chadstart 1.0.0 → 1.0.1

package/core/seeder.js

@@ -192,7 +192,7 @@ async function seedAll(core) {
       }
 
       try {
-        const created = create(entity.tableName, record);
+        const created = await create(entity.tableName, record);
         ids.push(created.id);
       } catch (err) {
         logger.warn(`Seed: failed to create record for ${entityName}:`, err.message);
@@ -206,7 +206,7 @@ async function seedAll(core) {
   // Create the admin@chadstart.com user in every authenticable entity
   const adminUsers = [];
   for (const entity of Object.values(core.authenticableEntities || {})) {
-    const existing = findAllSimple(entity.tableName, { email: ADMIN_EMAIL });
+    const existing = await findAllSimple(entity.tableName, { email: ADMIN_EMAIL });
     if (existing.length === 0) {
       const extraProps = entity.properties.reduce((acc, prop) => {
         // Skip email and password — they are handled separately for authenticable entities
@@ -216,7 +216,7 @@ async function seedAll(core) {
         }
         return acc;
       }, {});
-      create(entity.tableName, {
+      await create(entity.tableName, {
         email: ADMIN_EMAIL,
         password: bcrypt.hashSync(ADMIN_PASSWORD, 10),
         ...extraProps,

package/docs/config.md

@@ -42,13 +42,13 @@ We recommend switching to [PostgreSQL](https://www.postgresql.org/) or [MySQL](h
 
 | Variable      | Default                | Description                                                               | Applies To         |
 | ------------- | ---------------------- | ------------------------------------------------------------------------- | ------------------ |
-| DB_CONNECTION | `sqlite`               | Choose `postgres` switching to PostgreSQL or `mysql` for MySQL or MariaDB | All                |
-| DB_PATH       | `/.chadstart/db.sqlite` | Path of the database. Your server should have access to this path locally | SQLite             |
+| DB_ENGINE     | `sqlite`               | Choose `postgres` switching to PostgreSQL or `mysql` for MySQL or MariaDB | All                |
+| DB_PATH       | `/data/chadstart.db`   | Path of the database. Your server should have access to this path locally | SQLite             |
 | DB_HOST       | `localhost`            | Database host                                                             | PostgreSQL / MySQL |
 | DB_PORT       | `5432`                 | Database port                                                             | PostgreSQL / MySQL |
 | DB_USERNAME   | `postgres`             | Database username                                                         | PostgreSQL / MySQL |
 | DB_PASSWORD   | `postgres`             | Database password                                                         | PostgreSQL / MySQL |
-| DB_DATABASE   | `chadstart`             | Database name                                                             | PostgreSQL / MySQL |
+| DB_DATABASE   | `manifest`             | Database name                                                             | PostgreSQL / MySQL |
 | DB_SSL        | `false`                | Require SSL for DB connection. Set to true if using remote DB.            | PostgreSQL / MySQL |
 
 ### Example configurations
@@ -58,16 +58,16 @@ Here are examples of `.env` files for different database connections:
 === "SQLite"
     ```env
 
-     DB_CONNECTION=sqlite
+     DB_ENGINE=sqlite
 
-     DB_PATH=/.chadstart/db.sqlite
+     DB_PATH=/data/chadstart.db
 
      ```
 
 === "PostgreSQL"
     ```env
 
-     DB_CONNECTION=postgres
+     DB_ENGINE=postgres
 
      DB_HOST=my-host.com
      DB_USERNAME=owner
@@ -80,12 +80,12 @@ Here are examples of `.env` files for different database connections:
 === "MySQL / MariaDB"
     ```env
 
