chadstart 1.0.5 → 1.0.6

package/test/logs.test.js

@@ -0,0 +1,239 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const { initLogs, insertLog, queryLogs, cleanupOldLogs, requestLoggerMiddleware } = require('../core/logs');
+const { validateSchema } = require('../core/schema-validator');
+
+// ── Logs module ──────────────────────────────────────────────────────────
+
+describe('logs module', () => {
+  let tmpDb;
+  const core = buildCore({ name: 'LogTest', entities: { Widget: { properties: ['name'] } } });
+
+  before(async () => {
+    tmpDb = path.join(os.tmpdir(), `chadstart-logs-${Date.now()}.db`);
+    await dbModule.initDb(core, tmpDb);
+    await initLogs();
+  });
+
+  after(() => { try { fs.unlinkSync(tmpDb); } catch { /* noop */ } });
+
+  it('initLogs creates _cs_logs table', () => {
+    const tables = dbModule.getDb().prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='_cs_logs'").all();
+    assert.ok(tables.length > 0, '_cs_logs table should exist');
+  });
+
+  it('insertLog inserts a record', async () => {
+    await insertLog({
+      method: 'GET',
+      path: '/api/collections/widgets',
+      statusCode: 200,
+      duration: 42,
+      ip: '127.0.0.1',
+    });
+    const result = await queryLogs();
+    assert.ok(result.data.length >= 1);
+    assert.strictEqual(result.data[0].method, 'GET');
+    assert.strictEqual(result.data[0].statusCode, 200);
+  });
+
+  it('insertLog with user info', async () => {
+    await insertLog({
+      method: 'POST',
+      path: '/api/auth/admin/login',
+      statusCode: 200,
+      duration: 100,
+      ip: '192.168.1.1',
+      userId: 'user-123',
+      userEntity: 'Admin',
+    });
+    const result = await queryLogs({ method: 'POST' });
+    const log = result.data.find((l) => l.userId === 'user-123');
+    assert.ok(log);
+    assert.strictEqual(log.userEntity, 'Admin');
+  });
+
+  it('queryLogs returns paginated results', async () => {
+    // Insert several logs
+    for (let i = 0; i < 5; i++) {
+      await insertLog({ method: 'GET', path: `/api/test/${i}`, statusCode: 200, duration: 10 });
+    }
+    const result = await queryLogs({}, { page: 1, perPage: 3 });
+    assert.ok(result.data.length <= 3);
+    assert.strictEqual(result.perPage, 3);
+    assert.strictEqual(result.currentPage, 1);
+    assert.ok(result.total >= 5);
+  });
+
+  it('queryLogs filters by method', async () => {
+    await insertLog({ method: 'DELETE', path: '/api/delete-test', statusCode: 204, duration: 5 });
+    const result = await queryLogs({ method: 'DELETE' });
+    assert.ok(result.data.length >= 1);
+    assert.ok(result.data.every((l) => l.method === 'DELETE'));
+  });
+
+  it('queryLogs filters by statusCode', async () => {
+    await insertLog({ method: 'GET', path: '/api/not-found', statusCode: 404, duration: 1 });
+    const result = await queryLogs({ statusCode: 404 });
+    assert.ok(result.data.length >= 1);
+    assert.ok(result.data.every((l) => l.statusCode === 404));
+  });
+
+  it('queryLogs filters by path', async () => {
+    await insertLog({ method: 'GET', path: '/api/collections/unique-path', statusCode: 200, duration: 1 });
+    const result = await queryLogs({ path: 'unique-path' });
+    assert.ok(result.data.length >= 1);
+    assert.ok(result.data.every((l) => l.path.includes('unique-path')));
+  });
+
+  it('queryLogs filters by date range', async () => {
+    const now = new Date();
+    const from = new Date(now - 60 * 1000).toISOString(); // 1 min ago
+    const to = new Date(now.getTime() + 60 * 1000).toISOString(); // 1 min ahead
+    const result = await queryLogs({ from, to });
+    assert.ok(result.data.length >= 1);
+  });
+
+  it('queryLogs respects order parameter', async () => {
+    const resultAsc = await queryLogs({}, { order: 'ASC' });
+    const resultDesc = await queryLogs({}, { order: 'DESC' });
+    if (resultAsc.data.length > 1 && resultDesc.data.length > 1) {
+      // ASC: oldest first, DESC: newest first
+      assert.ok(resultAsc.data[0].createdAt <= resultAsc.data[resultAsc.data.length - 1].createdAt);
