@norriq/nuxt-auth 1.0.0

package/server/api/auth/oauth-callback/oauth-callback.test.ts

@@ -0,0 +1,189 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import type { EventHandler } from 'h3'
+import { fakeEvent, fakeJwt, stubCreateError, lastRedirectUrl } from '../../../test-helpers'
+
+const mockGetQuery = vi.fn()
+const mockGetCookie = vi.fn()
+const mockDeleteCookie = vi.fn()
+const mockSendRedirect = vi.fn()
+const mockGetRouterParam = vi.fn()
+const mockGetRequestHeader = vi.fn()
+const mockExchangeToken = vi.fn()
+const mockSetSessionCookie = vi.fn()
+
+vi.stubGlobal('defineEventHandler', <T>(fn: T): T => fn)
+stubCreateError()
+vi.stubGlobal('getQuery', (event: unknown) => mockGetQuery(event))
+vi.stubGlobal('getCookie', (_event: unknown, name: string) => mockGetCookie(name))
+vi.stubGlobal('deleteCookie', (_event: unknown, name: string) => mockDeleteCookie(name))
+vi.stubGlobal('setCookie', vi.fn())
+vi.stubGlobal('sendRedirect', (_event: unknown, url: string) => mockSendRedirect(url))
+vi.stubGlobal('getRouterParam', () => mockGetRouterParam())
+vi.stubGlobal('getRequestURL', () => new URL('https://app.example.com/api/auth/oauth-callback/customer'))
+vi.stubGlobal('getRequestHeader', (_event: unknown, header: string) => mockGetRequestHeader(header))
+vi.stubGlobal('isSecureRequest', () => true)
+vi.stubGlobal('isSafeReturnUrl', (url: string) => url.startsWith('/') && !url.startsWith('//'))
+vi.stubGlobal('exchangeToken', (...args: unknown[]) => mockExchangeToken(...args))
+vi.stubGlobal('setSessionCookie', (...args: unknown[]) => mockSetSessionCookie(...args))
+vi.stubGlobal('extractClaims', (decoded: Record<string, unknown>) => ({
+    sub: decoded.sub || '',
+    name: decoded.name || '',
+    customerNumber: decoded.CustomerNumber || '',
+    roles: [],
+}))
+
+function withCookies(cookies: Record<string, string>) {
+    mockGetCookie.mockImplementation((name: string) => cookies[name])
+}
+
+describe('oauth-callback', () => {
+    let handler: EventHandler
+
+    beforeEach(async () => {
+        vi.clearAllMocks()
+        mockGetRequestHeader.mockImplementation((header: string) => {
+            if (header === 'host') return 'app.example.com'
+            return undefined
+        })
+
+        vi.resetModules()
+        const mod = await import('./[connectorKey]')
+        handler = mod.default
+    })
+
+    it('redirects to login on auth server error', async () => {
+        mockGetQuery.mockReturnValue({ error: 'access_denied', error_description: 'User cancelled' })
+        mockGetRouterParam.mockReturnValue('customer')
+
+        await handler(fakeEvent())
+
+        const url = lastRedirectUrl(mockSendRedirect)
+        expect(url).toContain('/login?error=access_denied')
+        expect(url).toContain('error_description=User%20cancelled')
+    })
+
+    it('rejects mismatched state (CSRF protection)', async () => {
+        mockGetQuery.mockReturnValue({ code: 'auth-code', state: 'state-a' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'state-b', 'auth:codeVerifier': 'verifier' })
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/login?error=invalid_state')
+    })
+
+    it('rejects missing code verifier', async () => {
+        mockGetQuery.mockReturnValue({ code: 'auth-code', state: 'matching-state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'matching-state' })
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/login?error=missing_code_verifier')
+    })
+
+    it('rejects invalid connector key', async () => {
+        mockGetQuery.mockReturnValue({ code: 'auth-code', state: 'ok' })
+        mockGetRouterParam.mockReturnValue('evil-connector')
+        withCookies({ 'auth:state': 'ok', 'auth:codeVerifier': 'verifier' })
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/login?error=invalid_connector')
+    })
+
+    it('exchanges code for tokens and sets session cookie on success', async () => {
+        const jwt = fakeJwt({ sub: 'user@test.com', name: 'Test User', CustomerNumber: 'C-100' })
+        mockGetQuery.mockReturnValue({ code: 'valid-code', state: 'valid-state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'valid-state', 'auth:codeVerifier': 'test-verifier', 'auth:returnUrl': '/dashboard' })
+        mockExchangeToken.mockResolvedValue({
+            access_token: jwt,
+            refresh_token: 'refresh-tok',
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        await handler(fakeEvent())
+
+        expect(mockExchangeToken).toHaveBeenCalledWith(
+            expect.objectContaining({
+                grant_type: 'authorization_code',
+                code: 'valid-code',
+                code_verifier: 'test-verifier',
+            })
+        )
+        expect(mockSetSessionCookie).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.objectContaining({
+                accessToken: jwt,
+                refreshToken: 'refresh-tok',
+                authMethod: 'customer',
+            })
+        )
+        expect(mockSendRedirect).toHaveBeenCalledWith('/dashboard')
+    })
+
+    it('falls back to / when returnUrl cookie is missing', async () => {
+        mockGetQuery.mockReturnValue({ code: 'code', state: 'state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'state', 'auth:codeVerifier': 'verifier' })
+        mockExchangeToken.mockResolvedValue({
+            access_token: fakeJwt(),
+            refresh_token: '',
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/')
+    })
+
+    it('sanitizes unsafe returnUrl to /', async () => {
+        mockGetQuery.mockReturnValue({ code: 'code', state: 'state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'state', 'auth:codeVerifier': 'verifier', 'auth:returnUrl': '//evil.com' })
+        mockExchangeToken.mockResolvedValue({
+            access_token: fakeJwt(),
+            refresh_token: '',
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/')
+    })
+
+    it('redirects to login on token exchange failure', async () => {
+        mockGetQuery.mockReturnValue({ code: 'code', state: 'state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'state', 'auth:codeVerifier': 'verifier' })
+        mockExchangeToken.mockRejectedValue(new Error('Network error'))
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledWith('/login?error=token-exchange-failed')
+    })
+
+    it('cleans up state and codeVerifier cookies', async () => {
+        mockGetQuery.mockReturnValue({ code: 'code', state: 'state' })
+        mockGetRouterParam.mockReturnValue('customer')
+        withCookies({ 'auth:state': 'state', 'auth:codeVerifier': 'verifier' })
+        mockExchangeToken.mockResolvedValue({
+            access_token: fakeJwt(),
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        await handler(fakeEvent())
+
+        expect(mockDeleteCookie).toHaveBeenCalledWith('auth:state')
+        expect(mockDeleteCookie).toHaveBeenCalledWith('auth:codeVerifier')
+    })
+})

