create-nodejs-express-starter 1.7.0

package/tests/integration/auth.test.js

@@ -0,0 +1,587 @@
+const request = require('supertest');
+const { faker } = require('@faker-js/faker');
+const httpStatus = require('http-status');
+const httpMocks = require('node-mocks-http');
+const moment = require('moment');
+const bcrypt = require('bcryptjs');
+const app = require('../../src/app');
+const config = require('../../src/config/config');
+const auth = require('../../src/middlewares/auth');
+const { tokenService, emailService } = require('../../src/services');
+const ApiError = require('../../src/utils/ApiError');
+const setupTestDB = require('../utils/setupTestDB');
+const { User, Token } = require('../../src/models');
+const { roleRights } = require('../../src/config/roles');
+const { tokenTypes } = require('../../src/config/tokens');
+const { userOne, admin, insertUsers } = require('../fixtures/user.fixture');
+const { userOneAccessToken, adminAccessToken } = require('../fixtures/token.fixture');
+
+setupTestDB();
+
+describe('Auth routes', () => {
+  describe('POST /v1/auth/register', () => {
+    let newUser;
+    beforeEach(() => {
+      newUser = {
+        name: faker.person.fullName(),
+        email: faker.internet.email().toLowerCase(),
+        password: 'password1',
+      };
+    });
+
+    test('should return 201 and successfully register user if request data is ok', async () => {
+      const res = await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.CREATED);
+
+      expect(res.body.user).not.toHaveProperty('password');
+      expect(res.body.user).toEqual({
+        id: expect.anything(),
+        name: newUser.name,
+        email: newUser.email,
+        role: 'user',
+        isEmailVerified: false,
+      });
+
+      const dbUser = await User.findById(res.body.user.id);
+      expect(dbUser).toBeDefined();
+      expect(dbUser.password).not.toBe(newUser.password);
+      expect(dbUser).toMatchObject({ name: newUser.name, email: newUser.email, role: 'user', isEmailVerified: false });
+
+      expect(res.body.tokens).toEqual({
+        access: { token: expect.anything(), expires: expect.anything() },
+        refresh: { token: expect.anything(), expires: expect.anything() },
+      });
+    });
+
+    test('should return 400 error if email is invalid', async () => {
+      newUser.email = 'invalidEmail';
+
+      await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 400 error if email is already used', async () => {
+      await insertUsers([userOne]);
+      newUser.email = userOne.email;
+
+      await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 400 error if password length is less than 8 characters', async () => {
+      newUser.password = 'passwo1';
+
+      await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 400 error if password does not contain both letters and numbers', async () => {
+      newUser.password = 'password';
+
+      await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.BAD_REQUEST);
+
+      newUser.password = '11111111';
+
+      await request(app).post('/v1/auth/register').send(newUser).expect(httpStatus.BAD_REQUEST);
+    });
+  });
+
+  describe('POST /v1/auth/login', () => {
+    test('should return 200 and login user if email and password match', async () => {
+      await insertUsers([userOne]);
+      const loginCredentials = {
+        email: userOne.email,
+        password: userOne.password,
+      };
+
+      const res = await request(app).post('/v1/auth/login').send(loginCredentials).expect(httpStatus.OK);
+
+      expect(res.body.user).toEqual({
+        id: expect.anything(),
+        name: userOne.name,
+        email: userOne.email,
+        role: userOne.role,
+        isEmailVerified: userOne.isEmailVerified,
+      });
+
+      expect(res.body.tokens).toEqual({
+        access: { token: expect.anything(), expires: expect.anything() },
+        refresh: { token: expect.anything(), expires: expect.anything() },
+      });
+    });
+
+    test('should return 401 error if there are no users with that email', async () => {
+      const loginCredentials = {
+        email: userOne.email,
+        password: userOne.password,
+      };
+
+      const res = await request(app).post('/v1/auth/login').send(loginCredentials).expect(httpStatus.UNAUTHORIZED);
+
+      expect(res.body).toMatchObject({ code: httpStatus.UNAUTHORIZED, message: 'Incorrect email or password' });
+    });
+