-    DB_CONNECTION=mysql
+    DB_ENGINE=mysql
 
     DB_USERNAME=xxxxx
     DB_PASSWORD=xxxxx
     DB_HOST=my-host.com
-    DB_PORT=25060
+    DB_PORT=3306
     DB_DATABASE=my_app
     DB_SSL=true # Required for remote managed DBs, remove if local
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chadstart",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "YAML-first Backend as a Service — define your entire backend in one YAML file",
   "main": "server/express-server.js",
   "bin": {
@@ -14,6 +14,7 @@
     "seed": "node cli/cli.js seed",
     "test": "mocha --timeout 10000 'test/*.test.js'",
     "test:coverage": "c8 --reporter=text --reporter=json-summary mocha --timeout 10000 'test/*.test.js'",
+    "test:integration": "mocha --timeout 30000 'test/integration/*.test.js'",
     "test:browser": "playwright test"
   },
   "repository": {
@@ -48,7 +49,9 @@
     "express-rate-limit": "^8.3.1",
     "htmx.org": "2.0.4",
     "jsonwebtoken": "^9.0.3",
+    "mysql2": "^3.20.0",
     "node-cron": "^4.2.1",
+    "pg": "^8.20.0",
     "sharp": "^0.34.5",
     "swagger-ui-express": "^5.0.1",
     "ws": "^8.19.0",

package/server/express-server.js

@@ -101,8 +101,8 @@ async function buildApp(yamlPath, reloadFn) {
   const dbPath = core.database
     ? path.resolve(path.dirname(yamlPath), core.database)
     : undefined;
-  initDb(core, dbPath);
-  initApiKeys();
+  await initDb(core, dbPath);
+  await initApiKeys();
 
   initErrorReporter(core);
 
@@ -300,7 +300,7 @@ async function buildApp(yamlPath, reloadFn) {
   });
 
   // HTMX table partial – returns an HTML fragment used by the Admin UI
-  app.get('/admin/partials/table', adminRateLimiter, (req, res) => {
+  app.get('/admin/partials/table', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;
     if (!header || !header.startsWith('Bearer ')) {
       return res.status(401).send('<p class="text-red-400 p-4">Unauthorized</p>');
@@ -317,7 +317,7 @@ async function buildApp(yamlPath, reloadFn) {
     const lang = parseLang(req.headers['accept-language']);
     const locale = loadLocale(lang);
     try {
-      let rows = findAllSimple(item.tableName);
+      let rows = await findAllSimple(item.tableName);
       if (type === 'collection') rows = rows.map(omitPassword);
       res.send(renderAdminTable(rows, name, type === 'collection', item.name, locale));
     } catch (err) {
@@ -325,7 +325,7 @@ async function buildApp(yamlPath, reloadFn) {
     }
   });
   // ── Admin stats endpoint ────────────────────────────────────────────
-  app.get('/admin/stats', adminRateLimiter, (req, res) => {
+  app.get('/admin/stats', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;
     if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
     try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
@@ -338,7 +338,7 @@ async function buildApp(yamlPath, reloadFn) {
       const allRecords = [];
       for (const entity of allEntities) {
         try {
-          const rows = findAllSimple(entity.tableName);
+          const rows = await findAllSimple(entity.tableName);
           const total = rows.length;
           const lastWeek = rows.filter((r) => r.createdAt && new Date(r.createdAt) >= oneWeekAgo).length;
           const lastMonth = rows.filter((r) => r.createdAt && new Date(r.createdAt) >= oneMonthAgo).length;
@@ -368,7 +368,7 @@ async function buildApp(yamlPath, reloadFn) {
   });
 
   // ── Admin seed endpoint ─────────────────────────────────────────────
-  app.post('/admin/seed', adminRateLimiter, (req, res) => {
+  app.post('/admin/seed', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;
     if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
     try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
@@ -393,7 +393,7 @@ async function buildApp(yamlPath, reloadFn) {
             default: record[pName] = `Sample ${pName} ${i}`;
           }
         }
-        try { const row = dbCreate(tableName, record); emit(`${name}.created`, row); created++; } catch (e) { logger.warn(`Seed: failed to create record for ${name}:`, e.message); }
+        try { const row = await dbCreate(tableName, record); emit(`${name}.created`, row); created++; } catch (e) { logger.warn(`Seed: failed to create record for ${name}:`, e.message); }
       }
       results.push({ name, created });
     }
@@ -401,7 +401,7 @@ async function buildApp(yamlPath, reloadFn) {
   });
 