package/server/api/auth/refresh-token.post.ts

@@ -0,0 +1,48 @@
+import type { JWT } from 'next-auth/jwt'
+import { decodeJwt } from 'jose'
+import { decodeSessionCookie, exchangeToken, setSessionCookie } from '../../utils/authSession'
+import { extractClaims } from '../../utils/jwtClaims'
+
+export default defineEventHandler(async (event) => {
+    const currentSession = await decodeSessionCookie(event)
+    if (!currentSession) {
+        throw createError({ statusCode: 401, message: 'No session' })
+    }
+
+    if (!currentSession.refreshToken) {
+        throw createError({ statusCode: 400, message: 'No refresh token' })
+    }
+
+    const tokenResponse = await exchangeToken({
+        grant_type: 'refresh_token',
+        refresh_token: currentSession.refreshToken,
+    })
+
+    const expiresAt = tokenResponse.expires_in
+        ? Math.floor(Date.now() / 1000) + tokenResponse.expires_in
+        : Math.floor(Date.now() / 1000) + 3600
+
+    const decoded = decodeJwt(tokenResponse.access_token)
+    const claims = extractClaims(decoded)
+
+    const updatedSession: JWT = {
+        ...currentSession,
+        accessToken: tokenResponse.access_token,
+        refreshToken: tokenResponse.refresh_token || currentSession.refreshToken,
+        name: claims.name,
+        username: claims.sub,
+        customerNumber: claims.customerNumber,
+        roles: claims.roles,
+        tokenPolicy: {
+            accessToken: { expiresAt },
+            refreshToken: {
+                isEnabled: true,
+                expiresAt,
+            },
+        },
+    }
+
+    await setSessionCookie(event, updatedSession)
+
+    return { success: true }
+})