+    test('should return 401 error if password is wrong', async () => {
+      await insertUsers([userOne]);
+      const loginCredentials = {
+        email: userOne.email,
+        password: 'wrongPassword1',
+      };
+
+      const res = await request(app).post('/v1/auth/login').send(loginCredentials).expect(httpStatus.UNAUTHORIZED);
+
+      expect(res.body).toMatchObject({ code: httpStatus.UNAUTHORIZED, message: 'Incorrect email or password' });
+    });
+  });
+
+  describe('POST /v1/auth/logout', () => {
+    test('should return 204 if refresh token is valid', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/logout').send({ refreshToken }).expect(httpStatus.NO_CONTENT);
+
+      const dbRefreshTokenDoc = await Token.findOne({ token: refreshToken });
+      expect(dbRefreshTokenDoc).toBe(null);
+    });
+
+    test('should return 400 error if refresh token is missing from request body', async () => {
+      await request(app).post('/v1/auth/logout').send().expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 404 error if refresh token is not found in the database', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/logout').send({ refreshToken }).expect(httpStatus.NOT_FOUND);
+    });
+
+    test('should return 404 error if refresh token is blacklisted', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH, true);
+
+      await request(app).post('/v1/auth/logout').send({ refreshToken }).expect(httpStatus.NOT_FOUND);
+    });
+  });
+
+  describe('POST /v1/auth/refresh-tokens', () => {
+    test('should return 200 and new auth tokens if refresh token is valid', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH);
+
+      const res = await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.OK);
+
+      expect(res.body).toEqual({
+        access: { token: expect.anything(), expires: expect.anything() },
+        refresh: { token: expect.anything(), expires: expect.anything() },
+      });
+
+      const dbRefreshTokenDoc = await Token.findOne({ token: res.body.refresh.token });
+      expect(dbRefreshTokenDoc).toMatchObject({ type: tokenTypes.REFRESH, user: userOne._id, blacklisted: false });
+
+      const dbRefreshTokenCount = await Token.countDocuments();
+      expect(dbRefreshTokenCount).toBe(1);
+    });
+
+    test('should return 400 error if refresh token is missing from request body', async () => {
+      await request(app).post('/v1/auth/refresh-tokens').send().expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 401 error if refresh token is signed using an invalid secret', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH, 'invalidSecret');
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 error if refresh token is not found in the database', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 error if refresh token is blacklisted', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH, true);
+
+      await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 error if refresh token is expired', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().subtract(1, 'minutes');
+      const refreshToken = tokenService.generateToken(userOne._id, expires);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 error if user is not found', async () => {
+      const expires = moment().add(config.jwt.refreshExpirationDays, 'days');
+      const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+      await tokenService.saveToken(refreshToken, userOne._id, expires, tokenTypes.REFRESH);
+
+      await request(app).post('/v1/auth/refresh-tokens').send({ refreshToken }).expect(httpStatus.UNAUTHORIZED);
+    });
+  });
+
+  describe('POST /v1/auth/forgot-password', () => {
+    beforeEach(() => {
+      jest.spyOn(emailService.transport, 'sendMail').mockResolvedValue();
+    });
+
+    test('should return 204 and send reset password email to the user', async () => {
+      await insertUsers([userOne]);
+      const sendResetPasswordEmailSpy = jest.spyOn(emailService, 'sendResetPasswordEmail');
+
+      await request(app).post('/v1/auth/forgot-password').send({ email: userOne.email }).expect(httpStatus.NO_CONTENT);
+
+      expect(sendResetPasswordEmailSpy).toHaveBeenCalledWith(userOne.email, expect.any(String));
+      const resetPasswordToken = sendResetPasswordEmailSpy.mock.calls[0][1];
+      const dbResetPasswordTokenDoc = await Token.findOne({ token: resetPasswordToken, user: userOne._id });
+      expect(dbResetPasswordTokenDoc).toBeDefined();
+    });
+