   // ── Admin data endpoint (unified, auth-bypassing) ───────────────────
-  app.get('/admin/data', adminRateLimiter, (req, res) => {
+  app.get('/admin/data', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;
     if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
     try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
@@ -423,7 +423,7 @@ async function buildApp(yamlPath, reloadFn) {
           query[`${colName}_like`] = `%${search}%`;
         }
       }
-      const result = findAll(item.tableName, query, { page, perPage, orderBy, order });
+      const result = await findAll(item.tableName, query, { page, perPage, orderBy, order });
       if (type === 'collection') result.data = result.data.map(omitPassword);
       res.json(result);
     } catch (err) {
@@ -441,18 +441,18 @@ async function buildApp(yamlPath, reloadFn) {
   }
 
   // GET /admin/api-keys — list all API keys
-  app.get('/admin/api-keys', adminRateLimiter, (req, res) => {
+  app.get('/admin/api-keys', adminRateLimiter, async (req, res) => {
     if (!requireAdminToken(req, res)) return;
-    try { res.json(listAllApiKeys()); } catch (e) { res.status(500).json({ error: e.message }); }
+    try { res.json(await listAllApiKeys()); } catch (e) { res.status(500).json({ error: e.message }); }
   });
 
   // POST /admin/api-keys — create an API key for any user
-  app.post('/admin/api-keys', adminRateLimiter, (req, res) => {
+  app.post('/admin/api-keys', adminRateLimiter, async (req, res) => {
     if (!requireAdminToken(req, res)) return;
     const { userId, userEntity, name, permissions, entities: keyEntities, expiresAt } = req.body || {};
     if (!userId || !userEntity) return res.status(400).json({ error: 'userId and userEntity are required' });
     try {
-      const result = createApiKey(userId, userEntity, {
+      const result = await createApiKey(userId, userEntity, {
         name: name || 'API Key',
         permissions: Array.isArray(permissions) ? permissions : [],
         entities: Array.isArray(keyEntities) ? keyEntities : [],
@@ -463,13 +463,13 @@ async function buildApp(yamlPath, reloadFn) {
   });
 
   // DELETE /admin/api-keys/:id — delete any API key
-  app.delete('/admin/api-keys/:id', adminRateLimiter, (req, res) => {
+  app.delete('/admin/api-keys/:id', adminRateLimiter, async (req, res) => {
     if (!requireAdminToken(req, res)) return;
-    try { deleteApiKey(req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); }
+    try { await deleteApiKey(req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); }
   });
 
   // POST /admin/impersonate — generate a short-lived token as a user (for admin preview)
-  app.post('/admin/impersonate', adminRateLimiter, (req, res) => {
+  app.post('/admin/impersonate', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;
     if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
     let adminPayload;
@@ -479,7 +479,7 @@ async function buildApp(yamlPath, reloadFn) {
     const entity = Object.values(core.authenticableEntities || {}).find((e) => e.name === userEntity);
     if (!entity) return res.status(404).json({ error: 'User collection not found' });
     const { findById } = require('../core/db');
-    const user = findById(entity.tableName, userId);
+    const user = await findById(entity.tableName, userId);
     if (!user) return res.status(404).json({ error: 'User not found' });
     const { signToken } = require('../core/auth');
     const token = signToken(

package/test/access-policies.test.js

@@ -74,19 +74,19 @@ describe('access-policies – read condition: self', () => {
     assert.strictEqual(req._selfFilter.userId, 'user-42');
   });
 
-  it('read condition:self – DB list is filtered to the owning user', () => {
+  it('read condition:self – DB list is filtered to the owning user', async () => {
     const tmp = path.join(os.tmpdir(), `chadstart-selfread-${Date.now()}.db`);
-    dbModule.initDb(selfReadCore, tmp);
+    await dbModule.initDb(selfReadCore, tmp);
 