package/server/api/auth/refresh-token.test.ts

@@ -0,0 +1,134 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import type { EventHandler } from 'h3'
+import type { JWT } from 'next-auth/jwt'
+import { fakeEvent, fakeJwt, stubCreateError } from '../../test-helpers'
+
+const mockDecodeSessionCookie = vi.fn()
+const mockExchangeToken = vi.fn()
+const mockSetSessionCookie = vi.fn()
+
+vi.mock('../../utils/authSession', () => ({
+    decodeSessionCookie: (...args: unknown[]) => mockDecodeSessionCookie(...args),
+    exchangeToken: (...args: unknown[]) => mockExchangeToken(...args),
+    setSessionCookie: (...args: unknown[]) => mockSetSessionCookie(...args),
+}))
+
+vi.mock('h3', async () => {
+    const actual = await vi.importActual('h3')
+    return { ...actual }
+})
+
+vi.stubGlobal('defineEventHandler', <T>(fn: T): T => fn)
+stubCreateError()
+
+describe('refresh-token.post', () => {
+    let handler: EventHandler
+
+    beforeEach(async () => {
+        vi.clearAllMocks()
+        const mod = await import('./refresh-token.post')
+        handler = mod.default
+    })
+
+    it('throws 401 when no session cookie exists', async () => {
+        mockDecodeSessionCookie.mockResolvedValue(null)
+
+        const err = await handler(fakeEvent()).catch((e: Error & { statusCode?: number }) => e)
+        expect(err.message).toBe('No session')
+        expect(err.statusCode).toBe(401)
+    })
+
+    it('throws 400 when session has no refresh token', async () => {
+        mockDecodeSessionCookie.mockResolvedValue({
+            accessToken: 'test-access',
+            refreshToken: '',
+            authMethod: 'customer',
+            name: '',
+            username: '',
+            customerNumber: '',
+            roles: [],
+            tokenPolicy: {
+                accessToken: { expiresAt: 0 },
+                refreshToken: { isEnabled: false, expiresAt: 0 },
+            },
+        } satisfies JWT)
+
+        const err = await handler(fakeEvent()).catch((e: Error & { statusCode?: number }) => e)
+        expect(err.message).toBe('No refresh token')
+        expect(err.statusCode).toBe(400)
+    })
+
+    it('successfully refreshes token and updates cookie', async () => {
+        const session: JWT = {
+            accessToken: 'old-access-token',
+            refreshToken: 'old-refresh-token',
+            authMethod: 'customer',
+            name: 'Test User',
+            username: 'test@example.com',
+            customerNumber: 'C-001',
+            roles: [],
+            tokenPolicy: {
+                accessToken: { expiresAt: Math.floor(Date.now() / 1000) + 100 },
+                refreshToken: { isEnabled: true, expiresAt: Math.floor(Date.now() / 1000) + 100 },
+            },
+        }
+
+        const newAccessToken = fakeJwt({ sub: 'test@example.com', name: 'Test User', CustomerNumber: 'C-001' })
+        mockDecodeSessionCookie.mockResolvedValue(session)
+        mockExchangeToken.mockResolvedValue({
+            access_token: newAccessToken,
+            refresh_token: 'new-refresh-token',
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        const event = fakeEvent()
+        const result = await handler(event)
+
+        expect(result).toEqual({ success: true })
+        expect(mockExchangeToken).toHaveBeenCalledWith({
+            grant_type: 'refresh_token',
+            refresh_token: 'old-refresh-token',
+        })
+        expect(mockSetSessionCookie).toHaveBeenCalledWith(
+            event,
+            expect.objectContaining({
+                accessToken: newAccessToken,
+                refreshToken: 'new-refresh-token',
+            })
+        )
+    })
+
+    it('keeps existing refresh token when server does not return a new one', async () => {
+        const session: JWT = {
+            accessToken: 'old-access',
+            refreshToken: 'existing-refresh-token',
+            authMethod: 'customer',
+            name: 'Test User',
+            username: 'test@example.com',
+            customerNumber: 'C-001',
+            roles: [],
+            tokenPolicy: {
+                accessToken: { expiresAt: 0 },
+                refreshToken: { isEnabled: true, expiresAt: 0 },
+            },
+        }
+
+        mockDecodeSessionCookie.mockResolvedValue(session)
+        mockExchangeToken.mockResolvedValue({
+            access_token: fakeJwt({ sub: 'test@example.com', name: 'Test User', CustomerNumber: 'C-001' }),
+            expires_in: 3600,
+            token_type: 'Bearer',
+        })
+        mockSetSessionCookie.mockResolvedValue(undefined)
+
+        const event = fakeEvent()
+        await handler(event)
+
+        expect(mockSetSessionCookie).toHaveBeenCalledWith(
+            event,
+            expect.objectContaining({ refreshToken: 'existing-refresh-token' })
+        )
+    })
+})