+    test('should return 400 if email is missing', async () => {
+      await insertUsers([userOne]);
+
+      await request(app).post('/v1/auth/forgot-password').send().expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 404 if email does not belong to any user', async () => {
+      await request(app).post('/v1/auth/forgot-password').send({ email: userOne.email }).expect(httpStatus.NOT_FOUND);
+    });
+  });
+
+  describe('POST /v1/auth/reset-password', () => {
+    test('should return 204 and reset the password', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.resetPasswordExpirationMinutes, 'minutes');
+      const resetPasswordToken = tokenService.generateToken(userOne._id, expires, tokenTypes.RESET_PASSWORD);
+      await tokenService.saveToken(resetPasswordToken, userOne._id, expires, tokenTypes.RESET_PASSWORD);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'password2' })
+        .expect(httpStatus.NO_CONTENT);
+
+      const dbUser = await User.findById(userOne._id);
+      const isPasswordMatch = await bcrypt.compare('password2', dbUser.password);
+      expect(isPasswordMatch).toBe(true);
+
+      const dbResetPasswordTokenCount = await Token.countDocuments({ user: userOne._id, type: tokenTypes.RESET_PASSWORD });
+      expect(dbResetPasswordTokenCount).toBe(0);
+    });
+
+    test('should return 400 if reset password token is missing', async () => {
+      await insertUsers([userOne]);
+
+      await request(app).post('/v1/auth/reset-password').send({ password: 'password2' }).expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 401 if reset password token is blacklisted', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.resetPasswordExpirationMinutes, 'minutes');
+      const resetPasswordToken = tokenService.generateToken(userOne._id, expires, tokenTypes.RESET_PASSWORD);
+      await tokenService.saveToken(resetPasswordToken, userOne._id, expires, tokenTypes.RESET_PASSWORD, true);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'password2' })
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 if reset password token is expired', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().subtract(1, 'minutes');
+      const resetPasswordToken = tokenService.generateToken(userOne._id, expires, tokenTypes.RESET_PASSWORD);
+      await tokenService.saveToken(resetPasswordToken, userOne._id, expires, tokenTypes.RESET_PASSWORD);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'password2' })
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 if user is not found', async () => {
+      const expires = moment().add(config.jwt.resetPasswordExpirationMinutes, 'minutes');
+      const resetPasswordToken = tokenService.generateToken(userOne._id, expires, tokenTypes.RESET_PASSWORD);
+      await tokenService.saveToken(resetPasswordToken, userOne._id, expires, tokenTypes.RESET_PASSWORD);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'password2' })
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 400 if password is missing or invalid', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.resetPasswordExpirationMinutes, 'minutes');
+      const resetPasswordToken = tokenService.generateToken(userOne._id, expires, tokenTypes.RESET_PASSWORD);
+      await tokenService.saveToken(resetPasswordToken, userOne._id, expires, tokenTypes.RESET_PASSWORD);
+
+      await request(app).post('/v1/auth/reset-password').query({ token: resetPasswordToken }).expect(httpStatus.BAD_REQUEST);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'short1' })
+        .expect(httpStatus.BAD_REQUEST);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: 'password' })
+        .expect(httpStatus.BAD_REQUEST);
+
+      await request(app)
+        .post('/v1/auth/reset-password')
+        .query({ token: resetPasswordToken })
+        .send({ password: '11111111' })
+        .expect(httpStatus.BAD_REQUEST);
+    });
+  });
+
+  describe('POST /v1/auth/send-verification-email', () => {
+    beforeEach(() => {
+      jest.spyOn(emailService.transport, 'sendMail').mockResolvedValue();
+    });
+
+    test('should return 204 and send verification email to the user', async () => {
+      await insertUsers([userOne]);
+      const sendVerificationEmailSpy = jest.spyOn(emailService, 'sendVerificationEmail');
+
+      await request(app)
+        .post('/v1/auth/send-verification-email')
+        .set('Authorization', `Bearer ${userOneAccessToken}`)
+        .expect(httpStatus.NO_CONTENT);
