sveltekit-auth-example 5.8.2 → 5.8.3

package/src/lib/server/email/verify-email.ts

@@ -1,4 +1,4 @@
-import { DOMAIN, EMAIL } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 import { sendMessage } from '$lib/server/brevo'
 
 /**
@@ -10,12 +10,12 @@ import { sendMessage } from '$lib/server/brevo'
 export const sendVerificationEmail = async (toEmail: string, token: string) => {
 	await sendMessage({
 		to: [{ email: toEmail }],
-		sender: { email: EMAIL },
+		sender: { email: env.EMAIL },
 		subject: 'Verify your email address',
 		tags: ['account'],
 		htmlContent: `
       <p>Thanks for registering! Please verify your email address by clicking the link below:</p>
-      <p><a href="${DOMAIN}/auth/verify/${token}">Verify my email address</a></p>
+      <p><a href="${env.DOMAIN}/auth/verify/${token}">Verify my email address</a></p>
       <p>This link expires in 24 hours. If you did not register, you can safely ignore this email.</p>
     `
 	})

package/src/lib/server/email/verify-email.unit.test.ts

@@ -0,0 +1,79 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/dynamic/private', () => ({ env: { EMAIL: 'no-reply@example.com', DOMAIN: 'https://example.com' } }))
+
+vi.mock('$lib/server/brevo', () => ({ sendMessage: vi.fn() }))
+
+import { sendVerificationEmail } from './verify-email'
+import { sendMessage } from '$lib/server/brevo'
+
+const mockSendMessage = vi.mocked(sendMessage)
+
+describe('sendVerificationEmail', () => {
+	beforeEach(() => {
+		mockSendMessage.mockReset()
+	})
+
+	it('calls sendMessage with the correct recipient', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-abc')
+
+		expect(mockSendMessage).toHaveBeenCalledOnce()
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.to).toEqual([{ email: 'new@example.com' }])
+	})
+
+	it('uses the EMAIL env var as the sender', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-abc')
+
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.sender).toEqual({ email: 'no-reply@example.com' })
+	})
+
+	it('sets the expected subject line', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-abc')
+
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.subject).toBe('Verify your email address')
+	})
+
+	it('includes the verification link with DOMAIN and token in the HTML content', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-xyz-789')
+
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.htmlContent).toContain('https://example.com/auth/verify/tok-xyz-789')
+	})
+
+	it('mentions the 24-hour expiry in the HTML content', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-abc')
+
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.htmlContent).toContain('24 hours')
+	})
+
+	it('tags the message as account', async () => {
+		mockSendMessage.mockResolvedValue(undefined)
+
+		await sendVerificationEmail('new@example.com', 'tok-abc')
+
+		const [msg] = mockSendMessage.mock.calls[0]
+		expect(msg.tags).toContain('account')
+	})
+
+	it('propagates errors thrown by sendMessage', async () => {
+		mockSendMessage.mockRejectedValue(new Error('Brevo API unavailable'))
+
+		await expect(sendVerificationEmail('new@example.com', 'tok-abc')).rejects.toThrow(
+			'Brevo API unavailable'
+		)
+	})
+})

package/src/lib/server/turnstile.ts

@@ -1,4 +1,4 @@
-import { TURNSTILE_SECRET_KEY } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 
 /**
  * Verifies a Cloudflare Turnstile challenge token against the siteverify API.
@@ -11,7 +11,7 @@ export async function verifyTurnstileToken(token: string, ip?: string): Promise<
 	if (!token) return false
 
 	const formData = new FormData()
-	formData.append('secret', TURNSTILE_SECRET_KEY)
+	formData.append('secret', env.TURNSTILE_SECRET_KEY)
 	formData.append('response', token)
 	if (ip) formData.append('remoteip', ip)
 

