token: 'test-access-token',
+        id_token: 'test-id-token',
+        refresh_token: 'test-refresh-token',
+        expires_in: 3600,
+        token_type: 'Bearer',
+      })
+
+      vi.mocked(decodeIdToken).mockReturnValue({
+        sub: 'google-123',
+        email: 'test@example.com',
+        name: 'Test User',
+        picture: 'https://example.com/avatar.jpg',
+        email_verified: true,
+      })
+
+      vi.mocked(authService.findOrCreateUser).mockResolvedValue({
+        user: testUser,
+        isNew: false,
+      })
+
+      const app = createApp()
+      const res = await app.request('/auth/callback?code=test-code&state=test-state', {
+        method: 'GET',
+        headers: {
+          Cookie: 'oauth_state=' + encodeURIComponent(JSON.stringify({
+            codeVerifier: 'test-verifier',
+            state: 'test-state',
+            redirect: '/settings',
+          })),
+        },
+        redirect: 'manual',
+      })
+
+      expect(res.status).toBe(302)
+      expect(res.headers.get('Location')).toContain('/settings')
+    })
   })
 
   describe('POST /auth/logout', () => {

package/templates/base/tests/unit/server/routes/users/handlers.test.ts

@@ -7,9 +7,9 @@ import { createMockEnv } from '@tests/helpers/server'
 import {
   createUserFixture,
   createAccountFixture,
-  createDeletedUserFixture,
 } from '@tests/fixtures/server'
 import { NotFoundError } from '@server/lib/errors'
+import type { Role } from '@server/auth/roles'
 
 // Test UUIDs
 const TEST_USER_ID = '550e8400-e29b-41d4-a716-446655440001'
@@ -33,7 +33,6 @@ vi.mock('@server/services', () => ({
 import { usersService } from '@server/services'
 
 describe('Users Routes', () => {
-  let app: Hono<HonoEnv>
   let mockEnv: ReturnType<typeof createMockEnv>
   let mockDb: any
   let testUser: ReturnType<typeof createUserFixture>
@@ -60,12 +59,10 @@ describe('Users Routes', () => {
       delete: vi.fn().mockReturnThis(),
       execute: vi.fn().mockResolvedValue({ rows: [] }),
     }
-
-    app = new Hono<HonoEnv>()
   })
 
   // Helper to setup authenticated app with specific role
-  function setupAuthenticatedApp(userRole = 'VIEWER', isSuperAdmin = false) {
+  function setupAuthenticatedApp(userRole: Role = 'VIEWER', isSuperAdmin = false) {
     const authenticatedApp = new Hono<HonoEnv>()
 
     authenticatedApp.use('*', async (c, next) => {
@@ -523,4 +520,71 @@ describe('Users Routes', () => {
   // with body may not work correctly in the Hono test environment.
   // This endpoint is tested via E2E tests instead.
   // Role-based access control is tested via the requireRole middleware.
+
+  describe('Missing context error handling', () => {
+    it('GET /users/:id throws when context is missing', async () => {
+      const unauthApp = setupUnauthenticatedApp()
+
+      const res = await unauthApp.request(`/users/${TEST_USER_ID}`, {
+        method: 'GET',
+      })
+
+      expect(res.status).toBe(500)
+      expect(usersService.findById).not.toHaveBeenCalled()
+    })
+
+    it('PATCH /users/:id returns 401 when not authenticated', async () => {
+      const unauthApp = setupUnauthenticatedApp()
+
+      const res = await unauthApp.request(`/users/${TEST_USER_ID}`, {
+        method: 'PATCH',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ name: 'Updated' }),
+      })
+
+      expect(res.status).toBe(401)
+      expect(usersService.update).not.toHaveBeenCalled()
+    })
+
+    it('DELETE /users/:id returns 401 when not authenticated', async () => {
+      const unauthApp = setupUnauthenticatedApp()
+
+      const res = await unauthApp.request(`/users/${TEST_USER_ID}`, {
+        method: 'DELETE',
+      })
+
+      expect(res.status).toBe(401)
+      expect(usersService.delete).not.toHaveBeenCalled()
+    })
+
+    it('POST /users/:id/restore returns 401 when not authenticated', async () => {
+      const unauthApp = setupUnauthenticatedApp()
+
+      const res = await unauthApp.request(`/users/${TEST_USER_ID}/restore`, {
+        method: 'POST',
+      })
+
+      expect(res.status).toBe(401)
+      expect(usersService.restore).not.toHaveBeenCalled()
+    })
+
+    it('POST /users/accounts returns 401 when not authenticated', async () => {
+      const unauthApp = setupUnauthenticatedApp()
+
+      const res = await unauthApp.request('/users/accounts', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify([
+          { userId: TEST_USER_ID, accountId: TEST_ACCOUNT_ID, role: 'VIEWER' },
+        ]),
+      })
+
+      expect(res.status).toBe(401)
+      expect(usersService.createUserAccounts).not.toHaveBeenCalled()
+    })
+  })
 })