-    const user1 = dbModule.create('user', { name: 'Alice', email: 'alice@example.com', password: bcrypt.hashSync('pass1', 1) });
-    const user2 = dbModule.create('user', { name: 'Bob',   email: 'bob@example.com',   password: bcrypt.hashSync('pass2', 1) });
-    dbModule.create('project', { title: 'Alice Project 1', user_id: user1.id });
-    dbModule.create('project', { title: 'Alice Project 2', user_id: user1.id });
-    dbModule.create('project', { title: 'Bob Project',     user_id: user2.id });
+    const user1 = await dbModule.create('user', { name: 'Alice', email: 'alice@example.com', password: bcrypt.hashSync('pass1', 1) });
+    const user2 = await dbModule.create('user', { name: 'Bob',   email: 'bob@example.com',   password: bcrypt.hashSync('pass2', 1) });
+    await dbModule.create('project', { title: 'Alice Project 1', user_id: user1.id });
+    await dbModule.create('project', { title: 'Alice Project 2', user_id: user1.id });
+    await dbModule.create('project', { title: 'Bob Project',     user_id: user2.id });
 
     const selfFilter = { fk: 'user_id', userId: user1.id };
     const query = { [selfFilter.fk]: selfFilter.userId };
-    const result = dbModule.findAll('project', query, { perPage: 100 });
+    const result = await dbModule.findAll('project', query, { perPage: 100 });
 
     assert.strictEqual(result.total, 2, 'only Alice\'s projects returned');
     assert.ok(result.data.every((r) => r.user_id === user1.id));

package/test/api-keys.test.js

@@ -71,8 +71,8 @@ describe('API Keys', function () {
       initApiKeys, createApiKey, verifyApiKeyStr, listApiKeys, deleteApiKey,
     } = require('../core/auth');
 
-    it('createApiKey returns a key string and record', function () {
-      const { key, record } = createApiKey('user-1', 'Admin', { name: 'TestKey', permissions: ['read'], entities: [] });
+    it('createApiKey returns a key string and record', async function () {
+      const { key, record } = await createApiKey('user-1', 'Admin', { name: 'TestKey', permissions: ['read'], entities: [] });
       assert.ok(key.startsWith('cs_'), 'key should start with cs_');
       assert.strictEqual(key.length, 3 + 64, 'key should be cs_ + 64 hex chars');
       assert.strictEqual(record.name, 'TestKey');
@@ -82,38 +82,38 @@ describe('API Keys', function () {
       assert.ok(!record.keyHash, 'keyHash should not be in returned record');
     });
 
-    it('verifyApiKeyStr returns record for valid key', function () {
-      const { key } = createApiKey('user-2', 'Admin', { name: 'Verify' });
-      const record = verifyApiKeyStr(key);
+    it('verifyApiKeyStr returns record for valid key', async function () {
+      const { key } = await createApiKey('user-2', 'Admin', { name: 'Verify' });
+      const record = await verifyApiKeyStr(key);
       assert.ok(record, 'should return a record');
       assert.strictEqual(record.userId, 'user-2');
     });
 
-    it('verifyApiKeyStr returns null for wrong key', function () {
-      assert.strictEqual(verifyApiKeyStr('cs_notavalidkey'), null);
+    it('verifyApiKeyStr returns null for wrong key', async function () {
+      assert.strictEqual(await verifyApiKeyStr('cs_notavalidkey'), null);
     });
 
-    it('verifyApiKeyStr returns null for non-cs_ prefixed string', function () {
-      assert.strictEqual(verifyApiKeyStr('eyJhbGciOiJIUzI1NiJ9.x.y'), null);
+    it('verifyApiKeyStr returns null for non-cs_ prefixed string', async function () {
+      assert.strictEqual(await verifyApiKeyStr('eyJhbGciOiJIUzI1NiJ9.x.y'), null);
     });
 