package/src/lib/server/turnstile.unit.test.ts

@@ -0,0 +1,111 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/dynamic/private', () => ({ env: { TURNSTILE_SECRET_KEY: 'test-secret-key' } }))
+
+import { verifyTurnstileToken } from './turnstile'
+
+describe('verifyTurnstileToken', () => {
+	beforeEach(() => {
+		vi.restoreAllMocks()
+	})
+
+	it('returns false immediately for an empty token', async () => {
+		const fetchSpy = vi.spyOn(globalThis, 'fetch')
+
+		const result = await verifyTurnstileToken('')
+
+		expect(result).toBe(false)
+		expect(fetchSpy).not.toHaveBeenCalled()
+	})
+
+	it('returns true when the API responds with success: true', async () => {
+		vi.spyOn(globalThis, 'fetch').mockResolvedValue(
+			new Response(JSON.stringify({ success: true }), { status: 200 })
+		)
+
+		const result = await verifyTurnstileToken('valid-token')
+
+		expect(result).toBe(true)
+	})
+
+	it('returns false when the API responds with success: false', async () => {
+		vi.spyOn(globalThis, 'fetch').mockResolvedValue(
+			new Response(JSON.stringify({ success: false }), { status: 200 })
+		)
+
+		const result = await verifyTurnstileToken('invalid-token')
+
+		expect(result).toBe(false)
+	})
+
+	it('posts to the Cloudflare siteverify endpoint', async () => {
+		const fetchSpy = vi
+			.spyOn(globalThis, 'fetch')
+			.mockResolvedValue(new Response(JSON.stringify({ success: true }), { status: 200 }))
+
+		await verifyTurnstileToken('some-token')
+
+		const [url, init] = fetchSpy.mock.calls[0]
+		expect(url).toBe('https://challenges.cloudflare.com/turnstile/v0/siteverify')
+		expect((init as RequestInit).method).toBe('POST')
+	})
+
+	it('includes the secret key and token in the form data', async () => {
+		const fetchSpy = vi
+			.spyOn(globalThis, 'fetch')
+			.mockResolvedValue(new Response(JSON.stringify({ success: true }), { status: 200 }))
+
+		await verifyTurnstileToken('my-token')
+
+		const [, init] = fetchSpy.mock.calls[0]
+		const body = (init as RequestInit).body as FormData
+		expect(body.get('secret')).toBe('test-secret-key')
+		expect(body.get('response')).toBe('my-token')
+	})
+
+	it('includes remoteip in the form data when ip is provided', async () => {
+		const fetchSpy = vi
+			.spyOn(globalThis, 'fetch')
+			.mockResolvedValue(new Response(JSON.stringify({ success: true }), { status: 200 }))
+
+		await verifyTurnstileToken('my-token', '1.2.3.4')
+
+		const [, init] = fetchSpy.mock.calls[0]
+		const body = (init as RequestInit).body as FormData
+		expect(body.get('remoteip')).toBe('1.2.3.4')
+	})
+
+	it('omits remoteip from the form data when ip is not provided', async () => {
+		const fetchSpy = vi
+			.spyOn(globalThis, 'fetch')
+			.mockResolvedValue(new Response(JSON.stringify({ success: true }), { status: 200 }))
+
+		await verifyTurnstileToken('my-token')
+
+		const [, init] = fetchSpy.mock.calls[0]
+		const body = (init as RequestInit).body as FormData
+		expect(body.get('remoteip')).toBeNull()
+	})
+
+	it('returns false and logs an error when fetch throws', async () => {
+		vi.spyOn(globalThis, 'fetch').mockRejectedValue(new Error('Network error'))
+		const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {})
+
+		const result = await verifyTurnstileToken('some-token')
+
+		expect(result).toBe(false)
+		expect(consoleSpy).toHaveBeenCalledWith(
+			'Turnstile verification error:',
+			expect.any(Error)
+		)
+	})
+
+	it('returns false when the response body is not valid JSON', async () => {
+		vi.spyOn(globalThis, 'fetch').mockResolvedValue(new Response('not-json', { status: 200 }))
+		vi.spyOn(console, 'error').mockImplementation(() => {})
+
+		const result = await verifyTurnstileToken('some-token')
+
+		expect(result).toBe(false)
+	})
+})