package/templates/base/tests/unit/server/services/accounts.test.ts

@@ -20,6 +20,17 @@ vi.mock('@server/db/sql', () => ({
   queryOne: vi.fn(),
   queryAll: vi.fn(),
   execute: vi.fn(),
+  toStringValue: (value: unknown) => {
+    if (typeof value === 'string') return value
+    if (typeof value === 'number' || typeof value === 'bigint') return String(value)
+    return ''
+  },
+  toNullableString: (value: unknown) => {
+    if (value === null || value === undefined) return null
+    if (typeof value === 'string') return value
+    if (typeof value === 'number' || typeof value === 'bigint') return String(value)
+    return null
+  },
 }))
 
 import { auditedInsert, auditedUpdate, auditedDelete } from '@server/lib/audited-db'
@@ -104,6 +115,26 @@ describe('accountsService', () => {
 
       expect((queryOne as Mock).mock.calls[0][2]).toContain(ctx.user.id)
     })
+
+    it('should filter by query when provided', async () => {
+      ;(queryOne as Mock).mockResolvedValueOnce({ count: 1 })
+      ;(queryAll as Mock).mockResolvedValueOnce([])
+
+      await accountsService.findAll(db, superAdminCtx, { ...defaultPagination, query: 'test' })
+
+      // Query should include LIKE clauses for name and domain
+      expect((queryOne as Mock).mock.calls[0][2]).toContain('%test%')
+    })
+
+    it('should handle null count result', async () => {
+      ;(queryOne as Mock).mockResolvedValueOnce(null)
+      ;(queryAll as Mock).mockResolvedValueOnce([])
+
+      const result = await accountsService.findAll(db, superAdminCtx, defaultPagination)
+
+      expect(result.data).toHaveLength(0)
+      expect(result.meta.totalItems).toBe(0)
+    })
   })
 
   describe('findById', () => {
@@ -140,6 +171,22 @@ describe('accountsService', () => {
 
       await expect(accountsService.findById(db, ctx, account.id)).rejects.toThrow(NotFoundError)
     })
+
+    it('should allow non-super-admin with valid membership', async () => {
+      const account = createAccountFixture({ id: 'account-1' })
+      ;(queryOne as Mock)
+        .mockResolvedValueOnce({
+          ...account,
+          created_at: account.createdAt,
+          updated_at: account.updatedAt,
+          deleted_at: account.deletedAt,
+        })
+        .mockResolvedValueOnce({ ok: 1 })
+
+      const result = await accountsService.findById(db, ctx, account.id)
+
+      expect(result.id).toBe(account.id)
+    })
   })
 
   describe('create', () => {
@@ -166,6 +213,27 @@ describe('accountsService', () => {
       expect(result.name).toBe('New Account')
       expect(auditedInsert).toHaveBeenCalled()
     })
+
+    it('should create account with domain when no conflict', async () => {
+      ;(queryOne as Mock).mockResolvedValueOnce(null)
+
+      const account = createAccountFixture({ id: 'account-1', name: 'New Account', domain: 'unique.com' })
+      ;(auditedInsert as Mock).mockResolvedValueOnce([
+        { ...account, created_at: account.createdAt, updated_at: account.updatedAt, deleted_at: account.deletedAt },
+      ])
+
+      const result = await accountsService.create(db, superAdminCtx, { name: 'New Account', domain: 'unique.com' })
+
+      expect(result.domain).toBe('unique.com')
+    })
+
+    it('should throw when auditedInsert returns empty array', async () => {
+      ;(auditedInsert as Mock).mockResolvedValueOnce([])
+
+      await expect(
+        accountsService.create(db, superAdminCtx, { name: 'New Account' })
+      ).rejects.toThrow('Failed to create account')
+    })
   })
 