+      assert.ok(resultDesc.data[0].createdAt >= resultDesc.data[resultDesc.data.length - 1].createdAt);
+    }
+  });
+
+  it('cleanupOldLogs removes old entries', async () => {
+    // Insert a log with a manually backdated createdAt
+    const oldDate = new Date(Date.now() - 60 * 24 * 60 * 60 * 1000).toISOString(); // 60 days ago
+    await dbModule.queryRun(
+      `INSERT INTO "_cs_logs" ("id","method","path","statusCode","duration","ip","createdAt") VALUES (?,?,?,?,?,?,?)`,
+      ['old-log-id', 'GET', '/api/old', 200, 1, '127.0.0.1', oldDate]
+    );
+
+    // Verify it exists
+    const before = await dbModule.queryOne(
+      `SELECT * FROM "_cs_logs" WHERE "id" = ?`, ['old-log-id']
+    );
+    assert.ok(before);
+
+    // Cleanup logs older than 30 days
+    await cleanupOldLogs(30);
+
+    // Verify it's been deleted
+    const after = await dbModule.queryOne(
+      `SELECT * FROM "_cs_logs" WHERE "id" = ?`, ['old-log-id']
+    );
+    assert.ok(!after);
+  });
+
+  it('cleanupOldLogs keeps recent entries', async () => {
+    const beforeCount = (await queryLogs()).total;
+    await cleanupOldLogs(30);
+    const afterCount = (await queryLogs()).total;
+    // Recent entries should not be deleted
+    assert.ok(afterCount >= 1);
+  });
+
+  it('cleanupOldLogs with 0 days does nothing', async () => {
+    const beforeCount = (await queryLogs()).total;
+    const deleted = await cleanupOldLogs(0);
+    assert.strictEqual(deleted, 0);
+    const afterCount = (await queryLogs()).total;
+    assert.strictEqual(beforeCount, afterCount);
+  });
+});
+
+// ── requestLoggerMiddleware ──────────────────────────────────────────────
+
+describe('requestLoggerMiddleware', () => {
+  it('returns a function', () => {
+    const mw = requestLoggerMiddleware();
+    assert.strictEqual(typeof mw, 'function');
+  });
+
+  it('calls next()', (done) => {
+    const mw = requestLoggerMiddleware();
+    const mockReq = { method: 'GET', path: '/api/test', originalUrl: '/api/test', ip: '127.0.0.1', connection: {} };
+    const mockRes = {
+      statusCode: 200,
+      end: function (...args) {
+        // original end
+      },
+    };
+    mw(mockReq, mockRes, done);
+  });
+
+  it('skips excluded paths', (done) => {
+    const mw = requestLoggerMiddleware({ exclude: ['/health'] });
+    const mockReq = { method: 'GET', path: '/health', originalUrl: '/health', ip: '127.0.0.1' };
+    const mockRes = { statusCode: 200 };
+    mw(mockReq, mockRes, done);
+  });
+
+  it('skips excluded path prefixes', (done) => {
+    const mw = requestLoggerMiddleware({ exclude: ['/admin/vendor'] });
+    const mockReq = { method: 'GET', path: '/admin/vendor/htmx.min.js', originalUrl: '/admin/vendor/htmx.min.js' };
+    const mockRes = { statusCode: 200 };
+    mw(mockReq, mockRes, done);
+  });
+});
+
+// ── Schema validation ───────────────────────────────────────────────────
+
+describe('schema: logs', () => {
+  it('accepts config without logs section', () => {
+    assert.strictEqual(validateSchema({ name: 'App' }), true);
+  });
+
+  it('accepts logs with retention', () => {
+    assert.strictEqual(validateSchema({ name: 'App', logs: { retention: 7 } }), true);
+  });
+
+  it('accepts logs with exclude array', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      logs: { exclude: ['/health', '/admin/vendor'] },
+    }), true);
+  });
+
+  it('accepts empty logs object', () => {
+    assert.strictEqual(validateSchema({ name: 'App', logs: {} }), true);
+  });
+
+  it('rejects unknown logs key', () => {
+    assert.throws(() => validateSchema({
+      name: 'App',
+      logs: { verbose: true },
+    }));
+  });
+
+  it('rejects retention as string', () => {
+    assert.throws(() => validateSchema({
+      name: 'App',
+      logs: { retention: '30' },
+    }));
+  });
+});
+
+// ── buildCore: logs passthrough ─────────────────────────────────────────
+
+describe('buildCore: logs passthrough', () => {
+  it('exposes logs config when provided', () => {
+    const core = buildCore({ name: 'App', logs: { retention: 7, exclude: ['/health'] } });
+    assert.ok(core.logs);