package/src/routes/api/v1/user/+server.unit.test.ts

@@ -0,0 +1,114 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+
+import { PUT, DELETE } from './+server'
+import { query } from '$lib/server/db'
+
+const mockQuery = vi.mocked(query)
+
+const adminUser: UserProperties = { id: 42, role: 'admin', email: 'admin@example.com' }
+
+function makeEvent({
+	noUser = false,
+	body = {} as unknown
+} = {}) {
+	return {
+		locals: { user: noUser ? undefined : adminUser },
+		request: { json: vi.fn().mockResolvedValue(body) },
+		cookies: { delete: vi.fn() }
+	} as unknown as Parameters<typeof PUT>[0]
+}
+
+beforeEach(() => {
+	mockQuery.mockReset()
+})
+
+// ── PUT ───────────────────────────────────────────────────────────────────────
+
+describe('PUT /api/v1/user', () => {
+	it('returns 200 with a success message on valid update', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 1 } as any)
+
+		const res = await PUT(makeEvent({ body: { firstName: 'Jane' } }))
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.message).toContain('Successfully updated')
+	})
+
+	it('calls update_user with the user id and JSON-encoded update', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 1 } as any)
+		const update = { firstName: 'Jane', phone: '412-555-0000' }
+
+		await PUT(makeEvent({ body: update }))
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('update_user'),
+			[adminUser.id, JSON.stringify(update)]
+		)
+	})
+
+	it('throws 401 when user is not authenticated', async () => {
+		await expect(PUT(makeEvent({ noUser: true }))).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 503 when the database call fails', async () => {
+		mockQuery.mockRejectedValue(new Error('db down'))
+
+		await expect(PUT(makeEvent())).rejects.toMatchObject({ status: 503 })
+	})
+})
+
+// ── DELETE ───────────────────────────────────────────────────────────────────
+
+describe('DELETE /api/v1/user', () => {
+	it('returns 200 with a success message on valid deletion', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 1 } as any)
+
+		const res = await DELETE(makeEvent())
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.message).toContain('deleted')
+	})
+
+	it('calls delete_user with the user id', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 1 } as any)
+
+		await DELETE(makeEvent())
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('delete_user'),
+			[adminUser.id]
+		)
+	})
+
+	it('deletes the session cookie on success', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 1 } as any)
+		const event = makeEvent()
+
+		await DELETE(event)
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('throws 401 when user is not authenticated', async () => {
+		await expect(DELETE(makeEvent({ noUser: true }))).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 503 when the database call fails', async () => {
+		mockQuery.mockRejectedValue(new Error('db down'))
+
+		await expect(DELETE(makeEvent())).rejects.toMatchObject({ status: 503 })
+	})
+
+	it('does not delete the session cookie when the db call fails', async () => {
+		mockQuery.mockRejectedValue(new Error('db down'))
+		const event = makeEvent()
+
+		await DELETE(event).catch(() => {})
+
+		expect(event.cookies.delete).not.toHaveBeenCalled()
+	})
+})

package/src/routes/auth/[slug]/+server.unit.test.ts

@@ -0,0 +1,15 @@
+import { describe, it, expect } from 'vitest'
+
+import { POST } from './+server'
+
+const event = {} as Parameters<typeof POST>[0]
+
+describe('POST /auth/[slug]', () => {
+	it('throws 404 for any unrecognized auth path', async () => {
+		await expect(POST(event)).rejects.toMatchObject({ status: 404 })
+	})
+
+	it('includes "Invalid endpoint" in the error message', async () => {
+		await expect(POST(event)).rejects.toMatchObject({ body: { message: 'Invalid endpoint.' } })
+	})
+})

package/src/routes/auth/forgot/+server.ts

@@ -1,7 +1,7 @@
 import type { Secret } from 'jsonwebtoken'
 import type { RequestHandler } from './$types'
 import jwt from 'jsonwebtoken'
-import { JWT_SECRET } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 import { query } from '$lib/server/db'
 import { sendPasswordResetEmail } from '$lib/server/email'
 import { error } from '@sveltejs/kit'
@@ -30,7 +30,7 @@ export const POST: RequestHandler = async event => {
 	if (rows.length > 0) {
 		const token = jwt.sign(
 			{ subject: rows[0].userId, purpose: 'reset-password' },
-			JWT_SECRET as Secret,
+			env.JWT_SECRET as Secret,
 			{ expiresIn: '30m' }
 		)
 		try {