-    it('verifyApiKeyStr returns null for expired key', function () {
+    it('verifyApiKeyStr returns null for expired key', async function () {
       const pastDate = new Date(Date.now() - 1000).toISOString();
-      const { key } = createApiKey('user-3', 'Admin', { expiresAt: pastDate });
-      assert.strictEqual(verifyApiKeyStr(key), null, 'expired key should return null');
+      const { key } = await createApiKey('user-3', 'Admin', { expiresAt: pastDate });
+      assert.strictEqual(await verifyApiKeyStr(key), null, 'expired key should return null');
     });
 
-    it('listApiKeys returns user keys', function () {
-      const { key } = createApiKey('user-list', 'Admin', { name: 'ListKey' });
-      const keys = listApiKeys('user-list', 'Admin');
+    it('listApiKeys returns user keys', async function () {
+      await createApiKey('user-list', 'Admin', { name: 'ListKey' });
+      const keys = await listApiKeys('user-list', 'Admin');
       assert.ok(keys.length >= 1);
       assert.ok(keys.every((k) => !k.keyHash), 'keyHash should be stripped');
     });
 
-    it('deleteApiKey removes the key', function () {
-      const { record } = createApiKey('user-del', 'Admin', { name: 'ToDelete' });
-      deleteApiKey(record.id);
-      const verifiedAfterDelete = listApiKeys('user-del', 'Admin').find((k) => k.id === record.id);
+    it('deleteApiKey removes the key', async function () {
+      const { record } = await createApiKey('user-del', 'Admin', { name: 'ToDelete' });
+      await deleteApiKey(record.id);
+      const verifiedAfterDelete = (await listApiKeys('user-del', 'Admin')).find((k) => k.id === record.id);
       assert.ok(!verifiedAfterDelete, 'key should be deleted');
     });
   });
@@ -123,23 +123,23 @@ describe('API Keys', function () {
   describe('resolveAuthHeader', function () {
     const { resolveAuthHeader, signToken, createApiKey } = require('../core/auth');
 
-    it('resolves JWT Bearer tokens', function () {
+    it('resolves JWT Bearer tokens', async function () {
       const token = signToken({ id: 'u1', entity: 'Admin' });
-      const { user, error } = resolveAuthHeader(`Bearer ${token}`);
+      const { user, error } = await resolveAuthHeader(`Bearer ${token}`);
       assert.ok(user);
       assert.strictEqual(user.id, 'u1');
       assert.strictEqual(error, null);
     });
 
-    it('returns error for no header', function () {
-      const { user, error } = resolveAuthHeader(undefined);
+    it('returns error for no header', async function () {
+      const { user, error } = await resolveAuthHeader(undefined);
       assert.ok(!user);
       assert.strictEqual(error, 'no_header');
     });
 
-    it('resolves API key Bearer tokens', function () {
-      const { key } = createApiKey('u-resolve', 'Admin', { permissions: ['read'], entities: ['posts'] });
-      const { user, apiKeyPermissions, error } = resolveAuthHeader(`Bearer ${key}`);
+    it('resolves API key Bearer tokens', async function () {
+      const { key } = await createApiKey('u-resolve', 'Admin', { permissions: ['read'], entities: ['posts'] });
+      const { user, apiKeyPermissions, error } = await resolveAuthHeader(`Bearer ${key}`);
       assert.ok(user);
       assert.strictEqual(user.id, 'u-resolve');
       assert.strictEqual(error, null);
@@ -147,8 +147,8 @@ describe('API Keys', function () {
       assert.deepStrictEqual(apiKeyPermissions.entities, ['posts']);
     });
 
-    it('returns error for invalid token', function () {
-      const { user, error } = resolveAuthHeader('Bearer bad-token-here');
+    it('returns error for invalid token', async function () {
+      const { user, error } = await resolveAuthHeader('Bearer bad-token-here');
       assert.ok(!user);
       assert.strictEqual(error, 'invalid_token');
     });

package/test/auth.test.js

@@ -27,94 +27,94 @@ describe('auth', () => {
 });
 
 describe('auth – middleware', () => {
-  it('requireAuth: 401 when no Authorization header', () => {
+  it('requireAuth: 401 when no Authorization header', async () => {
     const mw  = requireAuth();
     const req = mockReq();
     const res = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.strictEqual(res._status, 401);
     assert.ok(!nextCalled);
   });
 