+    assert.strictEqual(core.logs.retention, 7);
+    assert.deepStrictEqual(core.logs.exclude, ['/health']);
+  });
+
+  it('sets logs to null when not provided', () => {
+    const core = buildCore({ name: 'App' });
+    assert.strictEqual(core.logs, null);
+  });
+});

package/test/verification.test.js

@@ -0,0 +1,439 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const {
+  signToken, verifyToken, omitPassword, generateSecureToken,
+} = require('../core/auth');
+const { validateSchema } = require('../core/schema-validator');
+const { generateOpenApiSpec } = require('../core/openapi');
+
+// ── Helper: mock Express request/response ──────────────────────────────────
+
+function mockReq(headers = {}, body = {}) {
+  return { headers, body, user: undefined };
+}
+
+function mockRes() {
+  const r = { _status: 200, _body: undefined };
+  r.status = (s) => { r._status = s; return r; };
+  r.json   = (b) => { r._body  = b; };
+  return r;
+}
+
+// ── generateSecureToken ─────────────────────────────────────────────────
+
+describe('generateSecureToken', () => {
+  it('generates a 64-char hex string', () => {
+    const t = generateSecureToken();
+    assert.strictEqual(typeof t, 'string');
+    assert.strictEqual(t.length, 64);
+    assert.ok(/^[a-f0-9]+$/.test(t));
+  });
+
+  it('generates unique tokens', () => {
+    const a = generateSecureToken();
+    const b = generateSecureToken();
+    assert.notStrictEqual(a, b);
+  });
+});
+
+// ── omitPassword (updated to strip internal auth fields) ────────────────
+
+describe('omitPassword – extended', () => {
+  it('strips password field', () => {
+    assert.ok(!('password' in omitPassword({ id: '1', password: 'x', email: 'a@b.com' })));
+  });
+
+  it('strips emailVerificationToken', () => {
+    assert.ok(!('emailVerificationToken' in omitPassword({ id: '1', emailVerificationToken: 'tok' })));
+  });
+
+  it('strips passwordResetToken', () => {
+    assert.ok(!('passwordResetToken' in omitPassword({ id: '1', passwordResetToken: 'tok' })));
+  });
+
+  it('strips passwordResetExpiry', () => {
+    assert.ok(!('passwordResetExpiry' in omitPassword({ id: '1', passwordResetExpiry: '2025-01-01' })));
+  });
+
+  it('preserves emailVerified', () => {
+    const u = omitPassword({ id: '1', emailVerified: 1, password: 'x' });
+    assert.strictEqual(u.emailVerified, 1);
+    assert.ok(!('password' in u));
+  });
+
+  it('preserves other fields', () => {
+    const u = omitPassword({ id: '1', email: 'a@b.com', name: 'Test', password: 'x', emailVerificationToken: 'y' });
+    assert.strictEqual(u.email, 'a@b.com');
+    assert.strictEqual(u.name, 'Test');
+  });
+});
+
+// ── Entity engine: requireEmailVerification ─────────────────────────────
+
+describe('entity-engine: requireEmailVerification', () => {
+  it('defaults to false', () => {
+    const core = buildCore({ name: 'App', entities: { User: { authenticable: true, properties: ['name'] } } });
+    assert.strictEqual(core.entities.User.requireEmailVerification, false);
+  });
+
+  it('sets to true when configured', () => {
+    const core = buildCore({
+      name: 'App',
+      entities: { User: { authenticable: true, requireEmailVerification: true, properties: ['name'] } },
+    });
+    assert.strictEqual(core.entities.User.requireEmailVerification, true);
+  });
+
+  it('non-authenticable entities still parse the flag (but it has no effect)', () => {
+    const core = buildCore({
+      name: 'App',
+      entities: { Post: { requireEmailVerification: true, properties: ['title'] } },
+    });
+    // The flag is stored even on non-auth entities, but only auth routes check it
+    assert.strictEqual(core.entities.Post.requireEmailVerification, true);
+  });
+});
+
+// ── Schema validation: requireEmailVerification ─────────────────────────
+
+describe('schema: requireEmailVerification', () => {
+  it('accepts entity with requireEmailVerification: true', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      entities: { User: { authenticable: true, requireEmailVerification: true, properties: ['name'] } },
+    }), true);
+  });
+