package/src/routes/auth/forgot/+server.unit.test.ts

@@ -0,0 +1,110 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/dynamic/private', () => ({ env: { JWT_SECRET: 'test-secret' } }))
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+vi.mock('$lib/server/email', () => ({ sendPasswordResetEmail: vi.fn() }))
+vi.mock('$lib/server/turnstile', () => ({ verifyTurnstileToken: vi.fn() }))
+
+import { POST } from './+server'
+import { query } from '$lib/server/db'
+import { sendPasswordResetEmail } from '$lib/server/email'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
+
+const mockQuery = vi.mocked(query)
+const mockSendPasswordResetEmail = vi.mocked(sendPasswordResetEmail)
+const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
+
+function makeEvent(body: Record<string, unknown> = {}) {
+	return {
+		request: {
+			json: vi.fn().mockResolvedValue({ turnstileToken: 'tok', email: 'user@example.com', ...body }),
+			headers: { get: vi.fn().mockReturnValue(null) }
+		},
+		getClientAddress: vi.fn().mockReturnValue('127.0.0.1')
+	} as unknown as Parameters<typeof POST>[0]
+}
+
+beforeEach(() => {
+	vi.clearAllMocks()
+	mockVerifyTurnstileToken.mockResolvedValue(true)
+})
+
+describe('POST /auth/forgot', () => {
+	it('returns 204 when user email exists', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ userId: 1 }], rowCount: 1 } as any)
+		mockSendPasswordResetEmail.mockResolvedValue(undefined)
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(204)
+	})
+
+	it('returns 204 when email is not found (prevents user enumeration)', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 0 } as any)
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(204)
+	})
+
+	it('sends a password reset email when user exists', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ userId: 7 }], rowCount: 1 } as any)
+		mockSendPasswordResetEmail.mockResolvedValue(undefined)
+
+		await POST(makeEvent())
+
+		expect(mockSendPasswordResetEmail).toHaveBeenCalledOnce()
+		expect(mockSendPasswordResetEmail).toHaveBeenCalledWith('user@example.com', expect.any(String))
+	})
+
+	it('does not send an email when user is not found', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 0 } as any)
+
+		await POST(makeEvent())
+
+		expect(mockSendPasswordResetEmail).not.toHaveBeenCalled()
+	})
+
+	it('queries users table with the provided email', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 0 } as any)
+
+		await POST(makeEvent({ email: 'test@example.com' }))
+
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('users'), ['test@example.com'])
+	})
+
+	it('throws 400 when Turnstile verification fails', async () => {
+		mockVerifyTurnstileToken.mockResolvedValue(false)
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 400 })
+	})
+
+	it('verifies the Turnstile token using the CF-Connecting-IP header when present', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 0 } as any)
+		const event = makeEvent()
+		vi.mocked(event.request.headers.get).mockReturnValue('1.2.3.4')
+
+		await POST(event)
+
+		expect(mockVerifyTurnstileToken).toHaveBeenCalledWith('tok', '1.2.3.4')
+	})
+
+	it('falls back to getClientAddress when CF-Connecting-IP is absent', async () => {
+		mockQuery.mockResolvedValue({ rows: [], rowCount: 0 } as any)
+		const event = makeEvent()
+		vi.mocked(event.request.headers.get).mockReturnValue(null)
+
+		await POST(event)
+
+		expect(mockVerifyTurnstileToken).toHaveBeenCalledWith('tok', '127.0.0.1')
+	})
+
+	it('still returns 204 when sendPasswordResetEmail throws', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ userId: 3 }], rowCount: 1 } as any)
+		mockSendPasswordResetEmail.mockRejectedValue(new Error('SMTP failure'))
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(204)
+	})
+})