package/server/plugins/validate-env.ts

@@ -0,0 +1,24 @@
+/**
+ * Validates that all required environment variables are set at server startup.
+ * Fails fast with a clear error instead of crashing later with cryptic messages.
+ * Only enforced in production — local dev uses .env files with defaults.
+ */
+export default defineNitroPlugin(() => {
+    if (process.env.NODE_ENV !== 'production') return
+
+    const required: Record<string, string | undefined> = {
+        NUXT_AUTH_URL: process.env.NUXT_AUTH_URL,
+        NUXT_PUBLIC_AUTH_URL: process.env.NUXT_PUBLIC_AUTH_URL,
+        NUXT_PUBLIC_AUTH_CLIENT_ID: process.env.NUXT_PUBLIC_AUTH_CLIENT_ID,
+        NUXT_AUTH_SECRET: process.env.NUXT_AUTH_SECRET,
+        AUTH_ORIGIN: process.env.AUTH_ORIGIN,
+    }
+
+    const missing = Object.entries(required)
+        .filter(([, value]) => !value)
+        .map(([key]) => key)
+
+    if (missing.length > 0) {
+        throw new Error(`Missing required environment variables:\n  ${missing.join('\n  ')}`)
+    }
+})

package/server/test-helpers.ts

@@ -0,0 +1,54 @@
+import { vi } from 'vitest'
+import { base64url } from 'jose'
+import type { H3Event } from 'h3'
+
+export function fakeEvent(overrides: Partial<H3Event> = {}): H3Event {
+    return { method: 'GET', ...overrides } as H3Event
+}
+
+export function fakeJwt(claims: Record<string, unknown> = {}): string {
+    const header = base64url.encode(JSON.stringify({ alg: 'none' }))
+    const payload = base64url.encode(
+        JSON.stringify({
+            sub: 'user@test.com',
+            name: 'Test',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            ...claims,
+        })
+    )
+    return `${header}.${payload}.`
+}
+
+interface HttpError extends Error {
+    statusCode: number
+}
+
+export function stubCreateError() {
+    vi.stubGlobal('createError', (opts: { statusCode: number; message?: string; statusMessage?: string }) => {
+        const error = new Error(opts.message || opts.statusMessage) as HttpError
+        error.statusCode = opts.statusCode
+        return error
+    })
+}
+
+export function lastRedirectUrl(mock: ReturnType<typeof vi.fn>): string {
+    return mock.mock.calls[0][0]
+}
+
+export function fetchCallUrl(mock: ReturnType<typeof vi.fn>): string {
+    return mock.mock.calls[0][0]
+}
+
+export function fetchCallHeaders(mock: ReturnType<typeof vi.fn>): Record<string, string> {
+    return mock.mock.calls[0][1].headers
+}
+
+export async function catchHttpError(fn: () => unknown): Promise<HttpError> {
+    try {
+        await fn()
+        throw new Error('Expected function to throw')
+    } catch (err) {
+        if (err instanceof Error && 'statusCode' in err) return err as HttpError
+        throw err
+    }
+}