-  it('requireAuth: 401 when header lacks Bearer prefix', () => {
+  it('requireAuth: 401 when header lacks Bearer prefix', async () => {
     const mw  = requireAuth();
     const req = mockReq({ authorization: 'Basic abc123' });
     const res = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.strictEqual(res._status, 401);
     assert.ok(!nextCalled);
   });
 
-  it('requireAuth: 401 for invalid token', () => {
+  it('requireAuth: 401 for invalid token', async () => {
     const mw  = requireAuth();
     const req = mockReq({ authorization: 'Bearer not-a-valid-jwt' });
     const res = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.strictEqual(res._status, 401);
     assert.ok(!nextCalled);
   });
 
-  it('requireAuth: 403 when entity does not match', () => {
+  it('requireAuth: 403 when entity does not match', async () => {
     const token = signToken({ id: 'u1', entity: 'Admin' });
     const mw    = requireAuth('User');
     const req   = mockReq({ authorization: `Bearer ${token}` });
     const res   = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.strictEqual(res._status, 403);
     assert.ok(!nextCalled);
   });
 
-  it('requireAuth: sets req.user and calls next for valid token (with entity filter)', () => {
+  it('requireAuth: sets req.user and calls next for valid token (with entity filter)', async () => {
     const token = signToken({ id: 'u2', entity: 'Admin' });
     const mw    = requireAuth('Admin');
     const req   = mockReq({ authorization: `Bearer ${token}` });
     const res   = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.ok(nextCalled);
     assert.strictEqual(req.user.id, 'u2');
     assert.strictEqual(req.user.entity, 'Admin');
   });
 
-  it('requireAuth: sets req.user and calls next without entity filter', () => {
+  it('requireAuth: sets req.user and calls next without entity filter', async () => {
     const token = signToken({ id: 'u3', entity: 'Member' });
     const mw    = requireAuth();
     const req   = mockReq({ authorization: `Bearer ${token}` });
     const res   = mockRes();
     let nextCalled = false;
-    mw(req, res, () => { nextCalled = true; });
+    await mw(req, res, () => { nextCalled = true; });
     assert.ok(nextCalled);
     assert.strictEqual(req.user.entity, 'Member');
   });
 
-  it('optionalAuth: calls next without user when no header', () => {
+  it('optionalAuth: calls next without user when no header', async () => {
     const req = mockReq();
     const res = mockRes();
     let nextCalled = false;
-    optionalAuth(req, res, () => { nextCalled = true; });
+    await optionalAuth(req, res, () => { nextCalled = true; });
     assert.ok(nextCalled);
     assert.ok(!req.user);
   });
 
-  it('optionalAuth: calls next without user when token is invalid', () => {
+  it('optionalAuth: calls next without user when token is invalid', async () => {
     const req = mockReq({ authorization: 'Bearer bad-token' });
     const res = mockRes();
     let nextCalled = false;
-    optionalAuth(req, res, () => { nextCalled = true; });
+    await optionalAuth(req, res, () => { nextCalled = true; });
     assert.ok(nextCalled);
     assert.ok(!req.user);
   });
 
-  it('optionalAuth: sets req.user when token is valid', () => {
+  it('optionalAuth: sets req.user when token is valid', async () => {
     const token = signToken({ id: 'u4', entity: 'Guest' });
     const req   = mockReq({ authorization: `Bearer ${token}` });
     const res   = mockRes();
     let nextCalled = false;
-    optionalAuth(req, res, () => { nextCalled = true; });
+    await optionalAuth(req, res, () => { nextCalled = true; });
     assert.ok(nextCalled);
     assert.strictEqual(req.user.id, 'u4');
     assert.strictEqual(req.user.entity, 'Guest');