+  it('accepts entity with requireEmailVerification: false', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      entities: { User: { authenticable: true, requireEmailVerification: false, properties: ['name'] } },
+    }), true);
+  });
+
+  it('accepts entity without requireEmailVerification', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      entities: { User: { authenticable: true, properties: ['name'] } },
+    }), true);
+  });
+});
+
+// ── DB: authenticable columns ───────────────────────────────────────────
+
+describe('db – verification/reset columns', () => {
+  let tmpDb;
+  const core = buildCore({
+    name: 'T',
+    entities: { User: { authenticable: true, properties: ['name'] } },
+  });
+
+  before(async () => {
+    tmpDb = path.join(os.tmpdir(), `chadstart-verif-${Date.now()}.db`);
+    await dbModule.initDb(core, tmpDb);
+  });
+
+  after(() => { try { fs.unlinkSync(tmpDb); } catch { /* noop */ } });
+
+  it('has emailVerified column', () => {
+    const cols = dbModule.getDb().pragma('table_info("user")').map((r) => r.name);
+    assert.ok(cols.includes('emailVerified'), 'missing emailVerified column');
+  });
+
+  it('has emailVerificationToken column', () => {
+    const cols = dbModule.getDb().pragma('table_info("user")').map((r) => r.name);
+    assert.ok(cols.includes('emailVerificationToken'), 'missing emailVerificationToken column');
+  });
+
+  it('has passwordResetToken column', () => {
+    const cols = dbModule.getDb().pragma('table_info("user")').map((r) => r.name);
+    assert.ok(cols.includes('passwordResetToken'), 'missing passwordResetToken column');
+  });
+
+  it('has passwordResetExpiry column', () => {
+    const cols = dbModule.getDb().pragma('table_info("user")').map((r) => r.name);
+    assert.ok(cols.includes('passwordResetExpiry'), 'missing passwordResetExpiry column');
+  });
+
+  it('emailVerified defaults to 0', async () => {
+    const user = await dbModule.create('user', {
+      email: 'vertest@example.com',
+      password: 'hash',
+    });
+    assert.strictEqual(user.emailVerified, 0);
+  });
+
+  it('can update emailVerified to 1', async () => {
+    const user = await dbModule.create('user', {
+      email: 'vertest2@example.com',
+      password: 'hash',
+    });
+    const updated = await dbModule.update('user', user.id, { emailVerified: 1 });
+    assert.strictEqual(updated.emailVerified, 1);
+  });
+
+  it('can store and query verification token', async () => {
+    const token = generateSecureToken();
+    const user = await dbModule.create('user', {
+      email: 'vertest3@example.com',
+      password: 'hash',
+      emailVerificationToken: token,
+    });
+    const found = (await dbModule.findAllSimple('user', { emailVerificationToken: token }))[0];
+    assert.ok(found);
+    assert.strictEqual(found.id, user.id);
+  });
+
+  it('can store and query password reset token', async () => {
+    const token = generateSecureToken();
+    const expiry = new Date(Date.now() + 3600000).toISOString();
+    const user = await dbModule.create('user', {
+      email: 'vertest4@example.com',
+      password: 'hash',
+      passwordResetToken: token,
+      passwordResetExpiry: expiry,
+    });
+    const found = (await dbModule.findAllSimple('user', { passwordResetToken: token }))[0];
+    assert.ok(found);
+    assert.strictEqual(found.id, user.id);
+    assert.ok(found.passwordResetExpiry);
+  });
+
+  it('can clear tokens by setting to null', async () => {
+    const token = generateSecureToken();
+    const user = await dbModule.create('user', {
+      email: 'vertest5@example.com',
+      password: 'hash',
+      emailVerificationToken: token,
+    });
+    await dbModule.update('user', user.id, { emailVerificationToken: null });
+    const updated = await dbModule.findById('user', user.id);
+    assert.strictEqual(updated.emailVerificationToken, null);
+  });
+});
+
+// ── OpenAPI: verification/reset endpoints ───────────────────────────────
+
+describe('openapi: verification/reset endpoints', () => {
+  const core = buildCore({
+    name: 'App',
+    entities: { User: { authenticable: true, properties: ['name'] } },