+
+      expect(sendVerificationEmailSpy).toHaveBeenCalledWith(userOne.email, expect.any(String));
+      const verifyEmailToken = sendVerificationEmailSpy.mock.calls[0][1];
+      const dbVerifyEmailToken = await Token.findOne({ token: verifyEmailToken, user: userOne._id });
+
+      expect(dbVerifyEmailToken).toBeDefined();
+    });
+
+    test('should return 401 error if access token is missing', async () => {
+      await insertUsers([userOne]);
+
+      await request(app).post('/v1/auth/send-verification-email').send().expect(httpStatus.UNAUTHORIZED);
+    });
+  });
+
+  describe('POST /v1/auth/verify-email', () => {
+    test('should return 204 and verify the email', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.verifyEmailExpirationMinutes, 'minutes');
+      const verifyEmailToken = tokenService.generateToken(userOne._id, expires);
+      await tokenService.saveToken(verifyEmailToken, userOne._id, expires, tokenTypes.VERIFY_EMAIL);
+
+      await request(app)
+        .post('/v1/auth/verify-email')
+        .query({ token: verifyEmailToken })
+        .send()
+        .expect(httpStatus.NO_CONTENT);
+
+      const dbUser = await User.findById(userOne._id);
+
+      expect(dbUser.isEmailVerified).toBe(true);
+
+      const dbVerifyEmailToken = await Token.countDocuments({
+        user: userOne._id,
+        type: tokenTypes.VERIFY_EMAIL,
+      });
+      expect(dbVerifyEmailToken).toBe(0);
+    });
+
+    test('should return 400 if verify email token is missing', async () => {
+      await insertUsers([userOne]);
+
+      await request(app).post('/v1/auth/verify-email').send().expect(httpStatus.BAD_REQUEST);
+    });
+
+    test('should return 401 if verify email token is blacklisted', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().add(config.jwt.verifyEmailExpirationMinutes, 'minutes');
+      const verifyEmailToken = tokenService.generateToken(userOne._id, expires);
+      await tokenService.saveToken(verifyEmailToken, userOne._id, expires, tokenTypes.VERIFY_EMAIL, true);
+
+      await request(app)
+        .post('/v1/auth/verify-email')
+        .query({ token: verifyEmailToken })
+        .send()
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 if verify email token is expired', async () => {
+      await insertUsers([userOne]);
+      const expires = moment().subtract(1, 'minutes');
+      const verifyEmailToken = tokenService.generateToken(userOne._id, expires);
+      await tokenService.saveToken(verifyEmailToken, userOne._id, expires, tokenTypes.VERIFY_EMAIL);
+
+      await request(app)
+        .post('/v1/auth/verify-email')
+        .query({ token: verifyEmailToken })
+        .send()
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+
+    test('should return 401 if user is not found', async () => {
+      const expires = moment().add(config.jwt.verifyEmailExpirationMinutes, 'minutes');
+      const verifyEmailToken = tokenService.generateToken(userOne._id, expires);
+      await tokenService.saveToken(verifyEmailToken, userOne._id, expires, tokenTypes.VERIFY_EMAIL);
+
+      await request(app)
+        .post('/v1/auth/verify-email')
+        .query({ token: verifyEmailToken })
+        .send()
+        .expect(httpStatus.UNAUTHORIZED);
+    });
+  });
+});
+
+describe('Auth middleware', () => {
+  test('should call next with no errors if access token is valid', async () => {
+    await insertUsers([userOne]);
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${userOneAccessToken}` } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith();
+    expect(req.user._id).toEqual(userOne._id);
+  });
+
+  test('should call next with unauthorized error if access token is not found in header', async () => {
+    await insertUsers([userOne]);
+    const req = httpMocks.createRequest();
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with unauthorized error if access token is not a valid jwt token', async () => {
+    await insertUsers([userOne]);
+    const req = httpMocks.createRequest({ headers: { Authorization: 'Bearer randomToken' } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with unauthorized error if the token is not an access token', async () => {
+    await insertUsers([userOne]);
+    const expires = moment().add(config.jwt.accessExpirationMinutes, 'minutes');
+    const refreshToken = tokenService.generateToken(userOne._id, expires, tokenTypes.REFRESH);