package/server/utils/authSession.test.ts

@@ -0,0 +1,34 @@
+import { describe, it, expect } from 'vitest'
+import { isSafeReturnUrl } from './authSession'
+
+describe('isSafeReturnUrl', () => {
+    it('allows simple relative paths', () => {
+        expect(isSafeReturnUrl('/')).toBe(true)
+        expect(isSafeReturnUrl('/dashboard')).toBe(true)
+        expect(isSafeReturnUrl('/customer/orders')).toBe(true)
+        expect(isSafeReturnUrl('/path?query=1')).toBe(true)
+        expect(isSafeReturnUrl('/path#fragment')).toBe(true)
+    })
+
+    it('blocks protocol-relative URLs (open redirect)', () => {
+        expect(isSafeReturnUrl('//evil.com')).toBe(false)
+        expect(isSafeReturnUrl('//evil.com/path')).toBe(false)
+    })
+
+    it('blocks absolute URLs', () => {
+        expect(isSafeReturnUrl('https://evil.com')).toBe(false)
+        expect(isSafeReturnUrl('http://evil.com')).toBe(false)
+        expect(isSafeReturnUrl('ftp://evil.com')).toBe(false)
+    })
+
+    it('blocks backslash tricks', () => {
+        expect(isSafeReturnUrl('/\\evil.com')).toBe(false)
+        expect(isSafeReturnUrl('/path\\to\\evil')).toBe(false)
+    })
+
+    it('blocks empty and non-slash-prefixed strings', () => {
+        expect(isSafeReturnUrl('')).toBe(false)
+        expect(isSafeReturnUrl('evil.com')).toBe(false)
+        expect(isSafeReturnUrl('javascript:alert(1)')).toBe(false)
+    })
+})

package/server/utils/authSession.ts

@@ -0,0 +1,88 @@
+import { encode, decode } from 'next-auth/jwt'
+import type { JWT } from 'next-auth/jwt'
+import type { H3Event } from 'h3'
+
+/**
+ * Detects whether the request was made over HTTPS,
+ * accounting for reverse proxies that set x-forwarded-proto.
+ */
+export function isSecureRequest(event: H3Event): boolean {
+    const forwardedProto = getRequestHeader(event, 'x-forwarded-proto')
+    if (forwardedProto) return forwardedProto === 'https'
+    return getRequestURL(event).protocol === 'https:'
+}
+
+export function getSessionCookieName(event: H3Event): string {
+    return isSecureRequest(event) ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
+}
+
+export function decodeSessionCookie(event: H3Event): Promise<JWT | null> {
+    const cookieName = getSessionCookieName(event)
+    const token = getCookie(event, cookieName)
+    if (!token) return Promise.resolve(null)
+
+    const secret = useRuntimeConfig().authSecret
+    return decode({ token, secret })
+}
+
+export async function setSessionCookie(event: H3Event, session: JWT): Promise<void> {
+    const secret = useRuntimeConfig().authSecret
+    const cookieName = getSessionCookieName(event)
+    const secure = isSecureRequest(event)
+
+    const encoded = await encode({ token: session, secret })
+
+    setCookie(event, cookieName, encoded, {
+        httpOnly: true,
+        secure,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 60 * 60 * 24,
+    })
+}
+
+/** Validates that a URL is a relative path, preventing open redirects. */
+export function isSafeReturnUrl(url: string): boolean {
+    return url.startsWith('/') && !url.startsWith('//') && !url.includes('\\')
+}
+
+/**
+ * Exchanges an authorization code or other grant at the NORRIQ.Auth /connect/token endpoint.
+ */
+export function exchangeToken(
+    params: Record<string, string>,
+    options?: { headers?: Record<string, string> }
+): Promise<{
+    access_token: string
+    refresh_token?: string
+    expires_in?: number
+    token_type: string
+}> {
+    const config = useRuntimeConfig()
+    const authUrl = config.authUrlInternal || config.authUrl
+    const clientId = config.public.authClientId
+    if (!authUrl || !clientId) {
+        throw new Error('Auth environment variables not configured (NUXT_AUTH_URL, NUXT_PUBLIC_AUTH_CLIENT_ID)')
+    }
+
+    const clientSecret = config.authClientSecret || ''
+
+    const body: Record<string, string> = {
+        client_id: clientId,
+        ...params,
+    }
+    if (clientSecret) {
+        body.client_secret = clientSecret
+    }
+
+    const url: string = `${authUrl}/connect/token`
+    // @ts-expect-error Nuxt route type inference causes excessive stack depth with $fetch
+    return $fetch(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            ...options?.headers,
+        },
+        body: new URLSearchParams(body).toString(),
+    })
+}