+  });
+  const spec = generateOpenApiSpec(core);
+
+  it('includes request-verification endpoint', () => {
+    assert.ok(spec.paths['/api/auth/user/request-verification']);
+    assert.ok(spec.paths['/api/auth/user/request-verification'].post);
+  });
+
+  it('includes confirm-verification endpoint', () => {
+    assert.ok(spec.paths['/api/auth/user/confirm-verification']);
+    assert.ok(spec.paths['/api/auth/user/confirm-verification'].post);
+  });
+
+  it('includes request-password-reset endpoint', () => {
+    assert.ok(spec.paths['/api/auth/user/request-password-reset']);
+    assert.ok(spec.paths['/api/auth/user/request-password-reset'].post);
+  });
+
+  it('includes confirm-password-reset endpoint', () => {
+    assert.ok(spec.paths['/api/auth/user/confirm-password-reset']);
+    assert.ok(spec.paths['/api/auth/user/confirm-password-reset'].post);
+  });
+
+  it('login response includes 403 for email not verified', () => {
+    const loginPath = spec.paths['/api/auth/user/login'];
+    assert.ok(loginPath.post.responses['403']);
+  });
+
+  it('user schema includes emailVerified', () => {
+    assert.ok(spec.components.schemas.User.properties.emailVerified);
+    assert.strictEqual(spec.components.schemas.User.properties.emailVerified.type, 'boolean');
+  });
+
+  it('confirm-verification has token in request body', () => {
+    const ep = spec.paths['/api/auth/user/confirm-verification'].post;
+    assert.ok(ep.requestBody);
+    const schema = ep.requestBody.content['application/json'].schema;
+    assert.ok(schema.properties.token);
+  });
+
+  it('confirm-password-reset has token and password in request body', () => {
+    const ep = spec.paths['/api/auth/user/confirm-password-reset'].post;
+    assert.ok(ep.requestBody);
+    const schema = ep.requestBody.content['application/json'].schema;
+    assert.ok(schema.properties.token);
+    assert.ok(schema.properties.password);
+  });
+
+  // Admin entity should also have the endpoints
+  it('includes admin verification endpoints', () => {
+    assert.ok(spec.paths['/api/auth/admin/request-verification']);
+    assert.ok(spec.paths['/api/auth/admin/confirm-verification']);
+    assert.ok(spec.paths['/api/auth/admin/request-password-reset']);
+    assert.ok(spec.paths['/api/auth/admin/confirm-password-reset']);
+  });
+});
+
+// ── Integration: full verification + password reset flows ───────────────
+
+describe('auth integration – email verification flow', () => {
+  let tmpDb;
+  const bcrypt = require('bcryptjs');
+  const core = buildCore({
+    name: 'TestApp',
+    entities: { User: { authenticable: true, requireEmailVerification: true, properties: ['name'] } },
+  });
+
+  before(async () => {
+    tmpDb = path.join(os.tmpdir(), `chadstart-auth-flow-${Date.now()}.db`);
+    await dbModule.initDb(core, tmpDb);
+  });
+
+  after(() => { try { fs.unlinkSync(tmpDb); } catch { /* noop */ } });
+
+  it('signup creates user with emailVerified=0 and generates token', async () => {
+    const pw = await bcrypt.hash('testpass', 10);
+    const user = await dbModule.create('user', {
+      email: 'flow1@example.com',
+      password: pw,
+      emailVerified: 0,
+      emailVerificationToken: generateSecureToken(),
+    });
+    assert.strictEqual(user.emailVerified, 0);
+    assert.ok(user.emailVerificationToken);
+    assert.strictEqual(user.emailVerificationToken.length, 64);
+  });
+
+  it('confirm-verification: can verify email with valid token', async () => {
+    const token = generateSecureToken();
+    const pw = await bcrypt.hash('testpass', 10);
+    const user = await dbModule.create('user', {
+      email: 'flow2@example.com',
+      password: pw,
+      emailVerified: 0,
+      emailVerificationToken: token,
+    });
+
+    // Simulate confirm-verification
+    const found = (await dbModule.findAllSimple('user', { emailVerificationToken: token }))[0];
+    assert.ok(found);
+    assert.strictEqual(found.id, user.id);
+
+    await dbModule.update('user', user.id, { emailVerified: 1, emailVerificationToken: null });