package/src/routes/auth/google/+server.unit.test.ts

@@ -0,0 +1,132 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('$env/static/public', () => ({ PUBLIC_GOOGLE_CLIENT_ID: 'test-client-id' }))
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+vi.mock('google-auth-library', () => ({
+	OAuth2Client: vi.fn()
+}))
+
+import { POST } from './+server'
+import { query } from '$lib/server/db'
+import { OAuth2Client } from 'google-auth-library'
+
+const mockQuery = vi.mocked(query)
+const MockOAuth2Client = vi.mocked(OAuth2Client)
+
+const mockUser: User = { id: 1, email: 'jane@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUserSession: UserSession = { id: 'session-abc', user: mockUser }
+
+function makeVerifyIdToken(payload: Record<string, unknown> | null) {
+	return vi.fn().mockResolvedValue({ getPayload: () => payload })
+}
+
+function setupOAuth2Mock(verifyIdToken: ReturnType<typeof vi.fn>) {
+	MockOAuth2Client.mockImplementation(function () {
+		return { verifyIdToken }
+	} as unknown as new (clientId: string) => OAuth2Client)
+}
+
+function makeEvent(body: Record<string, unknown> = { token: 'google-jwt' }) {
+	return {
+		request: { json: vi.fn().mockResolvedValue(body) },
+		cookies: { set: vi.fn() },
+		locals: {} as App.Locals
+	} as unknown as Parameters<typeof POST>[0]
+}
+
+beforeEach(() => {
+	vi.clearAllMocks()
+})
+
+describe('POST /auth/google', () => {
+	it('returns 200 with user data on successful sign-in', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+
+		const res = await POST(makeEvent())
+
+		expect(res.status).toBe(200)
+		const body = await res.json()
+		expect(body.message).toBe('Successful Google Sign-In.')
+		expect(body.user).toEqual(mockUser)
+	})
+
+	it('sets an httpOnly session cookie on success', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.cookies.set).toHaveBeenCalledWith('session', 'session-abc', expect.objectContaining({
+			httpOnly: true,
+			sameSite: 'lax',
+			secure: true,
+			path: '/'
+		}))
+	})
+
+	it('sets event.locals.user on success', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+		const event = makeEvent()
+
+		await POST(event)
+
+		expect(event.locals.user).toEqual(mockUser)
+	})
+
+	it('uses PUBLIC_GOOGLE_CLIENT_ID when verifying the token', async () => {
+		const verifyIdToken = makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		setupOAuth2Mock(verifyIdToken)
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+
+		await POST(makeEvent({ token: 'my-token' }))
+
+		expect(MockOAuth2Client).toHaveBeenCalledWith('test-client-id')
+		expect(verifyIdToken).toHaveBeenCalledWith({ idToken: 'my-token', audience: 'test-client-id' })
+	})
+
+	it('passes the Google user data to the DB upsert', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+
+		await POST(makeEvent())
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('start_gmail_user_session'),
+			[JSON.stringify({ firstName: 'Jane', lastName: 'Doe', email: 'jane@example.com' })]
+		)
+	})
+
+	it('falls back to placeholder names when given_name/family_name are missing', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ email: 'noname@example.com' }))
+		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
+
+		await POST(makeEvent())
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.any(String),
+			[JSON.stringify({ firstName: 'UnknownFirstName', lastName: 'UnknownLastName', email: 'noname@example.com' })]
+		)
+	})
+
+	it('throws 401 when the Google token is invalid', async () => {
+		setupOAuth2Mock(vi.fn().mockRejectedValue(new Error('Invalid token')))
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 401 when the DB upsert fails', async () => {
+		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		mockQuery.mockRejectedValue(new Error('db error'))
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })
+	})
+
+	it('throws 401 when the Google payload is null', async () => {
+		setupOAuth2Mock(makeVerifyIdToken(null))
+
+		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })
+	})
+})

package/src/routes/auth/login/+server.ts

@@ -2,7 +2,7 @@ import { error, json } from '@sveltejs/kit'
 import type { RequestHandler } from './$types'
 import type { Secret } from 'jsonwebtoken'
 import jwt from 'jsonwebtoken'
-import { JWT_SECRET } from '$env/static/private'
+import { env } from '$env/dynamic/private'
 import { query } from '$lib/server/db'
 import { sendMfaCodeEmail } from '$lib/server/email'
 import { verifyTurnstileToken } from '$lib/server/turnstile'
@@ -97,7 +97,7 @@ export const POST: RequestHandler = async event => {
 	const trustedToken = cookies.get(MFA_TRUSTED_COOKIE)
 	if (trustedToken) {
 		try {
-			const payload = jwt.verify(trustedToken, JWT_SECRET as Secret) as {
+			const payload = jwt.verify(trustedToken, env.JWT_SECRET as Secret) as {
 				userId: number
 				purpose: string
 			}