package/server/utils/jwtClaims.test.ts

@@ -0,0 +1,81 @@
+import { describe, it, expect } from 'vitest'
+import { extractClaims, hasErrorData } from './jwtClaims'
+
+describe('extractClaims', () => {
+    it('extracts all claims from a well-formed JWT payload', () => {
+        const result = extractClaims({
+            sub: 'user-123',
+            name: 'John Doe',
+            CustomerNumber: 'CUST-456',
+            role: ['Admin', 'User'],
+        })
+
+        expect(result).toEqual({
+            sub: 'user-123',
+            name: 'John Doe',
+            customerNumber: 'CUST-456',
+            roles: ['Admin', 'User'],
+        })
+    })
+
+    it('handles single role as string', () => {
+        const result = extractClaims({
+            sub: 'user-1',
+            name: 'Jane',
+            CustomerNumber: 'C1',
+            role: 'Admin',
+        })
+
+        expect(result.roles).toEqual(['Admin'])
+    })
+
+    it('returns empty strings and array for missing claims', () => {
+        const result = extractClaims({})
+
+        expect(result).toEqual({
+            sub: '',
+            name: '',
+            customerNumber: '',
+            roles: [],
+        })
+    })
+
+    it('ignores non-string values in role arrays', () => {
+        const result = extractClaims({
+            role: ['Admin', 42, null, 'User', undefined],
+        })
+
+        expect(result.roles).toEqual(['Admin', 'User'])
+    })
+
+    it('returns empty roles for non-string, non-array role', () => {
+        expect(extractClaims({ role: 42 }).roles).toEqual([])
+        expect(extractClaims({ role: null }).roles).toEqual([])
+        expect(extractClaims({ role: true }).roles).toEqual([])
+    })
+})
+
+describe('hasErrorData', () => {
+    it('returns true for objects with a data property', () => {
+        expect(hasErrorData({ data: { type: 'SomeError' } })).toBe(true)
+    })
+
+    it('returns false for null', () => {
+        expect(hasErrorData(null)).toBe(false)
+    })
+
+    it('returns false for primitives', () => {
+        expect(hasErrorData('string')).toBe(false)
+        expect(hasErrorData(42)).toBe(false)
+        expect(hasErrorData(undefined)).toBe(false)
+    })
+
+    it('returns false for objects without data', () => {
+        expect(hasErrorData({ message: 'error' })).toBe(false)
+    })
+
+    it('returns false when data is not an object', () => {
+        expect(hasErrorData({ data: 'string' })).toBe(false)
+        expect(hasErrorData({ data: 42 })).toBe(false)
+    })
+})