+    const updated = await dbModule.findById('user', user.id);
+    assert.strictEqual(updated.emailVerified, 1);
+    assert.strictEqual(updated.emailVerificationToken, null);
+  });
+
+  it('confirm-verification: returns null for invalid token', async () => {
+    const found = (await dbModule.findAllSimple('user', { emailVerificationToken: 'nonexistent-token-12345' }))[0];
+    assert.ok(!found);
+  });
+
+  it('request-verification: can regenerate token', async () => {
+    const token1 = generateSecureToken();
+    const pw = await bcrypt.hash('testpass', 10);
+    const user = await dbModule.create('user', {
+      email: 'flow3@example.com',
+      password: pw,
+      emailVerified: 0,
+      emailVerificationToken: token1,
+    });
+
+    const token2 = generateSecureToken();
+    await dbModule.update('user', user.id, { emailVerificationToken: token2 });
+    const updated = await dbModule.findById('user', user.id);
+    assert.strictEqual(updated.emailVerificationToken, token2);
+    assert.notStrictEqual(token1, token2);
+  });
+});
+
+describe('auth integration – password reset flow', () => {
+  let tmpDb;
+  const bcrypt = require('bcryptjs');
+  const core = buildCore({
+    name: 'TestApp',
+    entities: { User: { authenticable: true, properties: ['name'] } },
+  });
+
+  before(async () => {
+    tmpDb = path.join(os.tmpdir(), `chadstart-reset-flow-${Date.now()}.db`);
+    await dbModule.initDb(core, tmpDb);
+  });
+
+  after(() => { try { fs.unlinkSync(tmpDb); } catch { /* noop */ } });
+
+  it('request-password-reset: creates token and expiry', async () => {
+    const pw = await bcrypt.hash('oldpass', 10);
+    const user = await dbModule.create('user', {
+      email: 'reset1@example.com',
+      password: pw,
+    });
+
+    const token = generateSecureToken();
+    const expiry = new Date(Date.now() + 3600000).toISOString();
+    await dbModule.update('user', user.id, { passwordResetToken: token, passwordResetExpiry: expiry });
+
+    const updated = await dbModule.findById('user', user.id);
+    assert.strictEqual(updated.passwordResetToken, token);
+    assert.ok(updated.passwordResetExpiry);
+  });
+
+  it('confirm-password-reset: updates password and clears token', async () => {
+    const pw = await bcrypt.hash('oldpass', 10);
+    const token = generateSecureToken();
+    const expiry = new Date(Date.now() + 3600000).toISOString();
+    const user = await dbModule.create('user', {
+      email: 'reset2@example.com',
+      password: pw,
+      passwordResetToken: token,
+      passwordResetExpiry: expiry,
+    });
+
+    // Simulate confirm
+    const found = (await dbModule.findAllSimple('user', { passwordResetToken: token }))[0];
+    assert.ok(found);
+    assert.ok(new Date(found.passwordResetExpiry) > new Date());
+
+    const newPw = await bcrypt.hash('newpass', 10);
+    await dbModule.update('user', user.id, {
+      password: newPw,
+      passwordResetToken: null,
+      passwordResetExpiry: null,
+    });
+
+    const updated = await dbModule.findById('user', user.id);
+    assert.strictEqual(updated.passwordResetToken, null);
+    assert.strictEqual(updated.passwordResetExpiry, null);
+    assert.ok(await bcrypt.compare('newpass', updated.password));
+  });
+
+  it('confirm-password-reset: rejects expired token', async () => {
+    const pw = await bcrypt.hash('oldpass', 10);
+    const token = generateSecureToken();
+    const expiry = new Date(Date.now() - 1000).toISOString(); // Already expired
+    const user = await dbModule.create('user', {
+      email: 'reset3@example.com',
+      password: pw,
+      passwordResetToken: token,
+      passwordResetExpiry: expiry,
+    });
+
+    const found = (await dbModule.findAllSimple('user', { passwordResetToken: token }))[0];
+    assert.ok(found);
+    // Token found but expired
+    assert.ok(new Date(found.passwordResetExpiry) < new Date());
+  });
+
+  it('confirm-password-reset: returns null for invalid token', async () => {
+    const found = (await dbModule.findAllSimple('user', { passwordResetToken: 'nonexistent-token' }))[0];
+    assert.ok(!found);
+  });
+});