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${refreshToken}` } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with unauthorized error if access token is generated with an invalid secret', async () => {
+    await insertUsers([userOne]);
+    const expires = moment().add(config.jwt.accessExpirationMinutes, 'minutes');
+    const accessToken = tokenService.generateToken(userOne._id, expires, tokenTypes.ACCESS, 'invalidSecret');
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${accessToken}` } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with unauthorized error if access token is expired', async () => {
+    await insertUsers([userOne]);
+    const expires = moment().subtract(1, 'minutes');
+    const accessToken = tokenService.generateToken(userOne._id, expires, tokenTypes.ACCESS);
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${accessToken}` } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with unauthorized error if user is not found', async () => {
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${userOneAccessToken}` } });
+    const next = jest.fn();
+
+    await auth()(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ statusCode: httpStatus.UNAUTHORIZED, message: 'Please authenticate' }),
+    );
+  });
+
+  test('should call next with forbidden error if user does not have required rights and userId is not in params', async () => {
+    await insertUsers([userOne]);
+    const req = httpMocks.createRequest({ headers: { Authorization: `Bearer ${userOneAccessToken}` } });
+    const next = jest.fn();
+
+    await auth('anyRight')(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith(expect.any(ApiError));
+    expect(next).toHaveBeenCalledWith(expect.objectContaining({ statusCode: httpStatus.FORBIDDEN, message: 'Forbidden' }));
+  });
+
+  test('should call next with no errors if user does not have required rights but userId is in params', async () => {
+    await insertUsers([userOne]);
+    const req = httpMocks.createRequest({
+      headers: { Authorization: `Bearer ${userOneAccessToken}` },
+      params: { userId: userOne._id.toHexString() },
+    });
+    const next = jest.fn();
+
+    await auth('anyRight')(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith();
+  });
+
+  test('should call next with no errors if user has required rights', async () => {
+    await insertUsers([admin]);
+    const req = httpMocks.createRequest({
+      headers: { Authorization: `Bearer ${adminAccessToken}` },
+      params: { userId: userOne._id.toHexString() },
+    });
+    const next = jest.fn();
+
+    await auth(...roleRights.get('admin'))(req, httpMocks.createResponse(), next);
+
+    expect(next).toHaveBeenCalledWith();
+  });
+});

package/tests/integration/docs.test.js

@@ -0,0 +1,14 @@
+const request = require('supertest');
+const httpStatus = require('http-status');
+const app = require('../../src/app');
+const config = require('../../src/config/config');
+
+describe('Docs routes', () => {
+  describe('GET /v1/docs', () => {
+    test('should return 404 when running in production', async () => {
+      config.env = 'production';
+      await request(app).get('/v1/docs').send().expect(httpStatus.NOT_FOUND);
+      config.env = process.env.NODE_ENV;
+    });
+  });
+});

package/tests/integration/health.test.js

@@ -0,0 +1,32 @@
+const request = require('supertest');
+const httpStatus = require('http-status');
+const mongoose = require('mongoose');
+const app = require('../../src/app');
+const setupTestDB = require('../utils/setupTestDB');
+
+setupTestDB();
+
+describe('Health routes', () => {
+  describe('GET /health', () => {
+    test('should return 200 and health status', async () => {
+      const res = await request(app).get('/health').send().expect(httpStatus.OK);
+
+      expect(res.body).toHaveProperty('status', 'ok');
+      expect(res.body).toHaveProperty('timestamp');
+      expect(res.body).toHaveProperty('uptime');
+      expect(res.headers['x-request-id']).toBeDefined();
+    });
+  });
+
+  describe('GET /health/ready', () => {
+    test('should return 200 when database is connected', async () => {
+      // setupTestDB connects in beforeAll, so mongoose should already be connected
+      expect(mongoose.connection.readyState).toBe(1);
+
+      const res = await request(app).get('/health/ready').send().expect(httpStatus.OK);
+
+      expect(res.body).toHaveProperty('status', 'ready');
+      expect(res.body).toHaveProperty('database', 'connected');
+    });
+  });
+});