   describe('update', () => {
@@ -209,6 +277,67 @@ describe('accountsService', () => {
       expect(result.name).toBe('Updated')
       expect(auditedUpdate).toHaveBeenCalled()
     })
+
+    it('should update with domain when no conflict', async () => {
+      const account = createAccountFixture({ id: 'account-1' })
+      ;(queryOne as Mock)
+        .mockResolvedValueOnce({
+          ...account,
+          created_at: account.createdAt,
+          updated_at: account.updatedAt,
+          deleted_at: account.deletedAt,
+        })
+        .mockResolvedValueOnce(null)
+
+      const updated = { ...account, domain: 'new.com' }
+      ;(auditedUpdate as Mock).mockResolvedValueOnce([
+        { ...updated, created_at: updated.createdAt, updated_at: updated.updatedAt, deleted_at: updated.deletedAt },
+      ])
+
+      const result = await accountsService.update(db, superAdminCtx, account.id, { domain: 'new.com' })
+
+      expect(result.domain).toBe('new.com')
+    })
+
+    it('should update description and domain', async () => {
+      const account = createAccountFixture({ id: 'account-1' })
+      ;(queryOne as Mock)
+        .mockResolvedValueOnce({
+          ...account,
+          created_at: account.createdAt,
+          updated_at: account.updatedAt,
+          deleted_at: account.deletedAt,
+        })
+        .mockResolvedValueOnce(null)
+
+      const updated = { ...account, description: 'New desc', domain: 'new.com' }
+      ;(auditedUpdate as Mock).mockResolvedValueOnce([
+        { ...updated, created_at: updated.createdAt, updated_at: updated.updatedAt, deleted_at: updated.deletedAt },
+      ])
+
+      const result = await accountsService.update(db, superAdminCtx, account.id, {
+        description: 'New desc',
+        domain: 'new.com',
+      })
+
+      expect(result.description).toBe('New desc')
+      expect(result.domain).toBe('new.com')
+    })
+
+    it('should throw when auditedUpdate returns empty array', async () => {
+      const account = createAccountFixture({ id: 'account-1' })
+      ;(queryOne as Mock).mockResolvedValueOnce({
+        ...account,
+        created_at: account.createdAt,
+        updated_at: account.updatedAt,
+        deleted_at: account.deletedAt,
+      })
+      ;(auditedUpdate as Mock).mockResolvedValueOnce([])
+
+      await expect(
+        accountsService.update(db, superAdminCtx, account.id, { name: 'Updated' })
+      ).rejects.toThrow('Failed to update account')
+    })
   })
 
   describe('delete', () => {
@@ -254,5 +383,24 @@ describe('accountsService', () => {
 
       expect(result.deletedAt).toBeNull()
     })
+
+    it('should throw NotFoundError when account not found or not deleted', async () => {
+      ;(queryOne as Mock).mockResolvedValueOnce(null)
+
+      await expect(accountsService.restore(db, superAdminCtx, 'not-deleted')).rejects.toThrow(NotFoundError)
+    })
+
+    it('should throw when auditedUpdate returns empty array', async () => {
+      const deleted = createDeletedAccountFixture({ id: 'account-1' })
+      ;(queryOne as Mock).mockResolvedValueOnce({
+        ...deleted,
+        created_at: deleted.createdAt,
+        updated_at: deleted.updatedAt,
+        deleted_at: deleted.deletedAt,
+      })
+      ;(auditedUpdate as Mock).mockResolvedValueOnce([])
+
+      await expect(accountsService.restore(db, superAdminCtx, deleted.id)).rejects.toThrow(NotFoundError)
+    })
   })
 })